From f91a961112ec9796181b42aa52f9c36dfa3c6a99 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>

Date: Tue, 2 Apr 2019 10:13:21 +0200

Subject: [PATCH 1/7] High: libservices: fix use-after-free wrt. alert handling

This could possibly lead to unsolicited information disclosure by the

means of standard output of the immediately preceding agent/resource

execution leaking into the log stream under some circumstances.

It was hence assigned CVE-2019-3885.

The provoked pathological state of pacemaker-execd daemon progresses

towards crashing it for hitting segmentation fault.

---

 lib/services/services.c       | 40 +---------------------------------------

 lib/services/services_linux.c | 35 +++++++++++++++++++++++++++++++----

 2 files changed, 32 insertions(+), 43 deletions(-)

diff --git a/lib/services/services.c b/lib/services/services.c

index ef2c5fc..1d06c5d 100644

--- a/lib/services/services.c

+++ b/lib/services/services.c

@@ -450,35 +450,6 @@ services_action_user(svc_action_t *op, const char *user)

     return crm_user_lookup(user, &(op->opaque->uid), &(op->opaque->gid));

 }

-static void

-set_alert_env(gpointer key, gpointer value, gpointer user_data)

-{

-    int rc;

-

-    if (value) {

-        rc = setenv(key, value, 1);

-    } else {

-        rc = unsetenv(key);

-    }

-

-    if (rc < 0) {

-        crm_perror(LOG_ERR, "setenv %s=%s",

-                  (char*)key, (value? (char*)value : ""));

-    } else {

-        crm_trace("setenv %s=%s", (char*)key, (value? (char*)value : ""));

-    }

-}

-

-static void

-unset_alert_env(gpointer key, gpointer value, gpointer user_data)

-{

-    if (unsetenv(key) < 0) {

-        crm_perror(LOG_ERR, "unset %s", (char*)key);

-    } else {

-        crm_trace("unset %s", (char*)key);

-    }

-}

-

 /*!

  * \brief Execute an alert agent action

  *

@@ -493,18 +464,9 @@ unset_alert_env(gpointer key, gpointer value, gpointer user_data)

 gboolean

 services_alert_async(svc_action_t *action, void (*cb)(svc_action_t *op))

 {

-    gboolean responsible;

-

     action->synchronous = false;

     action->opaque->callback = cb;

-    if (action->params) {

-        g_hash_table_foreach(action->params, set_alert_env, NULL);

-    }

-    responsible = services_os_action_execute(action);

-    if (action->params) {

-        g_hash_table_foreach(action->params, unset_alert_env, NULL);

-    }

-    return responsible;

+    return services_os_action_execute(action);

 }

 #if SUPPORT_DBUS

diff --git a/lib/services/services_linux.c b/lib/services/services_linux.c

index 705901e..2047b64 100644

--- a/lib/services/services_linux.c

+++ b/lib/services/services_linux.c

@@ -159,6 +159,25 @@ set_ocf_env_with_prefix(gpointer key, gpointer value, gpointer user_data)

     set_ocf_env(buffer, value, user_data);

 }

+static void

+set_alert_env(gpointer key, gpointer value, gpointer user_data)

+{

+    int rc;

+

+    if (value != NULL) {

+        rc = setenv(key, value, 1);

+    } else {

+        rc = unsetenv(key);

+    }

+

+    if (rc < 0) {

+        crm_perror(LOG_ERR, "setenv %s=%s",

+                  (char*)key, (value? (char*)value : ""));

+    } else {

+        crm_trace("setenv %s=%s", (char*)key, (value? (char*)value : ""));

+    }

+}

+

 /*!

  * \internal

  * \brief Add environment variables suitable for an action

@@ -168,12 +187,20 @@ set_ocf_env_with_prefix(gpointer key, gpointer value, gpointer user_data)

 static void

 add_action_env_vars(const svc_action_t *op)

 {

-    if (safe_str_eq(op->standard, PCMK_RESOURCE_CLASS_OCF) == FALSE) {

-        return;

+    void (*env_setter)(gpointer, gpointer, gpointer) = NULL;

+    if (op->agent == NULL) {

+        env_setter = set_alert_env;  /* we deal with alert handler */

+

+    } else if (safe_str_eq(op->standard, PCMK_RESOURCE_CLASS_OCF)) {

+        env_setter = set_ocf_env_with_prefix;

