Solaris ident authentication using unix domain sockets

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

Solaris ident authentication using unix domain sockets

Garick Hamlin-2
Hi,
        I have a patch that I have been using to support postgresql's
notion of ident authentication when using unix domain sockets on
Solaris.  This patch basically just adds support for using
getupeercred() on Solaris so unix sockets and ident auth works just
like it does on Linux and elsewhere.

        This was my first attempt wrestling with automake.  I've
tested it builds properly after it is applied and autoreconf is run
on RHEL4/Linux/x86.  I am using the patch currently on Solaris 10 /
x86.

Garick

diff -cr postgresql_CVS/configure.in postgresql/configure.in
*** postgresql_CVS/configure.in Tue Jun 24 15:52:30 2008
--- postgresql/configure.in Tue Jun 24 15:57:22 2008
***************
*** 1095,1101 ****
  AC_FUNC_ACCEPT_ARGTYPES
  PGAC_FUNC_GETTIMEOFDAY_1ARG
 
! AC_CHECK_FUNCS([cbrt dlopen fcvt fdatasync getpeereid getrlimit memmove poll pstat readlink setproctitle setsid sigprocmask symlink sysconf towlower utime utimes waitpid wcstombs])
 
  AC_CHECK_DECLS(fdatasync, [], [], [#include <unistd.h>])
  AC_CHECK_DECLS(posix_fadvise, [], [], [#include <fcntl.h>])
--- 1095,1101 ----
  AC_FUNC_ACCEPT_ARGTYPES
  PGAC_FUNC_GETTIMEOFDAY_1ARG
 
! AC_CHECK_FUNCS([getpeerucred cbrt dlopen fcvt fdatasync getpeereid getrlimit memmove poll pstat readlink setproctitle setsid sigprocmask symlink sysconf towlower utime utimes waitpid wcstombs])
 
  AC_CHECK_DECLS(fdatasync, [], [], [#include <unistd.h>])
  AC_CHECK_DECLS(posix_fadvise, [], [], [#include <fcntl.h>])
diff -cr postgresql_CVS/src/backend/libpq/hba.c postgresql/src/backend/libpq/hba.c
*** postgresql_CVS/src/backend/libpq/hba.c Tue Jun 24 15:52:32 2008
--- postgresql/src/backend/libpq/hba.c Tue Jun 24 15:53:00 2008
***************
*** 25,30 ****
--- 25,33 ----
  #include <sys/uio.h>
  #include <sys/ucred.h>
  #endif
+ #if defined(HAVE_GETPEERUCRED)
+ #include <ucred.h>
+ #endif
  #include <netinet/in.h>
  #include <arpa/inet.h>
  #include <unistd.h>
***************
*** 1500,1505 ****
--- 1503,1539 ----
  strlcpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX + 1);
 
  return true;
+ #elif defined(HAVE_GETPEERUCRED) /* Solaris > 10 */
+ uid_t uid;
+ gid_t gid;
+ struct passwd *pass;
+ int ucred_ok=1;
+ ucred_t *ucred = NULL;
+ if (getpeerucred(sock, &ucred) == -1)
+ ucred_ok = 0;
+ if (ucred_ok && (uid = ucred_geteuid(ucred)) == -1 )
+ ucred_ok = 0;
+ if (ucred_ok && (gid = ucred_getrgid(ucred)) == -1 )
+ ucred_ok = 0;
+ if (ucred)
+ ucred_free(ucred);
+ if (!ucred_ok) {
+ /* We didn't get a valid credentials struct. */
+ ereport(LOG, (
+ "could not get peer credentials: %s",
+ strerror(errno)));
+ return false;
+ }
+ pass = getpwuid(uid);
+ if (pass == NULL)
+ {
+ ereport(LOG,
+ (errmsg("local user with ID %d does not exist",
+ (int) uid)));
+ return false;
+ }
+ strlcpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX + 1);
+ return true;
  #elif defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS))
  struct msghdr msg;
 

--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Reply | Threaded
Open this post in threaded view
|

Re: [HACKERS] Solaris ident authentication using unix domain sockets

Tom Lane-2
Garick Hamlin <[hidden email]> writes:
> I have a patch that I have been using to support postgresql's
> notion of ident authentication when using unix domain sockets on
> Solaris.  This patch basically just adds support for using
> getupeercred() on Solaris so unix sockets and ident auth works just
> like it does on Linux and elsewhere.

Cool.

