--- loncom/lond 2016/09/21 05:39:53 1.528 +++ loncom/lond 2017/03/13 18:30:02 1.533 @@ -2,7 +2,7 @@ # The LearningOnline Network # lond "LON Daemon" Server (port "LOND" 5663) # -# $Id: lond,v 1.528 2016/09/21 05:39:53 raeburn Exp $ +# $Id: lond,v 1.533 2017/03/13 18:30:02 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -35,6 +35,7 @@ use LONCAPA; use LONCAPA::Configuration; use LONCAPA::Lond; +use Socket; use IO::Socket; use IO::File; #use Apache::File; @@ -64,7 +65,7 @@ my $DEBUG = 0; # Non zero to ena my $status=''; my $lastlog=''; -my $VERSION='$Revision: 1.528 $'; #' stupid emacs +my $VERSION='$Revision: 1.533 $'; #' stupid emacs my $remoteVERSION; my $currenthostid="default"; my $currentdomainid; @@ -75,6 +76,8 @@ my $clientname; # LonCAPA name of clie my $clientversion; # LonCAPA version running on client. my $clienthomedom; # LonCAPA domain of homeID for client. my $clientintdom; # LonCAPA "internet domain" for client. +my $clientsamedom; # LonCAPA domain same for this host + # and client. my $clientsameinst; # LonCAPA "internet domain" same for # this host and client. my $clientremoteok; # Client allowed to host domain's users. @@ -102,6 +105,9 @@ my %managers; # Ip -> manager names my %perlvar; # Will have the apache conf defined perl vars. +my %secureconf; # Will have requirements for security + # of lond connections + my $dist; # @@ -445,8 +451,23 @@ sub InsecureConnection { my $Socket = shift; # Don't even start if insecure connections are not allowed. - - if(! $perlvar{londAllowInsecure}) { # Insecure connections not allowed. + # return 0 if Insecure connections not allowed. + # + if (ref($secureconf{'connfrom'}) eq 'HASH') { + if ($clientsamedom) { + if ($secureconf{'connfrom'}{'dom'} eq 'req') { + return 0; + } + } elsif ($clientsameinst) { + if ($secureconf{'connfrom'}{'intdom'} eq 'req') { + return 0; + } + } else { + if ($secureconf{'connfrom'}{'other'} eq 'req') { + return 0; + } + } + } elsif (!$perlvar{londAllowInsecure}) { return 0; } @@ -1568,6 +1589,20 @@ sub du2_handler { # selected directory the filename followed by the full output of # the stat function is returned. The returned info for each # file are separated by ':'. The stat fields are separated by &'s. +# +# If the requested path contains /../ or is: +# +# 1. for a directory, and the path does not begin with one of: +# (a) /home/httpd/html/res/ +# (b) /home/httpd/html/res/userfiles/ +# (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles +# or is: +# +# 2. for a file, and the path (after prepending) does not begin with: +# /home/httpd/lonUsers//<1>/<2>/<3>// +# +# the response will be "refused". +# # Parameters: # $cmd - The command that dispatched us (ls). # $ulsdir - The directory path to list... I'm not sure what this @@ -1589,8 +1624,17 @@ sub ls_handler { my $rights; my $ulsout=''; my $ulsfn; + if ($ulsdir =~m{/\.\./}) { + &Failure($client,"refused\n",$userinput); + return 1; + } if (-e $ulsdir) { if(-d $ulsdir) { + unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || + ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) { + &Failure($client,"refused\n",$userinput); + return 1; + } if (opendir(LSDIR,$ulsdir)) { while ($ulsfn=readdir(LSDIR)) { undef($obs); @@ -1614,6 +1658,10 @@ sub ls_handler { closedir(LSDIR); } } else { + unless ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/}) { + &Failure($client,"refused\n",$userinput); + return 1; + } my @ulsstats=stat($ulsdir); $ulsout.=$ulsfn.'