[pve-devel] r4834 - pve-access-control/trunk

svn-commits at proxmox.com svn-commits at proxmox.com
Wed Jun 23 10:10:50 CEST 2010


Author: dietmar
Date: 2010-06-23 08:10:49 +0000 (Wed, 23 Jun 2010)
New Revision: 4834

Added:
   pve-access-control/trunk/pveum
Removed:
   pve-access-control/trunk/pvesh
   pve-access-control/trunk/pveum-pl
   pve-access-control/trunk/pveum.c
Modified:
   pve-access-control/trunk/AccessControl.pm
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/Makefile
Log:
* pveum: implement some simple functions (add user, create ticket)

* pveum-pl: rename to pveum

* pveum.c: remove suexec code - we will use a daemon instead

* pvesh: removed (dead code)



Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm	2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/AccessControl.pm	2010-06-23 08:10:49 UTC (rev 4834)
@@ -8,7 +8,6 @@
 use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
 use MIME::Base64;
-use JSON;
 use Authen::PAM qw(:constants);
 use Data::Dumper; # fixme: remove
 
@@ -88,7 +87,6 @@
 
     my $old_umask;
 
-
     $cmd = [ $cmd ] if !ref($cmd);
 
     my $cmdstr = join (' ', @$cmd);
@@ -428,32 +426,6 @@
     return $username;
 }
 
-sub secure_exec {
-    my ($ticket, $method, $param) = @_;
-
-    my $input = "JSON:PARAM:". encode_json({method => $method, params => $param});
-    my $res;
-    run_command(['/usr/bin/pveum', 'jsoncmd'], 
-		input => $input, 
-		ticket => $ticket, 
-		errmsg => "$method failed",
-		outfunc => sub { 
-		    my $data = shift;
-		    if ($data =~ m/^JSON:RESULT:(.*)$/) {
-			$res = $1;
-		    } else {
-			print "$data\n";
-		    }
-		});
-
-    die "secure_exec: command did not return a result\n" if !defined($res); 
-
-    my $data = decode_json($res);
-    die $data->{error} if $data->{error};
-
-    return $data->{result};
-}
-
 sub create_ticket {
     my ($ticket, @param) = @_;
 
@@ -461,9 +433,30 @@
 }
 
 sub add_user {
-    my ($ticket, @param) = @_;
+    my ($newusername, $passwd) = @_;
 
-    return secure_exec($ticket, 'add_user', [ @param ]);
+    my $domain;
+
+    ($newusername, undef, $domain) = verify_username ($newusername);
+
+    my $usercfg = load_user_config();
+
+    die "user '$newusername' already exists\n" 
+	if $usercfg->{users}->{$newusername};
+
+    if (!$domain) {
+	die "missing password\n" if !$passwd;
+
+	# fixme: store password somewhere into a protected file
+    } else {
+	die "can't set password on auth domain '$domain'\n" if $passwd;
+    }
+
+    warn "add user $newusername, $passwd not implemented\n";
+
+    $usercfg->{users}->{$newusername} = { enabled => 1 };
+
+    save_user_config ($usercfg);
 }
 
 my $valid_privs = {
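Review bot: `warn "add user $newusername, $passwd not implemented\n";` writes the cleartext password to stderr, where it lands in terminal scrollback and whatever captures the output; leave it out of the message, `warn "add user $newusername not implemented\n";`. The sub then stores the user with `enabled => 1` although the password is never persisted (the fixme just above), so until that is done an enabled account exists whose login behaviour depends on what authenticate_user does with a missing password — presumably it fails, but that is not visible here. Unlike the add_user that this commit deletes from pveum-pl, this version performs no authorization check before save_user_config, so gating rests entirely on the callers (currently the root-only pveum); a header comment such as `# does not check permissions - the caller is responsible for authorization` would keep that contract explicit. add_user is entirely within the hunk.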

Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/ChangeLog	2010-06-23 08:10:49 UTC (rev 4834)
@@ -1,5 +1,13 @@
 2010-06-23  Proxmox Support Team  <support at proxmox.com>
 
+	* pveum: inplement some simple functions (add user, create ticket) 
+
+	* pveum-pl: rename to pveum
+
+	* pveum.c: remove suexec code - we will use a daemon instead
+
+	* pvesh: removed (dead code)
+	
 	* test/dump-perm.pl: simple script to dump permissions
 
 	* test/: created new directory for test skripts

Modified: pve-access-control/trunk/Makefile
===================================================================
--- pve-access-control/trunk/Makefile	2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/Makefile	2010-06-23 08:10:49 UTC (rev 4834)
@@ -22,22 +22,16 @@
 dinstall: deb
 	dpkg -i ${DEB}
 
-pveum: pveum.c
-	gcc pveum.c -o pveum
-
-install: pveum pveum-pl AccessControl.pm 
+install: pveum AccessControl.pm 
 	install -d ${DESTDIR}${BINDIR}
 	install -d ${DESTDIR}${SBINDIR}
-	install -s -m 4755 pveum ${DESTDIR}${BINDIR}
-	install -m 0755 pveum-pl ${DESTDIR}${SBINDIR}
-	install -m 0755 pvesh ${DESTDIR}${BINDIR}
+	install -m 0755 pveum ${DESTDIR}${SBINDIR}
 	install -D -m 0644 AccessControl.pm ${DESTDIR}${PERLDIR}/PVE/AccessControl.pm
 	install -d ${DESTDIR}/usr/share/man/man1
-	pod2man -n pveum -s 1 -r "proxmox 2.0" -c "Proxmox Documentation" <pveum-pl | gzip -9 > ${DESTDIR}/usr/share/man/man1/pveum.1.gz
-	pod2man -n pvesh -s 1 -r "proxmox 2.0" -c "Proxmox Documentation" <pvesh | gzip -9 > ${DESTDIR}/usr/share/man/man1/pvesh.1.gz
+	pod2man -n pveum -s 1 -r "proxmox 2.0" -c "Proxmox Documentation" <pveum | gzip -9 > ${DESTDIR}/usr/share/man/man1/pveum.1.gz
 
 .PHONY: deb
-deb ${DEB}: pveum pveum-pl AccessControl.pm control.in copyright changelog.Debian ChangeLog
+deb ${DEB}: pveum AccessControl.pm control.in copyright changelog.Debian ChangeLog
 	rm -rf debian
 	mkdir debian
 	make DESTDIR=debian install
@@ -55,7 +49,7 @@
 
 .PHONY: clean
 clean: 	
-	rm -rf debian pveum *~ *.deb ${PACKAGE}-*.tar.gz
+	rm -rf debian *~ *.deb ${PACKAGE}-*.tar.gz
 
 .PHONY: distclean
 distclean: clean

Deleted: pve-access-control/trunk/pvesh
===================================================================
--- pve-access-control/trunk/pvesh	2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/pvesh	2010-06-23 08:10:49 UTC (rev 4834)
@@ -1,35 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-use Term::ReadLine;
-use PVE::AccessControl;
-
-die "PVETICKET is already set\n" if $ENV{PVETICKET};
-
-my $term = new Term::ReadLine ('pvesh');
-
-my $username = $term->readline('username: ');
-die "no username specified\n" if !$username;
-
-my $attribs = $term->Attribs;
-$attribs->{redisplay_function} = $attribs->{shadow_redisplay};
-my $password = $term->readline("password: ");
-
-$ENV{PVETICKET} = PVE::AccessControl::create_ticket(undef, $username, $password);
-exec($ENV{SHELL}); 
-
-exit(0);
-
-__END__
-
-=head1 NAME
-
-pveum - PVE Shell
-
-=head1 SYNOPSIS
-
-    pvesh
-
-=head1 DESCRIPTION
-
-no description available

Added: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum	                        (rev 0)
+++ pve-access-control/trunk/pveum	2010-06-23 08:10:49 UTC (rev 4834)
@@ -0,0 +1,102 @@
+#!/usr/bin/perl -w 
+
+use strict;
+use Getopt::Long;
+use PVE::AccessControl;
+use File::Path qw(make_path remove_tree);
+use Term::ReadLine;
+
+use Data::Dumper; # fixme: remove
+use Time::HiRes qw( usleep ualarm gettimeofday tv_interval ); # fixme: remove
+
+$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
+
+#fixme: logging?
+
+# my $euid = $>; my $ruid = $<; print STDERR "EUID $euid UID $ruid\n";
+
+die "please run as root\n" if $> != 0;
+
+# autmatically generate the private key if it does not already exists
+my $authdir = PVE::AccessControl::auth_data_dir();
+if (! -f "$authdir/authkey.key") {
+    mkdir $authdir;
+ 
+    my $cmd = "openssl genrsa -out '$authdir/authkey.key' 1024";
+    PVE::AccessControl::run_command($cmd, umask => 0177);
+    $cmd = "openssl rsa -in '$authdir/authkey.key' -pubout -out '$authdir/authkey.pub'";
+    PVE::AccessControl::run_command($cmd, umask => 0133)
+}
+
+sub print_usage {
+    my $msg = shift;
+
+    print STDERR "ERROR: $msg\n" if $msg;
+    print STDERR "USAGE: pveum <COMMAND> [OPTIONS]\n";
+}
+
+if (!scalar (@ARGV)) {
+    print_usage ("no command specified");
+    exit (-1);
+}
+
+sub read_password {
+
+    my $term = new Term::ReadLine ('pveum');
+    my $attribs = $term->Attribs;
+    $attribs->{redisplay_function} = $attribs->{shadow_redisplay};
+    my $input = $term->readline('password: ');
+    return $input;
+}
+
+my $cmd = shift;
+
+if ($cmd eq 'ticket') {
+
+    my $username = shift;
+
+    die "no username specified\n" if !$username;
+
+    my $passwd = read_password();
+	
+    my $user = PVE::AccessControl::authenticate_user($username, $passwd);
+    my $ticket = PVE::AccessControl::assemble_ticket($user);
+
+    print "$ticket\n";
+
+    exit (0);
+
+} elsif ($cmd eq 'adduser') {
+
+    my $username = shift;
+
+    die "no username specified\n" if !$username;
+
+    my $passwd = read_password();
+	
+    PVE::AccessControl::add_user($username, $passwd);
+
+    exit(0);
+
+} else {
+
+    print_usage("unknown command '$cmd'");
+    exit(-1);
+
+}
+
+exit 0;
+
+__END__
+
+=head1 NAME
+
+pveum - PVE User Manager
+
+=head1 SYNOPSIS
+
+    pveum <COMMAND> [OPTIONS]
+
+=head1 DESCRIPTION
+
+no description available
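Review bot: `mkdir $authdir;` in the key-generation block is unchecked and uses the default mode, so the directory that will hold the private signing key is created with whatever the umask leaves of 0777, and a failed mkdir only surfaces later as a confusing openssl error; `mkdir $authdir, 0700 or die "unable to create '$authdir': $!\n" if ! -d $authdir;` makes both explicit. The two openssl commands are shell strings with `$authdir` interpolated — the value comes from auth_data_dir() and is presumably fixed, but run_command also accepts an array ref (seen in the AccessControl.pm hunk), so the list form would avoid the shell if run_command execs it directly. A 1024-bit RSA key is below current recommendations for a key that signs tickets; `2048` is the safer default. The shebang also drops the `-T` that pveum-pl carried, and `new Term::ReadLine ('pveum')` in read_password is indirect-object syntax that should be `Term::ReadLine->new('pveum')`.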


Property changes on: pve-access-control/trunk/pveum
___________________________________________________________________
Added: svn:executable
   + *

Deleted: pve-access-control/trunk/pveum-pl
===================================================================
--- pve-access-control/trunk/pveum-pl	2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/pveum-pl	2010-06-23 08:10:49 UTC (rev 4834)
@@ -1,211 +0,0 @@
-#!/usr/bin/perl -w -T
-
-use strict;
-use Getopt::Long;
-use JSON;
-use PVE::AccessControl;
-use File::Path qw(make_path remove_tree);
-
-use Data::Dumper; # fixme: remove
-use Time::HiRes qw( usleep ualarm gettimeofday tv_interval ); # fixme: remove
-
-$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
-
-#fixme: logging?
-
-# my $euid = $>; my $ruid = $<; print STDERR "EUID $euid UID $ruid\n";
-
-die "please run as root\n" if $> != 0;
-
-# autmatically generate the private key if it does not already exists
-my $authdir = PVE::AccessControl::auth_data_dir();
-if (! -f "$authdir/authkey.key") {
-    mkdir $authdir;
- 
-    my $cmd = "openssl genrsa -out '$authdir/authkey.key' 1024";
-    PVE::AccessControl::run_command($cmd, umask => 0177);
-    $cmd = "openssl rsa -in '$authdir/authkey.key' -pubout -out '$authdir/authkey.pub'";
-    PVE::AccessControl::run_command($cmd, umask => 0133)
-}
-
-sub print_usage {
-    my $msg = shift;
-
-    print STDERR "ERROR: $msg\n" if $msg;
-    print STDERR "USAGE: pveum <COMMAND> [OPTIONS]\n";
-}
-
-if (!scalar (@ARGV)) {
-    print_usage ("no command specified");
-    exit (-1);
-}
-
-my $cmd = shift;
-
-my $ticket =  $ENV{PVETICKET};
-
-# fixme: check if this is secure?
-# auto generate ticket for local users (ident auth)
-if (!$ticket) {
-    my $login = getpwuid($<);
-    my $username = ($< == 0) ? 'root' : "$login\@localhost";
-    my $usercfg = PVE::AccessControl::load_user_config();
-    if (PVE::AccessControl::user_enabled($usercfg, $username)) {
-	$ticket = PVE::AccessControl::assemble_ticket($username);
-    }
-}
-
-if ($cmd eq 'ticket') {
-
-    my $new_ticket;
-
-    my $input = PVE::AccessControl::safe_read_from(\*STDIN, 4096, 1);
-
-    if ($input =~ m/^USER:(\S+):(.*)$/) {
-	my $username = $1;
-	my $passwd = $2;
-	
-	$new_ticket = create_ticket($ticket, $username, $passwd);
-
-    } else {
-	die "syntax error - can't parse input\n";
-    }
-
-    print "${new_ticket}\n";
-
-    exit (0);
-}
-
-# all other commands need a valid ticket
-my $ticket_username = PVE::AccessControl::verify_ticket($ticket);
-
-if ($cmd eq 'jsoncmd') {
-
-    # we use this insead of a daemon - this way we can execute functions 
-    # with 'root' priviledges (because this program use setuid root)
-
-    my $result;
-
-    eval { 
-
-	my $input =  PVE::AccessControl::safe_read_from(\*STDIN);
-
-	die "unable to parse input\n"
-	    if ! ($input =~ s/^JSON:PARAM://);
-
-	my $data = decode_json($input);
-
-	my $valid_cmds = { 
-	    create_ticket => 1,
-	    add_user => 1,
-	};
-
-	my $method = $data->{method} || die "no command specified\n";
-
-	die "unknown method '$method'\n" if !$valid_cmds->{$method};
-
-	my $func = __PACKAGE__->can($method) || die "internal error\n";
-
-	my $env = {
-	    ticket => $ticket,
-	    username => $ticket_username,
-	};
-
-	$result = &$func($env, @{$data->{params}}); 
-    };
-    my $error = $@ || undef;
-
-    my $json = encode_json({ result => $result, error => $error});
-
-    print "JSON:RESULT:$json\n";
- 
-    exit (0);
-}
-
-if ($cmd eq 'adduser') {
-
-    my $input = PVE::AccessControl::safe_read_from(\*STDIN, 4096, 1);
- 
-    if ($input =~ m/^USER:(\S+):(.*)$/) {
-	my $username = $1;
-	my $passwd = $2;
-
-	PVE::AccessControl::add_user($ticket, $username, $passwd);
-
-    } else {
-	die "syntax error - can't parse input\n";
-    }
-
-} else {
-    print_usage ("unknown command '$cmd'");
-    exit(-1);
-}
-
-exit 0;
-
-sub create_ticket {
-    my ($env, $username, $passwd) = @_;
-
-    $username = PVE::AccessControl::verify_username ($username);
-
-    my $user;
-    if ($env->{ticket} && !$passwd) {
-	die "missing parameter '$username'\n" if !$username;
-
-	$user = PVE::AccessControl::verify_ticket($env->{ticket});
-	die "permission denied - username does not match\n" if $user ne $username;
-    } else {
-	$user = PVE::AccessControl::authenticate_user($username, $passwd);
-    }
-    
-    return PVE::AccessControl::assemble_ticket($user);
-}
-
-sub add_user {
-    my ($env, $newusername, $passwd) = @_;
-
-    my $domain;
-
-    ($newusername, undef, $domain) = PVE::AccessControl::verify_username ($newusername);
-
-    my $usercfg = PVE::AccessControl::load_user_config();
-
-    die "user '$newusername' already exists\n" 
-	if $usercfg->{users}->{$newusername};
-
-    my $perm = PVE::AccessControl::permission ($usercfg, $env->{username}, '/users');
-
-    #print "PERMISSIONS: " . Dumper($perm) . "\n";;
-
-    die "no permissions\n" if !$perm->{'SetPermissions'};
-
-    if (!$domain) {
-	die "missing password\n" if !$passwd;
-
-	# fixme: store password somewhere into a protected file
-    } else {
-	die "can't set password on auth domain '$domain'\n" if $passwd;
-    }
-
-    print STDERR "real add user $newusername, $passwd\n";
-
-    $usercfg->{users}->{$newusername} = { enabled => 1 };
-
-    PVE::AccessControl::save_user_config($usercfg);
-}
-
-exit (0);
-
-__END__
-
-=head1 NAME
-
-pveum - PVE User Manager
-
-=head1 SYNOPSIS
-
-    pveum <COMMAND> [OPTIONS]
-
-=head1 DESCRIPTION
-
-no description available

Deleted: pve-access-control/trunk/pveum.c
===================================================================
--- pve-access-control/trunk/pveum.c	2010-06-23 06:33:46 UTC (rev 4833)
+++ pve-access-control/trunk/pveum.c	2010-06-23 08:10:49 UTC (rev 4834)
@@ -1,7 +0,0 @@
-
-#define REAL_PATH "/usr/sbin/pveum-pl"
-main(ac, av)
-char **av;
-{
-	execv(REAL_PATH, av);
-}



