/*
* Copyright (C) 1994-2021 Altair Engineering, Inc.
* For more information, contact Altair at www.altair.com.
*
* This file is part of both the OpenPBS software ("OpenPBS")
* and the PBS Professional ("PBS Pro") software.
*
* Open Source License Information:
*
* OpenPBS is free software. You can redistribute it and/or modify it under
* the terms of the GNU Affero General Public License as published by the
* Free Software Foundation, either version 3 of the License, or (at your
* option) any later version.
*
* OpenPBS is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
* License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see .
*
* Commercial License Information:
*
* PBS Pro is commercially licensed software that shares a common core with
* the OpenPBS software. For a copy of the commercial license terms and
* conditions, go to: (http://www.pbspro.com/agreement.html) or contact the
* Altair Legal Department.
*
* Altair's dual-license business model allows companies, individuals, and
* organizations to create proprietary derivative works of OpenPBS and
* distribute them - whether embedded or bundled with other software -
* under a commercial license agreement.
*
* Use of Altair's trademarks, including but not limited to "PBS™",
* "OpenPBS®", "PBS Professional®", and "PBS Pro™" and Altair's logos is
* subject to Altair's trademark licensing policies.
*/
/**
* @file svr_chk_owner.c
*
* @brief
* svr_chk_owner.c - This file contains functions related to authorizing a job request.
*
* Functions included are:
* svr_chk_owner()
* svr_authorize_jobreq()
* svr_get_privilege()
* authenticate_user()
* chk_job_request()
* chk_rescResv_request()
* svr_chk_ownerResv()
* svr_authorize_resvReq()
*/
#include /* the master config generated by configure */
#include
#include
#include "libpbs.h"
#include "string.h"
#include "list_link.h"
#include "attribute.h"
#include "server_limits.h"
#include "server.h"
#include "credential.h"
#include "batch_request.h"
#include "net_connect.h"
#include
#include "job.h"
#include "reservation.h"
#include "pbs_error.h"
#include "log.h"
#include "pbs_nodes.h"
#include "svrfunc.h"
#include "libutil.h"
/* Global Data */
extern char *msg_badstate;
extern char *msg_permlog;
extern char *msg_unkjobid;
extern char *msg_system;
extern char *msg_unkresvID;
extern char *msg_delProgress;
extern time_t time_now;
/* Global functions */
extern int svr_chk_histjob(job *pjob);
/* Non-global functions */
static int svr_authorize_resvReq(struct batch_request *, resc_resv *);
/**
* @brief
* svr_chk_owner - compare a user name from a request and the name of
* the user who owns the job.
*
* @param[in] preq - request structure which contains the user name
* @param[in] pjob - job structure
*
* @return int
* @retval 0 : success
* @retval !0 : user is not the job owner
*/
int
svr_chk_owner(struct batch_request *preq, job *pjob)
{
char owner[PBS_MAXUSER + 1];
char *pu;
char *ph;
char rmtuser[PBS_MAXUSER + PBS_MAXHOSTNAME + 2];
extern int ruserok(const char *rhost, int suser, const char *ruser,
const char *luser);
/* Are the owner and requestor the same? */
snprintf(rmtuser, sizeof(rmtuser), "%s", get_jattr_str(pjob, JOB_ATR_job_owner));
pu = rmtuser;
ph = strchr(rmtuser, '@');
if (!ph)
return -1;
*ph++ = '\0';
if (strcmp(preq->rq_user, pu) == 0) {
/* Avoid the lookup if they match. */
if (strcmp(preq->rq_host, ph) == 0)
return 0;
/* Perform the lookup. */
if (is_same_host(preq->rq_host, ph))
return 0;
}
/* map requestor user@host to "local" name */
pu = site_map_user(preq->rq_user, preq->rq_host);
if (pu == NULL)
return (-1);
(void) strncpy(rmtuser, pu, PBS_MAXUSER);
/*
* Get job owner name without "@host" and then map to "local" name.