&'.join('&',@ulsstats).':'; } @@ -1638,6 +1686,20 @@ sub ls_handler { # selected directory the filename followed by the full output of # the stat function is returned. The returned info for each # file are separated by ':'. The stat fields are separated by &'s. +# +# If the requested path contains /../ or is: +# +# 1. for a directory, and the path does not begin with one of: +# (a) /home/httpd/html/res/ +# (b) /home/httpd/html/res/userfiles/ +# (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles +# or is: +# +# 2. for a file, and the path (after prepending) does not begin with: +# /home/httpd/lonUsers//<1>/<2>/<3>// +# +# the response will be "refused". +# # Parameters: # $cmd - The command that dispatched us (ls). # $ulsdir - The directory path to list... I'm not sure what this @@ -1658,8 +1720,17 @@ sub ls2_handler { my $rights; my $ulsout=''; my $ulsfn; + if ($ulsdir =~m{/\.\./}) { + &Failure($client,"refused\n",$userinput); + return 1; + } if (-e $ulsdir) { if(-d $ulsdir) { + unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || + ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) { + &Failure($client,"refused\n","$userinput"); + return 1; + } if (opendir(LSDIR,$ulsdir)) { while ($ulsfn=readdir(LSDIR)) { undef($obs); @@ -1684,6 +1755,10 @@ sub ls2_handler { closedir(LSDIR); } } else { + unless ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/}) { + &Failure($client,"refused\n",$userinput); + return 1; + } my @ulsstats=stat($ulsdir); $ulsout.=$ulsfn.'&'.join('&',@ulsstats).':'; } @@ -1700,6 +1775,22 @@ sub ls2_handler { # selected directory the filename followed by the full output of # the stat function is returned. The returned info for each # file are separated by ':'. The stat fields are separated by &'s. +# +# If the requested path (after prepending) contains /../ or is: +# +# 1. for a directory, and the path does not begin with one of: +# (a) /home/httpd/html/res/ +# (b) /home/httpd/html/res/userfiles/ +# (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles +# (d) /home/httpd/html/priv// and client is the homeserver +# +# or is: +# +# 2. for a file, and the path (after prepending) does not begin with: +# /home/httpd/lonUsers//<1>/<2>/<3>// +# +# the response will be "refused". +# # Parameters: # $cmd - The command that dispatched us (ls). # $tail - The tail of the request that invoked us. @@ -1739,22 +1830,12 @@ sub ls3_handler { } my $dir_root = $perlvar{'lonDocRoot'}; - if ($getpropath) { + if (($getpropath) || ($getuserdir)) { if (($uname =~ /^$LONCAPA::match_name$/) && ($udom =~ /^$LONCAPA::match_domain$/)) { $dir_root = &propath($udom,$uname); $dir_root =~ s/\/$//; } else { - &Failure($client,"refused\n","$cmd:$tail"); - return 1; - } - } elsif ($getuserdir) { - if (($uname =~ /^$LONCAPA::match_name$/) && ($udom =~ /^$LONCAPA::match_domain$/)) { - my $subdir=$uname.'__'; - $subdir =~ s/(.)(.)(.).*/$1\/$2\/$3/; - $dir_root = $Apache::lonnet::perlvar{'lonUsersDir'} - ."/$udom/$subdir/$uname"; - } else { - &Failure($client,"refused\n","$cmd:$tail"); + &Failure($client,"refused\n",$userinput); return 1; } } elsif ($alternate_root ne '') { @@ -1767,12 +1848,28 @@ sub ls3_handler { $ulsdir = $dir_root.'/'.$ulsdir; } } + if ($ulsdir =~m{/\.\./}) { + &Failure($client,"refused\n",$userinput); + return 1; + } + my $islocal; + my @machine_ids = &Apache::lonnet::current_machine_ids(); + if (grep(/^\Q$clientname\E$/,@machine_ids)) { + $islocal = 1; + } my $obs; my $rights; my $ulsout=''; my $ulsfn; if (-e $ulsdir) { if(-d $ulsdir) { + unless (($getpropath) || ($getuserdir) || + ($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || + ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/}) || + (($ulsdir =~ m{/home/httpd/html/priv/$LONCAPA::match_domain/}) && ($islocal))) { + &Failure($client,"refused\n",$userinput); + return 1; + } if (opendir(LSDIR,$ulsdir)) { while ($ulsfn=readdir(LSDIR)) { undef($obs); @@ -1797,6 +1894,11 @@ sub ls3_handler { closedir(LSDIR); } } else { + unless (($getpropath) || ($getuserdir) || + ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/})) { + &Failure($client,"refused\n",$userinput); + return 1; + } my @ulsstats=stat($ulsdir); $ulsout.