-Add 'becomeuser' tag to commands. If client supplies such a tag, will attempt

to change name to match based on passwd table contents. Rejects request outright if tag attempted and process fails. git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@2245 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
2008-09-27 19:24:02 +00:00
parent 8acad4e8ef
commit cb0a8f5c43
1 changed files with 35 additions and 0 deletions
--- a/xCAT-server/sbin/xcatd
+++ b/xCAT-server/sbin/xcatd
@@ -1055,6 +1055,28 @@ sub build_response {
  }
 }

+sub becomeuser {
+#if username and password match, return the new username
+#otherwise, return undef
+#TODO PAM?
+    my $passtab = xCAT::Table->new('passwd');
+    my $id=shift;
+    my $pass=shift;
+    my $passent=$passtab->getAttribs({key=>'xcat',username=>$id},['password']);
+    unless ($passent) {
+        return undef;
+    }
+    $passent=$passent->{password};
+    if ($passent =~ /^\$1\$.*\$/) { #MD5 hash, calculate before comparison
+        $pass = crypt($pass,$passent);
+    } #Not bothering with old DES method, for now assume plaintext if not set
+    if ($pass eq $passent) {
+        return $id;
+    }
+#If here, unable to validate given credential
+    return undef;
+}
+
 sub service_connection {
  my $sock = shift;
  my $peername = shift;
@@ -1078,6 +1100,19 @@ sub service_connection {
      #$req = eval { XMLin($request, ForceArray => [ 'attribute' , 'attributepair' ]) };
      if ($request =~ m/<\/xcatrequest>/) {
        $req = eval { XMLin($request, SuppressEmpty=>undef,ForceArray=>1) };
+        #first change peername on 'becomeuser' tag if present and valid
+        if (defined $req->{becomeuser}) {
+            $peername=becomeuser($req->{becomeuser}->[0]->{id}->[0],
+                                 $req->{becomeuser}->[0]->{password}->[0]);
+            unless (defined $peername) {
+                my $resp={error=>["Authentication failure"],errorcode=>[1]};
+                $resp->{serverdone}={};
+                print $sock XMLout($resp,RootName => 'xcatresponse',NoAttr=>1);
+                return;
+            }
+            delete($req->{becomeuser}); #Remove it to keep it from view
+        }
+
        #we have a full request..
        #printf $request."\n";
        $request="";