     }

-    if (op->params) {

-        g_hash_table_foreach(op->params, set_ocf_env_with_prefix, NULL);

+    if (env_setter != NULL && op->params != NULL) {

+        g_hash_table_foreach(op->params, env_setter, NULL);

+    }

+

+    if (env_setter == NULL || env_setter == set_alert_env) {

+        return;

     }

     set_ocf_env("OCF_RA_VERSION_MAJOR", "1", NULL);

-- 

1.8.3.1

From ab44422fa955c2dff1ac1822521e7ad335d4aab7 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>

Date: Mon, 15 Apr 2019 23:19:44 +0200

Subject: [PATCH 2/7] High: pacemakerd vs. IPC/procfs confused deputy

 authenticity issue (0/4)

[0/4: make crm_pid_active more precise as to when detections fail]

It would be bad if the function claimed the process is not active

when the only obstacle in the detection process was that none of the

detection methods worked for a plain lack of permissions to apply

them.  Also, do some other minor cleanup of the function and add its

documentation.  As an additional measure, log spamming is kept at

minimum for repeated queries about the same PID.

---

 include/crm_internal.h | 21 +++++++++++

 lib/common/utils.c     | 96 +++++++++++++++++++++++++++-----------------------

 2 files changed, 73 insertions(+), 44 deletions(-)

diff --git a/include/crm_internal.h b/include/crm_internal.h

index 5692929..0adeb7b 100644

--- a/include/crm_internal.h

+++ b/include/crm_internal.h

@@ -140,6 +140,27 @@ extern int node_score_yellow;

 extern int node_score_infinity;

 /* Assorted convenience functions */

+

+/*!

+ * \internal

+ * \brief Detect if process per PID and optionally exe path (component) exists

+ *

+ * \param[in] pid     PID of process assumed alive, disproving of which to try

+ * \param[in] daemon  exe path (component) to possibly match with procfs entry

+ *

+ * \return -1 on invalid PID specification, -2 when the calling process has no

+ *         (is refused an) ability to (dis)prove the predicate,

+ *         0 if the negation of the predicate is confirmed (check-through-kill

+ *         indicates so, or the subsequent check-through-procfs-match on

+ *         \p daemon when provided and procfs available at the standard path),

+ *         1 if it cannot be disproved (reliably [modulo race conditions]

+ *         when \p daemon provided, procfs available at the standard path

+ *         and the calling process has permissions to access the respective

+ *         procfs location, less so otherwise, since mere check-through-kill

+ *         is exercised without powers to exclude PID recycled in the interim).

+ *

+ * \note This function cannot be used to verify \e authenticity of the process.

+ */

 int crm_pid_active(long pid, const char *daemon);

 void crm_make_daemon(const char *name, gboolean daemonize, const char *pidfile);

diff --git a/lib/common/utils.c b/lib/common/utils.c

index f3f60ed..2ac7901 100644

--- a/lib/common/utils.c

+++ b/lib/common/utils.c

@@ -1,19 +1,10 @@

 /*

- * Copyright (C) 2004 Andrew Beekhof <andrew@beekhof.net>

+ * Copyright 2004-2019 the Pacemaker project contributors

  *

- * This library is free software; you can redistribute it and/or

- * modify it under the terms of the GNU Lesser General Public

- * License as published by the Free Software Foundation; either

- * version 2.1 of the License, or (at your option) any later version.

+ * The version control history for this file may have further details.

  *

- * This library is distributed in the hope that it will be useful,

- * but WITHOUT ANY WARRANTY; without even the implied warranty of

- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

- * Lesser General Public License for more details.

- *

- * You should have received a copy of the GNU Lesser General Public

- * License along with this library; if not, write to the Free Software

- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

+ * This source code is licensed under the GNU Lesser General Public License

+ * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.

  */

 #include <crm_internal.h>

@@ -717,16 +708,21 @@ crm_abort(const char *file, const char *function, int line,

 int

 crm_pid_active(long pid, const char *daemon)

 {

+    static int last_asked_pid = 0;  /* log spam prevention */

+#if SUPPORT_PROCFS

     static int have_proc_pid = 0;

+#else

+    static int have_proc_pid = -1;

+#endif

+    int rc = 0;

-    if(have_proc_pid == 0) {

+    if (have_proc_pid == 0) {

+        /* evaluation of /proc/PID/exe applicability via self-introspection */

         char proc_path[PATH_MAX], exe_path[PATH_MAX];

