bug 222012. Better enforce persistent directory location

Jim Norman 2007-01-04 08:54:07 +00:00
parent 67e99fc3d9
commit d0a9891cdf
3 changed files with 523 additions and 471 deletions


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Jan 4 13:37:03 MST 2007 - jnorman@novell.com
- Bug 221012. Based on code review, enhance persistent directory
policy.
-------------------------------------------------------------------
Wed Jan 3 08:12:10 MST 2007 - jnorman@novell.com


@ -37,6 +37,11 @@ using sscs.crypto;
using Novell.CASA.CASAPolicy;
#if LINUX
using Mono.Unix.Native;
#endif
namespace sscs.cache
{
class SecretStore
@ -47,7 +52,7 @@ namespace sscs.cache
private Hashtable tKeyChainList = new Hashtable();
private Hashtable keyChainList; //= Hashtable.Synchronized(tKeyChainList);
internal User user;
private Mutex ssMutex ; //reqd only for refCount
private Mutex ssMutex; //reqd only for refCount
private int state; // Maintains the state of SS ( keychain
// type availability). TODO: Convert to a class.
@ -116,7 +121,7 @@ namespace sscs.cache
public bool StopPersistence()
{
if(lss != null && bIsStorePersistent == true)
if (lss != null && bIsStorePersistent == true)
{
lss.StopPersistence();
lss = null;
@ -165,13 +170,13 @@ namespace sscs.cache
try
{
byte[] baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(sDesktopPassword, GetPasscodeByDesktopFilePath(), false);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath()))
if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{
return true;
}
// try old salt
baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(sDesktopPassword, GetPasscodeByDesktopFilePath(), true);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath()))
if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{
return true;
}
@ -198,32 +203,32 @@ namespace sscs.cache
/* Persistence could have started because the user
* could have set master password.
*/
if(slss != null && bIsServerStorePersistent == true)
if (slss != null && bIsServerStorePersistent == true)
{
CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " Server Secrets Store is already persistent");
CSSSLogger.DbgLog("StartPersistenceOfServerSecretsBySystemKey - Started");
return true;
}
if(!File.Exists(GetServerPasscodeBySystemKeyFilePath()))
if (!File.Exists(GetServerPasscodeBySystemKeyFilePath()))
{
/*
/*
if (File.Exists(GetServerPasscodeByMasterPasswdFilePath()))
{
// wait for the user to start the Persistence by entering MP
return false;
}
*/
*/
baPasscode = CASACrypto.GenerateServerMasterPasscode(
GetServerPasscodeBySystemKeyFilePath(),
GetServerValidationFilePath());
if( null == baPasscode )
if (null == baPasscode)
{
return false;
}
if(!File.Exists(GetServerKeyFilePath()))
if (!File.Exists(GetServerKeyFilePath()))
{
GenerateAndStoreEncryptionKey(baPasscode, GetServerKeyFilePath());
slss = new LocalStorage(this, baPasscode, true);
@ -233,14 +238,14 @@ namespace sscs.cache
}
baPasscode = CASACrypto.GetServerMasterPasscodeUsingSystemKey(GetServerPasscodeBySystemKeyFilePath());
if(CASACrypto.ValidatePasscode(baPasscode,GetServerValidationFilePath()))
if (CASACrypto.ValidatePasscode(baPasscode, GetServerValidationFilePath()))
{
slss = new LocalStorage(this, baPasscode, true);
bIsServerStorePersistent = true;
return true;
}
}
catch(Exception e)
catch (Exception e)
{
CSSSLogger.ExpLog(e.ToString());
}
@ -275,12 +280,12 @@ namespace sscs.cache
/* Persistence could have started because the user
* could have set master password.
*/
if(lss != null && bIsStorePersistent == true)
if (lss != null && bIsStorePersistent == true)
{
/* Verify passcode and if validation fails, rewrite
* desktop file.
*/
if(File.Exists(GetPasscodeByDesktopFilePath()))
if (File.Exists(GetPasscodeByDesktopFilePath()))
{
}
else
@ -294,7 +299,7 @@ namespace sscs.cache
}
if(!File.Exists(GetPasscodeByDesktopFilePath()))
if (!File.Exists(GetPasscodeByDesktopFilePath()))
{
if (File.Exists(GetPasscodeByMasterPasswdFilePath()))
{
@ -309,22 +314,22 @@ namespace sscs.cache
GetValidationFilePath(),
user.UserIdentifier);
if( null == baPasscode )
if (null == baPasscode)
return false;
if(!File.Exists(GetKeyFilePath()))
if (!File.Exists(GetKeyFilePath()))
{
GenerateAndStoreEncryptionKey(baPasscode, GetKeyFilePath());
lss = new LocalStorage(this,baPasscode);
lss = new LocalStorage(this, baPasscode);
bIsStorePersistent = true;
return true;
}
}
baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(desktopPasswd, GetPasscodeByDesktopFilePath(), false);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath()))
if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{
lss = new LocalStorage(this,baPasscode);
lss = new LocalStorage(this, baPasscode);
bIsStorePersistent = true;
return true;
}
@ -347,7 +352,7 @@ namespace sscs.cache
}
}
}
catch(Exception e)
catch (Exception e)
{
CSSSLogger.ExpLog(e.ToString());
}
@ -378,24 +383,24 @@ namespace sscs.cache
{
try
{
char[] trimChars = {'\0'};
char[] trimChars = { '\0' };
string mPasswd = mPasswdFromIDK.TrimEnd(trimChars);
bool isVerifyOperation = false;
string mPasswdFileName = GetPasscodeByMasterPasswdFilePath();
byte[] baPasscode;
if(File.Exists(mPasswdFileName))
if (File.Exists(mPasswdFileName))
isVerifyOperation = true; //else it is a set operation.
string desktopPasswd = GetDesktopPasswd();
if(isVerifyOperation == false)
if (isVerifyOperation == false)
{
/* Here the master password file needs to be generated.
*/
if(desktopPasswd != null)
if (desktopPasswd != null)
{
baPasscode = CASACrypto.GetMasterPasscodeUsingDesktopPasswd(desktopPasswd, GetPasscodeByDesktopFilePath(), false);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath()))
if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{
CASACrypto.EncryptAndStoreMasterPasscodeUsingString(
baPasscode,
@ -460,29 +465,29 @@ namespace sscs.cache
/* If desktop passwd is not there and user sets
* master password.
*/
if(File.Exists(GetPersistenceFilePath()))
if (File.Exists(GetPersistenceFilePath()))
{
File.Delete(GetPersistenceFilePath());
CSSSLogger.DbgLog("Removing the persistent storeas its meaningless now. - Desktop passwd is not there and Master password is being set");
}
if(File.Exists((GetPasscodeByDesktopFilePath())))
if (File.Exists((GetPasscodeByDesktopFilePath())))
{
File.Delete((GetPasscodeByDesktopFilePath()));
CSSSLogger.DbgLog("Removing the persistent storeas its meaningless now. - Desktop passwd is not there and Master password is being set");
}
baPasscode = CASACrypto.GenerateMasterPasscodeUsingString(mPasswd,GetPasscodeByMasterPasswdFilePath(),GetValidationFilePath(), user.UserIdentifier);
if(baPasscode != null)
baPasscode = CASACrypto.GenerateMasterPasscodeUsingString(mPasswd, GetPasscodeByMasterPasswdFilePath(), GetValidationFilePath(), user.UserIdentifier);
if (baPasscode != null)
{
if(!File.Exists(GetKeyFilePath()))
if (!File.Exists(GetKeyFilePath()))
{
GenerateAndStoreEncryptionKey(baPasscode, GetKeyFilePath());
}
CASACrypto.EncryptAndStoreMasterPasscodeUsingString(baPasscode,mPasswd,GetPasscodeByMasterPasswdFilePath());
if( bIsStorePersistent == false )
CASACrypto.EncryptAndStoreMasterPasscodeUsingString(baPasscode, mPasswd, GetPasscodeByMasterPasswdFilePath());
if (bIsStorePersistent == false)
{
lss = new LocalStorage(this,baPasscode);
lss = new LocalStorage(this, baPasscode);
bIsStorePersistent = true;
}
return true;
@ -498,14 +503,14 @@ namespace sscs.cache
//Get the passcode from master passwd file and validate.
//If validation succeeds,start persistence.
if(desktopPasswd == null)
if (desktopPasswd == null)
{
baPasscode = CASACrypto.DecryptMasterPasscodeUsingString(mPasswd, GetPasscodeByMasterPasswdFilePath(), false);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath()))
if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{
if(bIsStorePersistent == false)
if (bIsStorePersistent == false)
{
lss = new LocalStorage(this,baPasscode);
lss = new LocalStorage(this, baPasscode);
bIsStorePersistent = true;
}
return true;
@ -535,12 +540,12 @@ namespace sscs.cache
{ //There are 2 cases - either desktop passwd has changed
//or it hasnt.
baPasscode = CASACrypto.GetMasterPasscodeUsingMasterPasswd(mPasswd, GetPasscodeByMasterPasswdFilePath(), false);
if(CASACrypto.ValidatePasscode(baPasscode,GetValidationFilePath()))
if (CASACrypto.ValidatePasscode(baPasscode, GetValidationFilePath()))
{
RewriteDesktopPasswdFile(baPasscode,desktopPasswd);
if(bIsStorePersistent == false)
RewriteDesktopPasswdFile(baPasscode, desktopPasswd);
if (bIsStorePersistent == false)
{
lss = new LocalStorage(this,baPasscode);
lss = new LocalStorage(this, baPasscode);
bIsStorePersistent = true;
}
return true;
@ -564,7 +569,7 @@ namespace sscs.cache
}
}
}
catch(Exception e)
catch (Exception e)
{
CSSSLogger.ExpLog(e.ToString());
}
@ -578,7 +583,7 @@ namespace sscs.cache
CASACrypto.EncryptAndStoreMasterPasscodeUsingString(baPasscode, desktopPasswd, GetPasscodeByDesktopFilePath());
CSSSLogger.DbgLog("Re-encryted passcode with desktop passwd");
}
catch(Exception e)
catch (Exception e)
{
CSSSLogger.ExpLog(e.ToString());
}
@ -608,7 +613,7 @@ namespace sscs.cache
}
}
catch(Exception e)
catch (Exception e)
{
CSSSLogger.ExpLog(e.ToString());
}
@ -663,7 +668,7 @@ namespace sscs.cache
ssMutex.ReleaseMutex();
CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " : RefCount = " + refCount);
}
catch(Exception e)
catch (Exception e)
{
CSSSLogger.ExpLog(e.ToString());
throw e;
@ -679,7 +684,7 @@ namespace sscs.cache
ssMutex.ReleaseMutex();
CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " : RefCount = " + refCount);
}
catch(Exception e)
catch (Exception e)
{
CSSSLogger.ExpLog(e.ToString());
throw e;
@ -692,15 +697,15 @@ namespace sscs.cache
try
{
keychain.CreatedTime = DateTime.Now;
keyChainList.Add(keychain.GetKey(),keychain);
keyChainList.Add(keychain.GetKey(), keychain);
}
catch(Exception e)
catch (Exception e)
{
CSSSLogger.DbgLog(e.ToString());
throw e;
}
CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " - Successfully added Keychain = "+ keychain.GetKey() + " length = "+ (keychain.GetKey()).Length);
CSSSLogger.DbgLog(CSSSLogger.GetExecutionPath(this) + " - Successfully added Keychain = " + keychain.GetKey() + " length = " + (keychain.GetKey()).Length);
return true;
}
@ -741,7 +746,7 @@ namespace sscs.cache
internal KeyChain GetKeyChain(string id)
{
if(keyChainList.ContainsKey(id))
if (keyChainList.ContainsKey(id))
{
CSSSLogger.DbgLog("In " + CSSSLogger.GetExecutionPath(this) + " Keychain already exists.");
KeyChain kc = (KeyChain)(keyChainList[id]);
@ -757,7 +762,7 @@ namespace sscs.cache
internal bool CheckIfKeyChainExists(string id)
{
if(keyChainList.ContainsKey(id))
if (keyChainList.ContainsKey(id))
return true;
else
return false;
@ -777,9 +782,9 @@ namespace sscs.cache
*/
internal bool CommitStore()
{
if(lss != null)
if (lss != null)
lss.PersistStore(ConstStrings.SSCS_SESSION_KEY_CHAIN_ID);
if(slss != null)
if (slss != null)
slss.PersistStore(ConstStrings.SSCS_SERVER_KEY_CHAIN_ID);
return true;
}
@ -792,25 +797,25 @@ namespace sscs.cache
}
internal void DumpSecretstore()
{
lock(keyChainList.SyncRoot)
lock (keyChainList.SyncRoot)
{
IDictionaryEnumerator iter = (IDictionaryEnumerator)GetKeyChainEnumerator();
while( iter.MoveNext() )
while (iter.MoveNext())
{
int i = 0;
KeyChain kc = (KeyChain)iter.Value;
CSSSLogger.DbgLog("\nKeychain id = " + kc.GetKey());
CSSSLogger.DbgLog("Secret List is ");
IDictionaryEnumerator secIter = (IDictionaryEnumerator)(kc.GetAllSecrets());
while(secIter.MoveNext())
while (secIter.MoveNext())
{
Secret secret = (Secret)secIter.Value;
CSSSLogger.DbgLog("Secret " + i.ToString() + " id = " + secret.GetKey() + " value = " + secret.GetValue() );
IDictionaryEnumerator etor = (IDictionaryEnumerator) secret.GetKeyValueEnumerator();
while(etor.MoveNext())
CSSSLogger.DbgLog("Secret " + i.ToString() + " id = " + secret.GetKey() + " value = " + secret.GetValue());
IDictionaryEnumerator etor = (IDictionaryEnumerator)secret.GetKeyValueEnumerator();
while (etor.MoveNext())
{
KeyValue kv = (KeyValue)etor.Value;
CSSSLogger.DbgLog("Key = " + kv.Key +" Value = " + kv.GetValue());
CSSSLogger.DbgLog("Key = " + kv.Key + " Value = " + kv.GetValue());
}
i++;
}
@ -872,7 +877,7 @@ namespace sscs.cache
string passwd = secret.GetKeyValue(ConstStrings.MICASA_DESKTOP_PASSWD_KEYNAME).GetValue();
return passwd;
}
catch(Exception e)
catch (Exception e)
{
CSSSLogger.ExpLog(e.ToString());
}
@ -938,7 +943,7 @@ namespace sscs.cache
if ((miCASAFiles != null) && (miCASAFiles.Length > 0))
{
for (int i=0; i<miCASAFiles.Length; i++)
for (int i = 0; i < miCASAFiles.Length; i++)
{
string sFileName = miCASAFiles[i].Substring(miCASAFiles[i].LastIndexOf("/"));
File.Move(miCASAFiles[i], sNewPath + sFileName);
@ -1133,7 +1138,45 @@ namespace sscs.cache
// restore umask
Mono.Unix.Native.Syscall.umask(permissions);
#endif
}
internal bool IsDirectoryOwnedByUser(string sPath)
{
#if LINUX
try
{
Stat stat = new Stat();
int rcode = Syscall.stat(sPath, out stat);
if (stat.st_uid == (uint)this.user.UserIdentifier.GetUID())
{
FilePermissions fp = stat.st_mode;
if ((fp & FilePermissions.S_IWUSR) != FilePermissions.S_IWUSR)
{
return false;
}
else
{
return true;
}
}
else
{
return false;
}
}
catch (Exception e)
{
return false;
}
#else
return true;
#endif
}
}
}
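Review bot: In the new `IsDirectoryOwnedByUser`, the result of `Syscall.stat` is stored in `rcode` and never checked, so a failed call is judged on whatever the `Stat` struct holds (presumably default values) instead of being rejected outright. The function also never confirms that `sPath` is a directory, and its `catch` drops the exception, whereas the other handlers in this file call `CSSSLogger.ExpLog(e.ToString())`. Because this check decides where the secret store may persist, consider also refusing a directory that has `S_IWGRP` or `S_IWOTH` set. The result can go stale before the caller copies files, since the path is checked here and used again by name later. The non-Linux branch returns true with no check at all, which deserves a comment saying so.

```csharp
internal bool IsDirectoryOwnedByUser(string sPath)
{
#if LINUX
    try
    {
        Stat stat;
        // A non-zero return means stat() failed; do not inspect the struct.
        if (Syscall.stat(sPath, out stat) != 0)
        {
            return false;
        }

        FilePermissions fp = stat.st_mode;
        // Only a real directory is acceptable as a persistence location.
        if ((fp & FilePermissions.S_IFMT) != FilePermissions.S_IFDIR)
        {
            return false;
        }

        if (stat.st_uid != (uint)this.user.UserIdentifier.GetUID())
        {
            return false;
        }

        return (fp & FilePermissions.S_IWUSR) == FilePermissions.S_IWUSR;
    }
    catch (Exception e)
    {
        CSSSLogger.ExpLog(e.ToString());
        return false;
    }
    // … unchanged: #else branch returning true …
```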


@ -277,9 +277,12 @@ namespace sscs.verbs
cpd.SetErrorMessage("Directory not allowed");
return wo;
}
#endif
if (!ssStore.IsDirectoryOwnedByUser(sNewDir))
{
cpd.SetErrorMessage("Directory not owned by user");
return wo;
}
// copy all .miCASA* files to new location
string[] files = Directory.GetFiles(sOldDir, ".miCASA*");