Re: Solaris ident authentication using unix domain sockets

From: Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>
To: <pgsql-hackers(at)postgresql(dot)org>, <pgsql-patches(at)postgresql(dot)org>
Subject: Solaris ident authentication using unix domain sockets
Date: 2008-07-03 17:36:28
Message-ID: 20080703173628.GA1697@isc.upenn.edu
Lists: pgsql-hackers pgsql-patches

Hi,
I have a patch that I have been using to support postgresql's
notion of ident authentication when using unix domain sockets on
Solaris. This patch basically just adds support for using
getupeercred() on Solaris so unix sockets and ident auth works just
like it does on Linux and elsewhere.

This was my first attempt wrestling with automake. I've
tested it builds properly after it is applied and autoreconf is run
on RHEL4/Linux/x86. I am using the patch currently on Solaris 10 /
x86.

Garick

diff -cr postgresql_CVS/configure.in postgresql/configure.in
*** postgresql_CVS/configure.in Tue Jun 24 15:52:30 2008
--- postgresql/configure.in Tue Jun 24 15:57:22 2008
***************
*** 1095,1101 ****
AC_FUNC_ACCEPT_ARGTYPES
PGAC_FUNC_GETTIMEOFDAY_1ARG

! AC_CHECK_FUNCS([cbrt dlopen fcvt fdatasync getpeereid getrlimit memmove poll pstat readlink setproctitle setsid sigprocmask symlink sysconf towlower utime utimes waitpid wcstombs])

AC_CHECK_DECLS(fdatasync, [], [], [#include <unistd.h>])
AC_CHECK_DECLS(posix_fadvise, [], [], [#include <fcntl.h>])
--- 1095,1101 ----
AC_FUNC_ACCEPT_ARGTYPES
PGAC_FUNC_GETTIMEOFDAY_1ARG

! AC_CHECK_FUNCS([getpeerucred cbrt dlopen fcvt fdatasync getpeereid getrlimit memmove poll pstat readlink setproctitle setsid sigprocmask symlink sysconf towlower utime utimes waitpid wcstombs])

AC_CHECK_DECLS(fdatasync, [], [], [#include <unistd.h>])
AC_CHECK_DECLS(posix_fadvise, [], [], [#include <fcntl.h>])
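Review bot: getpeerucred is added to AC_CHECK_FUNCS with no accompanying probe for the ucred.h header, although the hba.c part of this patch includes <ucred.h> whenever HAVE_GETPEERUCRED is defined. Add a header check (AC_CHECK_HEADERS with ucred.h) so the include can be guarded on its own result. Style: the function list is otherwise alphabetical, so getpeerucred belongs right after getpeereid rather than at the front.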
diff -cr postgresql_CVS/src/backend/libpq/hba.c postgresql/src/backend/libpq/hba.c
*** postgresql_CVS/src/backend/libpq/hba.c Tue Jun 24 15:52:32 2008
--- postgresql/src/backend/libpq/hba.c Tue Jun 24 15:53:00 2008
***************
*** 25,30 ****
--- 25,33 ----
#include <sys/uio.h>
#include <sys/ucred.h>
#endif
+ #if defined(HAVE_GETPEERUCRED)
+ #include <ucred.h>
+ #endif
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
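Review bot: the #include <ucred.h> is keyed on HAVE_GETPEERUCRED, which is a function test, so a platform that has the function but not the header would fail to compile here even if it ends up using a different credential branch. Guard the include on a header-specific macro (for example HAVE_UCRED_H from a configure header probe) instead.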
***************
*** 1500,1505 ****
--- 1503,1539 ----
strlcpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX + 1);

return true;
+ #elif defined(HAVE_GETPEERUCRED) /* Solaris > 10 */
+ uid_t uid;
+ gid_t gid;
+ struct passwd *pass;
+ int ucred_ok=1;
+ ucred_t *ucred = NULL;
+ if (getpeerucred(sock, &ucred) == -1)
+ ucred_ok = 0;
+ if (ucred_ok && (uid = ucred_geteuid(ucred)) == -1 )
+ ucred_ok = 0;
+ if (ucred_ok && (gid = ucred_getrgid(ucred)) == -1 )
+ ucred_ok = 0;
+ if (ucred)
+ ucred_free(ucred);
+ if (!ucred_ok) {
+ /* We didn't get a valid credentials struct. */
+ ereport(LOG, (
+ "could not get peer credentials: %s",
+ strerror(errno)));
+ return false;
+ }
+ pass = getpwuid(uid);
+ if (pass == NULL)
+ {
+ ereport(LOG,
+ (errmsg("local user with ID %d does not exist",
+ (int) uid)));
+ return false;
+ }
+ strlcpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX + 1);
+ return true;
#elif defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS))
struct msghdr msg;
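Review bot: the ereport() in the failure path passes a bare parenthesised format string and strerror(errno) rather than an errmsg(...) call, unlike the "local user with ID %d does not exist" report just below it; wrap it in errmsg(). errno is also read only after ucred_free() has run, so it may no longer describe the getpeerucred() failure; capture it at the point of failure. gid is fetched with ucred_getrgid() but never used, so that call and variable can be dropped. The new #elif sits ahead of the HAVE_STRUCT_CMSGCRED case, which changes the method chosen on any platform that defines both; placing it after that case keeps existing platforms on their current path. The "Solaris > 10" comment should also say which releases are meant, and the block would read more like the surrounding code with the file's brace and spacing style.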


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>
Cc: pgsql-hackers(at)postgresql(dot)org, pgsql-patches(at)postgresql(dot)org
Subject: Re: Solaris ident authentication using unix domain sockets
Date: 2008-07-03 18:01:22
Message-ID: 5091.1215108082@sss.pgh.pa.us
Lists: pgsql-hackers pgsql-patches

Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu> writes:
> I have a patch that I have been using to support postgresql's
> notion of ident authentication when using unix domain sockets on
> Solaris. This patch basically just adds support for using
> getupeercred() on Solaris so unix sockets and ident auth works just
> like it does on Linux and elsewhere.

Cool.

> + #if defined(HAVE_GETPEERUCRED)
> + #include <ucred.h>
> + #endif

But this is not cool. There might be systems out there that have
getpeerucred() but not <ucred.h>, and this coding would cause a compile
failure (even if they actually wouldn't be trying to use getpeerucred()
because they have some other way to do it). You need an explicit
configure probe for the header file too, I think.

Also, what is the rationale for putting this before the
HAVE_STRUCT_CMSGCRED case instead of after? Again, that seems like it
could cause unexpected behavioral changes on platforms that work fine
now (consider possibility that getpeerucred is there but broken).

regards, tom lane


From: Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "pgsql-patches(at)postgresql(dot)org" <pgsql-patches(at)postgresql(dot)org>
Subject: Re: Solaris ident authentication using unix domain sockets
Date: 2008-07-03 18:55:33
Message-ID: 20080703185533.GA1927@isc.upenn.edu
Lists: pgsql-hackers pgsql-patches

On Thu, Jul 03, 2008 at 02:01:22PM -0400, Tom Lane wrote:
> Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu> writes:
> > I have a patch that I have been using to support postgresql's
> > notion of ident authentication when using unix domain sockets on
> > Solaris. This patch basically just adds support for using
> > getupeercred() on Solaris so unix sockets and ident auth works just
> > like it does on Linux and elsewhere.
>
> Cool.
>
> > + #if defined(HAVE_GETPEERUCRED)
> > + #include <ucred.h>
> > + #endif
>
> But this is not cool. There might be systems out there that have
> getpeerucred() but not <ucred.h>, and this coding would cause a compile
> failure (even if they actually wouldn't be trying to use getpeerucred()
> because they have some other way to do it). You need an explicit
> configure probe for the header file too, I think.
Ok, I can fix that.
>
> Also, what is the rationale for putting this before the
> HAVE_STRUCT_CMSGCRED case instead of after? Again, that seems like it
> could cause unexpected behavioral changes on platforms that work fine
> now (consider possibility that getpeerucred is there but broken).
Good Point, It should be the other way.
>
> regards, tom lane

Thanks,

Garick


From: Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>, pgsql-patches(at)postgresql(dot)org
Subject: Re: Solaris ident authentication using unix domain sockets
Date: 2008-07-05 22:05:57
Message-ID: 200807051805.57381.xzilla@users.sourceforge.net
Lists: pgsql-hackers pgsql-patches

On Thursday 03 July 2008 14:01:22 Tom Lane wrote:
> Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu> writes:
> > I have a patch that I have been using to support postgresql's
> > notion of ident authentication when using unix domain sockets on
> > Solaris. This patch basically just adds support for using
> > getupeercred() on Solaris so unix sockets and ident auth works just
> > like it does on Linux and elsewhere.
>
> Cool.
>

Hmm... I've always been told that Solaris didn't support this because the
Solaris developers feel that IDENT is inherently insecure. If that is more
than just a philosophical opinion, I wonder if there should be additional
hurdles in place to enable this on that platform. Note that isn't an
objection from me, though I'm curious if any of the Sun guys want to chime in
on this.

--
Robert Treat
Build A Brighter LAMP :: Linux Apache {middleware} PostgreSQL


From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>, pgsql-patches(at)postgresql(dot)org
Subject: Re: [PATCHES] Solaris ident authentication using unix domain sockets
Date: 2008-07-05 23:13:32
Message-ID: 4870001C.6060402@dunslane.net
Lists: pgsql-hackers pgsql-patches

Robert Treat wrote:
> On Thursday 03 July 2008 14:01:22 Tom Lane wrote:
>
>> Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu> writes:
>>
>>> I have a patch that I have been using to support postgresql's
>>> notion of ident authentication when using unix domain sockets on
>>> Solaris. This patch basically just adds support for using
>>> getupeercred() on Solaris so unix sockets and ident auth works just
>>> like it does on Linux and elsewhere.
>>>
>> Cool.
>>
>>
>
> Hmm... I've always been told that Solaris didn't support this because the
> Solaris developers feel that IDENT is inherently insecure. If that is more
> than just a philosophical opinion, I wonder if there should be additional
> hurdles in place to enable this on that platform. Note that isn't an
> objection from me, though I'm curious if any of the Sun guys want to chime in
> on this.
>
>

We don't actually use the Ident protocol for Unix sockets on any
platform. AIUI, this patch just implements what we do on platforms like
Linux or *BSD.

cheers

andrew


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-hackers(at)postgresql(dot)org, Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>, pgsql-patches(at)postgresql(dot)org
Subject: Re: [PATCHES] Solaris ident authentication using unix domain sockets
Date: 2008-07-06 04:51:45
Message-ID: 23040.1215319905@sss.pgh.pa.us
Lists: pgsql-hackers pgsql-patches

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> Robert Treat wrote:
>> Hmm... I've always been told that Solaris didn't support this because the
>> Solaris developers feel that IDENT is inherently insecure.

> We don't actually use the Ident protocol for Unix sockets on any
> platform.

Indeed. If the Solaris folk feel that getupeercred() is insecure,
they had better explain why their kernel is that broken. This is
entirely unrelated to the known shortcomings of the "ident" IP
protocol.

regards, tom lane


From: Josh Berkus <josh(at)agliodbs(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>, pgsql-patches(at)postgresql(dot)org
Subject: Re: [PATCHES] Solaris ident authentication using unix domain sockets
Date: 2008-07-08 16:35:32
Message-ID: 200807080935.33186.josh@agliodbs.com
Lists: pgsql-hackers pgsql-patches

Tom,

> Indeed. If the Solaris folk feel that getupeercred() is insecure,
> they had better explain why their kernel is that broken. This is
> entirely unrelated to the known shortcomings of the "ident" IP
> protocol.

The Solaris security & kernel folks do, actually. However, there's no
question that TRUST is inherently insecure, and that's what people are going
to use if they can't get IDENT to work.

--
Josh Berkus
PostgreSQL @ Sun
San Francisco


From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Josh Berkus <josh(at)agliodbs(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>, pgsql-patches(at)postgresql(dot)org
Subject: Re: [PATCHES] Solaris ident authentication using unix domain sockets
Date: 2008-07-08 17:34:01
Message-ID: 4873A509.7050202@dunslane.net
Lists: pgsql-hackers pgsql-patches

Josh Berkus wrote:
> Tom,
>
>
>> Indeed. If the Solaris folk feel that getupeercred() is insecure,
>> they had better explain why their kernel is that broken. This is
>> entirely unrelated to the known shortcomings of the "ident" IP
>> protocol.
>>
>
> The Solaris security & kernel folks do, actually. However, there's no
> question that TRUST is inherently insecure, and that's what people are going
> to use if they can't get IDENT to work.
>
>

I think I'd pose a slightly different question from Tom. Do the Solaris
devs think that their getupeercred() is more insecure than the more or
less equivalent calls that we are doing on Linux and *BSD for example? I
suspect they probably don't ;-)

cheers

andrew


From: "Florian G(dot) Pflug" <fgp(at)phlo(dot)org>
To: Josh Berkus <josh(at)agliodbs(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>, pgsql-patches(at)postgresql(dot)org
Subject: Re: [PATCHES] Solaris ident authentication using unix domain sockets
Date: 2008-07-08 19:12:40
Message-ID: 4873BC28.3070507@phlo.org
Lists: pgsql-hackers pgsql-patches

Josh Berkus wrote:
> Tom,
>
>> Indeed. If the Solaris folk feel that getupeercred() is insecure,
>> they had better explain why their kernel is that broken. This is
>> entirely unrelated to the known shortcomings of the "ident" IP
>> protocol.
>
> The Solaris security & kernel folks do, actually. However, there's
> no question that TRUST is inherently insecure, and that's what people
> are going to use if they can't get IDENT to work.

I'd be *very* interested in how they come to that assessment. I'd have
thought that the only alternative to getpeereid/getupeercred is
password-based or certificate-based authentication - which seem *less*
secure because a) they also rely on the client having the correct uid
or gid (to read the password/private key), plus b) the risk of the
password/private key getting into the wrong hands.

How is that sort of authentication handled by services shipping with Solaris?

regards, Florian Pflug, hoping to be enlightened beyond his limited
posix-ish view of the world...


From: Josh Berkus <josh(at)agliodbs(dot)com>
To: "Florian G(dot) Pflug" <fgp(at)phlo(dot)org>
Cc: pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>, pgsql-patches(at)postgresql(dot)org
Subject: Re: [PATCHES] Solaris ident authentication using unix domain sockets
Date: 2008-07-09 17:55:24
Message-ID: 4874FB8C.9090701@agliodbs.com
Lists: pgsql-hackers pgsql-patches

Florian,

> I'd be *very* interested in how they come to that assessment. I'd have
> thought that the only alternative to getpeereid/getupeercred is
> password-based or certificate-based authentication - which seem *less*
> secure because a) they also rely on the client having the correct uid
> or gid (to read the password/private key), plus b) the risk of the
> password/private key getting into the wrong hands.

*shrug* don't ask me. I don't agree with the policy, I can hardly
defend it.

--Josh


From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "pgsql-patches(at)postgresql(dot)org" <pgsql-patches(at)postgresql(dot)org>
Subject: Re: [HACKERS] Solaris ident authentication using unix domain sockets
Date: 2008-08-22 17:27:58
Message-ID: 200808221727.m7MHRwP09711@momjian.us
Lists: pgsql-hackers pgsql-patches

Garick Hamlin wrote:
> On Thu, Jul 03, 2008 at 02:01:22PM -0400, Tom Lane wrote:
> > Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu> writes:
> > > I have a patch that I have been using to support postgresql's
> > > notion of ident authentication when using unix domain sockets on
> > > Solaris. This patch basically just adds support for using
> > > getupeercred() on Solaris so unix sockets and ident auth works just
> > > like it does on Linux and elsewhere.
> >
> > Cool.
> >
> > > + #if defined(HAVE_GETPEERUCRED)
> > > + #include <ucred.h>
> > > + #endif
> >
> > But this is not cool. There might be systems out there that have
> > getpeerucred() but not <ucred.h>, and this coding would cause a compile
> > failure (even if they actually wouldn't be trying to use getpeerucred()
> > because they have some other way to do it). You need an explicit
> > configure probe for the header file too, I think.
> Ok, I can fix that.

Garick, have you made any progress on an updated patch?

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +


From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Solaris ident authentication using unix domain sockets
Date: 2008-11-18 13:15:41
Message-ID: 4922BFFD.80108@gmx.net
Lists: pgsql-hackers pgsql-patches

Garick Hamlin wrote:
> I have a patch that I have been using to support postgresql's
> notion of ident authentication when using unix domain sockets on
> Solaris. This patch basically just adds support for using
> getupeercred() on Solaris so unix sockets and ident auth works just
> like it does on Linux and elsewhere.

I have committed a refined patch based on yours.