From f52991303bbbbc9132b0587d2a92ad2763e40ecf Mon Sep 17 00:00:00 2001 From: Rick van Rein Date: Thu, 24 Jun 2021 09:30:07 +0000 Subject: [PATCH 1/3] Issue #40, install as SETGID where appropriate - Use a _dedicated_ group a2ruledb - Running as that group, we fully control how the data is accessible - It is possible to setup the database accessible to that group only - Note: LD_LIBRARY_PATH cannot be used anymore due to SETGID --- doc/man/a2rule.man | 17 +++++++++++++--- src/tool/CMakeLists.txt | 44 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 3 deletions(-) diff --git a/doc/man/a2rule.man b/doc/man/a2rule.man index fc6145d..05270bc 100644 --- a/doc/man/a2rule.man +++ b/doc/man/a2rule.man @@ -164,6 +164,18 @@ expected to be problematic in practice. The administrator account should be protected from dumping those environment variables; online services should not set them and at most configure a Service Key. +.TP +\fBARPA2_SERVICEKEY\fR +holds the Service Key in hexadecimal form. This may be setup +in an environment that runs a particular service, be it a +large daemon or a partial program on its behalf. It is used +in the \fBruleset\fR subcommand. +.br +This variable may change or disappear in future versions, +because its value varies with Access Domain and Access Type, +but neither have to be provided and therefore a single +variable name is used. This reduces the practical use of +this variable. .PP While running .BR a2rule , @@ -547,9 +559,8 @@ for interaction with Policy Rules: .TP .BI "servicekey " hexkey provides the Service Key available to the service for which -the request is being made. When not present, an attempt -will be made to locate an environment variable instead, -named \fBARPA2_SERVICEKEY\fR. +the request is being made. When not present, it will be +loaded from an environment variable \fBARPA2_SERVICEKEY\fR. .TP .BI "name " rules_name provides the Rules Name, which is an UTF-8 string with a diff --git a/src/tool/CMakeLists.txt b/src/tool/CMakeLists.txt index 3bf0f79..d2f3293 100644 --- a/src/tool/CMakeLists.txt +++ b/src/tool/CMakeLists.txt @@ -20,3 +20,47 @@ target_link_libraries(a2rule PRIVATE identity access util_static) install (TARGETS a2id-keygen a2id-loadkey a2rule RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}) + +# +# CMake installs to owner/group 0, but the group should be one +# dedicated to the ARPA2 Policy Rules database, "a2ruledb". +# We do that here as a post-install fix. +# +# We install a2rule with SETGID to the a2ruledb group, to control +# that changes to the database are only made by a2rule. Do not +# let programs or users into this group unless they are trusted +# to always update the database poperly, starting from whatever +# key they have been assigned, or from a password. +# +# Using no password means that any user can change any rule. +# Still, that only applies to the password-less portion; there +# is a distinct tree of Policy Rules for distinct passwords. +# +# Starting with a password allows users to create their own +# section in the database of Policy Rules. Starting from a +# Domain Key (for domain admins) or Service Key (for services) +# allows the entry into a controlled part of password-protected +# trees of Policy Rules. +# +# See: https://gitlab.com/arpa2/arpa2common/-/issues/40 +# +set (POST_INSTALL ) +if (WIN32) + message (STATUS "Windows has no control over proper access to the Rules DB") +else (WIN32) + execute_process (COMMAND getent passwd a2ruledb OUTPUT_QUIET RESULT_VARIABLE _EXIT_PASSWD) + execute_process (COMMAND getent group a2ruledb OUTPUT_QUIET RESULT_VARIABLE _EXIT_GROUP ) + if (${_EXIT_PASSWD} EQUAL 0 AND ${_EXIT_GROUP} EQUAL 0) + #MANUAL_BY_ADMIN# list (APPEND POST_INSTALL "useradd --system a2ruledb") + list (APPEND POST_INSTALL "execute_process(COMMAND chown a2ruledb:a2ruledb $ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}/a2rule)") + list (APPEND POST_INSTALL "execute_process(COMMAND chmod g+s $ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}/a2rule)") + else () + message (STATUS "Installing without the protection of a dedicated userid and group \"a2ruledb\" for the RuleDB") + endif () +endif (WIN32) + +foreach (_CMD ${POST_INSTALL}) + message (STATUS "Will run ${_CMD} during installation") + install (CODE ${_CMD}) +endforeach (_CMD in POST_INSTALL) + -- GitLab From ee238c2cc19c6d1a080f401bedc47266f7466eb8 Mon Sep 17 00:00:00 2001 From: Rick van Rein Date: Thu, 24 Jun 2021 22:33:17 +0000 Subject: [PATCH 2/3] Fixed flawed "a2rule docu" parsing - Combinations were wickedly mixed up - Clash between "domainkey" and "domain" keywords [known limitation] - Renamed "domainkey" and "servicekey" to "dbdomkey" and "dbsvckey" --- doc/man/a2rule.man | 8 +-- src/tool/a2rule.c | 166 +++++++++++++++++++++++--------------------- src/tool/grammar.h | 19 +++-- src/util/cmdparse.c | 3 + 4 files changed, 100 insertions(+), 96 deletions(-) diff --git a/doc/man/a2rule.man b/doc/man/a2rule.man index 05270bc..197279f 100644 --- a/doc/man/a2rule.man +++ b/doc/man/a2rule.man @@ -60,7 +60,7 @@ remote \fIremote@domain\fR .RE .PP .B a2rule -rules add|set [ \fIdbsetup\fR ] servicekey \fIservicekey\fR +rules add|set [ \fIdbsetup\fR ] dbsvckey \fIhexkey\fR .RS [type \fIrules_type\fR] name \fIrules_name\fR .br @@ -68,7 +68,7 @@ rules add|set [ \fIdbsetup\fR ] servicekey \fIservicekey\fR .RE .PP .B a2rule -rules get|del [ \fIdbsetup\fR ] servicekey \fIservicekey\fR +rules get|del [ \fIdbsetup\fR ] dbsvckey \fIhexkey\fR .RS [type \fIrules_type\fR] name \fIrules_name\fR .br @@ -126,7 +126,7 @@ certain source without hampering any others. The default trunk number 0 is advised for manual operations. .TP -.BI "domainkey " hexkey +.BI "dbdomkey " hexkey provides the Domain Key from which domain admins may access settings for their domain without seeing those in others. This is a lesser grant than the \fBdbsecret\fR provides. @@ -557,7 +557,7 @@ a level where a Service Key must be presented. The following arguments can be provided on the commandline for interaction with Policy Rules: .TP -.BI "servicekey " hexkey +.BI "dbsvckey " hexkey provides the Service Key available to the service for which the request is being made. When not present, it will be loaded from an environment variable \fBARPA2_SERVICEKEY\fR. diff --git a/src/tool/a2rule.c b/src/tool/a2rule.c index ee61a60..4b800be 100644 --- a/src/tool/a2rule.c +++ b/src/tool/a2rule.c @@ -55,9 +55,9 @@ static const char ruleset_addset_usage [] = "[dbtrunk NUM] servicekey SECRET\n" "[type TYPE] name NAME [selector ARPA2SEL] rule RULE"; static const uint32_t ruleset_addset_combis [] = { - /* Require SERVICEKEY, NAME