*/
get_jobowner(get_jattr_str(pjob, JOB_ATR_job_owner), owner);
pu = site_map_user(owner, get_hostPart(get_jattr_str(pjob, JOB_ATR_job_owner)));
if (get_sattr_long(SVR_ATR_FlatUID)) {
/* with flatuid, all that must match is user names */
return (strcmp(rmtuser, pu));
} else {
/* non-flatuid space, must validate rmtuser vs owner */
return (ruserok(preq->rq_host, 0, rmtuser, pu));
}
}
/**
* @brief
* svr_authorize_jobreq - determine if requestor is authorized to make
* request against the job. This is only called for batch requests
* against jobs, not manager requests against queues or the server.
*
* @param[in] preq - request structure which contains the user name
* @param[in] pjob - job structure
*
* @return int
* @retval 0 : if authorized (job owner, operator, administrator)
* @retval !0 : not authorized.
*/
int
svr_authorize_jobreq(struct batch_request *preq, job *pjob)
{
/* Is requestor special privileged? */
if ((preq->rq_perm & (ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR)) != 0)
return (0);
/* if not, see if requestor is the job owner */
else if (svr_chk_owner(preq, pjob) == 0)
return (0);
else
return (-1);
}
/**
* @brief
* svr_get_privilege - get privilege level of a user.
*
* Privilege is granted to a user at a host. A user is automatically
* granted "user" privilege. The user@host pair must appear in
* the server's administrator attribute list to be granted "manager"
* privilege and/or appear in the operators attribute list to be
* granted "operator" privilege. If either acl is unset, then root
* on the server machine is granted that privilege.
*
* If "PBS_ROOT_ALWAYS_ADMIN" is defined, then root always has privilege
* even if not in the list.
*
* The returns are based on the access permissions of attributes, see
* attribute.h.
*
* @param[in] user - user in user@host pair
* @param[in] host - host in user@host pair
*
* @return int
* @retval access privilage of the user
*/
int
svr_get_privilege(char *user, char *host)
{
int is_root = 0;
int priv = (ATR_DFLAG_USRD | ATR_DFLAG_USWR);
char uh[PBS_MAXUSER + PBS_MAXHOSTNAME + 2];
(void) strcpy(uh, user);
(void) strcat(uh, "@");
(void) strcat(uh, host);
if (strcmp(user, PBS_DEFAULT_ADMIN) == 0) {
char myhostname[PBS_MAXHOSTNAME + 1];
/* First try without DNS lookup. */
if (strcasecmp(host, server_host) == 0) {
is_root = 1;
} else if (strcasecmp(host, LOCALHOST_SHORTNAME) == 0) {
is_root = 1;
} else if (strcasecmp(host, LOCALHOST_FULLNAME) == 0) {
is_root = 1;
} else {
if (gethostname(myhostname, (sizeof(myhostname) - 1)) == -1) {
myhostname[0] = '\0';
}
if (strcasecmp(host, myhostname) == 0) {
is_root = 1;
}
}
if (is_root == 0) {
/* Now try with DNS lookup. */
if (is_same_host(host, server_host)) {
is_root = 1;
} else if (is_same_host(host, myhostname)) {
is_root = 1;
}
}
}
#if defined(PBS_SECURITY) && (PBS_SECURITY == KRB5)
char *privil_auth_user = pbs_conf.pbs_privileged_auth_user ? pbs_conf.pbs_privileged_auth_user : NULL;
if (privil_auth_user &&
is_string_in_arr(pbs_conf.supported_auth_methods, AUTH_GSS_NAME)) {
if (strcmp(uh, privil_auth_user) == 0) {
is_root = 1;
}
}
#endif
#ifdef PBS_ROOT_ALWAYS_ADMIN
if (is_root)
return (priv | ATR_DFLAG_MGRD | ATR_DFLAG_MGWR | ATR_DFLAG_OPRD | ATR_DFLAG_OPWR);
#endif /* PBS_ROOT_ALWAYS_ADMIN */
if (!is_sattr_set(SVR_ATR_managers)) {
if (is_root)
priv |= (ATR_DFLAG_MGRD | ATR_DFLAG_MGWR);
} else if (acl_check(get_sattr(SVR_ATR_managers), uh, ACL_User))
priv |= (ATR_DFLAG_MGRD | ATR_DFLAG_MGWR);
if (!is_attr_set(get_sattr(SVR_ATR_operators))) {
if (is_root)
priv |= (ATR_DFLAG_OPRD | ATR_DFLAG_OPWR);
} else if (acl_check(get_sattr(SVR_ATR_operators), uh, ACL_User))
priv |= (ATR_DFLAG_OPRD | ATR_DFLAG_OPWR);
return (priv);
}
/**
* @brief
* authenticate_user - authenticate user by checking name against credential
* provided on connection via Authenticate User request.
