diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 18:07:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 18:07:14 +0000 |
commit | a175314c3e5827eb193872241446f2f8f5c9d33c (patch) | |
tree | cd3d60ca99ae00829c52a6ca79150a5b6e62528b /plugin/auth_socket | |
parent | Initial commit. (diff) | |
download | mariadb-10.5-upstream.tar.xz mariadb-10.5-upstream.zip |
Adding upstream version 1:10.5.12.upstream/1%10.5.12upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'plugin/auth_socket')
-rw-r--r-- | plugin/auth_socket/CMakeLists.txt | 110 | ||||
-rw-r--r-- | plugin/auth_socket/auth_socket.c | 149 |
2 files changed, 259 insertions, 0 deletions
diff --git a/plugin/auth_socket/CMakeLists.txt b/plugin/auth_socket/CMakeLists.txt new file mode 100644 index 00000000..a3f42d41 --- /dev/null +++ b/plugin/auth_socket/CMakeLists.txt @@ -0,0 +1,110 @@ +# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 of the +# License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA + +CHECK_CXX_SOURCE_COMPILES( +"#define _GNU_SOURCE +#include <sys/socket.h> +int main() { + struct ucred cred; + getsockopt(0, SOL_SOCKET, SO_PEERCRED, &cred, 0); +}" HAVE_PEERCRED) + +IF (HAVE_PEERCRED) + ADD_DEFINITIONS(-DHAVE_PEERCRED) + SET(ok 1) +ELSE() + +# Hi, OpenBSD! +CHECK_CXX_SOURCE_COMPILES( +"#include <sys/types.h> +#include <sys/socket.h> +int main() { + struct sockpeercred cred; + getsockopt(0, SOL_SOCKET, SO_PEERCRED, &cred, 0); + }" HAVE_SOCKPEERCRED) + +IF (HAVE_SOCKPEERCRED) + ADD_DEFINITIONS(-DHAVE_SOCKPEERCRED) + SET(ok 1) +ELSE() + +# FreeBSD, is that you? +CHECK_CXX_SOURCE_COMPILES( +"#include <sys/types.h> +#include <sys/socket.h> +#include <sys/un.h> +#include <sys/ucred.h> +int main() { + struct xucred cred; + getsockopt(0, 0, LOCAL_PEERCRED, &cred, 0); + }" HAVE_XUCRED) + +IF (HAVE_XUCRED) + ADD_DEFINITIONS(-DHAVE_XUCRED) + SET(ok 1) +ELSE() + +# illumos, is that you? +CHECK_CXX_SOURCE_COMPILES( +"#include <ucred.h> +int main() { + ucred_t *cred = NULL; + getpeerucred(0, &cred); + }" HAVE_GETPEERUCRED) + +# Depending on the flags set in the compilation environment, illumos will have +# either the POSIX.1c draft 6 or POSIX.1c final implementation of getpwuid_r() +# Check that defining _POSIX_PTHREAD_SEMANTICS provides the final standard +# version. + +CHECK_CXX_SOURCE_COMPILES( +"#define _POSIX_PTHREAD_SEMANTICS +#include <pwd.h> +int main() { + getpwuid_r(0, NULL, NULL, 0, NULL); + }" HAVE_GETPWUID_POSIX_FINAL) + +IF (HAVE_GETPEERUCRED AND HAVE_GETPWUID_POSIX_FINAL) + ADD_DEFINITIONS(-DHAVE_GETPEERUCRED) + ADD_DEFINITIONS(-D_POSIX_PTHREAD_SEMANTICS) + SET(ok 1) +ELSE() + +# AIX also! +CHECK_CXX_SOURCE_COMPILES( +"#include <sys/socket.h> +int main() { + struct peercred_struct cred; + getsockopt(0, SOL_SOCKET, SO_PEERID, &cred, 0); + }" HAVE_PEERCRED_STRUCT) + +IF (HAVE_PEERCRED_STRUCT) + ADD_DEFINITIONS(-DHAVE_PEERCRED_STRUCT) + SET(ok 1) +ELSE() + +# Who else? Anyone? +# C'mon, show your creativity, be different! ifdef's are fun, aren't they? + +ENDIF() +ENDIF() +ENDIF() +ENDIF() +ENDIF() + +IF(ok) + MYSQL_ADD_PLUGIN(auth_socket auth_socket.c DEFAULT) +ENDIF() diff --git a/plugin/auth_socket/auth_socket.c b/plugin/auth_socket/auth_socket.c new file mode 100644 index 00000000..c20defed --- /dev/null +++ b/plugin/auth_socket/auth_socket.c @@ -0,0 +1,149 @@ +/* Copyright (C) 2010 Sergei Golubchik and Monty Program Ab + Copyright (c) 2010, 2011, Oracle and/or its affiliates. + + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License as + published by the Free Software Foundation; version 2 of the + License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */ + +/** + @file + + auth_socket authentication plugin. + + Authentication is successful if the connection is done via a unix socket and + the owner of the client process matches the user name that was used when + connecting to mysqld. +*/ +#define _GNU_SOURCE 1 /* for struct ucred */ + +#include <mysql/plugin_auth.h> +#include <string.h> +#include <pwd.h> +#include <sys/socket.h> +#include <sys/types.h> + +#ifdef HAVE_PEERCRED +#define level SOL_SOCKET + +#elif defined HAVE_SOCKPEERCRED +#define level SOL_SOCKET +#define ucred sockpeercred + +#elif defined HAVE_XUCRED +#include <sys/un.h> +#include <sys/ucred.h> +#define level 0 +#define SO_PEERCRED LOCAL_PEERCRED +#define uid cr_uid +#define ucred xucred + +#elif defined HAVE_GETPEERUCRED +#include <ucred.h> + +#elif defined HAVE_PEERCRED_STRUCT +#define level SOL_SOCKET +#define SO_PEERCRED SO_PEERID +#define uid euid +#define ucred peercred_struct + +#else +#error impossible +#endif + +/** + perform the unix socket based authentication + + This authentication callback performs a unix socket based authentication - + it gets the uid of the client process and considers the user authenticated + if it uses username of this uid. That is - if the user is already + authenticated to the OS (if she is logged in) - she can use MySQL as herself +*/ + +static int socket_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) +{ + unsigned char *pkt; + MYSQL_PLUGIN_VIO_INFO vio_info; +#ifdef HAVE_GETPEERUCRED + ucred_t *cred = NULL; +#else + struct ucred cred; + socklen_t cred_len= sizeof(cred); +#endif + struct passwd pwd_buf, *pwd; + char buf[1024]; + uid_t u; + + /* no user name yet ? read the client handshake packet with the user name */ + if (info->user_name == 0) + { + if (vio->read_packet(vio, &pkt) < 0) + return CR_ERROR; + } + + info->password_used= PASSWORD_USED_NO_MENTION; + + vio->info(vio, &vio_info); + if (vio_info.protocol != MYSQL_VIO_SOCKET) + return CR_ERROR; + + /* get the UID of the client process */ +#ifdef HAVE_GETPEERUCRED + if (getpeerucred(vio_info.socket, &cred) != 0) + return CR_ERROR; + u = ucred_geteuid(cred); + ucred_free(cred); +#else + if (getsockopt(vio_info.socket, level, SO_PEERCRED, &cred, &cred_len)) + return CR_ERROR; + + if (cred_len != sizeof(cred)) + return CR_ERROR; + + u = cred.uid; +#endif + + /* and find the username for this uid */ + getpwuid_r(u, &pwd_buf, buf, sizeof(buf), &pwd); + if (pwd == NULL) + return CR_ERROR; + + /* now it's simple as that */ + return strcmp(pwd->pw_name, info->user_name) ? CR_ERROR : CR_OK; +} + +static struct st_mysql_auth socket_auth_handler= +{ + MYSQL_AUTHENTICATION_INTERFACE_VERSION, + 0, + socket_auth, + NULL, NULL /* no PASSWORD() */ +}; + +maria_declare_plugin(auth_socket) +{ + MYSQL_AUTHENTICATION_PLUGIN, + &socket_auth_handler, + "unix_socket", + "Sergei Golubchik", + "Unix Socket based authentication", + PLUGIN_LICENSE_GPL, + NULL, + NULL, + 0x0100, + NULL, + NULL, + "1.0", + MariaDB_PLUGIN_MATURITY_STABLE +} +maria_declare_plugin_end; + |