and RULE */ - FLAG_SERVICEKEY | FLAG_NAME | FLAG_RULE, - FLAG_SERVICEKEY | FLAG_NAME | FLAG_RULE, + /* Require DBSVCKEY, NAME and RULE */ + FLAG_DBSVCKEY | FLAG_NAME | FLAG_RULE, + FLAG_DBSVCKEY | FLAG_NAME | FLAG_RULE, /* end marker */ 0 }; @@ -68,7 +68,7 @@ static const struct cmdparse_grammar ruleset_addset_grammar = { // NO_dbname "dbtrunk", // dbtrunk NULL, // dbsecret - NULL, // domainkey + NULL, // dbdomkey "servicekey", // servicekey // NO_objtype "name", // local @@ -91,9 +91,9 @@ static const char ruleset_delget_usage [] = "[dbtrunk NUM] servicekey SECRET\n" "[type TYPE] name NAME [selector ARPA2SEL] [rule RULE]"; static const uint32_t ruleset_delget_combis [] = { - /* Require SERVICEKEY and NAME */ - FLAG_SERVICEKEY | FLAG_NAME, - FLAG_SERVICEKEY | FLAG_NAME, + /* Require DBSVCKEY and NAME */ + FLAG_DBSVCKEY | FLAG_NAME, + FLAG_DBSVCKEY | FLAG_NAME, /* end marker */ 0 }; @@ -104,7 +104,7 @@ static const struct cmdparse_grammar ruleset_delget_grammar = { // NO_dbname "dbtrunk", // dbtrunk NULL, // dbsecret - NULL, // domainkey + NULL, // dbdomkey "servicekey", // servicekey // NO_objtype "name", // local @@ -130,16 +130,16 @@ static const char comm_usage [] = "... Manages Communication Access:\n" "comm get ... Retrieve the rules that match the attributes\n" "comm del ... Delete those rules that match the attributes"; -static const char comm_addset_usage [] = "[dbtrunk NUM] [domainkey SECRET]\n" +static const char comm_addset_usage [] = "[dbtrunk NUM] [dbdomkey SECRET]\n" "local ARPA2ID remote ARPA2SEL (list LIST|rights LETTERS)\n" "[alias|endalias ALIAS] [signflags LETTERS]\n" - "[newuserid USERID] [newalias ALIAS] [actorid ACTORID]"; + "[newuserid NEWUSERID] [newalias ALIAS] [actorid ACTORID]"; static const uint32_t comm_addset_combis [] = { - /* Allow DBSECRET or DOMAINKEY, but not both */ - FLAG_DBSECRET | FLAG_DOMAINKEY, 0, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DBSECRET, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DOMAINKEY, + /* Allow DBSECRET or DBDOMKEY, but not both */ + FLAG_DBSECRET | FLAG_DBDOMKEY, 0, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBSECRET, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBDOMKEY, /* Require LOCAL, REMOTE */ FLAG_LOCAL | FLAG_REMOTE, FLAG_LOCAL | FLAG_REMOTE, /* Allow ALIAS or ENDALIAS, but not both */ @@ -159,7 +159,7 @@ static const struct cmdparse_grammar comm_addset_grammar = { // NO_dbname "dbtrunk", // dbtrunk "dbsecret", // dbsecret - "domainkey", // domainkey + "dbdomkey", // dbdomkey NULL, // servicekey // NO_objtype "local", // local @@ -178,14 +178,14 @@ static const struct cmdparse_grammar comm_addset_grammar = { .combinations = comm_addset_combis, }; -static const char comm_delget_usage [] = "[dbtrunk NUM] [domainkey SECRET]\n" +static const char comm_delget_usage [] = "[dbtrunk NUM] [dbdomkey SECRET]\n" "local ARPA2ID remote ARPA2SEL [alias|endalias ALIAS] [signflags LETTERS]"; static const uint32_t comm_delget_combis [] = { - /* Allow DBSECRET or DOMAINKEY, but not both */ - FLAG_DBSECRET | FLAG_DOMAINKEY, 0, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DBSECRET, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DOMAINKEY, + /* Allow DBSECRET or DBDOMKEY, but not both */ + FLAG_DBSECRET | FLAG_DBDOMKEY, 0, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBSECRET, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBDOMKEY, /* Require LOCAL, REMOTE */ FLAG_LOCAL | FLAG_REMOTE, FLAG_LOCAL | FLAG_REMOTE, /* Allow ALIAS or ENDALIAS, but not both */ @@ -202,7 +202,7 @@ static const struct cmdparse_grammar comm_delget_grammar = { // NO_dbname "dbtrunk", // dbtrunk "dbsecret", // dbsecret - "domainkey", // domainkey + "dbdomkey", // dbdomkey NULL, // servicekey // NO_objtype "local", // local @@ -228,16 +228,16 @@ static const struct cmdparse_grammar comm_delget_grammar = { * remote * rights [actorid ] * - * a2rule docu add|set domain volume - * [user ] [path ] + * a2rule docu add|set domain + * volume [path ] * remote * rights [actorid ] * * a2rule docu del|get domain collection * remote * - * a2rule docu del|get domain volume - * [userid ] [path ] + * a2rule docu del|get domain + * volume [path ] * remote */ @@ -247,24 +247,25 @@ static const char docu_usage [] = "... Manages Document Access:\n" "docu get ... Retrieve access information for a remote to a document\n" "docu del ... Delete access information for a remote on a document"; -static const char docu_addset_usage [] = "[dbtrunk NUM] [domainkey SECRET]\n" - "domain LOCAL.DOMAIN ( collection UUID |\n" - " volume VOLUME [userid USERID] [path PATH] )\n" +static const char docu_addset_usage [] = "[dbtrunk NUM] [dbdomkey SECRET]\n" + "domain LOCAL.DOMAIN ( collection UUID | volume VOLUME [path PATH] )\n" "remote RUSER@REMOTE.DOMAIN rights RIGHTS [actorid ACTORID]"; static const uint32_t docu_addset_combis [] = { - /* Allow DBSECRET or DOMAINKEY, but not both */ - FLAG_DBSECRET | FLAG_DOMAINKEY, 0, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DBSECRET, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DOMAINKEY, + /* Allow DBSECRET or DBDOMKEY, but not both */ + FLAG_DBSECRET | FLAG_DBDOMKEY, 0, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBSECRET, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBDOMKEY, /* always require DOMAIN, REMOTE, RIGHTS */ FLAG_DOMAIN | FLAG_REMOTE | FLAG_RIGHTS, FLAG_DOMAIN | FLAG_REMOTE | FLAG_RIGHTS, - /* require COLLECTION or VOLUME. COLLECTION forbids USERID, PATH */ - FLAG_COLLECTION | FLAG_VOLUME | FLAG_USERID | FLAG_PATH, - FLAG_COLLECTION, - FLAG_COLLECTION | FLAG_VOLUME, - FLAG_VOLUME, + /* require COLLECTION or VOLUME. COLLECTION forbids PATH */ + FLAG_COLLECTION | FLAG_VOLUME | FLAG_PATH, + FLAG_COLLECTION , + FLAG_COLLECTION | FLAG_VOLUME | FLAG_PATH, + FLAG_VOLUME , + FLAG_COLLECTION | FLAG_VOLUME | FLAG_PATH, + FLAG_VOLUME | FLAG_PATH, /* end marker */ 0 }; @@ -275,7 +276,7 @@ static const struct cmdparse_grammar docu_addset_grammar = { // NO_dbname "dbtrunk", // dbtrunk "dbsecret", // dbsecret - "domainkey", // domainkey + "dbdomkey", // dbdomkey NULL, // servicekey // NO_objtype "domain", // local==domain @@ -283,7 +284,7 @@ static const struct cmdparse_grammar docu_addset_grammar = { "collection", // iterate==collection "rights", // rights NULL, // list - "userid", // alias==userid + NULL, // alias NULL, // endalias "path", // signflags==path NULL, // newuserid @@ -294,25 +295,31 @@ static const struct cmdparse_grammar docu_addset_grammar = { .combinations = docu_addset_combis, }; -static const char docu_delget_usage [] = "[dbtrunk NUM] [domainkey SECRET]\n" - "domain LOCAL.DOMAIN ( collection UUID |\n" - " volume