-

-        /* check to make sure pid hasn't been reused by another process */

-        snprintf(proc_path, sizeof(proc_path), "/proc/%lu/exe", (long unsigned int)getpid());

-

+        snprintf(proc_path, sizeof(proc_path), "/proc/%lu/exe",

+                 (long unsigned int) getpid());

         have_proc_pid = 1;

-        if(readlink(proc_path, exe_path, PATH_MAX - 1) < 0) {

+        if (readlink(proc_path, exe_path, sizeof(exe_path) - 1) < 0) {

             have_proc_pid = -1;

         }

     }

@@ -734,40 +730,52 @@ crm_pid_active(long pid, const char *daemon)

     if (pid <= 0) {

         return -1;

-    } else if (kill(pid, 0) < 0 && errno == ESRCH) {

-        return 0;

+    } else if ((rc = kill(pid, 0)) < 0 && errno == ESRCH) {

+        return 0;  /* no such PID detected */

-    } else if(daemon == NULL || have_proc_pid == -1) {

-        return 1;

+    } else if (rc < 0 && have_proc_pid == -1) {

+        if (last_asked_pid != pid) {

+            crm_info("Cannot examine PID %ld: %s", pid, strerror(errno));

+            last_asked_pid = pid;

+        }

+        return -2;  /* errno != ESRCH */

+

+    } else if (rc == 0 && (daemon == NULL || have_proc_pid == -1)) {

+        return 1;  /* kill as the only indicator, cannot double check */

     } else {

-        int rc = 0;

+        /* make sure PID hasn't been reused by another process

+           XXX: might still be just a zombie, which could confuse decisions */

+        bool checked_through_kill = (rc == 0);

         char proc_path[PATH_MAX], exe_path[PATH_MAX], myexe_path[PATH_MAX];

-

-        /* check to make sure pid hasn't been reused by another process */

-        snprintf(proc_path, sizeof(proc_path), "/proc/%lu/exe", pid);

-

-        rc = readlink(proc_path, exe_path, PATH_MAX - 1);

-        if (rc < 0 && errno == EACCES) {

-            crm_perror(LOG_INFO, "Could not read from %s", proc_path);

-            return 1;

+        snprintf(proc_path, sizeof(proc_path), "/proc/%ld/exe", pid);

+

+        rc = readlink(proc_path, exe_path, sizeof(exe_path) - 1);

+        if ((rc < 0) && (errno == EACCES)) {

+            if (last_asked_pid != pid) {

+                crm_info("Could not read from %s: %s", proc_path,

+                         strerror(errno));

+                last_asked_pid = pid;

+            }

+            return checked_through_kill ? 1 : -2;

         } else if (rc < 0) {

-            crm_perror(LOG_ERR, "Could not read from %s", proc_path);

-            return 0;

+            if (last_asked_pid != pid) {

+                crm_err("Could not read from %s: %s (%d)", proc_path,

+                        strerror(errno), errno);

+                last_asked_pid = pid;

+            }

+            return 0;  /* most likely errno == ENOENT */

         }

-        

+        exe_path[rc] = '\0';

-        exe_path[rc] = 0;

-

-        if(daemon[0] != '/') {

-            rc = snprintf(myexe_path, sizeof(proc_path), CRM_DAEMON_DIR"/%s", daemon);

-            myexe_path[rc] = 0;

+        if (daemon[0] != '/') {

+            rc = snprintf(myexe_path, sizeof(myexe_path), CRM_DAEMON_DIR"/%s",

+                          daemon);

         } else {

-            rc = snprintf(myexe_path, sizeof(proc_path), "%s", daemon);

-            myexe_path[rc] = 0;

+            rc = snprintf(myexe_path, sizeof(myexe_path), "%s", daemon);

         }

-        

-        if (strcmp(exe_path, myexe_path) == 0) {

+

+        if (rc > 0 && rc < sizeof(myexe_path) && !strcmp(exe_path, myexe_path)) {

             return 1;

         }

     }

-- 

1.8.3.1

From 6888aaf3ad365ef772f8189c9958f58b85ec62d4 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>

Date: Mon, 15 Apr 2019 23:20:42 +0200

Subject: [PATCH 3/7] High: pacemakerd vs. IPC/procfs confused deputy

 authenticity issue (1/4)

[1/4: new helpers to allow IPC client side to authenticate the server]

The title problem here could possibly lead to local privilege escalation

up to the root's level (and implicitly unguarded by some additional

protection layers like SELinux unless the defaults constrained further).

