diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 18:00:34 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 18:00:34 +0000 |
commit | 3f619478f796eddbba6e39502fe941b285dd97b1 (patch) | |
tree | e2c7b5777f728320e5b5542b6213fd3591ba51e2 /plugin/auth_socket/auth_socket.c | |
parent | Initial commit. (diff) | |
download | mariadb-upstream.tar.xz mariadb-upstream.zip |
Adding upstream version 1:10.11.6.upstream/1%10.11.6upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'plugin/auth_socket/auth_socket.c')
-rw-r--r-- | plugin/auth_socket/auth_socket.c | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/plugin/auth_socket/auth_socket.c b/plugin/auth_socket/auth_socket.c new file mode 100644 index 00000000..3a933b6a --- /dev/null +++ b/plugin/auth_socket/auth_socket.c @@ -0,0 +1,156 @@ +/* Copyright (C) 2010 Sergei Golubchik and Monty Program Ab + Copyright (c) 2010, 2011, Oracle and/or its affiliates. + + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License as + published by the Free Software Foundation; version 2 of the + License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */ + +/** + @file + + auth_socket authentication plugin. + + Authentication is successful if the connection is done via a unix socket and + the owner of the client process matches the user name that was used when + connecting to mysqld. +*/ +#define _GNU_SOURCE 1 /* for struct ucred */ + +#include <mysql/plugin_auth.h> +#include <string.h> +#include <pwd.h> +#include <sys/socket.h> +#include <sys/types.h> + +#ifdef HAVE_PEERCRED +#define level SOL_SOCKET + +#elif defined HAVE_SOCKPEERCRED +#define level SOL_SOCKET +#define ucred sockpeercred + +#elif defined HAVE_XUCRED +#include <sys/un.h> +#include <sys/ucred.h> +#define level 0 +#define SO_PEERCRED LOCAL_PEERCRED +#define uid cr_uid +#define ucred xucred + +#elif defined HAVE_UNPCBID +#include <sys/un.h> +#define level 0 +#define SO_PEERCRED LOCAL_PEEREID +#define uid unp_euid +#define ucred unpcbid + +#elif defined HAVE_GETPEERUCRED +#include <ucred.h> + +#elif defined HAVE_PEERCRED_STRUCT +#define level SOL_SOCKET +#define SO_PEERCRED SO_PEERID +#define uid euid +#define ucred peercred_struct + +#else +#error impossible +#endif + +/** + perform the unix socket based authentication + + This authentication callback performs a unix socket based authentication - + it gets the uid of the client process and considers the user authenticated + if it uses username of this uid. That is - if the user is already + authenticated to the OS (if she is logged in) - she can use MySQL as herself +*/ + +static int socket_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) +{ + unsigned char *pkt; + MYSQL_PLUGIN_VIO_INFO vio_info; +#ifdef HAVE_GETPEERUCRED + ucred_t *cred = NULL; +#else + struct ucred cred; + socklen_t cred_len= sizeof(cred); +#endif + struct passwd pwd_buf, *pwd; + char buf[1024]; + uid_t u; + + /* no user name yet ? read the client handshake packet with the user name */ + if (info->user_name == 0) + { + if (vio->read_packet(vio, &pkt) < 0) + return CR_ERROR; + } + + info->password_used= PASSWORD_USED_NO_MENTION; + + vio->info(vio, &vio_info); + if (vio_info.protocol != MYSQL_VIO_SOCKET) + return CR_ERROR; + + /* get the UID of the client process */ +#ifdef HAVE_GETPEERUCRED + if (getpeerucred(vio_info.socket, &cred) != 0) + return CR_ERROR; + u = ucred_geteuid(cred); + ucred_free(cred); +#else + if (getsockopt(vio_info.socket, level, SO_PEERCRED, &cred, &cred_len)) + return CR_ERROR; + + if (cred_len != sizeof(cred)) + return CR_ERROR; + + u = cred.uid; +#endif + + /* and find the username for this uid */ + getpwuid_r(u, &pwd_buf, buf, sizeof(buf), &pwd); + if (pwd == NULL) + return CR_ERROR; + + /* now it's simple as that */ + return strcmp(pwd->pw_name, info->user_name) ? CR_ERROR : CR_OK; +} + +static struct st_mysql_auth socket_auth_handler= +{ + MYSQL_AUTHENTICATION_INTERFACE_VERSION, + 0, + socket_auth, + NULL, NULL /* no PASSWORD() */ +}; + +maria_declare_plugin(auth_socket) +{ + MYSQL_AUTHENTICATION_PLUGIN, + &socket_auth_handler, + "unix_socket", + "Sergei Golubchik", + "Unix Socket based authentication", + PLUGIN_LICENSE_GPL, + NULL, + NULL, + 0x0100, + NULL, + NULL, + "1.0", + MariaDB_PLUGIN_MATURITY_STABLE +} +maria_declare_plugin_end; + |