bug 222012. Better enforce persistent directory location

Jim Norman 2007-01-04 08:54:07 +00:00
parent 67e99fc3d9
commit d0a9891cdf
3 changed files with 523 additions and 471 deletions


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Jan 4 13:37:03 MST 2007 - jnorman@novell.com
- Bug 221012. Based on code review, enhance persistent directory
policy.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jan 3 08:12:10 MST 2007 - jnorman@novell.com Wed Jan 3 08:12:10 MST 2007 - jnorman@novell.com


@ -37,6 +37,11 @@ using sscs.crypto;
using Novell.CASA.CASAPolicy; using Novell.CASA.CASAPolicy;
#if LINUX
using Mono.Unix.Native;
#endif
namespace sscs.cache namespace sscs.cache
{ {
class SecretStore class SecretStore
@ -47,7 +52,7 @@ namespace sscs.cache
private Hashtable tKeyChainList = new Hashtable(); private Hashtable tKeyChainList = new Hashtable();
private Hashtable keyChainList; //= Hashtable.Synchronized(tKeyChainList); private Hashtable keyChainList; //= Hashtable.Synchronized(tKeyChainList);
internal User user; internal User user;
private Mutex ssMutex ; //reqd only for refCount private Mutex ssMutex; //reqd only for refCount
private int state; // Maintains the state of SS ( keychain private int state; // Maintains the state of SS ( keychain
// type availability). TODO: Convert to a class. // type availability). TODO: Convert to a class.
@ -116,7 +121,7 @@ namespace sscs.cache
public bool StopPersistence() public bool StopPersistence()
{ {
if(lss != null && bIsStorePersistent == true) if (lss != null && bIsStorePersistent == true)
{ {
lss.StopPersistence(); lss.StopPersistence();
lss = null; lss = null;
@ -165,13 +170,13 @@ namespace sscs.cache
try try
{ {
byte[] baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(sDesktopPassword, GetPasscodeByDesktopFilePath(), false); byte[] baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(sDesktopPassword, GetPasscodeByDesktopFilePath(), false);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath())) if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{ {
return true; return true;
} }
// try old salt // try old salt
baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(sDesktopPassword, GetPasscodeByDesktopFilePath(), true); baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(sDesktopPassword, GetPasscodeByDesktopFilePath(), true);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath())) if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{ {
return true; return true;
} }
@ -198,32 +203,32 @@ namespace sscs.cache
/* Persistence could have started because the user /* Persistence could have started because the user
* could have set master password. * could have set master password.
*/ */
if(slss != null && bIsServerStorePersistent == true) if (slss != null && bIsServerStorePersistent == true)
{ {
CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " Server Secrets Store is already persistent"); CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " Server Secrets Store is already persistent");
CSSSLogger.DbgLog("StartPersistenceOfServerSecretsBySystemKey - Started"); CSSSLogger.DbgLog("StartPersistenceOfServerSecretsBySystemKey - Started");
return true; return true;
} }
if(!File.Exists(GetServerPasscodeBySystemKeyFilePath())) if (!File.Exists(GetServerPasscodeBySystemKeyFilePath()))
{ {
/* /*
if (File.Exists(GetServerPasscodeByMasterPasswdFilePath())) if (File.Exists(GetServerPasscodeByMasterPasswdFilePath()))
{ {
// wait for the user to start the Persistence by entering MP // wait for the user to start the Persistence by entering MP
return false; return false;
} }
*/ */
baPasscode = CASACrypto.GenerateServerMasterPasscode( baPasscode = CASACrypto.GenerateServerMasterPasscode(
GetServerPasscodeBySystemKeyFilePath(), GetServerPasscodeBySystemKeyFilePath(),
GetServerValidationFilePath()); GetServerValidationFilePath());
if( null == baPasscode ) if (null == baPasscode)
{ {
return false; return false;
} }
if(!File.Exists(GetServerKeyFilePath())) if (!File.Exists(GetServerKeyFilePath()))
{ {
GenerateAndStoreEncryptionKey(baPasscode, GetServerKeyFilePath()); GenerateAndStoreEncryptionKey(baPasscode, GetServerKeyFilePath());
slss = new LocalStorage(this, baPasscode, true); slss = new LocalStorage(this, baPasscode, true);
@ -233,14 +238,14 @@ namespace sscs.cache
} }
baPasscode = CASACrypto.GetServerMasterPasscodeUsingSystemKey(GetServerPasscodeBySystemKeyFilePath()); baPasscode = CASACrypto.GetServerMasterPasscodeUsingSystemKey(GetServerPasscodeBySystemKeyFilePath());
if(CASACrypto.ValidatePasscode(baPasscode,GetServerValidationFilePath())) if (CASACrypto.ValidatePasscode(baPasscode, GetServerValidationFilePath()))
{ {
slss = new LocalStorage(this, baPasscode, true); slss = new LocalStorage(this, baPasscode, true);
bIsServerStorePersistent = true; bIsServerStorePersistent = true;
return true; return true;
} }
} }
catch(Exception e) catch (Exception e)
{ {
CSSSLogger.ExpLog(e.ToString()); CSSSLogger.ExpLog(e.ToString());
} }
@ -275,12 +280,12 @@ namespace sscs.cache
/* Persistence could have started because the user /* Persistence could have started because the user
* could have set master password. * could have set master password.
*/ */
if(lss != null && bIsStorePersistent == true) if (lss != null && bIsStorePersistent == true)
{ {
/* Verify passcode and if validation fails, rewrite /* Verify passcode and if validation fails, rewrite
* desktop file. * desktop file.
*/ */
if(File.Exists(GetPasscodeByDesktopFilePath())) if (File.Exists(GetPasscodeByDesktopFilePath()))
{ {
} }
else else
@ -294,7 +299,7 @@ namespace sscs.cache
} }
if(!File.Exists(GetPasscodeByDesktopFilePath())) if (!File.Exists(GetPasscodeByDesktopFilePath()))
{ {
if (File.Exists(GetPasscodeByMasterPasswdFilePath())) if (File.Exists(GetPasscodeByMasterPasswdFilePath()))
{ {
@ -309,22 +314,22 @@ namespace sscs.cache
GetValidationFilePath(), GetValidationFilePath(),
user.UserIdentifier); user.UserIdentifier);
if( null == baPasscode ) if (null == baPasscode)
return false; return false;
if(!File.Exists(GetKeyFilePath())) if (!File.Exists(GetKeyFilePath()))
{ {
GenerateAndStoreEncryptionKey(baPasscode, GetKeyFilePath()); GenerateAndStoreEncryptionKey(baPasscode, GetKeyFilePath());
lss = new LocalStorage(this,baPasscode); lss = new LocalStorage(this, baPasscode);
bIsStorePersistent = true; bIsStorePersistent = true;
return true; return true;
} }
} }
baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(desktopPasswd, GetPasscodeByDesktopFilePath(), false); baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(desktopPasswd, GetPasscodeByDesktopFilePath(), false);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath())) if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{ {
lss = new LocalStorage(this,baPasscode); lss = new LocalStorage(this, baPasscode);
bIsStorePersistent = true; bIsStorePersistent = true;
return true; return true;
} }
@ -347,7 +352,7 @@ namespace sscs.cache
} }
} }
} }
catch(Exception e) catch (Exception e)
{ {
CSSSLogger.ExpLog(e.ToString()); CSSSLogger.ExpLog(e.ToString());
} }
@ -378,24 +383,24 @@ namespace sscs.cache
{ {
try try
{ {
char[] trimChars = {'\0'}; char[] trimChars = { '\0' };
string mPasswd = mPasswdFromIDK.TrimEnd(trimChars); string mPasswd = mPasswdFromIDK.TrimEnd(trimChars);
bool isVerifyOperation = false; bool isVerifyOperation = false;
string mPasswdFileName = GetPasscodeByMasterPasswdFilePath(); string mPasswdFileName = GetPasscodeByMasterPasswdFilePath();
byte[] baPasscode; byte[] baPasscode;
if(File.Exists(mPasswdFileName)) if (File.Exists(mPasswdFileName))
isVerifyOperation = true; //else it is a set operation. isVerifyOperation = true; //else it is a set operation.
string desktopPasswd = GetDesktopPasswd(); string desktopPasswd = GetDesktopPasswd();
if(isVerifyOperation == false) if (isVerifyOperation == false)
{ {
/* Here the master password file needs to be generated. /* Here the master password file needs to be generated.
*/ */
if(desktopPasswd != null) if (desktopPasswd != null)
{ {
baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(desktopPasswd, GetPasscodeByDesktopFilePath(), false); baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(desktopPasswd, GetPasscodeByDesktopFilePath(), false);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath())) if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{ {
CASACrypto.EncryptAndStoreMasterPasscodeUsingString( CASACrypto.EncryptAndStoreMasterPasscodeUsingString(
baPasscode, baPasscode,
@ -460,29 +465,29 @@ namespace sscs.cache
/* If desktop passwd is not there and user sets /* If desktop passwd is not there and user sets
* master password. * master password.
*/ */
if(File.Exists(GetPersistenceFilePath())) if (File.Exists(GetPersistenceFilePath()))
{ {
File.Delete(GetPersistenceFilePath()); File.Delete(GetPersistenceFilePath());
CSSSLogger.DbgLog("Removing the persistent storeas its meaningless now. - Desktop passwd is not there and Master password is being set"); CSSSLogger.DbgLog("Removing the persistent storeas its meaningless now. - Desktop passwd is not there and Master password is being set");
} }
if(File.Exists((GetPasscodeByDesktopFilePath()))) if (File.Exists((GetPasscodeByDesktopFilePath())))
{ {
File.Delete((GetPasscodeByDesktopFilePath())); File.Delete((GetPasscodeByDesktopFilePath()));
CSSSLogger.DbgLog("Removing the persistent storeas its meaningless now. - Desktop passwd is not there and Master password is being set"); CSSSLogger.DbgLog("Removing the persistent storeas its meaningless now. - Desktop passwd is not there and Master password is being set");
} }
baPasscode = CASACrypto.GenerateMasterPasscodeUsingString(mPasswd,GetPasscodeByMasterPasswdFilePath(),GetValidationFilePath(), user.UserIdentifier); baPasscode = CASACrypto.GenerateMasterPasscodeUsingString(mPasswd, GetPasscodeByMasterPasswdFilePath(), GetValidationFilePath(), user.UserIdentifier);
if(baPasscode != null) if (baPasscode != null)
{ {
if(!File.Exists(GetKeyFilePath())) if (!File.Exists(GetKeyFilePath()))
{ {
GenerateAndStoreEncryptionKey(baPasscode, GetKeyFilePath()); GenerateAndStoreEncryptionKey(baPasscode, GetKeyFilePath());
} }
CASACrypto.EncryptAndStoreMasterPasscodeUsingString(baPasscode,mPasswd,GetPasscodeByMasterPasswdFilePath()); CASACrypto.EncryptAndStoreMasterPasscodeUsingString(baPasscode, mPasswd, GetPasscodeByMasterPasswdFilePath());
if( bIsStorePersistent == false ) if (bIsStorePersistent == false)
{ {
lss = new LocalStorage(this,baPasscode); lss = new LocalStorage(this, baPasscode);
bIsStorePersistent = true; bIsStorePersistent = true;
} }
return true; return true;
@ -498,14 +503,14 @@ namespace sscs.cache
//Get the passcode from master passwd file and validate. //Get the passcode from master passwd file and validate.
//If validation succeeds,start persistence. //If validation succeeds,start persistence.
if(desktopPasswd == null) if (desktopPasswd == null)
{ {
baPasscode = CASACrypto.DecryptMasterPasscodeUsingString(mPasswd, GetPasscodeByMasterPasswdFilePath(), false); baPasscode = CASACrypto.DecryptMasterPasscodeUsingString(mPasswd, GetPasscodeByMasterPasswdFilePath(), false);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath())) if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{ {
if(bIsStorePersistent == false) if (bIsStorePersistent == false)
{ {
lss = new LocalStorage(this,baPasscode); lss = new LocalStorage(this, baPasscode);
bIsStorePersistent = true; bIsStorePersistent = true;
} }
return true; return true;
@ -535,12 +540,12 @@ namespace sscs.cache
{ //There are 2 cases - either desktop passwd has changed { //There are 2 cases - either desktop passwd has changed
//or it hasnt. //or it hasnt.
baPasscode = CASACrypto.GetMasterPasscodeUsingMasterPasswd(mPasswd, GetPasscodeByMasterPasswdFilePath(), false); baPasscode = CASACrypto.GetMasterPasscodeUsingMasterPasswd(mPasswd, GetPasscodeByMasterPasswdFilePath(), false);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath())) if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{ {
RewriteDesktopPasswdFile(baPasscode,desktopPasswd); RewriteDesktopPasswdFile(baPasscode, desktopPasswd);
if(bIsStorePersistent == false) if (bIsStorePersistent == false)
{ {
lss = new LocalStorage(this,baPasscode); lss = new LocalStorage(this, baPasscode);
bIsStorePersistent = true; bIsStorePersistent = true;
} }
return true; return true;
@ -564,7 +569,7 @@ namespace sscs.cache
} }
} }
} }
catch(Exception e) catch (Exception e)
{ {
CSSSLogger.ExpLog(e.ToString()); CSSSLogger.ExpLog(e.ToString());
} }
@ -578,7 +583,7 @@ namespace sscs.cache
CASACrypto.EncryptAndStoreMasterPasscodeUsingString(baPasscode, desktopPasswd, GetPasscodeByDesktopFilePath()); CASACrypto.EncryptAndStoreMasterPasscodeUsingString(baPasscode, desktopPasswd, GetPasscodeByDesktopFilePath());
CSSSLogger.DbgLog("Re-encryted passcode with desktop passwd"); CSSSLogger.DbgLog("Re-encryted passcode with desktop passwd");
} }
catch(Exception e) catch (Exception e)
{ {
CSSSLogger.ExpLog(e.ToString()); CSSSLogger.ExpLog(e.ToString());
} }
@ -608,7 +613,7 @@ namespace sscs.cache
} }
} }
catch(Exception e) catch (Exception e)
{ {
CSSSLogger.ExpLog(e.ToString()); CSSSLogger.ExpLog(e.ToString());
} }
@ -663,7 +668,7 @@ namespace sscs.cache
ssMutex.ReleaseMutex(); ssMutex.ReleaseMutex();
CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " : RefCount = " + refCount); CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " : RefCount = " + refCount);
} }
catch(Exception e) catch (Exception e)
{ {
CSSSLogger.ExpLog(e.ToString()); CSSSLogger.ExpLog(e.ToString());
throw e; throw e;
@ -679,7 +684,7 @@ namespace sscs.cache
ssMutex.ReleaseMutex(); ssMutex.ReleaseMutex();
CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " : RefCount = " + refCount); CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " : RefCount = " + refCount);
} }
catch(Exception e) catch (Exception e)
{ {
CSSSLogger.ExpLog(e.ToString()); CSSSLogger.ExpLog(e.ToString());
throw e; throw e;
@ -692,15 +697,15 @@ namespace sscs.cache
try try
{ {
keychain.CreatedTime = DateTime.Now; keychain.CreatedTime = DateTime.Now;
keyChainList.Add(keychain.GetKey(),keychain); keyChainList.Add(keychain.GetKey(), keychain);
} }
catch(Exception e) catch (Exception e)
{ {
CSSSLogger.DbgLog(e.ToString()); CSSSLogger.DbgLog(e.ToString());
throw e; throw e;
} }
CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " - Successfully added Keychain = "+ keychain.GetKey() + " length = "+ (keychain.GetKey()).Length); CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " - Successfully added Keychain = " + keychain.GetKey() + " length = " + (keychain.GetKey()).Length);
return true; return true;
} }
@ -741,7 +746,7 @@ namespace sscs.cache
internal KeyChain GetKeyChain(string id) internal KeyChain GetKeyChain(string id)
{ {
if(keyChainList.ContainsKey(id)) if (keyChainList.ContainsKey(id))
{ {
CSSSLogger.DbgLog("In " + CSSSLogger.GetExecutionPath(this) + " Keychain already exists."); CSSSLogger.DbgLog("In " + CSSSLogger.GetExecutionPath(this) + " Keychain already exists.");
KeyChain kc = (KeyChain)(keyChainList[id]); KeyChain kc = (KeyChain)(keyChainList[id]);
@ -757,7 +762,7 @@ namespace sscs.cache
internal bool CheckIfKeyChainExists(string id) internal bool CheckIfKeyChainExists(string id)
{ {
if(keyChainList.ContainsKey(id)) if (keyChainList.ContainsKey(id))
return true; return true;
else else
return false; return false;
@ -777,9 +782,9 @@ namespace sscs.cache
*/ */
internal bool CommitStore() internal bool CommitStore()
{ {
if(lss != null) if (lss != null)
lss.PersistStore(ConstStrings.SSCS_SESSION_KEY_CHAIN_ID); lss.PersistStore(ConstStrings.SSCS_SESSION_KEY_CHAIN_ID);
if(slss != null) if (slss != null)
slss.PersistStore(ConstStrings.SSCS_SERVER_KEY_CHAIN_ID); slss.PersistStore(ConstStrings.SSCS_SERVER_KEY_CHAIN_ID);
return true; return true;
} }
@ -792,25 +797,25 @@ namespace sscs.cache
} }
internal void DumpSecretstore() internal void DumpSecretstore()
{ {
lock(keyChainList.SyncRoot) lock (keyChainList.SyncRoot)
{ {
IDictionaryEnumerator iter = (IDictionaryEnumerator)GetKeyChainEnumerator(); IDictionaryEnumerator iter = (IDictionaryEnumerator)GetKeyChainEnumerator();
while( iter.MoveNext() ) while (iter.MoveNext())
{ {
int i = 0; int i = 0;
KeyChain kc = (KeyChain)iter.Value; KeyChain kc = (KeyChain)iter.Value;
CSSSLogger.DbgLog("\nKeychain id = " + kc.GetKey()); CSSSLogger.DbgLog("\nKeychain id = " + kc.GetKey());
CSSSLogger.DbgLog("Secret List is "); CSSSLogger.DbgLog("Secret List is ");
IDictionaryEnumerator secIter = (IDictionaryEnumerator)(kc.GetAllSecrets()); IDictionaryEnumerator secIter = (IDictionaryEnumerator)(kc.GetAllSecrets());
while(secIter.MoveNext()) while (secIter.MoveNext())
{ {
Secret secret = (Secret)secIter.Value; Secret secret = (Secret)secIter.Value;
CSSSLogger.DbgLog("Secret " + i.ToString() + " id = " + secret.GetKey() + " value = " + secret.GetValue() ); CSSSLogger.DbgLog("Secret " + i.ToString() + " id = " + secret.GetKey() + " value = " + secret.GetValue());
IDictionaryEnumerator etor = (IDictionaryEnumerator) secret.GetKeyValueEnumerator(); IDictionaryEnumerator etor = (IDictionaryEnumerator)secret.GetKeyValueEnumerator();
while(etor.MoveNext()) while (etor.MoveNext())
{ {
KeyValue kv = (KeyValue)etor.Value; KeyValue kv = (KeyValue)etor.Value;
CSSSLogger.DbgLog("Key = " + kv.Key +" Value = " + kv.GetValue()); CSSSLogger.DbgLog("Key = " + kv.Key + " Value = " + kv.GetValue());
} }
i++; i++;
} }
@ -872,7 +877,7 @@ namespace sscs.cache
string passwd = secret.GetKeyValue(ConstStrings.MICASA_DESKTOP_PASSWD_KEYNAME).GetValue(); string passwd = secret.GetKeyValue(ConstStrings.MICASA_DESKTOP_PASSWD_KEYNAME).GetValue();
return passwd; return passwd;
} }
catch(Exception e) catch (Exception e)
{ {
CSSSLogger.ExpLog(e.ToString()); CSSSLogger.ExpLog(e.ToString());
} }
@ -938,7 +943,7 @@ namespace sscs.cache
if ((miCASAFiles != null) && (miCASAFiles.Length > 0)) if ((miCASAFiles != null) && (miCASAFiles.Length > 0))
{ {
for (int i=0; i<miCASAFiles.Length; i++) for (int i = 0; i < miCASAFiles.Length; i++)
{ {
string sFileName = miCASAFiles[i].Substring(miCASAFiles[i].LastIndexOf("/")); string sFileName = miCASAFiles[i].Substring(miCASAFiles[i].LastIndexOf("/"));
File.Move(miCASAFiles[i], sNewPath + sFileName); File.Move(miCASAFiles[i], sNewPath + sFileName);
@ -1133,7 +1138,45 @@ namespace sscs.cache
// restore umask // restore umask
Mono.Unix.Native.Syscall.umask(permissions); Mono.Unix.Native.Syscall.umask(permissions);
#endif
}
internal bool IsDirectoryOwnedByUser(string sPath)
{
#if LINUX
try
{
Stat stat = new Stat();
int rcode = Syscall.stat(sPath, out stat);
if (stat.st_uid == (uint)this.user.UserIdentifier.GetUID())
{
FilePermissions fp = stat.st_mode;
if ((fp & FilePermissions.S_IWUSR) != FilePermissions.S_IWUSR)
{
return false;
}
else
{
return true;
}
}
else
{
return false;
}
}
catch (Exception e)
{
return false;
}
#else
return true;
#endif #endif
} }
} }
} }
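Review bot: In the new `IsDirectoryOwnedByUser`, the result of `Syscall.stat` is stored in `rcode` but never tested, so a failed call is judged on whatever `stat` was left holding instead of being rejected outright; add `if (rcode != 0) return false;` before the uid comparison. The mode test only requires `S_IWUSR`, so a path that is not a directory, or a directory that is also writable by group or others, still passes. For a location that holds the secret store I would also return false when `(fp & (FilePermissions.S_IWGRP | FilePermissions.S_IWOTH)) != 0` and when the file type is not a directory. The `catch (Exception e)` discards the exception without the `CSSSLogger.ExpLog` call that the other handlers in this file use, and the non-LINUX branch returns true with no check at all, which needs a comment saying so. The caller checks the path and only afterwards copies files into it by name, so the answer may be stale by then; the method's doc comment should state that limitation.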


@ -277,9 +277,12 @@ namespace sscs.verbs
cpd.SetErrorMessage("Directory not allowed"); cpd.SetErrorMessage("Directory not allowed");
return wo; return wo;
} }
#endif #endif
if (!ssStore.IsDirectoryOwnedByUser(sNewDir))
{
cpd.SetErrorMessage("Directory not owned by user");
return wo;
}
// copy all .miCASA* files to new location // copy all .miCASA* files to new location
string[] files = Directory.GetFiles(sOldDir, ".miCASA*"); string[] files = Directory.GetFiles(sOldDir, ".miCASA*");
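Review bot: The reason set by `cpd.SetErrorMessage("Directory not owned by user")` is also what the client receives when `IsDirectoryOwnedByUser` returns false because the owner-write bit is missing or the stat call threw, so the reported cause can be wrong. Since this is a policy rejection of the persistent-store location, the rejected path should be recorded before `return wo;`, for example with `CSSSLogger.DbgLog("Persistent directory rejected: " + sNewDir);` if the logger is in scope in this file. The new check sits after the `#endif`, so it also runs on non-Linux builds, where the helper always returns true; a one-line comment above the call should say that. The enclosing method starts and ends outside the hunk.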