mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-24 21:17:01 +01:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity
kanidm/kanidm_unix_int/src/daemon.rs

436 lines
14 KiB
Rust
Raw Normal View History

195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
#![deny(warnings)]
Cleanup and improve client error handling
2020-08-01 12:31:05 +02:00
#![warn(unused_extern_crates)]
#![deny(clippy::unwrap_used)]
#![deny(clippy::expect_used)]
#![deny(clippy::panic)]
#![deny(clippy::unreachable)]
#![deny(clippy::await_holding_lock)]
#![deny(clippy::needless_pass_by_value)]
#![deny(clippy::trivially_copy_pass_by_ref)]
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
#[macro_use]
extern crate log;
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
use users::{get_current_gid, get_current_uid, get_effective_gid, get_effective_uid};
use std::fs::metadata;
use std::os::unix::fs::MetadataExt;
use std::path::{Path, PathBuf};
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
use bytes::{BufMut, BytesMut};
use futures::SinkExt;
use futures::StreamExt;
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
use libc::umask;
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
use std::error::Error;
use std::io;
use std::sync::Arc;
use tokio::net::{UnixListener, UnixStream};
use tokio_util::codec::Framed;
use tokio_util::codec::{Decoder, Encoder};
use kanidm_client::KanidmClientBuilder;
use kanidm_unix_common::cache::CacheLayer;
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
use kanidm_unix_common::unix_config::KanidmUnixdConfig;
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
use kanidm_unix_common::unix_proto::{ClientRequest, ClientResponse};
//=== the codec
struct ClientCodec;
impl Decoder for ClientCodec {
type Item = ClientRequest;
type Error = io::Error;
fn decode(&mut self, src: &mut BytesMut) -> Result<Option<Self::Item>, Self::Error> {
match serde_cbor::from_slice::<ClientRequest>(&src) {
Ok(msg) => {
// Clear the buffer for the next message.
src.clear();
Ok(Some(msg))
}
_ => Ok(None),
}
}
}
Update outdated libraries and add helper make argument.
2020-04-11 02:32:56 +02:00
impl Encoder<ClientResponse> for ClientCodec {
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
type Error = io::Error;
fn encode(&mut self, msg: ClientResponse, dst: &mut BytesMut) -> Result<(), Self::Error> {
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
debug!("Attempting to send response -> {:?} ...", msg);
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let data = serde_cbor::to_vec(&msg).map_err(|e| {
error!("socket encoding error -> {:?}", e);
io::Error::new(io::ErrorKind::Other, "CBOR encode error")
})?;
dst.put(data.as_slice());
Ok(())
}
}
impl ClientCodec {
fn new() -> Self {
ClientCodec
}
}
fn rm_if_exist(p: &str) {
let _ = std::fs::remove_file(p).map_err(|e| {
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
warn!("attempting to remove {:?} -> {:?}", p, e);
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
});
}
async fn handle_client(
sock: UnixStream,
cachelayer: Arc<CacheLayer>,
) -> Result<(), Box<dyn Error>> {
debug!("Accepted connection");
let mut reqs = Framed::new(sock, ClientCodec::new());
while let Some(Ok(req)) = reqs.next().await {
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
let resp = match req {
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
ClientRequest::SshKey(account_id) => {
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
debug!("sshkey req");
cachelayer
.get_sshkeys(account_id.as_str())
.await
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
.map(ClientResponse::SshKeys)
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.unwrap_or_else(|_| {
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
error!("unable to load keys, returning empty set.");
ClientResponse::SshKeys(vec![])
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
})
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
}
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
ClientRequest::NssAccounts => {
debug!("nssaccounts req");
cachelayer
.get_nssaccounts()
V large cleanup
2020-08-04 04:58:11 +02:00
.await
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
.map(ClientResponse::NssAccounts)
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.unwrap_or_else(|_| {
error!("unable to enum accounts");
ClientResponse::NssAccounts(Vec::new())
})
}
ClientRequest::NssAccountByUid(gid) => {
debug!("nssaccountbyuid req");
cachelayer
.get_nssaccount_gid(gid)
.await
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
.map(ClientResponse::NssAccount)
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.unwrap_or_else(|_| {
error!("unable to load account, returning empty.");
ClientResponse::NssAccount(None)
})
}
ClientRequest::NssAccountByName(account_id) => {
debug!("nssaccountbyname req");
cachelayer
.get_nssaccount_name(account_id.as_str())
.await
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
.map(ClientResponse::NssAccount)
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.unwrap_or_else(|_| {
error!("unable to load account, returning empty.");
ClientResponse::NssAccount(None)
})
}
ClientRequest::NssGroups => {
debug!("nssgroups req");
cachelayer
.get_nssgroups()
V large cleanup
2020-08-04 04:58:11 +02:00
.await
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
.map(ClientResponse::NssGroups)
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.unwrap_or_else(|_| {
error!("unable to enum groups");
ClientResponse::NssGroups(Vec::new())
})
}
ClientRequest::NssGroupByGid(gid) => {
debug!("nssgroupbygid req");
cachelayer
.get_nssgroup_gid(gid)
.await
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
.map(ClientResponse::NssGroup)
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.unwrap_or_else(|_| {
error!("unable to load group, returning empty.");
ClientResponse::NssGroup(None)
})
}
ClientRequest::NssGroupByName(grp_id) => {
debug!("nssgroupbyname req");