VOLUME [userid USERID] [path PATH] )\n" +static const char docu_delget_usage [] = "[dbtrunk NUM] [dbdomkey SECRET]\n" + "domain LOCAL.DOMAIN ( collection UUID | volume VOLUME [path PATH] )\n" "remote RUSER@REMOTE.DOMAIN"; static const uint32_t docu_delget_combis [] = { - /* Allow DBSECRET or DOMAINKEY, but not both */ - FLAG_DBSECRET | FLAG_DOMAINKEY, 0, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DBSECRET, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DOMAINKEY, + /* Allow DBSECRET or DBDOMKEY, but not both */ + FLAG_DBSECRET | FLAG_DBDOMKEY, 0, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBSECRET, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBDOMKEY, /* always require DOMAIN, REMOTE */ FLAG_DOMAIN | FLAG_REMOTE, FLAG_DOMAIN | FLAG_REMOTE, - /* require COLLECTION or VOLUME. COLLECTION forbids USERID, PATH */ - FLAG_COLLECTION | FLAG_VOLUME | FLAG_USERID | FLAG_PATH, - FLAG_COLLECTION, - FLAG_COLLECTION | FLAG_VOLUME, - FLAG_VOLUME, + /* require COLLECTION or VOLUME. COLLECTION forbids PATH */ + FLAG_COLLECTION | FLAG_VOLUME | FLAG_PATH, + FLAG_COLLECTION , + FLAG_COLLECTION | FLAG_VOLUME | FLAG_PATH, + FLAG_VOLUME , + FLAG_COLLECTION | FLAG_VOLUME | FLAG_PATH, + FLAG_VOLUME | FLAG_PATH, + /* and, because we added PATH to the goal, allow it in any form */ + FLAG_PATH, + 0, + FLAG_PATH, + FLAG_PATH, /* end marker */ 0 }; @@ -323,7 +330,7 @@ static const struct cmdparse_grammar docu_delget_grammar = { // NO_dbname "dbtrunk", // dbtrunk "dbsecret", // dbsecret - "domainkey", // domainkey + "dbdomkey", // dbdomkey NULL, // servicekey // NO_objtype "domain", // local==domain @@ -331,7 +338,7 @@ static const struct cmdparse_grammar docu_delget_grammar = { "collection", // iterate==collection NULL, // rights NULL, // list - "userid", // alias==userid + NULL, // alias NULL, // endalias "path", // signflags==path NULL, // newuserid @@ -362,14 +369,14 @@ static const char group_usage [] = "... Manages Members of ARPA2 Groups:\n" "group get ... Retrieve the member that matches the attributes\n" "group del ... Delete those member that matches the attributes"; -static const char group_addset_usage [] = "[dbtrunk NUM] [domainkey SECRET]\n" +static const char group_addset_usage [] = "[dbtrunk NUM] [dbdomkey SECRET]\n" "member GROUP+MEMBER@DOMAIN identity RUSER@REMOTE.DOMAIN marks MARKS"; static const uint32_t group_addset_combis [] = { - /* Allow DBSECRET or DOMAINKEY, but not both */ - FLAG_DBSECRET | FLAG_DOMAINKEY, 0, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DBSECRET, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DOMAINKEY, + /* Allow DBSECRET or DBDOMKEY, but not both */ + FLAG_DBSECRET | FLAG_DBDOMKEY, 0, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBSECRET, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBDOMKEY, /* Require MEMBER and IDENTITY */ FLAG_MEMBER | FLAG_IDENTITY, FLAG_MEMBER | FLAG_IDENTITY, /* Require MARKS */ @@ -384,7 +391,7 @@ static const struct cmdparse_grammar group_addset_grammar = { // NO_dbname "dbtrunk", // dbtrunk "dbsecret", // dbsecret - "domainkey", // domainkey + "dbdomkey", // dbdomkey NULL, // servicekey // NO_objtype "member", // local==member @@ -404,14 +411,14 @@ static const struct cmdparse_grammar group_addset_grammar = { }; -static const char group_delget_usage [] = "[dbtrunk NUM] [domainkey