> + #if defined(HAVE_GETPEERUCRED)
> + #include <ucred.h>
> + #endif

But this is not cool.  There might be systems out there that have
getpeerucred() but not <ucred.h>, and this coding would cause a compile
failure (even if they actually wouldn't be trying to use getpeerucred()
because they have some other way to do it).  You need an explicit
configure probe for the header file too, I think.

Also, what is the rationale for putting this before the
HAVE_STRUCT_CMSGCRED case instead of after?  Again, that seems like it
could cause unexpected behavioral changes on platforms that work fine
now (consider possibility that getpeerucred is there but broken).

                        regards, tom lane

--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Reply | Threaded
Open this post in threaded view
|

Re: [HACKERS] Solaris ident authentication using unix domain sockets

Garick Hamlin-2
On Thu, Jul 03, 2008 at 02:01:22PM -0400, Tom Lane wrote:

> Garick Hamlin <[hidden email]> writes:
> >       I have a patch that I have been using to support postgresql's
> > notion of ident authentication when using unix domain sockets on
> > Solaris.  This patch basically just adds support for using
> > getupeercred() on Solaris so unix sockets and ident auth works just
> > like it does on Linux and elsewhere.
>
> Cool.
>
> > + #if defined(HAVE_GETPEERUCRED)
> > + #include <ucred.h>
> > + #endif
>
> But this is not cool.  There might be systems out there that have
> getpeerucred() but not <ucred.h>, and this coding would cause a compile
> failure (even if they actually wouldn't be trying to use getpeerucred()
> because they have some other way to do it).  You need an explicit
> configure probe for the header file too, I think.
Ok, I can fix that.
>
> Also, what is the rationale for putting this before the
> HAVE_STRUCT_CMSGCRED case instead of after?  Again, that seems like it
> could cause unexpected behavioral changes on platforms that work fine
> now (consider possibility that getpeerucred is there but broken).
Good Point, It should be the other way.
>
>                         regards, tom lane

Thanks,

Garick

--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Reply | Threaded
Open this post in threaded view
|

Re: [HACKERS] Solaris ident authentication using unix domain sockets

Robert Treat
In reply to this post by Tom Lane-2
On Thursday 03 July 2008 14:01:22 Tom Lane wrote:
> Garick Hamlin <[hidden email]> writes:
> > I have a patch that I have been using to support postgresql's
> > notion of ident authentication when using unix domain sockets on
> > Solaris.  This patch basically just adds support for using
> > getupeercred() on Solaris so unix sockets and ident auth works just
> > like it does on Linux and elsewhere.
>
> Cool.
>

Hmm... I've always been told that Solaris didn't support this because the
Solaris developers feel that IDENT is inherently insecure. If that is more
than just a philosphical opinion, I wonder if there should be additional
hurdles in place to enable this on that platform. Note that isn't an
objection from me, though I'm curious if any of the Sun guys want to chime in
on this.

--
Robert Treat
Build A Brighter LAMP :: Linux Apache {middleware} PostgreSQL

--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Reply | Threaded
Open this post in threaded view
|

Re: [HACKERS] Solaris ident authentication using unix domain sockets

Andrew Dunstan


Robert Treat wrote:

> On Thursday 03 July 2008 14:01:22 Tom Lane wrote:
>  
>> Garick Hamlin <[hidden email]> writes:
>>    
>>> I have a patch that I have been using to support postgresql's
>>> notion of ident authentication when using unix domain sockets on
>>> Solaris.  This patch basically just adds support for using
>>> getupeercred() on Solaris so unix sockets and ident auth works just
>>> like it does on Linux and elsewhere.
>>>      
>> Cool.
>>
>>    
>
> Hmm... I've always been told that Solaris didn't support this because the
> Solaris developers feel that IDENT is inherently insecure. If that is more
> than just a philosphical opinion, I wonder if there should be additional
> hurdles in place to enable this on that platform. Note that isn't an
> objection from me, though I'm curious if any of the Sun guys want to chime in
> on this.
>
>  


We don't actually use the Ident protocol for Unix sockets on any
platform. AIUI, this patch just implements what we do on platforms like
Linux or *BSD.

cheers

andrew

--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Reply | Threaded
Open this post in threaded view
|

Re: [HACKERS] Solaris ident authentication using unix domain sockets

Tom Lane-2
Andrew Dunstan <[hidden email]> writes:
> Robert Treat wrote:
>> Hmm... I've always been told that Solaris didn't support this because the
>> Solaris developers feel that IDENT is inherently insecure.

> We don't actually use the Ident protocol for Unix sockets on any
> platform.