Main problem is that the authenticity assumptions were built on two,

seemingly mutually supporting legs leading to two CVEs assigned:

* procfs (mere process existence and right path to binary check)

  used to verify (this part was assigned CVE-2018-16878), and

* one-way only client-server authentication, putting the client

  here at the mercy of the server not necessarily cross-verified

  per the above point if at all (this part was assigned

  CVE-2018-16877)

whereas these two were in fact orthogonal, tearing security

assumptions about the "passive influencers" in the pacemaker's daemon

resilience-friendly constellation (orchestrated by the main of them,

pacemakerd) apart.  Moreover, procfs-based approach is discouraged

for other reasons.

The layout of the basic fix is as follows:

* 1/4: new helpers to allow IPC client side to authenticate the server

       (this commit, along with unifying subsequent solution for

       both CVEs)

* 2/4: pacemakerd to trust pre-existing processes via new checks instead

       (along with unifying solution for both CVEs)

* 3/4: other daemons to authenticate IPC servers of fellow processes

       (along with addressing CVE-2018-16877 alone, for parts of

       pacemaker not covered earlier)

* 4/4: CPG users to be careful about now-more-probable rival processes

       (this is merely to mitigate corner case fallout from the new

       approaches taken to face CVE-2018-16878 in particular;

       courtesy of Yan Gao of SUSE for reporting this)

With "basic", it is meant that it constitutes a self-contained best

effort solution with some compromises that can only be overcome with the

assistance of IPC library, libqb, as is also elaborated in messages of

remaining "fix" commits.  Beside that, also conventional encapsulation

of server-by-client authentication would be useful, but lack thereof

is not an obstacle (more so should there by any security related

neglectations on the IPC client side and its connection initiating

arrangement within libqb that has a potential to strike as early as

when the authenticity of the server side is yet to be examined).

One extra kludge that's introduced for FreeBSD lacking Unix socket to

remote peer PID mapping is masquerading such an unspecified PID with

value of 1, since that shall always be around as "init" task and,

deferring to proof by contradiction, cannot be pacemakerd-spawned

child either even if PID 1 was pacemakerd (and running such a child

alone is rather nonsensical).  The code making decisions based on that

value must acknowledge this craze and refrain from killing/signalling

the underlying process on this platform (but shall in general follow

the same elsewhere, keep in mind systemd socket-based activation for

instance, which would end up in such a situation easily!).

---

 configure.ac                      |  43 +++++++++++

 include/crm/common/Makefile.am    |   7 +-

 include/crm/common/ipc.h          |  55 +++++++++----

 include/crm/common/ipc_internal.h |  69 +++++++++++++++++

 lib/common/ipc.c                  | 158 ++++++++++++++++++++++++++++++++++----

 5 files changed, 303 insertions(+), 29 deletions(-)

 create mode 100644 include/crm/common/ipc_internal.h

diff --git a/configure.ac b/configure.ac

index ed51f67..ce02777 100644

--- a/configure.ac

+++ b/configure.ac

@@ -465,6 +465,48 @@ do

   fi

 done

+us_auth=

+AC_CHECK_HEADER([sys/socket.h], [

+    AC_CHECK_DECL([SO_PEERCRED], [

+        # Linux

+        AC_CHECK_TYPE([struct ucred], [

+            us_auth=peercred_ucred;

+            AC_DEFINE([US_AUTH_PEERCRED_UCRED], [1],

+                      [Define if Unix socket auth method is

+                       getsockopt(s, SO_PEERCRED, &ucred, ...)])

+        ], [

+            # OpenBSD

+            AC_CHECK_TYPE([struct sockpeercred], [

+                us_auth=localpeercred_sockepeercred;

+                AC_DEFINE([US_AUTH_PEERCRED_SOCKPEERCRED], [1],

+                          [Define if Unix socket auth method is

+                           getsockopt(s, SO_PEERCRED, &sockpeercred, ...)])