*
* @param[in] preq - user to be authenticated
* @param[in] pcred - credential provided on connection via Authenticate User request.
*
* @return int
* @retval 0 : if user is who s/he claims
* @retval nonzero : error code
*/
int
authenticate_user(struct batch_request *preq, struct connection *pcred)
{
char uath[PBS_MAXUSER + PBS_MAXHOSTNAME + 1];
if (strncmp(preq->rq_user, pcred->cn_username, PBS_MAXUSER))
return (PBSE_BADCRED);
if (strncasecmp(preq->rq_host, pcred->cn_hostname, PBS_MAXHOSTNAME))
return (PBSE_BADCRED);
if (pcred->cn_timestamp) {
if ((pcred->cn_timestamp - CREDENTIAL_TIME_DELTA > time_now) ||
(pcred->cn_timestamp + CREDENTIAL_LIFETIME < time_now))
return (PBSE_EXPIRED);
}
/* If Server's Acl_User enabled, check if user in list */
if (get_sattr_long(SVR_ATR_AclUserEnabled)) {
(void) strcpy(uath, preq->rq_user);
(void) strcat(uath, "@");
(void) strcat(uath, preq->rq_host);
if (acl_check(get_sattr(SVR_ATR_AclUsers),
uath, ACL_User) == 0) {
/* not in list, next check if listed as a manager */
if ((svr_get_privilege(preq->rq_user, preq->rq_host) &
(ATR_DFLAG_MGWR | ATR_DFLAG_OPWR)) == 0)
return (PBSE_PERM);
}
}
/* A site stub for additional checking */
return (site_allow_u(preq->rq_user, preq->rq_host));
}
/**
* @brief
* chk_job_request - check legality of a request against a job
* @par
* this checks the most conditions common to most job batch requests.
* It also returns a pointer to the job if found and the tests pass.
* If the request is for a single subjob or a range of subjobs (of an
* Job Array), the return job pointer is to the parent Array Job.
* @par
* Depending on what the "jobid" identifies, the following is returned
* in the integer pointed to by rc:
* IS_ARRAY_NO (0) - for a regular job
* IS_ARRAY_ArrayJob (1) - for an Array Job
* IS_ARRAY_Single (2) - for a single subjob
* IS_ARRAY_Range (3) - for a range of subjobs
*
* @param[in] jobid - Job Id.
* @param[in,out] preq - job batch request
* @param[out] rc - Depending on what the "jobid" identifies,
* the following is returned
* (0) - for a regular job
* (1) - for an Array Job
* (2) - for a single subjob
* (3) - for a range of subjobs
* @param[out] err PBSE reason why request was rejected
*
* @return job *
* @retval a pointer to the job : if found and the tests pass.
* @retval NULL : failed
*/
job *
chk_job_request(char *jobid, struct batch_request *preq, int *rc, int *err)
{
int t;
int histerr = 0;
job *pjob;
int deletehist = 0;
char *p1;
char *p2;
if (preq->rq_extend && strstr(preq->rq_extend, DELETEHISTORY))
deletehist = 1;
t = is_job_array(jobid);
if ((t == IS_ARRAY_NO) || (t == IS_ARRAY_ArrayJob))
pjob = find_job(jobid); /* regular or ArrayJob itself */
else
pjob = find_arrayparent(jobid); /* subjob(s) */
*rc = t;
if (pjob == NULL) {
log_event(PBSEVENT_DEBUG, PBS_EVENTCLASS_JOB, LOG_INFO,
jobid, msg_unkjobid);
if (err != NULL)
*err = PBSE_UNKJOBID;
if (preq->rq_type != PBS_BATCH_DeleteJobList)
req_reject(PBSE_UNKJOBID, 0, preq);
return NULL;
} else {
histerr = svr_chk_histjob(pjob);
if (histerr && deletehist == 0) {
if (err != NULL)
*err = histerr;
if (preq->rq_type != PBS_BATCH_DeleteJobList)
req_reject(histerr, 0, preq);
return NULL;
}
if (deletehist == 1 && check_job_state(pjob, JOB_STATE_LTR_MOVED) &&
!check_job_substate(pjob, JOB_SUBSTATE_FINISHED)) {
job_purge(pjob);
if (preq->rq_type != PBS_BATCH_DeleteJobList)
req_reject(PBSE_UNKJOBID, 0, preq);
return NULL;
}
}
/*
* The job was found using the job ID in the request, but it may not
* match exactly (i.e. FQDN vs. unqualified hostname). Overwrite the
* host portion of the job ID in the request with the host portion of
* the one from the server job structure. Do not modify anything
* before the first dot in the job ID because it may be an array job.
* This will allow find_job() to look for an exact match when the
* request is serviced by MoM.
*/
p1 = strchr(pjob->ji_qs.ji_jobid, '.');
if (p1) {
p2 = strchr(jobid, '.');
if (p2)
*p2 = '\0';
strncat(jobid, p1, PBS_MAXSVRJOBID - 1);
}
if (svr_authorize_jobreq(preq, pjob) == -1) {
(void) sprintf(log_buffer, msg_permlog, preq->rq_type,
"Job", pjob->ji_qs.ji_jobid,
preq->rq_user, preq->rq_host);
log_event(PBSEVENT_SECURITY, PBS_EVENTCLASS_JOB, LOG_INFO,
pjob->ji_qs.ji_jobid, log_buffer);
if (err != NULL)
*err = PBSE_PERM;
if (preq->rq_type != PBS_BATCH_DeleteJobList)
req_reject(PBSE_PERM, 0, preq);
return NULL;
}
if ((t == IS_ARRAY_NO) && (check_job_state(pjob, JOB_STATE_LTR_EXITING))) {
/* special case Deletejob with "force" */
if (((preq->rq_type == PBS_BATCH_DeleteJob) || (preq->rq_type == PBS_BATCH_DeleteJobList)) &&
(preq->rq_extend != NULL) &&
(strcmp(preq->rq_extend, "force") == 0)) {
return pjob;
}
log_eventf(PBSEVENT_DEBUG, PBS_EVENTCLASS_JOB, LOG_INFO, pjob->ji_qs.ji_jobid,
"%s, state=%c", msg_badstate, get_job_state(pjob));
if (err != NULL)
*err = PBSE_BADSTATE;
if (preq->rq_type != PBS_BATCH_DeleteJobList)
req_reject(PBSE_BADSTATE, 0, preq);
return NULL;
}
return pjob;
}
/**
* @brief
* chk_rescResv_request - check legality of a request against named
* resource reservation
* @par
* This checks the conditions common to most batch requests
* against a resc_resv object. If the object is found in the
* system and the tests are passed, a non-zero resc_resv
* pointer is returned.
* @par
* If the object can't be found or an applied test fails,
* an appropriate error event is logged, an error code is passed
* back to the requester via function req_reject(), the batch
* request structure is handled appropriately, and
* value NULL is returned to the caller.
