summaryrefslogtreecommitdiffstats
path: root/plugin/auth_socket
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 18:07:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 18:07:14 +0000
commita175314c3e5827eb193872241446f2f8f5c9d33c (patch)
treecd3d60ca99ae00829c52a6ca79150a5b6e62528b /plugin/auth_socket
parentInitial commit. (diff)
downloadmariadb-10.5-a175314c3e5827eb193872241446f2f8f5c9d33c.tar.xz
mariadb-10.5-a175314c3e5827eb193872241446f2f8f5c9d33c.zip
Adding upstream version 1:10.5.12.upstream/1%10.5.12upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'plugin/auth_socket')
-rw-r--r--plugin/auth_socket/CMakeLists.txt110
-rw-r--r--plugin/auth_socket/auth_socket.c149
2 files changed, 259 insertions, 0 deletions
diff --git a/plugin/auth_socket/CMakeLists.txt b/plugin/auth_socket/CMakeLists.txt
new file mode 100644
index 00000000..a3f42d41
--- /dev/null
+++ b/plugin/auth_socket/CMakeLists.txt
@@ -0,0 +1,110 @@
+# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 of the
+# License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA
+
+CHECK_CXX_SOURCE_COMPILES(
+"#define _GNU_SOURCE
+#include <sys/socket.h>
+int main() {
+ struct ucred cred;
+ getsockopt(0, SOL_SOCKET, SO_PEERCRED, &cred, 0);
+}" HAVE_PEERCRED)
+
+IF (HAVE_PEERCRED)
+ ADD_DEFINITIONS(-DHAVE_PEERCRED)
+ SET(ok 1)
+ELSE()
+
+# Hi, OpenBSD!
+CHECK_CXX_SOURCE_COMPILES(
+"#include <sys/types.h>
+#include <sys/socket.h>
+int main() {
+ struct sockpeercred cred;
+ getsockopt(0, SOL_SOCKET, SO_PEERCRED, &cred, 0);
+ }" HAVE_SOCKPEERCRED)
+
+IF (HAVE_SOCKPEERCRED)
+ ADD_DEFINITIONS(-DHAVE_SOCKPEERCRED)
+ SET(ok 1)
+ELSE()
+
+# FreeBSD, is that you?
+CHECK_CXX_SOURCE_COMPILES(
+"#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/ucred.h>
+int main() {
+ struct xucred cred;
+ getsockopt(0, 0, LOCAL_PEERCRED, &cred, 0);
+ }" HAVE_XUCRED)
+
+IF (HAVE_XUCRED)
+ ADD_DEFINITIONS(-DHAVE_XUCRED)
+ SET(ok 1)
+ELSE()
+
+# illumos, is that you?
+CHECK_CXX_SOURCE_COMPILES(
+"#include <ucred.h>
+int main() {
+ ucred_t *cred = NULL;
+ getpeerucred(0, &cred);
+ }" HAVE_GETPEERUCRED)
+
+# Depending on the flags set in the compilation environment, illumos will have
+# either the POSIX.1c draft 6 or POSIX.1c final implementation of getpwuid_r()
+# Check that defining _POSIX_PTHREAD_SEMANTICS provides the final standard
+# version.
+
+CHECK_CXX_SOURCE_COMPILES(
+"#define _POSIX_PTHREAD_SEMANTICS
+#include <pwd.h>
+int main() {
+ getpwuid_r(0, NULL, NULL, 0, NULL);
+ }" HAVE_GETPWUID_POSIX_FINAL)
+
+IF (HAVE_GETPEERUCRED AND HAVE_GETPWUID_POSIX_FINAL)
+ ADD_DEFINITIONS(-DHAVE_GETPEERUCRED)
+ ADD_DEFINITIONS(-D_POSIX_PTHREAD_SEMANTICS)
+ SET(ok 1)
+ELSE()
+
+# AIX also!
+CHECK_CXX_SOURCE_COMPILES(
+"#include <sys/socket.h>
+int main() {
+ struct peercred_struct cred;
+ getsockopt(0, SOL_SOCKET, SO_PEERID, &cred, 0);
+ }" HAVE_PEERCRED_STRUCT)
+
+IF (HAVE_PEERCRED_STRUCT)
+ ADD_DEFINITIONS(-DHAVE_PEERCRED_STRUCT)
+ SET(ok 1)
+ELSE()
+
+# Who else? Anyone?
+# C'mon, show your creativity, be different! ifdef's are fun, aren't they?