+            ], [], [[#include <sys/socket.h>]])

+        ], [[#define _GNU_SOURCE

+             #include <sys/socket.h>]])

+    ], [], [[#include <sys/socket.h>]])

+])

+

+if test -z "${us_auth}"; then

+    # FreeBSD

+    AC_CHECK_DECL([getpeereid], [

+        us_auth=getpeereid;

+        AC_DEFINE([US_AUTH_GETPEEREID], [1],

+                  [Define if Unix socket auth method is

+                   getpeereid(s, &uid, &gid)])

+    ], [

+        # Solaris/OpenIndiana

+        AC_CHECK_DECL([getpeerucred], [

+            us_auth=getpeerucred;

+            AC_DEFINE([US_AUTH_GETPEERUCRED], [1],

+                      [Define if Unix socket auth method is

+                       getpeercred(s, &ucred)])

+        ], [

+            AC_MSG_ERROR([No way to authenticate a Unix socket peer])

+        ], [[#include <ucred.h>]])

+    ])

+fi

+

 dnl This OS-based decision-making is poor autotools practice;

 dnl feature-based mechanisms are strongly preferred.

 dnl

@@ -2179,3 +2221,4 @@ AC_MSG_RESULT([  LDFLAGS_HARDENED_EXE     = ${LDFLAGS_HARDENED_EXE}])

 AC_MSG_RESULT([  LDFLAGS_HARDENED_LIB     = ${LDFLAGS_HARDENED_LIB}])

 AC_MSG_RESULT([  Libraries                = ${LIBS}])

 AC_MSG_RESULT([  Stack Libraries          = ${CLUSTERLIBS}])

+AC_MSG_RESULT([  Unix socket auth method  = ${us_auth}])

diff --git a/include/crm/common/Makefile.am b/include/crm/common/Makefile.am

index b90ac79..aacb6ff 100644

--- a/include/crm/common/Makefile.am

+++ b/include/crm/common/Makefile.am

@@ -1,5 +1,7 @@

 #

-# Copyright 2004-2019 Andrew Beekhof <andrew@beekhof.net>

+# Copyright 2004-2019 the Pacemaker project contributors

+#

+# The version control history for this file may have further details.

 #

 # This source code is licensed under the GNU General Public License version 2

 # or later (GPLv2+) WITHOUT ANY WARRANTY.

@@ -11,7 +13,8 @@ headerdir=$(pkgincludedir)/crm/common

 header_HEADERS = xml.h ipc.h util.h iso8601.h mainloop.h logging.h \

 		 nvpair.h

-noinst_HEADERS = ipcs.h internal.h remote_internal.h xml_internal.h

+noinst_HEADERS = ipcs.h internal.h remote_internal.h xml_internal.h \

+		 ipc_internal.h

 if BUILD_CIBSECRETS

 noinst_HEADERS += cib_secrets.h

 endif

diff --git a/include/crm/common/ipc.h b/include/crm/common/ipc.h

index 8722252..df56bbe 100644

--- a/include/crm/common/ipc.h

+++ b/include/crm/common/ipc.h

@@ -1,19 +1,10 @@

 /*

- * Copyright (C) 2013 Andrew Beekhof <andrew@beekhof.net>

+ * Copyright 2013-2019 the Pacemaker project contributors

  *

- * This program is free software; you can redistribute it and/or

- * modify it under the terms of the GNU Lesser General Public

- * License as published by the Free Software Foundation; either

- * version 2 of the License, or (at your option) any later version.

+ * The version control history for this file may have further details.

  *

- * This software is distributed in the hope that it will be useful,

- * but WITHOUT ANY WARRANTY; without even the implied warranty of

- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

- * General Public License for more details.

- *

- * You should have received a copy of the GNU Lesser General Public

- * License along with this library; if not, write to the Free Software

- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

+ * This source code is licensed under the GNU Lesser General Public License

+ * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.

  */

 #ifndef CRM_COMMON_IPC__H

 #  define CRM_COMMON_IPC__H

@@ -77,6 +68,44 @@ uint32_t crm_ipc_buffer_flags(crm_ipc_t * client);

 const char *crm_ipc_name(crm_ipc_t * client);

 unsigned int crm_ipc_default_buffer_size(void);

+/*!

+ * \brief Check the authenticity of the IPC socket peer process

+ *

+ * If everything goes well, peer's authenticity is verified by the means

+ * of comparing against provided referential UID and GID (either satisfies),

+ * and the result of this check can be deduced from the return value.

+ * As an exception, detected UID of 0 ("root") satisfies arbitrary

+ * provided referential daemon's credentials.