SECRET]\n" +static const char group_delget_usage [] = "[dbtrunk NUM] [dbdomkey SECRET]\n" "member GROUP+MEMBER@DOMAIN"; static const uint32_t group_delget_combis [] = { - /* Allow DBSECRET or DOMAINKEY, but not both */ - FLAG_DBSECRET | FLAG_DOMAINKEY, 0, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DBSECRET, - FLAG_DBSECRET | FLAG_DOMAINKEY, FLAG_DOMAINKEY, + /* Allow DBSECRET or DBDOMKEY, but not both */ + FLAG_DBSECRET | FLAG_DBDOMKEY, 0, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBSECRET, + FLAG_DBSECRET | FLAG_DBDOMKEY, FLAG_DBDOMKEY, /* Require MEMBER */ FLAG_MEMBER, FLAG_MEMBER, /* end marker */ @@ -424,7 +431,7 @@ static const struct cmdparse_grammar group_delget_grammar = { // NO_dbname "dbtrunk", // dbtrunk "dbsecret", // dbsecret - "domainkey", // domainkey + "dbdomkey", // dbdomkey NULL, // servicekey // NO_objtype "member", // local==member @@ -562,8 +569,8 @@ bool a2rule_dbopen (struct rules_db *rdb, // Take in the Database Secret, Domain Key or Service Key char *dbsecret = prs->VAL_DBSECRET; unsigned dbsecretlen = (dbsecret != NULL) ? strlen (dbsecret) : 0; - char *domain_key = prs->VAL_DOMAINKEY; - char *service_key = prs->VAL_SERVICEKEY; + char *domain_key = prs->VAL_DBDOMKEY; + char *service_key = prs->VAL_DBSVCKEY; // // Fallback on ARPA2_DOMAINKEY_ for the Domain Key if ((dbsecret == NULL) && (domain_key == NULL) && (service_key == NULL)) { @@ -1017,8 +1024,8 @@ bool match_comm (cbrulematchdata_t *cbdata, char *rule) { * * The other elements of documents have been confirmed via * database lookup; the domain, the colloction or volume with - * optional userid and optional path, as well as the full - * full remote selector have been incorporated. + * optional path, as well as the full full remote selector have + * been incorporated. */ bool match_docu (cbrulematchdata_t *cbdata, char *rule) { return true; @@ -1120,9 +1127,9 @@ bool ruleset_ops (opcode_t opcode, struct cmdparser *prs, const char *usage, int } // // Parse the Service Key, or get it from the environment - if (prs->VAL_SERVICEKEY == NULL) { - prs->VAL_SERVICEKEY = getenv (svckey_envvar); - if (prs->VAL_SERVICEKEY == NULL) { + if (prs->VAL_DBSVCKEY == NULL) { + prs->VAL_DBSVCKEY = getenv (svckey_envvar); + if (prs->VAL_DBSVCKEY == NULL) { fprintf (stderr, "Service Key not in $%s\n", svckey_envvar); return false; } @@ -1429,6 +1436,7 @@ bool docu_ops (opcode_t opcode, struct cmdparser *prs, const char *usage, int ar bool ok = true; // // Parse argv[] +#if 0 if (opcode <= OPCODE_LAST_CREATOR) { ok = ok && comm_list2rights (prs); } @@ -1436,6 +1444,7 @@ bool docu_ops (opcode_t opcode, struct cmdparser *prs, const char *usage, int ar cmdparse_usage (usage, 2, argv); return false; } +#endif // // The Access Name is for a collection or a volume unsigned namelen = 10; @@ -1460,10 +1469,7 @@ bool docu_ops (opcode_t opcode, struct cmdparser *prs, const char *usage, int ar // Count the volume name namelen += strlen (prs->VAL_VOLUME); // - // Count the optional user and path - if (prs->VAL_USERID != NULL) { - namelen += strlen (prs->VAL_USERID); - } + // Count the optional path if (prs->VAL_PATH != NULL) { namelen += strlen (prs->VAL_PATH); } @@ -1493,10 +1499,8 @@ bool docu_ops (opcode_t opcode, struct cmdparser *prs, const char *usage, int ar } } // - // The form is "//[@]/" - namelen = sprintf ("//%s%s%s/%s", - (prs->VAL_USERID != NULL) ? prs->VAL_USERID : "", - (prs->VAL_USERID != NULL) ? "@" : "", + // The form is "///" + namelen = sprintf (namebuf, "//%s/%s", prs->VAL_VOLUME , (prs->VAL_PATH != NULL) ? prs->VAL_PATH : ""); } @@ -1663,7 +1667,7 @@ bool group_ops (opcode_t opcode, struct cmdparser *prs, const char *usage, int a unsigned memberlen = member.ofs [A2ID_OFS_PLUS_SIG] - member.ofs [A2ID_OFS_ALIASES]; char *domain = member.txt + member.ofs [A2ID_OFS_DOMAIN]; // - // Open ACLdb, using dbtrunk, dbsecret, domainkey as needed + // Open ACLdb, using dbtrunk, dbsecret, dbdomkey as needed struct rules_db ruledb; MDB_val olddata; if (!a2rule_dbopen (&ruledb, opcode, diff --git a/src/tool/grammar.h b/src/tool/grammar.h index 48afee5..2f92774 100644 --- a/src/tool/grammar.h +++ b/src/tool/grammar.h @@ -13,8 +13,8 @@ enum parse_variables { //NO_DBNAME, /* Database name in envdir, default NULL */ VAR_DBTRUNK, /* Default 0, overlay database versions for DUP_SORT */ VAR_DBSECRET, /* Scatter/encryption key, default none */ - VAR_DOMAINKEY, /* Domain Key, used by domain admins instead DBsecret */ - VAR_SERVICEKEY, /* Service Key, used by service providers */ + VAR_DBDOMKEY, /* Domain Key, used by domain admins instead DBsecret */ + VAR_DBSVCKEY, /* Service Key, used by service providers */ /* For selecting the database lookup keys: */ //NO_OBJTYPE, /* For instance "communication" (or abbreviations) */ @@ -45,7 +45,6 @@ enum parse_variables { /* Changes for documents */ #define VAR_DOMAIN VAR_LOCAL #define VAR_COLLECTION VAR_ITERATE -#define VAR_USERID VAR_ALIAS #define VAR_PATH VAR_SIGNFLAGS #define VAR_VOLUME VAR_NEWALIAS @@ -72,8 +71,8 @@ enum parse_variables { // #define VAL_DBNAME values [VAR_DBNAME] #define VAL_DBTRUNK values [VAR_DBTRUNK] #define VAL_DBSECRET values [VAR_DBSECRET] -#define VAL_DOMAINKEY values [VAR_DOMAINKEY] -#define VAL_SERVICEKEY values [VAR_SERVICEKEY] +#define VAL_DBDOMKEY values [VAR_DBDOMKEY] +#define VAL_DBSVCKEY values [VAR_DBSVCKEY] // #define VAL_OBJTYPE values [VAR_OBJTYPE] #define VAL_LOCAL values [VAR_LOCAL] #define VAL_REMOTE values [VAR_REMOTE] @@ -93,9 +92,8 @@ enum parse_variables { #define VAL_MARKS values [VAR_RIGHTS] /* Changes for documents */ -#define VAL_DOMAIN values [VAR_LOCAL] -#define VAL_COLLECTION values [VAR_ITERATE] -#define VAL_USERID values [VAR_ALIAS] +#define VAL_DOMAIN values [VAR_DOMAIN] +#define VAL_COLLECTION values [VAR_COLLECTION] #define VAL_PATH values [VAR_SIGNFLAGS] #define VAL_VOLUME values [VAR_NEWALIAS] @@ -111,8 +109,8 @@ enum parse_variables { // #define FLAG_DBNAME (1 << VAR_DBNAME ) #define FLAG_DBTRUNK (1 << VAR_DBTRUNK ) #define FLAG_DBSECRET (1 << VAR_DBSECRET ) -#define FLAG_DOMAINKEY (1 << VAR_DOMAINKEY) -#define FLAG_SERVICEKEY (1 << VAR_SERVICEKEY) +#define FLAG_DBDOMKEY (1 << VAR_DBDOMKEY ) +#define FLAG_DBSVCKEY (1 << VAR_DBSVCKEY ) // #define FLAG_OBJTYPE (1 << VAR_OBJTYPE ) #define FLAG_LOCAL (1 << VAR_LOCAL ) #define FLAG_REMOTE (1 << VAR_REMOTE ) @@ -134,7 +132,6 @@ enum parse_variables { /* Changes for documents */ #define FLAG_DOMAIN (1 << VAR_DOMAIN ) #define FLAG_COLLECTION (1 << VAR_COLLECTION) -#define FLAG_USERID (1 << VAR_USERID ) #define FLAG_PATH (1 << VAR_PATH ) #define FLAG_VOLUME (1 << VAR_VOLUME ) diff --git a/src/util/cmdparse.c