Indeed.  If the Solaris folk feel that getupeercred() is insecure,
they had better explain why their kernel is that broken.  This is
entirely unrelated to the known shortcomings of the "ident" IP
protocol.

                        regards, tom lane

--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Reply | Threaded
Open this post in threaded view
|

Re: [HACKERS] Solaris ident authentication using unix domain sockets

Josh berkus
Tom,

> Indeed.  If the Solaris folk feel that getupeercred() is insecure,
> they had better explain why their kernel is that broken.  This is
> entirely unrelated to the known shortcomings of the "ident" IP
> protocol.

The Solaris security & kernel folks do, actually.  However, there's no
question that TRUST is inherently insecure, and that's what people are going
to use if they can't get IDENT to work.

--
Josh Berkus
PostgreSQL @ Sun
San Francisco

--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Reply | Threaded
Open this post in threaded view
|

Re: [HACKERS] Solaris ident authentication using unix domain sockets

Andrew Dunstan


Josh Berkus wrote:

> Tom,
>
>  
>> Indeed.  If the Solaris folk feel that getupeercred() is insecure,
>> they had better explain why their kernel is that broken.  This is
>> entirely unrelated to the known shortcomings of the "ident" IP
>> protocol.
>>    
>
> The Solaris security & kernel folks do, actually.  However, there's no
> question that TRUST is inherently insecure, and that's what people are going
> to use if they can't get IDENT to work.
>
>  


I think I'd pose a slightly different question from Tom. Do the Solaris
devs think that their getupeercred() is more insecure than the more or
less equivalent calls that we are doing on Linux and *BSD for example? I
suspect they probably don't ;-)

cheers

andrew



--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Reply | Threaded
Open this post in threaded view
|

Re: [HACKERS] Solaris ident authentication using unix domain sockets

Florian Pflug-2
In reply to this post by Josh berkus
Josh Berkus wrote:

> Tom,
>
>> Indeed.  If the Solaris folk feel that getupeercred() is insecure,
>>  they had better explain why their kernel is that broken.  This is
>>  entirely unrelated to the known shortcomings of the "ident" IP
>> protocol.
>
> The Solaris security & kernel folks do, actually.  However, there's
> no question that TRUST is inherently insecure, and that's what people
>  are going to use if they can't get IDENT to work.

I'd be *very* interested in how they come to that assessment. I'd have
thought that the only alternative to getpeereid/getupeercred is
password-based or certificate-based authenticated - which seem *less*
secure because a) they also rely on the client having the correct uid
or gid (to read the password/private key), plus b) the risk of the
password/private key getting into the wrong hands.

How is that sort of authenticated handled by services shipping with solaris?

regards, Florian Pflug, hoping to be enlightened beyond his limited
posix-ish view of the world...


--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Reply | Threaded
Open this post in threaded view
|

Re: [HACKERS] Solaris ident authentication using unix domain sockets

Josh berkus
Florian,

> I'd be *very* interested in how they come to that assessment. I'd have
> thought that the only alternative to getpeereid/getupeercred is
> password-based or certificate-based authenticated - which seem *less*
> secure because a) they also rely on the client having the correct uid
> or gid (to read the password/private key), plus b) the risk of the
> password/private key getting into the wrong hands.

*shrug* don't ask me.  I don't agree with the policy, I can hardly
defend it.

--Josh

--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches
Reply | Threaded
Open this post in threaded view
|

Re: [HACKERS] Solaris ident authentication using unix domain sockets

Bruce Momjian
In reply to this post by Garick Hamlin-2
Garick Hamlin wrote:

> On Thu, Jul 03, 2008 at 02:01:22PM -0400, Tom Lane wrote:
> > Garick Hamlin <[hidden email]> writes:
> > >       I have a patch that I have been using to support postgresql's
> > > notion of ident authentication when using unix domain sockets on
> > > Solaris.  This patch basically just adds support for using
> > > getupeercred() on Solaris so unix sockets and ident auth works just
> > > like it does on Linux and elsewhere.
> >
> > Cool.
> >
> > > + #if defined(HAVE_GETPEERUCRED)
> > > + #include <ucred.h>
> > > + #endif
> >
> > But this is not cool.  There might be systems out there that have
> > getpeerucred() but not <ucred.h>, and this coding would cause a compile
> > failure (even if they actually wouldn't be trying to use getpeerucred()
> > because they have some other way to do it).  You need an explicit
> > configure probe for the header file too, I think.
> Ok, I can fix that.

Garick, have you made any progress on an updated patch?

--
  Bruce Momjian  <[hidden email]>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

--
Sent via pgsql-patches mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches