[pve-devel] r4834 - pve-access-control/trunk
svn-commits at proxmox.com
svn-commits at proxmox.com
Wed Jun 23 10:10:50 CEST 2010
Author: dietmar
Date: 2010-06-23 08:10:49 +0000 (Wed, 23 Jun 2010)
New Revision: 4834
Added:
pve-access-control/trunk/pveum
Removed:
pve-access-control/trunk/pvesh
pve-access-control/trunk/pveum-pl
pve-access-control/trunk/pveum.c
Modified:
pve-access-control/trunk/AccessControl.pm
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/Makefile
Log:
* pveum: implement some simple functions (add user, create ticket)
* pveum-pl: rename to pveum
* pveum.c: remove suexec code - we will use a daemon instead
* pvesh: removed (dead code)
Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm 2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/AccessControl.pm 2010-06-23 08:10:49 UTC (rev 4834)
@@ -8,7 +8,6 @@
use Crypt::OpenSSL::Random;
use Crypt::OpenSSL::RSA;
use MIME::Base64;
-use JSON;
use Authen::PAM qw(:constants);
use Data::Dumper; # fixme: remove
@@ -88,7 +87,6 @@
my $old_umask;
-
$cmd = [ $cmd ] if !ref($cmd);
my $cmdstr = join (' ', @$cmd);
@@ -428,32 +426,6 @@
return $username;
}
-sub secure_exec {
- my ($ticket, $method, $param) = @_;
-
- my $input = "JSON:PARAM:". encode_json({method => $method, params => $param});
- my $res;
- run_command(['/usr/bin/pveum', 'jsoncmd'],
- input => $input,
- ticket => $ticket,
- errmsg => "$method failed",
- outfunc => sub {
- my $data = shift;
- if ($data =~ m/^JSON:RESULT:(.*)$/) {
- $res = $1;
- } else {
- print "$data\n";
- }
- });
-
- die "secure_exec: command did not return a result\n" if !defined($res);
-
- my $data = decode_json($res);
- die $data->{error} if $data->{error};
-
- return $data->{result};
-}
-
sub create_ticket {
my ($ticket, @param) = @_;
@@ -461,9 +433,30 @@
}
sub add_user {
- my ($ticket, @param) = @_;
+ my ($newusername, $passwd) = @_;
- return secure_exec($ticket, 'add_user', [ @param ]);
+ my $domain;
+
+ ($newusername, undef, $domain) = verify_username ($newusername);
+
+ my $usercfg = load_user_config();
+
+ die "user '$newusername' already exists\n"
+ if $usercfg->{users}->{$newusername};
+
+ if (!$domain) {
+ die "missing password\n" if !$passwd;
+
+ # fixme: store password somewhere into a protected file
+ } else {
+ die "can't set password on auth domain '$domain'\n" if $passwd;
+ }
+
+ warn "add user $newusername, $passwd not implemented\n";
+
+ $usercfg->{users}->{$newusername} = { enabled => 1 };
+
+ save_user_config ($usercfg);
}
my $valid_privs = {
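Review bot: The `warn "add user $newusername, $passwd not implemented\n";` line inside add_user echoes the cleartext password on STDERR, so terminal scrollback or any wrapper that captures the tool's output ends up holding the secret; drop it from the message, e.g. `warn "add user $newusername not implemented\n";`. The pveum-pl version of add_user being deleted in this same revision checked `$perm->{'SetPermissions'}` before writing the config, whereas the new library sub saves unconditionally; that is defensible while its only caller is the root-only pveum script, but it should be stated on the sub, e.g. `# no authorization check here - callers (pveum, root only) are trusted`. Note also that `die "missing password\n" if !$passwd;` rejects the literal password "0"; `if !defined($passwd) || $passwd eq ''` expresses the intent precisely.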
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/ChangeLog 2010-06-23 08:10:49 UTC (rev 4834)
@@ -1,5 +1,13 @@
2010-06-23 Proxmox Support Team <support at proxmox.com>
+ * pveum: inplement some simple functions (add user, create ticket)
+
+ * pveum-pl: rename to pveum
+
+ * pveum.c: remove suexec code - we will use a daemon instead
+
+ * pvesh: removed (dead code)
+
* test/dump-perm.pl: simple script to dump permissions
* test/: created new directory for test skripts
Modified: pve-access-control/trunk/Makefile
===================================================================
--- pve-access-control/trunk/Makefile 2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/Makefile 2010-06-23 08:10:49 UTC (rev 4834)
@@ -22,22 +22,16 @@
dinstall: deb
dpkg -i ${DEB}
-pveum: pveum.c
- gcc pveum.c -o pveum
-
-install: pveum pveum-pl AccessControl.pm
+install: pveum AccessControl.pm
install -d ${DESTDIR}${BINDIR}
install -d ${DESTDIR}${SBINDIR}
- install -s -m 4755 pveum ${DESTDIR}${BINDIR}
- install -m 0755 pveum-pl ${DESTDIR}${SBINDIR}
- install -m 0755 pvesh ${DESTDIR}${BINDIR}
+ install -m 0755 pveum ${DESTDIR}${SBINDIR}
install -D -m 0644 AccessControl.pm ${DESTDIR}${PERLDIR}/PVE/AccessControl.pm
install -d ${DESTDIR}/usr/share/man/man1
- pod2man -n pveum -s 1 -r "proxmox 2.0" -c "Proxmox Documentation" <pveum-pl | gzip -9 > ${DESTDIR}/usr/share/man/man1/pveum.1.gz
- pod2man -n pvesh -s 1 -r "proxmox 2.0" -c "Proxmox Documentation" <pvesh | gzip -9 > ${DESTDIR}/usr/share/man/man1/pvesh.1.gz
+ pod2man -n pveum -s 1 -r "proxmox 2.0" -c "Proxmox Documentation" <pveum | gzip -9 > ${DESTDIR}/usr/share/man/man1/pveum.1.gz
.PHONY: deb
-deb ${DEB}: pveum pveum-pl AccessControl.pm control.in copyright changelog.Debian ChangeLog
+deb ${DEB}: pveum AccessControl.pm control.in copyright changelog.Debian ChangeLog
rm -rf debian
mkdir debian
make DESTDIR=debian install
@@ -55,7 +49,7 @@
.PHONY: clean
clean:
- rm -rf debian pveum *~ *.deb ${PACKAGE}-*.tar.gz
+ rm -rf debian *~ *.deb ${PACKAGE}-*.tar.gz
.PHONY: distclean
distclean: clean
Deleted: pve-access-control/trunk/pvesh
===================================================================
--- pve-access-control/trunk/pvesh 2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/pvesh 2010-06-23 08:10:49 UTC (rev 4834)
@@ -1,35 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-use Term::ReadLine;
-use PVE::AccessControl;
-
-die "PVETICKET is already set\n" if $ENV{PVETICKET};
-
-my $term = new Term::ReadLine ('pvesh');
-
-my $username = $term->readline('username: ');
-die "no username specified\n" if !$username;
-
-my $attribs = $term->Attribs;
-$attribs->{redisplay_function} = $attribs->{shadow_redisplay};
-my $password = $term->readline("password: ");
-
-$ENV{PVETICKET} = PVE::AccessControl::create_ticket(undef, $username, $password);
-exec($ENV{SHELL});
-
-exit(0);
-
-__END__
-
-=head1 NAME
-
-pveum - PVE Shell
-
-=head1 SYNOPSIS
-
- pvesh
-
-=head1 DESCRIPTION
-
-no description available
Added: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum (rev 0)
+++ pve-access-control/trunk/pveum 2010-06-23 08:10:49 UTC (rev 4834)
@@ -0,0 +1,102 @@
+#!/usr/bin/perl -w
+
+use strict;
+use Getopt::Long;
+use PVE::AccessControl;
+use File::Path qw(make_path remove_tree);
+use Term::ReadLine;
+
+use Data::Dumper; # fixme: remove
+use Time::HiRes qw( usleep ualarm gettimeofday tv_interval ); # fixme: remove
+
+$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
+
+#fixme: logging?
+
+# my $euid = $>; my $ruid = $<; print STDERR "EUID $euid UID $ruid\n";
+
+die "please run as root\n" if $> != 0;
+
+# autmatically generate the private key if it does not already exists
+my $authdir = PVE::AccessControl::auth_data_dir();
+if (! -f "$authdir/authkey.key") {
+ mkdir $authdir;
+
+ my $cmd = "openssl genrsa -out '$authdir/authkey.key' 1024";
+ PVE::AccessControl::run_command($cmd, umask => 0177);
+ $cmd = "openssl rsa -in '$authdir/authkey.key' -pubout -out '$authdir/authkey.pub'";
+ PVE::AccessControl::run_command($cmd, umask => 0133)
+}
+
+sub print_usage {
+ my $msg = shift;
+
+ print STDERR "ERROR: $msg\n" if $msg;
+ print STDERR "USAGE: pveum <COMMAND> [OPTIONS]\n";
+}
+
+if (!scalar (@ARGV)) {
+ print_usage ("no command specified");
+ exit (-1);
+}
+
+sub read_password {
+
+ my $term = new Term::ReadLine ('pveum');
+ my $attribs = $term->Attribs;
+ $attribs->{redisplay_function} = $attribs->{shadow_redisplay};
+ my $input = $term->readline('password: ');
+ return $input;
+}
+
+my $cmd = shift;
+
+if ($cmd eq 'ticket') {
+
+ my $username = shift;
+
+ die "no username specified\n" if !$username;
+
+ my $passwd = read_password();
+
+ my $user = PVE::AccessControl::authenticate_user($username, $passwd);
+ my $ticket = PVE::AccessControl::assemble_ticket($user);
+
+ print "$ticket\n";
+
+ exit (0);
+
+} elsif ($cmd eq 'adduser') {
+
+ my $username = shift;
+
+ die "no username specified\n" if !$username;
+
+ my $passwd = read_password();
+
+ PVE::AccessControl::add_user($username, $passwd);
+
+ exit(0);
+
+} else {
+
+ print_usage("unknown command '$cmd'");
+ exit(-1);
+
+}
+
+exit 0;
+
+__END__
+
+=head1 NAME
+
+pveum - PVE User Manager
+
+=head1 SYNOPSIS
+
+ pveum <COMMAND> [OPTIONS]
+
+=head1 DESCRIPTION
+
+no description available
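Review bot: `mkdir $authdir;` in the key-generation block ignores its return value and uses the default mode, so a failed mkdir (missing parent, permission problem) only surfaces as a less obvious openssl error, and the directory that holds the private key gets whatever mode the process umask allows; use `mkdir $authdir, 0700 or die "mkdir $authdir: $!\n" if ! -d $authdir;` (the `umask => 0177` on the genrsa call protects the key file itself, not the directory). The shebang drops the `-T` taint flag that pveum-pl had; with the setuid install gone this is presumably intentional, but a one-line comment next to `die "please run as root\n"` saying that root-only invocation is why taint checking was dropped would save the next reader from guessing. `new Term::ReadLine ('pveum')` in read_password is indirect-object syntax; prefer `Term::ReadLine->new('pveum')`.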
Property changes on: pve-access-control/trunk/pveum
___________________________________________________________________
Added: svn:executable
+ *
Deleted: pve-access-control/trunk/pveum-pl
===================================================================
--- pve-access-control/trunk/pveum-pl 2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/pveum-pl 2010-06-23 08:10:49 UTC (rev 4834)
@@ -1,211 +0,0 @@
-#!/usr/bin/perl -w -T
-
-use strict;
-use Getopt::Long;
-use JSON;
-use PVE::AccessControl;
-use File::Path qw(make_path remove_tree);
-
-use Data::Dumper; # fixme: remove
-use Time::HiRes qw( usleep ualarm gettimeofday tv_interval ); # fixme: remove
-
-$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
-
-#fixme: logging?
-
-# my $euid = $>; my $ruid = $<; print STDERR "EUID $euid UID $ruid\n";
-
-die "please run as root\n" if $> != 0;
-
-# autmatically generate the private key if it does not already exists
-my $authdir = PVE::AccessControl::auth_data_dir();
-if (! -f "$authdir/authkey.key") {
- mkdir $authdir;
-
- my $cmd = "openssl genrsa -out '$authdir/authkey.key' 1024";
- PVE::AccessControl::run_command($cmd, umask => 0177);
- $cmd = "openssl rsa -in '$authdir/authkey.key' -pubout -out '$authdir/authkey.pub'";
- PVE::AccessControl::run_command($cmd, umask => 0133)
-}
-
-sub print_usage {
- my $msg = shift;
-
- print STDERR "ERROR: $msg\n" if $msg;
- print STDERR "USAGE: pveum <COMMAND> [OPTIONS]\n";
-}
-
-if (!scalar (@ARGV)) {
- print_usage ("no command specified");
- exit (-1);
-}
-
-my $cmd = shift;
-
-my $ticket = $ENV{PVETICKET};
-
-# fixme: check if this is secure?
-# auto generate ticket for local users (ident auth)
-if (!$ticket) {
- my $login = getpwuid($<);
- my $username = ($< == 0) ? 'root' : "$login\@localhost";
- my $usercfg = PVE::AccessControl::load_user_config();
- if (PVE::AccessControl::user_enabled($usercfg, $username)) {
- $ticket = PVE::AccessControl::assemble_ticket($username);
- }
-}
-
-if ($cmd eq 'ticket') {
-
- my $new_ticket;
-
- my $input = PVE::AccessControl::safe_read_from(\*STDIN, 4096, 1);
-
- if ($input =~ m/^USER:(\S+):(.*)$/) {
- my $username = $1;
- my $passwd = $2;
-
- $new_ticket = create_ticket($ticket, $username, $passwd);
-
- } else {
- die "syntax error - can't parse input\n";
- }
-
- print "${new_ticket}\n";
-
- exit (0);
-}
-
-# all other commands need a valid ticket
-my $ticket_username = PVE::AccessControl::verify_ticket($ticket);
-
-if ($cmd eq 'jsoncmd') {
-
- # we use this insead of a daemon - this way we can execute functions
- # with 'root' priviledges (because this program use setuid root)
-
- my $result;
-
- eval {
-
- my $input = PVE::AccessControl::safe_read_from(\*STDIN);
-
- die "unable to parse input\n"
- if ! ($input =~ s/^JSON:PARAM://);
-
- my $data = decode_json($input);
-
- my $valid_cmds = {
- create_ticket => 1,
- add_user => 1,
- };
-
- my $method = $data->{method} || die "no command specified\n";
-
- die "unknown method '$method'\n" if !$valid_cmds->{$method};
-
- my $func = __PACKAGE__->can($method) || die "internal error\n";
-
- my $env = {
- ticket => $ticket,
- username => $ticket_username,
- };
-
- $result = &$func($env, @{$data->{params}});
- };
- my $error = $@ || undef;
-
- my $json = encode_json({ result => $result, error => $error});
-
- print "JSON:RESULT:$json\n";
-
- exit (0);
-}
-
-if ($cmd eq 'adduser') {
-
- my $input = PVE::AccessControl::safe_read_from(\*STDIN, 4096, 1);
-
- if ($input =~ m/^USER:(\S+):(.*)$/) {
- my $username = $1;
- my $passwd = $2;
-
- PVE::AccessControl::add_user($ticket, $username, $passwd);
-
- } else {
- die "syntax error - can't parse input\n";
- }
-
-} else {
- print_usage ("unknown command '$cmd'");
- exit(-1);
-}
-
-exit 0;
-
-sub create_ticket {
- my ($env, $username, $passwd) = @_;
-
- $username = PVE::AccessControl::verify_username ($username);
-
- my $user;
- if ($env->{ticket} && !$passwd) {
- die "missing parameter '$username'\n" if !$username;
-
- $user = PVE::AccessControl::verify_ticket($env->{ticket});
- die "permission denied - username does not match\n" if $user ne $username;
- } else {
- $user = PVE::AccessControl::authenticate_user($username, $passwd);
- }
-
- return PVE::AccessControl::assemble_ticket($user);
-}
-
-sub add_user {
- my ($env, $newusername, $passwd) = @_;
-
- my $domain;
-
- ($newusername, undef, $domain) = PVE::AccessControl::verify_username ($newusername);
-
- my $usercfg = PVE::AccessControl::load_user_config();
-
- die "user '$newusername' already exists\n"
- if $usercfg->{users}->{$newusername};
-
- my $perm = PVE::AccessControl::permission ($usercfg, $env->{username}, '/users');
-
- #print "PERMISSIONS: " . Dumper($perm) . "\n";;
-
- die "no permissions\n" if !$perm->{'SetPermissions'};
-
- if (!$domain) {
- die "missing password\n" if !$passwd;
-
- # fixme: store password somewhere into a protected file
- } else {
- die "can't set password on auth domain '$domain'\n" if $passwd;
- }
-
- print STDERR "real add user $newusername, $passwd\n";
-
- $usercfg->{users}->{$newusername} = { enabled => 1 };
-
- PVE::AccessControl::save_user_config($usercfg);
-}
-
-exit (0);
-
-__END__
-
-=head1 NAME
-
-pveum - PVE User Manager
-
-=head1 SYNOPSIS
-
- pveum <COMMAND> [OPTIONS]
-
-=head1 DESCRIPTION
-
-no description available
Deleted: pve-access-control/trunk/pveum.c
===================================================================
--- pve-access-control/trunk/pveum.c 2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/pveum.c 2010-06-23 08:10:49 UTC (rev 4834)
@@ -1,7 +0,0 @@
-
-#define REAL_PATH "/usr/sbin/pveum-pl"
-main(ac, av)
-char **av;
-{
- execv(REAL_PATH, av);
-}