+
+ENDIF()
+ENDIF()
+ENDIF()
+ENDIF()
+ENDIF()
+
+IF(ok)
+ MYSQL_ADD_PLUGIN(auth_socket auth_socket.c DEFAULT)
+ENDIF()
diff --git a/plugin/auth_socket/auth_socket.c b/plugin/auth_socket/auth_socket.c
new file mode 100644
index 00000000..c20defed
--- /dev/null
+++ b/plugin/auth_socket/auth_socket.c
@@ -0,0 +1,149 @@
+/* Copyright (C) 2010 Sergei Golubchik and Monty Program Ab
+ Copyright (c) 2010, 2011, Oracle and/or its affiliates.
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as
+ published by the Free Software Foundation; version 2 of the
+ License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */
+
+/**
+ @file
+
+ auth_socket authentication plugin.
+
+ Authentication is successful if the connection is done via a unix socket and
+ the owner of the client process matches the user name that was used when
+ connecting to mysqld.
+*/
+#define _GNU_SOURCE 1 /* for struct ucred */
+
+#include <mysql/plugin_auth.h>
+#include <string.h>
+#include <pwd.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+
+#ifdef HAVE_PEERCRED
+#define level SOL_SOCKET
+
+#elif defined HAVE_SOCKPEERCRED
+#define level SOL_SOCKET
+#define ucred sockpeercred
+
+#elif defined HAVE_XUCRED
+#include <sys/un.h>
+#include <sys/ucred.h>
+#define level 0
+#define SO_PEERCRED LOCAL_PEERCRED
+#define uid cr_uid
+#define ucred xucred
+
+#elif defined HAVE_GETPEERUCRED
+#include <ucred.h>
+
+#elif defined HAVE_PEERCRED_STRUCT
+#define level SOL_SOCKET
+#define SO_PEERCRED SO_PEERID
+#define uid euid
+#define ucred peercred_struct
+
+#else
+#error impossible
+#endif
+
+/**
+ perform the unix socket based authentication
+
+ This authentication callback performs a unix socket based authentication -
+ it gets the uid of the client process and considers the user authenticated
+ if it uses username of this uid. That is - if the user is already
+ authenticated to the OS (if she is logged in) - she can use MySQL as herself
+*/
+
+static int socket_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
+{
+ unsigned char *pkt;
+ MYSQL_PLUGIN_VIO_INFO vio_info;
+#ifdef HAVE_GETPEERUCRED
+ ucred_t *cred = NULL;
+#else
+ struct ucred cred;
+ socklen_t cred_len= sizeof(cred);
+#endif
+ struct passwd pwd_buf, *pwd;
+ char buf[1024];
+ uid_t u;
+
+ /* no user name yet ? read the client handshake packet with the user name */
+ if (info->user_name == 0)
+ {
+ if (vio->read_packet(vio, &pkt) < 0)
+ return CR_ERROR;
+ }
+
+ info->password_used= PASSWORD_USED_NO_MENTION;
+
+ vio->info(vio, &vio_info);
+ if (vio_info.protocol != MYSQL_VIO_SOCKET)
+ return CR_ERROR;
+
+ /* get the UID of the client process */
+#ifdef HAVE_GETPEERUCRED
+ if (getpeerucred(vio_info.socket, &cred) != 0)
+ return CR_ERROR;
+ u = ucred_geteuid(cred);
+ ucred_free(cred);
+#else
+ if (getsockopt(vio_info.socket, level, SO_PEERCRED, &cred, &cred_len))
+ return CR_ERROR;
+
+ if (cred_len != sizeof(cred))
+ return CR_ERROR;
+
+ u = cred.uid;
+#endif
+
+ /* and find the username for this uid */
+ getpwuid_r(u, &pwd_buf, buf, sizeof(buf), &pwd);
+ if (pwd == NULL)
+ return CR_ERROR;
+
+ /* now it's simple as that */
+ return strcmp(pwd->pw_name, info->user_name) ? CR_ERROR : CR_OK;
+}
+
+static struct st_mysql_auth socket_auth_handler=
+{
+ MYSQL_AUTHENTICATION_INTERFACE_VERSION,
+ 0,
+ socket_auth,
+ NULL, NULL /* no PASSWORD() */
+};
+
+maria_declare_plugin(auth_socket)
+{
+ MYSQL_AUTHENTICATION_PLUGIN,
+ &socket_auth_handler,
+ "unix_socket",
+ "Sergei Golubchik",
+ "Unix Socket based authentication",
+ PLUGIN_LICENSE_GPL,
+ NULL,
+ NULL,
+ 0x0100,
+ NULL,
+ NULL,
+ "1.0",
+ MariaDB_PLUGIN_MATURITY_STABLE
+}
+maria_declare_plugin_end;
+