httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r1497095 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/mod_authnz_ldap.xml include/ap_mmn.h include/httpd.h modules/aaa/mod_authnz_ldap.c server/util.c
Date Wed, 26 Jun 2013 21:03:34 GMT
Author: wrowe
Date: Wed Jun 26 21:03:33 2013
New Revision: 1497095

URL: http://svn.apache.org/r1497095
Log:
mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog
for AuthLDAPBindPassword.

Backports: r1433478, r1467523, r1467792
Submitted by: druggeri
Reviewed by: minfrin, wrowe


Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml
    httpd/httpd/branches/2.2.x/include/ap_mmn.h
    httpd/httpd/branches/2.2.x/include/httpd.h
    httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c
    httpd/httpd/branches/2.2.x/server/util.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1497095&r1=1497094&r2=1497095&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Jun 26 21:03:33 2013
@@ -68,6 +68,9 @@ Changes with Apache 2.2.24
   *) mod_ssl: Add new directive SSLCompression to disable TLS-level
      compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
 
+  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
+     password.  [Daniel Ruggeri]
+
 Changes with Apache 2.2.23
 
   *) SECURITY: CVE-2012-0883 (cve.mitre.org)
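Review bot: the added mod_authnz_ldap entry never names the directive it changes, although both the commit log and the docs hunk tie the feature to AuthLDAPBindPassword, and CHANGES is searched by directive name. Suggest: `*) mod_authnz_ldap: Allow AuthLDAPBindPassword to obtain the LDAP bind password from an exec: callout. [Daniel Ruggeri]`.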

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1497095&r1=1497094&r2=1497095&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Jun 26 21:03:33 2013
@@ -114,17 +114,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
   
-  
-   * mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog
-     for AuthLDAPBindPassword.
-     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1433478
-                  http://svn.apache.org/viewvc?view=revision&revision=1467523
-                  http://svn.apache.org/viewvc?view=revision&revision=1467792
-     2.2.x patch: http://people.apache.org/~druggeri/patches/AuthLDAPBindPasswordExec-2.2.patch
-                  (20130119 - updated to include minor mmn bump)
-                  (20130412 - updated to not use static var - thx, wrowe)
-     +1: druggeri, minfrin. wrowe
-
   * mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     (check at startup, to prevent segfaults at proxy request time)
@@ -221,6 +210,12 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
     2.2.x patch: trunk patch works modulo CHANGES
     +1: trawick, wrowe
 
+   * mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog
+     for AuthLDAPBindPassword.
+     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1433478
+     2.4.x patch: http://people.apache.org/~druggeri/patches/AuthLDAPBindPasswordExec-2.4.patch
+     +1: druggeri
+
 PATCHES/ISSUES THAT ARE STALLED
 
   * mod_cache: Realign the cache_quick_handler() to behave identically
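Review bot: the item added under PATCHES PROPOSED TO BACKPORT FROM TRUNK points at a 2.4.x patch (AuthLDAPBindPasswordExec-2.4.patch) and carries only druggeri's +1, yet this is the 2.2.x STATUS file, and the first hunk of this same file just retired the accepted 2.2.x entry because the backport lands in this very revision. This looks like a stale proposal merged back in; drop it here and, if a 2.4.x backport is still pending, track it in branches/2.4.x/STATUS. It also lists only r1433478, while the backport committed here carries r1467523 and r1467792 as well according to the log.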

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml?rev=1497095&r1=1497094&r2=1497095&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authnz_ldap.xml Wed Jun 26 21:03:33 2013
@@ -731,6 +731,21 @@ authenticating the user if this one fail
     module="mod_authnz_ldap">AuthLDAPBindDN</directive> and <directive
     module="mod_authnz_ldap">AuthLDAPBindPassword</directive> if you
     absolutely need them to search the directory.</p> 
+
+    <p>If the value begins with exec: the resulting command will be
+    executed and the first line returned to standard output by the
+    program will be used as the password.</p>
+<example><pre>
+#Password used as-is
+AuthLDAPBindPassword secret
+
+#Run /path/to/program to get my password
+AuthLDAPBindPassword exec:/path/to/program
+
+#Run /path/to/otherProgram and provide arguments
+AuthLDAPBindPassword "exec:/path/to/otherProgram argument1"
+</pre></example>
+
 </usage>
 </directivesynopsis>
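Review bot: the new paragraph leaves out three things an administrator writing `AuthLDAPBindPassword exec:...` needs to know. The program path is resolved relative to ServerRoot (set_bind_password passes argv[0] through ap_server_root_relative), so `exec:bin/getpw` and `exec:/path/to/program` behave differently; the program runs at configuration-parse time, i.e. on every start and restart, with the privileges of the user parsing the configuration and with its working directory set to the program's parent directory; and only the first line of standard output is used, everything from the first \r or \n onward being discarded. Suggest stating the ServerRoot-relative resolution and adding the usual caveat that the program and its directory must be writable only by that user, since whoever can edit the program controls the bind credential. Also wrap exec: in <code> so it reads as literal syntax rather than prose.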
 

Modified: httpd/httpd/branches/2.2.x/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/include/ap_mmn.h?rev=1497095&r1=1497094&r2=1497095&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/include/ap_mmn.h (original)
+++ httpd/httpd/branches/2.2.x/include/ap_mmn.h Wed Jun 26 21:03:33 2013
@@ -149,6 +149,7 @@
  * 20051115.29 (2.2.21) add max_ranges to core_dir_config
  * 20051115.30 (2.2.21) add ap_set_accept_ranges()
  * 20051115.31 (2.2.23) Add forcerecovery to proxy_balancer_shared struct
+ # 20051115.32 (2.2.24) Add ap_get_exec_line
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
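Review bot: the added history line starts with ` # ` rather than ` * `, which breaks the column of the block comment it sits in (compare the `* 20051115.31 (2.2.23)` line directly above it). It still compiles because it is inside `/* ... */`, but it should read ` * 20051115.32 (2.2.24) Add ap_get_exec_line` to match the rest of the list.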
@@ -156,7 +157,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20051115
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 31                    /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 32                    /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a

Modified: httpd/httpd/branches/2.2.x/include/httpd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/include/httpd.h?rev=1497095&r1=1497094&r2=1497095&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/include/httpd.h (original)
+++ httpd/httpd/branches/2.2.x/include/httpd.h Wed Jun 26 21:03:33 2013
@@ -1867,6 +1867,19 @@ extern int raise_sigstop_flags;
  */
 AP_DECLARE(const char *) ap_psignature(const char *prefix, request_rec *r);
 
+
+/**
+ * Short function to execute a command and return the first line of
+ * output minus \r \n. Useful for "obscuring" passwords via exec calls
+ * @param p the pool to allocate from
+ * @param cmd the command to execute
+ * @param argv the arguments to pass to the cmd
+ * @return ptr to characters or NULL on any error
+ */
+AP_DECLARE(char *) ap_get_exec_line(apr_pool_t *p,
+                                    const char *cmd,
+                                    const char * const *argv);
+
 /** strtoul does not exist on sunos4. */
 #ifdef strtoul
 #undef strtoul
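Review bot: the contract in this Doxygen block does not match the body added to server/util.c. It promises `NULL on any error`, but the implementation returns an empty, non-NULL string when the child prints nothing, exits before writing a line, or fails its first read: the read loop simply breaks and the function returns `apr_pstrndup(p, buf, k)` with k == 0. Either document that an empty string is a possible result that callers must check for, or tighten the implementation so that no output is reported as NULL. Minor: inside a Doxygen comment a bare `\n` is itself a Doxygen command, so spell the line-ending characters out (CR and LF) or write them as `'\\r'` and `'\\n'`.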

Modified: httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c?rev=1497095&r1=1497094&r2=1497095&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/branches/2.2.x/modules/aaa/mod_authnz_ldap.c Wed Jun 26 21:03:33 2013
@@ -1075,6 +1075,43 @@ static const char *set_charset_config(cm
     return NULL;
 }
 
+static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg)
+{
+    authn_ldap_config_t *sec = _cfg;
+    int arglen = strlen(arg);
+    char **argv;
+    char *result;
+
+    if ((arglen > 5) && strncmp(arg, "exec:", 5) == 0) {
+        if (apr_tokenize_to_argv(arg+5, &argv, cmd->temp_pool) != APR_SUCCESS) {
+            return apr_pstrcat(cmd->pool,
+                               "Unable to parse exec arguments from ",
+                               arg+5, NULL);
+        }
+        argv[0] = ap_server_root_relative(cmd->temp_pool, argv[0]);
+
+        if (!argv[0]) {
+            return apr_pstrcat(cmd->pool,
+                               "Invalid AuthLDAPBindPassword exec location:",
+                               arg+5, NULL);
+        }
+        result = ap_get_exec_line(cmd->pool,
+                                  (const char*)argv[0], (const char * const *)argv);
+
+        if(!result) {
+            return apr_pstrcat(cmd->pool,
+                               "Unable to get bind password from exec of ",
+                               arg+5, NULL);
+        }
+        sec->bindpw = result;
+    }
+    else {
+        sec->bindpw = (char *)arg;
+    }
+
+    return NULL;
+}
+
 static const command_rec authnz_ldap_cmds[] =
 {
     AP_INIT_TAKE12("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG,
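Review bot: set_bind_password has two unchecked cases. First, an empty result is accepted: ap_get_exec_line returns an empty string when the program prints nothing or fails before its first line, and `if(!result)` does not catch that, so a broken helper silently configures an empty bind password, which an LDAP server will normally treat as an unauthenticated bind rather than the simple bind the administrator intended. Check `*result == '\0'` as well and refuse the configuration with the same error. Second, argv[0] is used without a NULL check: `AuthLDAPBindPassword "exec: "` passes the `arglen > 5` test, apr_tokenize_to_argv produces an argv with no entries, and a NULL argv[0] is handed to ap_server_root_relative. Smaller points: `int arglen = strlen(arg)` should be `apr_size_t`, and `if(!result)` wants a space after `if` to match the surrounding style.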
@@ -1105,8 +1142,7 @@ static const command_rec authnz_ldap_cmd
                   (void *)APR_OFFSETOF(authn_ldap_config_t, binddn), OR_AUTHCFG,
                   "DN to use to bind to LDAP server. If not provided, will do an anonymous
bind."),
 
-    AP_INIT_TAKE1("AuthLDAPBindPassword", ap_set_string_slot,
-                  (void *)APR_OFFSETOF(authn_ldap_config_t, bindpw), OR_AUTHCFG,
+    AP_INIT_TAKE1("AuthLDAPBindPassword", set_bind_password, NULL, OR_AUTHCFG,
                   "Password to use to bind to LDAP server. If not provided, will do an anonymous
bind."),
 
     AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot,
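Review bot: the directive help string is left unchanged and still reads as if the argument is always the literal password, although the handler now interprets an `exec:` prefix. Since this text is what `httpd -L` shows, update it, e.g. `Password to use to bind to LDAP server, or exec:/path/to/program to take it from the first line of that program's output. If not provided, will do an anonymous bind.`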

Modified: httpd/httpd/branches/2.2.x/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/util.c?rev=1497095&r1=1497094&r2=1497095&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/util.c (original)
+++ httpd/httpd/branches/2.2.x/server/util.c Wed Jun 26 21:03:33 2013
@@ -2240,3 +2240,44 @@ AP_DECLARE(apr_status_t) ap_timeout_para
     return APR_SUCCESS;
 }
 
+AP_DECLARE(char *) ap_get_exec_line(apr_pool_t *p,
+                                    const char *cmd,
+                                    const char * const * argv)
+{
+    char buf[MAX_STRING_LEN];
+    apr_procattr_t *procattr;
+    apr_proc_t *proc;
+    apr_file_t *fp;
+    apr_size_t nbytes = 1;
+    char c;
+    int k;
+
+    if (apr_procattr_create(&procattr, p) != APR_SUCCESS)
+        return NULL;
+    if (apr_procattr_io_set(procattr, APR_FULL_BLOCK, APR_FULL_BLOCK,
+                            APR_FULL_BLOCK) != APR_SUCCESS)
+        return NULL;
+    if (apr_procattr_dir_set(procattr,
+                             ap_make_dirstr_parent(p, cmd)) != APR_SUCCESS)
+        return NULL;
+    if (apr_procattr_cmdtype_set(procattr, APR_PROGRAM) != APR_SUCCESS)
+        return NULL;
+    proc = apr_pcalloc(p, sizeof(apr_proc_t));
+    if (apr_proc_create(proc, cmd, argv, NULL, procattr, p) != APR_SUCCESS)
+        return NULL;
+    fp = proc->out;
+
+    if (fp == NULL)
+        return NULL;
+    /* XXX: we are reading 1 byte at a time here */
+    for (k = 0; apr_file_read(fp, &c, &nbytes) == APR_SUCCESS
+                && nbytes == 1 && (k < MAX_STRING_LEN-1)     ; ) {
+        if (c == '\n' || c == '\r')
+            break;
+        buf[k++] = c;
+    }
+    buf[k] = '\0';
+    apr_file_close(fp);
+
+    return apr_pstrndup(p, buf, k);
+}
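Review bot: ap_get_exec_line neither reaps nor checks the child and opens pipes it does not use, and both lead to real failure modes at configuration time. apr_procattr_io_set requests APR_FULL_BLOCK pipes for stdin, stdout and stderr, but only proc->out is ever read and closed: a helper that reads stdin (a pass-phrase tool that prompts, say) blocks waiting for input that never comes, and a helper that writes more than a pipe buffer to stderr before its first stdout line blocks on the full stderr pipe; either way httpd hangs while parsing the configuration. Use `apr_procattr_io_set(procattr, APR_NO_PIPE, APR_FULL_BLOCK, APR_NO_PIPE)`, or close proc->in immediately after apr_proc_create and drain proc->err. There is also no apr_proc_wait, so the child is left unreaped and a non-zero exit is indistinguishable from success; waiting for it and returning NULL on a non-zero status would let the caller report the failure instead of proceeding with whatever partial line, or empty string, was read. Smaller points: output longer than MAX_STRING_LEN-1 bytes is truncated silently, the loop reads one byte per apr_file_read as the XXX comment admits (apr_file_gets would do the job), and the stack copy of the secret in buf is not cleared before return.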