* @note
* Notes: On failure the reply back to the requester will be handled
* for the caller - as is the batch request structure itself.
* It would be better if the caller got back an error code
* and then called a function passing it that code and request
* and let it handle the event log and rejection of the
* request. Currently, we are modeled along the lines of
* the function chk_job_request().
*
* @param[in] resvID - reservation ID
* @param[in,out] preq - job batch request
*
* @return resc_resv *
* @retval resc_resv object ptr : successful
* @retval NULL : failed test/no object
*/
resc_resv *
chk_rescResv_request(char *resvID, struct batch_request *preq)
{
resc_resv *presv;
if ((presv = find_resv(resvID)) == NULL) {
log_event(PBSEVENT_DEBUG, PBS_EVENTCLASS_RESV, LOG_INFO,
resvID, msg_unkresvID);
req_reject(PBSE_UNKRESVID, 0, preq);
return NULL;
}
if (resvID[0] == PBS_MNTNC_RESV_ID_CHAR && !(preq->rq_perm & (ATR_DFLAG_OPWR | ATR_DFLAG_MGWR))) {
req_reject(PBSE_PERM, 0, preq);
return NULL;
}
if (svr_authorize_resvReq(preq, presv) == -1) {
(void) sprintf(log_buffer, msg_permlog, preq->rq_type,
"RESCRESV", presv->ri_qs.ri_resvID,
preq->rq_user, preq->rq_host);
log_event(PBSEVENT_SECURITY, PBS_EVENTCLASS_RESV, LOG_INFO,
presv->ri_qs.ri_resvID, log_buffer);
req_reject(PBSE_PERM, 0, preq);
return NULL;
}
return (presv);
}
/**
* @return
* svr_chk_ownerResv - compare a user name from a request and the name of
* the user who owns the resources reservation.
*
* @param[in] preq - request structure which contains the user name
* @param[in] presv - resources reservation.
*
* @return int
* @retval 0 : if same
* @retval nonzero : if user is not the reservation owner
*/
int
svr_chk_ownerResv(struct batch_request *preq, resc_resv *presv)
{
char owner[PBS_MAXUSER + 1];
char *host;
char *pu;
char rmtuser[PBS_MAXUSER + 1];
/* map user@host to "local" name */
pu = site_map_user(preq->rq_user, preq->rq_host);
if (pu == NULL)
return (-1);
(void) strncpy(rmtuser, pu, PBS_MAXUSER);
get_jobowner(get_rattr_str(presv, RESV_ATR_resv_owner), owner);
host = get_hostPart(get_rattr_str(presv, RESV_ATR_resv_owner));
pu = site_map_user(owner, host);
return (strcmp(rmtuser, pu));
}
/**
* @brief
* svr_authorize_resvReq - determine if requestor is authorized to make
* request against the reservation. This is only called for batch requests
* against reservations.
*
* @param[in] preq - batch request structure
* @param[in] presv - resources reservation.
*
* @return int
* @retval 0 : if authorized (reservation owner, operator, administrator)
* @retval -1 : if not authorized.
*/
static int
svr_authorize_resvReq(struct batch_request *preq, resc_resv *presv)
{
/* Is requestor special privileged? */
if ((preq->rq_perm & (ATR_DFLAG_OPRD | ATR_DFLAG_OPWR |
ATR_DFLAG_MGRD | ATR_DFLAG_MGWR)) != 0)
return (0);
/* Only Manager has privilage to force modify reservation */
if (preq->rq_type == PBS_BATCH_ModifyResv && (preq->rq_extend != NULL) &&
(strcmp(preq->rq_extend, FORCE) == 0) && ((preq->rq_perm & ATR_DFLAG_MGWR) == 0))
return (-1);
/* if not, see if requestor is the reservation owner */
else if (svr_chk_ownerResv(preq, presv) == 0)
return (0);
else
return (-1);
}