b/src/util/cmdparse.c index 89f9d9a..fe252f3 100644 --- a/src/util/cmdparse.c +++ b/src/util/cmdparse.c @@ -108,7 +108,9 @@ bool cmdparse_combinations (struct cmdparser *prs) { // // Iterate over mask/value pairs (if any given) if (pairs != NULL) { + log_debug ("Combinations: have = %08x", prs->combination); while (*pairs != 0) { + log_debug ("Combinations: mask = %08x, value = %08x", pairs [0], pairs [1]); // // Take note of the mask as a goal goal |= pairs [0]; @@ -117,6 +119,7 @@ bool cmdparse_combinations (struct cmdparser *prs) { if ((prs->combination & pairs [0]) == pairs [1]) { score |= pairs [0]; } + log_debug ("Combinations: goal = %08x, score = %08x", goal, score); // // Next mask/value pair pairs += 2; -- GitLab From bb43c98f7144ae820759c3c76d787f19d42d7846 Mon Sep 17 00:00:00 2001 From: Rick van Rein Date: Thu, 24 Jun 2021 22:41:06 +0000 Subject: [PATCH 3/3] Allow setting the dedicated group/username - Usually "a2ruledb" --- CMakeLists.txt | 5 +++++ src/tool/CMakeLists.txt | 14 +++++++------- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 2c691ec..2a0b908 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -116,6 +116,11 @@ feature_summary( FATAL_ON_MISSING_REQUIRED_PACKAGES QUIET_ON_EMPTY) +if(NOT WIN32) + set(A2RULEDB_DEDICATED_GROUP "a2dbrule" CACHE STRING + "Dedicated group/username for ARPA2 Rule DB access (create before installing)") +endif(NOT WIN32) + ### LIBRARIES AND EXECUTABLE # # diff --git a/src/tool/CMakeLists.txt b/src/tool/CMakeLists.txt index d2f3293..0b2efe1 100644 --- a/src/tool/CMakeLists.txt +++ b/src/tool/CMakeLists.txt @@ -45,17 +45,17 @@ install (TARGETS a2id-keygen a2id-loadkey a2rule # See: https://gitlab.com/arpa2/arpa2common/-/issues/40 # set (POST_INSTALL ) -if (WIN32) - message (STATUS "Windows has no control over proper access to the Rules DB") +if (WIN32 OR NOT A2RULEDB_DEDICATED_GROUP) + message (STATUS "Skipping control over dedicated-group access to the Rules DB") else (WIN32) - execute_process (COMMAND getent passwd a2ruledb OUTPUT_QUIET RESULT_VARIABLE _EXIT_PASSWD) - execute_process (COMMAND getent group a2ruledb OUTPUT_QUIET RESULT_VARIABLE _EXIT_GROUP ) + execute_process (COMMAND getent passwd ${A2RULEDB_DEDICATED_GROUP} OUTPUT_QUIET RESULT_VARIABLE _EXIT_PASSWD) + execute_process (COMMAND getent group ${A2RULEDB_DEDICATED_GROUP} OUTPUT_QUIET RESULT_VARIABLE _EXIT_GROUP ) if (${_EXIT_PASSWD} EQUAL 0 AND ${_EXIT_GROUP} EQUAL 0) - #MANUAL_BY_ADMIN# list (APPEND POST_INSTALL "useradd --system a2ruledb") - list (APPEND POST_INSTALL "execute_process(COMMAND chown a2ruledb:a2ruledb $ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}/a2rule)") + #MANUAL_BY_ADMIN# list (APPEND POST_INSTALL "useradd --system ${A2RULEDB_DEDICATED_GROUP}") + list (APPEND POST_INSTALL "execute_process(COMMAND chown ${A2RULEDB_DEDICATED_GROUP}:${A2RULEDB_DEDICATED_GROUP} $ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}/a2rule)") list (APPEND POST_INSTALL "execute_process(COMMAND chmod g+s $ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}/a2rule)") else () - message (STATUS "Installing without the protection of a dedicated userid and group \"a2ruledb\" for the RuleDB") + message (STATUS "Installing without the protection of a dedicated userid and group \"${A2RULEDB_DEDICATED_GROUP}\" for the RuleDB") endif () endif (WIN32) -- GitLab