cachelayer
.get_nssgroup_name(grp_id.as_str())
.await
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
.map(ClientResponse::NssGroup)
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.unwrap_or_else(|_| {
error!("unable to load group, returning empty.");
ClientResponse::NssGroup(None)
})
}
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
ClientRequest::PamAuthenticate(account_id, cred) => {
debug!("pam authenticate");
cachelayer
.pam_account_authenticate(account_id.as_str(), cred.as_str())
.await
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
.map(ClientResponse::PamStatus)
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
.unwrap_or(ClientResponse::Error)
}
ClientRequest::PamAccountAllowed(account_id) => {
debug!("pam account allowed");
cachelayer
.pam_account_allowed(account_id.as_str())
.await
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
2020-06-18 02:30:42 +02:00
.map(ClientResponse::PamStatus)
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
.unwrap_or(ClientResponse::Error)
}
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
ClientRequest::InvalidateCache => {
debug!("invalidate cache");
cachelayer
.invalidate()
V large cleanup
2020-08-04 04:58:11 +02:00
.await
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.map(|_| ClientResponse::Ok)
.unwrap_or(ClientResponse::Error)
}
ClientRequest::ClearCache => {
debug!("clear cache");
cachelayer
.clear_cache()
V large cleanup
2020-08-04 04:58:11 +02:00
.await
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
.map(|_| ClientResponse::Ok)
.unwrap_or(ClientResponse::Error)
}
ClientRequest::Status => {
debug!("status check");
if cachelayer.test_connection().await {
ClientResponse::Ok
} else {
ClientResponse::Error
}
}
};
reqs.send(resp).await?;
reqs.flush().await?;
debug!("flushed response!");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
}
// Disconnect them
debug!("Disconnecting client ...");
Ok(())
}
314 improve async (#316) this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
2020-09-06 00:44:35 +02:00
#[tokio::main(core_threads = 1, max_threads = 1)]
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
async fn main() {
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
let cuid = get_current_uid();
let ceuid = get_effective_uid();
let cgid = get_current_gid();
let cegid = get_effective_gid();
if cuid == 0 || ceuid == 0 || cgid == 0 || cegid == 0 {
eprintln!("Refusing to run - this process must not operate as root.");
std::process::exit(1);
}
Update to disable debug logging
2020-02-16 00:29:48 +01:00
// ::std::env::set_var("RUST_LOG", "kanidm=debug,kanidm_client=debug");
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
env_logger::init();
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
let cfg_path = Path::new("/etc/kanidm/config");
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
let cfg_path_str = match cfg_path.to_str() {
Some(cps) => cps,
None => {
error!("Unable to turn cfg_path to str");
std::process::exit(1);
}
};
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
if cfg_path.exists() {
let cfg_meta = match metadata(&cfg_path) {
Ok(v) => v,
Err(e) => {
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
error!("Unable to read metadata for {} - {:?}", cfg_path_str, e);
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
std::process::exit(1);
}
};
if !cfg_meta.permissions().readonly() {
warn!("permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...",
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
cfg_path_str
);
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
}
if cfg_meta.uid() == cuid || cfg_meta.uid() == ceuid {
warn!("WARNING: {} owned by the current uid, which may allow file permission changes. This could be a security risk ...",
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
cfg_path_str
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
);
}
}
Fix for unixd
2020-10-01 07:31:39 +02:00
let unixd_path = Path::new("/etc/kanidm/unixd");
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
let unixd_path_str = match unixd_path.to_str() {
Some(cps) => cps,
None => {
error!("Unable to turn unixd_path to str");
std::process::exit(1);
}
};
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
if unixd_path.exists() {
let unixd_meta = match metadata(&unixd_path) {
Ok(v) => v,
Err(e) => {
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
error!("Unable to read metadata for {} - {:?}", unixd_path_str, e);
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
std::process::exit(1);
}
};
if !unixd_meta.permissions().readonly() {
warn!("permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...",
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
unixd_path_str);
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
}
if unixd_meta.uid() == cuid || unixd_meta.uid() == ceuid {
warn!("WARNING: {} owned by the current uid, which may allow file permission changes. This could be a security risk ...",
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
unixd_path_str
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
);
}
}
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
// setup
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
let cb = match KanidmClientBuilder::new().read_options_from_optional_config(cfg_path) {
Ok(v) => v,
Err(_) => {
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
error!("Failed to parse {}", cfg_path_str);
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
std::process::exit(1);
}
};
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
let cfg = match KanidmUnixdConfig::new().read_options_from_optional_config(unixd_path) {
Ok(v) => v,
Err(_) => {
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
error!("Failed to parse {}", unixd_path_str);
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
std::process::exit(1);
}
};
20200218 pam (#189) Add support for unix_password handling, and pam authentication for services.
