authorArne Babenhauserheide <arne_bab@web.de>2021-12-30 02:08:54 +0100
committerArne Babenhauserheide <arne_bab@web.de>2021-12-30 02:28:59 +0100
commit1b1538c77ffd7ce89709b8cdded0de314f34cbad (patch)
tree831aedf3bb06a67003c38d5d12dcee261f33b3cb
parent500fe6e0cb1fe3b239dd0be83cd57c73d8c8c9aa (diff)
utils/queryauth.sh utils/queryauth-setup.sh: add checkperms helperscheckperm-deferred-authorization
- set up FIFOs for USER and GROUP if they do not exist - only check for translators if the file exists - create the group if needed
-rw-r--r--utils/Makefile7
-rw-r--r--utils/queryauth-setup.sh89
-rw-r--r--utils/queryauth.sh83
3 files changed, 176 insertions, 3 deletions
diff --git a/utils/Makefile b/utils/Makefile
index 0cefd27b..7e991603 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -20,13 +20,14 @@ makemode := utilities
targets = shd ps settrans showtrans syncfs fsysopts \
storeinfo login w uptime ids loginpr sush vmstat portinfo \
- devprobe vminfo addauth rmauth unsu setauth ftpcp ftpdir storecat \
+ devprobe vminfo addauth rmauth queryauth queryauth-setup \
+ unsu setauth ftpcp ftpdir storecat \
storeread msgport rpctrace mount gcore fakeauth fakeroot remap \
umount nullauth rpcscan vmallocate
-special-targets = loginpr sush uptime fakeroot remap
+special-targets = loginpr sush uptime fakeroot remap queryauth queryauth-setup
SRCS = shd.c ps.c settrans.c syncfs.c showtrans.c addauth.c rmauth.c \
- fsysopts.c storeinfo.c login.c loginpr.sh sush.sh w.c \
+ queryauth.sh queryauth-setup.sh fsysopts.c storeinfo.c login.c loginpr.sh sush.sh w.c \
uptime.sh psout.c ids.c vmstat.c portinfo.c devprobe.c vminfo.c \
parse.c frobauth.c frobauth-mod.c setauth.c pids.c nonsugid.c \
unsu.c ftpcp.c ftpdir.c storeread.c storecat.c msgport.c \
diff --git a/utils/queryauth-setup.sh b/utils/queryauth-setup.sh
new file mode 100644
index 00000000..d796553f
--- /dev/null
+++ b/utils/queryauth-setup.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+# Setup checkperms translator and authorization query program.
+#
+# Copyright (C) 2002, 2013 Free Software Foundation, Inc.
+#
+# This file is part of the GNU Hurd.
+#
+# The GNU Hurd is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2, or (at
+# your option) any later version.
+#
+# The GNU Hurd is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+
+USAGE="Usage: $0 [OPTION...] FILE GROUP [PROGRAM]"
+DOC="Setup checkperms translator on FILE for the current user, guarded by GROUP, using the authorization query PROGRAM (queryauth if not given)"
+
+while :; do
+ case "$1" in
+ --help|"-?")
+ echo "$USAGE"
+ echo "$DOC"
+ echo ""
+ echo " -?, --help Give this help list"
+ echo " --usage Give a short usage message"
+ echo " -V, --version Print program version"
+ exit 0;;
+ --usage)
+ echo "Usage: $0 [-V?] [--help] [--usage] [--version] FILE GROUP [PROGRAM]"
+ exit 0;;
+ --version|-V)
+ echo "STANDARD_HURD_VERSION_queryauth-setup_"; exit 0;;
+ --)
+ shift
+ break;;
+ -*)
+ echo 1>&2 "$0: unrecognized option \`$1'"
+ echo 1>&2 "Try \`$0 --help' or \`$0 --usage' for more information";
+ exit 1;;
+ *)
+ break;;
+ esac
+done
+
+if [ $# -lt 1 ]; then
+ echo missing FILE
+ if [ $# -lt 2 ]; then
+ echo missing GROUP
+ fi
+ echo $USAGE
+ exit 1
+fi
+
+USER=$(whoami)
+FILE=$1
+GROUP=$2
+PROGRAM=$3
+if [ -z $PROGRAM ]; then
+ PROGRAM=queryauth
+fi
+
+# do not replace an exitsing translator
+if [ -e $FILE ] && showtrans $FILE | grep -q checkperms; then
+ echo there is already a passive checkperms translator running on $FILE.
+ echo Remove it with
+ echo settrans -g $FILE
+ echo if you want to replace it. Existing translator:
+ echo -n " "
+ showtrans $FILE
+ exit 1
+fi
+
+# create the controlling group if needed
+groupadd $GROUP 2>/dev/null
+
+# setup the translator
+settrans -cg $FILE /hurd/checkperms --groupname=$GROUP
+
+echo Setting up interactive authorization granting program via "'$PROGRAM $GROUP'"
+
+$PROGRAM $GROUP
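Review bot: A call with FILE but no GROUP slips through the argument check at `if [ $# -lt 1 ]`, because the `-lt 2` test is nested inside the `-lt 1` branch; GROUP is then empty and reaches `groupadd` and `settrans --groupname=`. Change the outer test to `if [ $# -lt 2 ]; then`, with `[ $# -lt 1 ] && echo "missing FILE" >&2` and `echo "missing GROUP" >&2` inside it. The expansions of `$FILE`, `$GROUP` and `$PROGRAM` are unquoted throughout, so a path with whitespace is split into several arguments to `showtrans`, `settrans` and the query program; quote them as `"$FILE"` and `"$GROUP"`. `groupadd $GROUP 2>/dev/null` and the `settrans` call are never checked, so the script announces the guard as set up even when the group or translator was not created — add `|| exit 1` to the `settrans` line at least, and only silence `groupadd` for the already-exists case.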
diff --git a/utils/queryauth.sh b/utils/queryauth.sh
new file mode 100644
index 00000000..069ab517
--- /dev/null
+++ b/utils/queryauth.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+# Query whether to grant authorization when a process accesses a file guarded by the checkperms translator.
+#
+# Copyright (C) 2002, 2013 Free Software Foundation, Inc.
+#
+# This file is part of the GNU Hurd.
+#
+# The GNU Hurd is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2, or (at
+# your option) any later version.
+#
+# The GNU Hurd is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+
+USAGE="Usage: $0 [OPTION...] GROUP"
+DOC="Query whether to grant authorization when a process accesses a file guarded by the checkperms translator for the GROUP."
+
+while :; do
+ case "$1" in
+ --help|"-?")
+ echo "$USAGE"
+ echo "$DOC"
+ echo ""
+ echo " -?, --help Give this help list"
+ echo " --usage Give a short usage message"
+ echo " -V, --version Print program version"
+ exit 0;;
+ --usage)
+ echo "Usage: $0 [-V?] [--help] [--usage] [--version]"
+ exit 0;;
+ --version|-V)
+ echo "STANDARD_HURD_VERSION_queryauth_"; exit 0;;
+ --)
+ shift
+ break;;
+ -*)
+ echo 1>&2 "$0: unrecognized option \`$1'"
+ echo 1>&2 "Try \`$0 --help' or \`$0 --usage' for more information";
+ exit 1;;
+ *)
+ break;;
+ esac
+done
+
+if [ $# -eq 0 ]; then
+ echo missing GROUP
+ echo $USAGE
+ exit 1
+fi
+
+USER=$(whoami)
+GROUP=$1
+
+# create the controlling FIFOs, if needed
+if [ ! -e /run/$USER/request-permission/$GROUP ]; then
+ mkdir -p /run/$USER/request-permission 2>/dev/null
+ mkfifo /run/$USER/request-permission/$GROUP
+fi
+if [ ! -e /run/$USER/grant-permission/$GROUP ]; then
+ mkdir -p /run/$USER/grant-permission 2>/dev/null
+ mkfifo /run/$USER/grant-permission/$GROUP
+fi
+
+while true; do
+ PID="$(cat /run/$USER/request-permission/$GROUP)"
+ echo Process "'"$PID"'" tries to access file guarded by the checkperms translator, but is not in the required group "'"$GROUP"'".
+ ps-hurd -p $PID -aeux
+ if [[ "$(read -e -p 'Grant permission and add group "'$GROUP'" for 5 minutes? [y/N]> '; echo $REPLY)" == [Yy]* ]]; then
+ addauth -p $PID -g $GROUP
+ echo 0 > /run/$USER/grant-permission/$GROUP
+ (sleep 300 && rmauth -p $PID -g $GROUP 2>/dev/null) &
+ else
+ echo 1 > /run/$USER/grant-permission/$GROUP
+ fi
+done
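Review bot: The value read from the request FIFO at `PID="$(cat /run/$USER/request-permission/$GROUP)"` is passed unquoted and unvalidated to `ps-hurd -p $PID`, `addauth -p $PID -g $GROUP` and the deferred `rmauth`, so whatever can write to that FIFO can turn a single request into extra arguments for addauth. Accept only a bare decimal PID before prompting and answer with a deny (`echo 1 > …`) otherwise; the rewritten top of the loop is below. The FIFOs are created with the default umask at `mkfifo …` and the results of `mkdir -p … 2>/dev/null` and `mkfifo` are unchecked, so the loop can start against a missing or overly permissive path; presumably only the translator and this user need the FIFOs, in which case `mkfifo -m 0600 … || exit 1` would be the fix — confirm who writes the request side. The `--usage` text on the `echo "Usage: $0 [-V?] [--help] [--usage] [--version]"` line omits the GROUP argument that `USAGE` advertises.
```shell
while true; do
  PID="$(cat /run/$USER/request-permission/$GROUP)"
  # Only a bare decimal PID is accepted: an unquoted, unchecked $PID would become
  # extra argv for addauth/rmauth. Anything else is answered with a deny.
  if ! [[ "$PID" =~ ^[0-9]+$ ]]; then
    echo 1 > /run/$USER/grant-permission/$GROUP
    continue
  fi
  ps-hurd -p "$PID" -aeux
  # … unchanged: prompt, addauth/grant and deny branches …
```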