=$ulsfn.'&'.join('&',@ulsstats).':'; } @@ -1820,15 +1922,17 @@ sub read_lonnet_global { ); my %limit_to = ( perlvar => { - lonOtherAuthen => 1, - lonBalancer => 1, - lonVersion => 1, - lonSysEMail => 1, - lonHostID => 1, - lonRole => 1, - lonDefDomain => 1, - lonLoadLim => 1, - lonUserLoadLim => 1, + lonOtherAuthen => 1, + lonBalancer => 1, + lonVersion => 1, + lonAdmEMail => 1, + lonSupportEMail => 1, + lonSysEMail => 1, + lonHostID => 1, + lonRole => 1, + lonDefDomain => 1, + lonLoadLim => 1, + lonUserLoadLim => 1, } ); if (ref($requested) eq 'HASH') { @@ -2219,12 +2323,8 @@ sub hash_passwd { my $plainsalt = substr($rest[1],0,22); $salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt); } else { - my $defaultcost; - my %domconfig = - &Apache::lonnet::get_dom('configuration',['password'],$domain); - if (ref($domconfig{'password'}) eq 'HASH') { - $defaultcost = $domconfig{'password'}{'cost'}; - } + my %domdefaults = &Apache::lonnet::get_domain_defaults($domain); + my $defaultcost = $domdefaults{'intauth_cost'}; if (($defaultcost eq '') || ($defaultcost =~ /D/)) { $cost = 10; } else { @@ -6720,6 +6820,7 @@ sub UpdateHosts { # will take care of new and changed hosts as connections come into being. &Apache::lonnet::reset_hosts_info(); + my %active; foreach my $child (keys(%children)) { my $childip = $children{$child}; @@ -6729,15 +6830,62 @@ sub UpdateHosts { ." $child for ip $childip "); kill('INT', $child); } else { + $active{$child} = $childip; logthis(' keeping child for ip ' ." $childip (pid=$child) "); } } + + my %oldconf = %secureconf; + my %connchange; + if (lonssl::Read_Connect_Config(\%secureconf,\%perlvar) eq 'ok') { + logthis(' Reloaded SSL connection rules '); + } else { + logthis(' Failed to reload SSL connection rules '); + } + if ((ref($oldconf{'connfrom'}) eq 'HASH') && (ref($secureconf{'connfrom'}) eq 'HASH')) { + foreach my $type ('dom','intdom','other') { + if ((($oldconf{'connfrom'}{$type} eq 'no') && ($secureconf{'connfrom'}{$type} eq 'req')) || + (($oldconf{'connfrom'}{$type} eq 'req') && ($secureconf{'connfrom'}{$type} eq 'no'))) { + $connchange{$type} = 1; + } + } + } + if (keys(%connchange)) { + foreach my $child (keys(%active)) { + my $childip = $active{$child}; + if ($childip ne '127.0.0.1') { + my $childhostname = gethostbyaddr(Socket::inet_aton($childip),AF_INET); + if ($childhostname ne '') { + my $childlonhost = &Apache::lonnet::get_server_homeID($childhostname); + my ($samedom,$sameinst) = &set_client_info($childlonhost); + if ($samedom) { + if ($connchange{'dom'}) { + logthis(' UpdateHosts killing child ' + ." $child for ip $childip "); + kill('INT', $child); + } + } elsif ($sameinst) { + if ($connchange{'intdom'}) { + logthis(' UpdateHosts killing child ' + ." $child for ip $childip "); + kill('INT', $child); + } + } else { + if ($connchange{'other'}) { + logthis(' UpdateHosts killing child ' + ." $child for ip $childip "); + kill('INT', $child); + } + } + } + } + } + } ReloadApache; &status("Finished reloading hosts.tab"); } - sub checkchildren { &status("Checking on the children (sending signals)"); &initnewstatus(); @@ -6972,6 +7120,10 @@ if ($arch eq 'unknown') { chomp($arch); } +unless (lonssl::Read_Connect_Config(\%secureconf,\%perlvar) eq 'ok') { + &logthis('No connectionrules table. Will fallback to loncapa.conf'); +} + # -------------------------------------------------------------- # Accept connections. When a connection comes in, it is validated # and if good, a child process is created to process transactions @@ -7102,7 +7254,7 @@ sub make_new_child { $ConnectionType = "manager"; $clientname = $managers{$outsideip}; } - my $clientok; + my ($clientok,$clientinfoset); if ($clientrec || $ismanager) { &status("Waiting for init from $clientip $clientname"); @@ -7130,7 +7282,32 @@ sub make_new_child { # If the connection type is ssl, but I didn't get my # certificate files yet, then I'll drop back to # insecure (if allowed). - + + if ($inittype eq "ssl") { + my $context; + if ($clientsamedom) { + $context = 'dom'; + if ($secureconf{'connfrom'}{'dom'} eq 'no') { + $inittype = ""; + } + } elsif ($clientsameinst) { + $context = 'intdom'; + if ($secureconf{'connfrom'}{'intdom'} eq 'no') { + $inittype = ""; + } + } else { + $context = 'other'; + if ($secureconf{'connfrom'}{'other'} eq 'no') { + $inittype = ""; + } + } + if ($inittype eq '') { + &logthis(" Domain config set " + ."to no ssl for $clientname (context: $context)" + ." -- trying insecure auth"); + } + } + if($inittype eq "ssl") { my ($ca, $cert) = lonssl::CertificateFile; my $kfile = lonssl::KeyFile; @@ -7163,7 +7340,7 @@ sub make_new_child { close $client; } } elsif ($inittype eq "ssl") { - my $key = SSLConnection($client); + my $key = SSLConnection($client,$clientname); if ($key) { $clientok = 1; my $cipherkey = pack("H32", $key); @@ -7178,6 +7355,7 @@ sub make_new_child { } } else { + $clientinfoset = &set_client_info(); my $ok = InsecureConnection($client); if($ok) { $clientok = 1; @@ -7190,7 +7368,6 @@ sub make_new_child { ."Attempted insecure connection disallowed "); close $client; $clientok = 0; - } } } else { @@ -7199,7 +7376,6 @@ sub make_new_child { ."$clientip failed to initialize: >$remotereq< "); &status('No init '.$clientip); } - } else { &logthis( "WARNING: Unknown client $clientip"); @@ -7217,18 +7393,8 @@ sub make_new_child { # ------------------------------------------------------------ Process requests my $keep_going = 1; my $user_input; - my $clienthost = &Apache::lonnet::hostname($clientname); - my $clientserverhomeID = &Apache::lonnet::get_server_homeID($clienthost); - $clienthomedom = &Apache::lonnet::host_domain($clientserverhomeID); - $clientintdom = &Apache::lonnet::internet_dom($clientserverhomeID); - $clientsameinst = 0; - if ($clientintdom ne '') { - my $internet_names = &Apache::lonnet::get_internet_names($currenthostid); - if (ref($internet_names) eq 'ARRAY') { - if (grep(/^\Q$clientintdom\E$/,@{$internet_names})) { - $clientsameinst = 1; - } - } + unless ($clientinfoset) { + $clientinfoset = &set_client_info(); } $clientremoteok = 0; unless ($clientsameinst) { @@ -7284,6 +7450,60 @@ sub make_new_child { exit; } + +# +# Used to determine if a particular client is from the same domain +# as the current server, or from the same internet domain. +# +# Optional input -- the client to check for domain and internet domain. +# If not specified, defaults to the package variable: $clientname +# +# If called in array context will not set package variables, but will +# instead return an array of two values - (a) true if client is in the +# same domain as the server, and (b) true if client is in the same internet +# domain. +# +# If called in scalar context, sets package variables for current client: +# +# $clienthomedom - LonCAPA domain of homeID for client. +# $clientsamedom - LonCAPA domain same for this host and client. +# $clientintdom - LonCAPA "internet domain" for client. +# $clientsameinst - LonCAPA "internet domain" same for this host & client. +# +# returns 1 to indicate package variables have been set for current client. +# + +sub set_client_info { + my ($lonhost) = @_; + $lonhost ||= $clientname; + my $clienthost = &Apache::lonnet::hostname($lonhost); + my $clientserverhomeID = &Apache::lonnet::get_server_homeID($clienthost); + my $homedom = &Apache::lonnet::host_domain($clientserverhomeID); + my $samedom = 0; + if ($perlvar{'lonDefDom'} eq $homedom) { + $samedom = 1; + } + my $intdom = &Apache::lonnet::internet_dom($clientserverhomeID); + my $sameinst = 0; + if ($intdom ne '') { + my $internet_names = &Apache::lonnet::get_internet_names($currenthostid); + if (ref($internet_names) eq 'ARRAY') { + if (grep(/^\Q$intdom\E$/,@{$internet_names})) { + $sameinst = 1; + } + } + } + if (wantarray) { + return ($samedom,$sameinst); + } else { + $clienthomedom = $homedom; + $clientsamedom = $samedom; + $clientintdom = $intdom; + $clientsameinst = $sameinst; + return 1; + } +} + # # Determine if a user is an author for the indicated domain. # @@ -7392,15 +7612,25 @@ sub password_filename { # domain - domain of the user. # name - User's name. # contents - New contents of the file. +# saveold - (optional). If true save old file in a passwd.bak file. # Returns: # 0 - Failed. # 1 - Success. # sub rewrite_password_file { - my ($domain, $user, $contents) = @_; + my ($domain, $user, $contents, $saveold) = @_; my $file = &password_filename($domain, $user); if (defined $file) { + if ($saveold) { + my $bakfile = $file.'.bak'; + if (CopyFile($file,$bakfile)) { + chmod(0400,$bakfile); + &logthis("Old password saved in passwd.bak for internally authenticated user: $user:$domain"); + } else { + &logthis("Failed to save old password in passwd.bak for internally authenticated user: $user:$domain"); + } + } my $pf = IO::File->new(">$file"); if($pf) { print $pf "$contents\n"; @@ -7491,20 +7721,27 @@ sub validate_user { $contentpwd = $domdefaults{'auth_arg_def'}; } } - } + } if ($howpwd ne 'nouser') { if($howpwd eq "internal") { # Encrypted is in local password file. if (length($contentpwd) == 13) { $validated = (crypt($password,$contentpwd) eq $contentpwd); if ($validated) { - my $ncpass = &hash_passwd($domain,$password); - if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass")) { - &update_passwd_history($user,$domain,$howpwd,'conversion'); - &logthis("Validated password hashed with bcrypt for $user:$domain"); + my %domdefaults = &Apache::lonnet::get_domain_defaults($domain); + if ($domdefaults{'intauth_switch'}) { + my $ncpass = &hash_passwd($domain,$password); + my $saveold; + if ($domdefaults{'intauth_switch'} == 2) { + $saveold = 1; + } + if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass",$saveold)) { + &update_passwd_history($user,$domain,$howpwd,'conversion'); + &logthis("Validated password hashed with bcrypt for $user:$domain"); + } } } } else { - $validated = &check_internal_passwd($password,$contentpwd,$domain); + $validated = &check_internal_passwd($password,$contentpwd,$domain,$user); } } elsif ($howpwd eq "unix") { # User is a normal unix user. @@ -7574,24 +7811,35 @@ sub validate_user { } sub check_internal_passwd { - my ($plainpass,$stored,$domain) = @_; + my ($plainpass,$stored,$domain,$user) = @_; my (undef,$method,@rest) = split(/!/,$stored); - if ($method eq "bcrypt") { + if ($method eq 'bcrypt') { my $result = &hash_passwd($domain,$plainpass,@rest); if ($result ne $stored) { return 0; } - # Upgrade to a larger number of rounds if necessary - my $defaultcost; - my %domconfig = - &Apache::lonnet::get_dom('configuration',['password'],$domain); - if (ref($domconfig{'password'}) eq 'HASH') { - $defaultcost = $domconfig{'password'}{'cost'}; - } - if (($defaultcost eq '') || ($defaultcost =~ /D/)) { - $defaultcost = 10; + my %domdefaults = &Apache::lonnet::get_domain_defaults($domain); + if ($domdefaults{'intauth_check'}) { + # Upgrade to a larger number of rounds if necessary + my $defaultcost = $domdefaults{'intauth_cost'}; + if (($defaultcost eq '') || ($defaultcost =~ /D/)) { + $defaultcost = 10; + } + if (int($rest[0])