2020-02-29 05:02:14 +01:00
rm_if_exist(cfg.sock_path.as_str());
let cb = cb.connect_timeout(cfg.conn_timeout);
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
let rsclient = match cb.build_async() {
Ok(rsc) => rsc,
Err(_e) => {
error!("Failed to build async client");
std::process::exit(1);
}
};
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
// Check the pb path will be okay.
if cfg.db_path != "" {
let db_path = PathBuf::from(cfg.db_path.as_str());
// We only need to check the parent folder path permissions as the db itself may not
// exist yet.
if let Some(db_parent_path) = db_path.parent() {
if !db_parent_path.exists() {
error!(
"Refusing to run, DB folder {} does not exist",
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
db_parent_path
.to_str()
.unwrap_or_else(|| "<db_parent_path invalid>")
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
);
std::process::exit(1);
}
let db_par_path_buf = db_parent_path.to_path_buf();
let i_meta = match metadata(&db_par_path_buf) {
Ok(v) => v,
Err(e) => {
error!(
"Unable to read metadata for {} - {:?}",
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
db_par_path_buf
.to_str()
.unwrap_or_else(|| "<db_par_path_buf invalid>"),
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
e
);
std::process::exit(1);
}
};
if !i_meta.is_dir() {
error!(
"Refusing to run - DB folder {} may not be a directory",
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
db_par_path_buf
.to_str()
.unwrap_or_else(|| "<db_par_path_buf invalid>")
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
);
std::process::exit(1);
}
if i_meta.permissions().readonly() {
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
warn!("WARNING: DB folder permissions on {} indicate it may not be RW. This could cause the server start up to fail!", db_par_path_buf.to_str()
.unwrap_or_else(|| "<db_par_path_buf invalid>")
);
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
}
if i_meta.mode() & 0o007 != 0 {
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
warn!("WARNING: DB folder {} has 'everyone' permission bits in the mode. This could be a security risk ...", db_par_path_buf.to_str()
.unwrap_or_else(|| "<db_par_path_buf invalid>")
);
Improve server hardening This adds a number of warnings to the server to help administrators make better informed decisions about the security of their environment.
2020-07-28 08:55:58 +02:00
}
}
}
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
let cl_inner = match CacheLayer::new(
cfg.db_path.as_str(), // The sqlite db path
cfg.cache_timeout,
rsclient,
cfg.pam_allowed_login_groups.clone(),
cfg.default_shell.clone(),
cfg.home_prefix.clone(),
cfg.home_attr,
cfg.uid_attr_map,
cfg.gid_attr_map,
)
.await
{
Ok(c) => c,
Err(_e) => {
error!("Failed to build cache layer.");
std::process::exit(1);
}
};
let cachelayer = Arc::new(cl_inner);
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
// Set the umask while we open the path
let before = unsafe { umask(0) };
Xxx clippy outdated (#318) This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
2020-09-08 04:46:10 +02:00
let mut listener = match UnixListener::bind(cfg.sock_path.as_str()) {
Ok(l) => l,
Err(_e) => {
error!("Failed to bind unix socket.");
std::process::exit(1);
}
};
129 nsswitch stage 2 groups (#185) Implements #129, adding the libnss_kanidm.so/dylib, and the related caching parts for properly handling these types.
2020-02-15 01:27:25 +01:00
// Undo it.
let _ = unsafe { umask(before) };
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
Unixd - NXCache of unknown items (#338) Previously we would only cache "hits" - items that kanidm is aware of and did know about. However, this mean querying a raw uid/gid number that was not known to files or kanidm would result in kanidm doing an online check each request. This adds a NXcache to cache misses, so they can be served as misses, faster, and to reduce load on the main kanidm servers. Fixes #336
2020-12-28 00:41:16 +01:00
// TODO: Setup a task that handles pre-fetching here.
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
let server = async move {
let mut incoming = listener.incoming();
while let Some(socket_res) = incoming.next().await {
match socket_res {
Ok(socket) => {
let cachelayer_ref = cachelayer.clone();
Fix format error, fix CI
2020-05-08 02:44:31 +02:00
tokio::spawn(async move {
if let Err(e) = handle_client(socket, cachelayer_ref.clone()).await {
error!("an error occured; error = {:?}", e);
}
});
129 pam nsswitch stage 1 daemon (#179) Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
2020-02-13 00:43:01 +01:00
}
Err(err) => {
error!("Accept error -> {:?}", err);
}
}
}
};
info!("Server started ...");
server.await;
}
Reference in a new issue Copy permalink