mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-25 11:01:09 +00:00
Leverage unix_chkpwd
If doing PAM authentication, we can setuid to the target user and then pam_unix will use unix_chkpwd on our behalf. Problems with this working in the lab was resolved by a yum reinstall pam, so it was presumably due to messed up setcap or similar experiments.
This commit is contained in:
parent
6a12af1242
commit
4437e81e04
@ -28,6 +28,7 @@ import hashlib
|
||||
import hmac
|
||||
import multiprocessing
|
||||
import os
|
||||
import pwd
|
||||
import confluent.userutil as userutil
|
||||
import confluent.util as util
|
||||
pam = None
|
||||
@ -258,6 +259,13 @@ def check_user_passphrase(name, passphrase, operation=None, element=None, tenant
|
||||
_passcache[(user, tenant)] = hashlib.sha256(passphrase).digest()
|
||||
return authorize(user, element, tenant, operation)
|
||||
if pam:
|
||||
pwe = None
|
||||
try:
|
||||
pwe = pwd.getpwnam(user)
|
||||
except KeyError:
|
||||
#pam won't work if the user doesn't exist, don't go further
|
||||
eventlet.sleep(0.05) # stall even on test for existence of a username
|
||||
return None
|
||||
if os.getuid() != 0:
|
||||
# confluent is running with reduced privilege, however, pam_unix refuses
|
||||
# to let a non-0 user check anothers password.
|
||||
@ -267,7 +275,9 @@ def check_user_passphrase(name, passphrase, operation=None, element=None, tenant
|
||||
if not pid:
|
||||
usergood = False
|
||||
try:
|
||||
os.setuid(0)
|
||||
# we change to the uid we are trying to authenticate as, because
|
||||
# pam_unix uses unix_chkpwd which reque
|
||||
os.setuid(pwe.pw_uid)
|
||||
usergood = pam.authenticate(user, passphrase, service=_pamservice)
|
||||
finally:
|
||||
os._exit(0 if usergood else 1)
|
||||
|
@ -14,7 +14,7 @@ ConfigurationDirectory=confluent
|
||||
ExecStart=/opt/confluent/bin/confluent
|
||||
ExecStop=/opt/confluent/bin/confetty shutdown /
|
||||
Restart=on-failure
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_READ_SEARCH CAP_CHOWN
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN
|
||||
User=confluent
|
||||
Group=confluent
|
||||
DevicePolicy=closed
|
||||
|
Loading…
Reference in New Issue
Block a user