Merge pull request #2001 from ggouaillardet/topic/pmix2x_sec_native

rhc54 · web-flow · commit b12e43fc03c5 · 2016-08-23T22:47:05.000-05:00
fix sec/native module under Solaris and other misc issues
diff --git a/opal/mca/pmix/pmix2x/pmix/config/pmix.m4 b/opal/mca/pmix/pmix2x/pmix/config/pmix.m4
@@ -18,7 +18,7 @@ dnl                         reserved.
 dnl Copyright (c) 2009-2011 Oak Ridge National Labs.  All rights reserved.
 dnl Copyright (c) 2011-2013 NVIDIA Corporation.  All rights reserved.
 dnl Copyright (c) 2013-2015 Intel, Inc. All rights reserved
-dnl Copyright (c) 2015      Research Organization for Information Science
+dnl Copyright (c) 2015-2016 Research Organization for Information Science
 dnl                         and Technology (RIST). All rights reserved.
 dnl Copyright (c) 2016      Mellanox Technologies, Inc.
 dnl                         All rights reserved.
@@ -301,7 +301,8 @@ AC_DEFUN([PMIX_SETUP_CORE],[
                       time.h unistd.h dirent.h \
                       crt_externs.h signal.h \
                       ioLib.h sockLib.h hostLib.h limits.h \
-                      sys/statfs.h sys/statvfs.h])
+                      sys/statfs.h sys/statvfs.h \
+                      netdb.h ucred.h])
 
     # Note that sometimes we have <stdbool.h>, but it doesn't work (e.g.,
     # have both Portland and GNU installed; using pgcc will find GNU's
@@ -507,7 +508,7 @@ AC_DEFUN([PMIX_SETUP_CORE],[
     # Darwin doesn't need -lm, as it's a symlink to libSystem.dylib
     PMIX_SEARCH_LIBS_CORE([ceil], [m])
 
-    AC_CHECK_FUNCS([asprintf snprintf vasprintf vsnprintf strsignal socketpair strncpy_s usleep statfs statvfs getpeereid strnlen])
+    AC_CHECK_FUNCS([asprintf snprintf vasprintf vsnprintf strsignal socketpair strncpy_s usleep statfs statvfs getpeereid getpeerucred strnlen])
 
     # On some hosts, htonl is a define, so the AC_CHECK_FUNC will get
     # confused.  On others, it's in the standard library, but stubbed with
diff --git a/opal/mca/pmix/pmix2x/pmix/src/dstore/pmix_esh.c b/opal/mca/pmix/pmix2x/pmix/src/dstore/pmix_esh.c
@@ -1,6 +1,8 @@
 /*
  * Copyright (c) 2015-2016 Mellanox Technologies, Inc.
  *                         All rights reserved.
+ * Copyright (c) 2016      Research Organization for Information Science
+ *                         and Technology (RIST). All rights reserved.
  * $COPYRIGHT$
  *
  * Additional copyrights may follow
@@ -12,6 +14,7 @@
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <sys/file.h>
 
 #include <src/include/pmix_config.h>
diff --git a/opal/mca/pmix/pmix2x/pmix/src/sec/pmix_native.c b/opal/mca/pmix/pmix2x/pmix/src/sec/pmix_native.c
@@ -1,6 +1,8 @@
 /*
  * Copyright (c) 2015-2016 Intel, Inc.  All rights reserved.
  * Copyright (c) 2016      IBM Corporation.  All rights reserved.
+ * Copyright (c) 2016      Research Organization for Information Science
+ *                         and Technology (RIST). All rights reserved.
  *
  * $COPYRIGHT$
  *
@@ -24,6 +26,9 @@
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
+#ifdef HAVE_UCRED_H
+#include <ucred.h>
+#endif
 
 #include "pmix_sec.h"
 #include "pmix_native.h"
@@ -65,6 +70,9 @@ static pmix_status_t validate_cred(pmix_peer_t *peer, char *cred)
     struct ucred ucred;
 #endif
     socklen_t crlen = sizeof (ucred);
+#endif
+#ifdef HAVE_GETPEERUCRED
+    ucred_t *ucred = NULL;
 #endif
     uid_t euid;
     gid_t gid;
@@ -99,7 +107,24 @@ static pmix_status_t validate_cred(pmix_peer_t *peer, char *cred)
                             strerror (pmix_socket_errno));
         return PMIX_ERR_INVALID_CRED;
     }
+#elif defined(HAVE_GETPEERUCRED)
+    pmix_output_verbose(2, pmix_globals.debug_output,
+                        "sec:native checking getpeerucred for peer credentials");
+    if (0 != getpeerucred(peer->sd, &ucred)) {
+        pmix_output_verbose(2, pmix_globals.debug_output,
+                            "sec: getsockopt getpeerucred failed: %s",
+                            strerror (pmix_socket_errno));
+        pmix_output_verbose(2, pmix_globals.debug_output,
+                            "sec: getsockopt getpeerucred failed: %s",
+                            strerror (errno));
+        return PMIX_ERR_INVALID_CRED;
+    }
+    euid = ucred_geteuid(ucred);
+    gid = ucred_getrgid(ucred);
+    ucred_free(ucred);
 #else
+    pmix_output_verbose(2, pmix_globals.debug_output,
+                        "sec: native cannot validate_cred on this system");
     return PMIX_ERR_NOT_SUPPORTED;
 #endif
 