+ *

+ * \param[in]  sock    IPC related, connected Unix socket to check peer of

+ * \param[in]  refuid  referential UID to check against

+ * \param[in]  refgid  referential GID to check against

+ * \param[out] gotpid  to optionally store obtained PID of the peer

+ *                     (not available on FreeBSD, special value of 1

+ *                     used instead, and the caller is required to

+ *                     special case this value respectively)

+ * \param[out] gotuid  to optionally store obtained UID of the peer

+ * \param[out] gotgid  to optionally store obtained GID of the peer

+ *

+ * \return 0 if IPC related socket's peer is not authentic given the

+ *         referential credentials (see above), 1 if it is,

+ *         negative value on error (generally expressing -errno unless

+ *         it was zero even on nonhappy path, -pcmk_err_generic is

+ *         returned then; no message is directly emitted)

+ *

+ * \note While this function is tolerant on what constitutes authorized

+ *       IPC daemon process (its effective user matches UID=0 or \p refuid,

+ *       or at least its group matches \p refroup), either or both (in case

+ *       of UID=0) mismatches on the expected credentials of such peer

+ *       process \e shall be investigated at the caller when value of 1

+ *       gets returned there, since higher-than-expected privileges in

+ *       respect to the expected/intended credentials possibly violate

+ *       the least privilege principle and may pose an additional risk

+ *       (i.e. such accidental inconsistency shall be eventually fixed).

+ */

+int crm_ipc_is_authentic_process(int sock, uid_t refuid, gid_t refgid,

+                                 pid_t *gotpid, uid_t *gotuid, gid_t *gotgid);

+

 /* Utils */

 xmlNode *create_hello_message(const char *uuid, const char *client_name,

                               const char *major_version, const char *minor_version);

diff --git a/include/crm/common/ipc_internal.h b/include/crm/common/ipc_internal.h

new file mode 100644

index 0000000..41a6653

--- /dev/null

+++ b/include/crm/common/ipc_internal.h

@@ -0,0 +1,69 @@

+/*

+ * Copyright 2019 the Pacemaker project contributors

+ *

+ * The version control history for this file may have further details.

+ *

+ * This source code is licensed under the GNU Lesser General Public License

+ * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.

+ */

+

+#ifndef PCMK__IPC_INTERNAL_H

+#define PCMK__IPC_INTERNAL_H

+

+#include <sys/types.h>

+

+#include <crm_config.h>  /* US_AUTH_GETPEEREID */

+

+

+/* denotes "non yieldable PID" on FreeBSD, or actual PID1 in scenarios that

+   require a delicate handling anyway (socket-based activation with systemd);

+   we can be reasonably sure that this PID is never possessed by the actual

+   child daemon, as it gets taken either by the proper init, or by pacemakerd

+   itself (i.e. this precludes anything else); note that value of zero

+   is meant to carry "unset" meaning, and better not to bet on/conditionalize

+   over signedness of pid_t */

+#define PCMK__SPECIAL_PID  1

+

+#if defined(US_AUTH_GETPEEREID)

+/* on FreeBSD, we don't want to expose "non-yieldable PID" (leading to

+   "IPC liveness check only") as its nominal representation, which could

+   cause confusion -- this is unambiguous as long as there's no

+   socket-based activation like with systemd (very improbable) */

+#define PCMK__SPECIAL_PID_AS_0(p)  (((p) == PCMK__SPECIAL_PID) ? 0 : (p))

+#else

+#define PCMK__SPECIAL_PID_AS_0(p)  (p)

+#endif

+

+/*!

+ * \internal

+ * \brief Check the authenticity and liveness of the process via IPC end-point

+ *

+ * When IPC daemon under given IPC end-point (name) detected, its authenticity

+ * is verified by the means of comparing against provided referential UID and

+ * GID, and the result of this check can be deduced from the return value.

+ * As an exception, referential UID of 0 (~ root) satisfies arbitrary

+ * detected daemon's credentials.

+ *

+ * \param[in]  name    IPC name to base the search on

+ * \param[in]  refuid  referential UID to check against

+ * \param[in]  refgid  referential GID to check against

+ * \param[out] gotpid  to optionally store obtained PID of the found process

+ *                     upon returning 1 or -2

+ *                     (not available on FreeBSD, special value of 1,

+ *                     see PCMK__SPECIAL_PID, used instead, and the caller

+ *                     is required to special case this value respectively)

+ *

+ * \return 0 if no trace of IPC peer's liveness detected, 1 if it was,

+ *         -1 on error, and -2 when the IPC blocked with unauthorized

+ *         process (log message emitted in both latter cases)

+ *

+ * \note This function emits a log message also in case there isn't a perfect

+ *       match in respect to \p reguid and/or \p refgid, for a possible

+ *       least privilege principle violation.

+ *

+ * \see crm_ipc_is_authentic_process

+ */

+int pcmk__ipc_is_authentic_process_active(const char *name, uid_t refuid,

+                                          gid_t refgid, pid_t *gotpid);

+

+#endif

diff --git a/lib/common/ipc.c b/lib/common/ipc.c

index 3258bcb..5b47dd6 100644

--- a/lib/common/ipc.c

+++ b/lib/common/ipc.c

@@ -1,23 +1,25 @@

 /*

- * Copyright (C) 2004 Andrew Beekhof <andrew@beekhof.net>

+ * Copyright 2004-2019 the Pacemaker project contributors

  *

- * This library is free software; you can redistribute it and/or

- * modify it under the terms of the GNU Lesser General Public

- * License as published by the Free Software Foundation; either

- * version 2.1 of the License, or (at your option) any later version.

+ * The version control history for this file may have further details.

  *

- * This library is distributed in the hope that it will be useful,

- * but WITHOUT ANY WARRANTY; without even the implied warranty of

- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

- * Lesser General Public License for more details.

- *

- * You should have received a copy of the GNU Lesser General Public

- * License along with this library; if not, write to the Free Software

- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

+ * This source code is licensed under the GNU Lesser General Public License

+ * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.

  */

 #include <crm_internal.h>

+#if defined(US_AUTH_PEERCRED_UCRED) || defined(US_AUTH_PEERCRED_SOCKPEERCRED)

+#  ifdef US_AUTH_PEERCRED_UCRED

+#    ifndef _GNU_SOURCE

+#      define _GNU_SOURCE

+#    endif

+#  endif

+#  include <sys/socket.h>

+#elif defined(US_AUTH_GETPEERUCRED)

+#  include <ucred.h>

+#endif

+

 #include <sys/param.h>

 #include <stdio.h>

@@ -30,11 +32,13 @@

 #include <fcntl.h>

 #include <bzlib.h>

-#include <crm/crm.h>

+#include <crm/crm.h>   /* indirectly: pcmk_err_generic */

 #include <crm/msg_xml.h>

 #include <crm/common/ipc.h>

 #include <crm/common/ipcs.h>

+#include <crm/common/ipc_internal.h>  /* PCMK__SPECIAL_PID* */

+

 #define PCMK_IPC_VERSION 1

 /* Evict clients whose event queue grows this large (by default) */

@@ -1375,6 +1379,132 @@ crm_ipc_send(crm_ipc_t * client, xmlNode * message, enum crm_ipc_flags flags, in

     return rc;

 }

+int

+crm_ipc_is_authentic_process(int sock, uid_t refuid, gid_t refgid,

+                             pid_t *gotpid, uid_t *gotuid, gid_t *gotgid) {

+    int ret = 0;

+    pid_t found_pid = 0; uid_t found_uid = 0; gid_t found_gid = 0;

+#if defined(US_AUTH_PEERCRED_UCRED)

+    struct ucred ucred;

+    socklen_t ucred_len = sizeof(ucred);

+

+    if (!getsockopt(sock, SOL_SOCKET, SO_PEERCRED,

+                    &ucred, &ucred_len)

+                && ucred_len == sizeof(ucred)) {

+        found_pid = ucred.pid; found_uid = ucred.uid; found_gid = ucred.gid;

+

+#elif defined(US_AUTH_PEERCRED_SOCKPEERCRED)

+    struct sockpeercred sockpeercred;

+    socklen_t sockpeercred_len = sizeof(sockpeercred);

+

+    if (!getsockopt(sock, SOL_SOCKET, SO_PEERCRED,

+                    &sockpeercred, &sockpeercred_len)

+                && sockpeercred_len == sizeof(sockpeercred_len)) {

+        found_pid = sockpeercred.pid;

+        found_uid = sockpeercred.uid; found_gid = sockpeercred.gid;

+

+#elif defined(US_AUTH_GETPEEREID)

+    if (!getpeereid(sock, &found_uid, &found_gid)) {

+        found_pid = PCMK__SPECIAL_PID;  /* cannot obtain PID (FreeBSD) */

+

+#elif defined(US_AUTH_GETPEERUCRED)

+    ucred_t *ucred;

+    if (!getpeerucred(sock, &ucred)) {