diffs to support SecureWare

lance@fox.com
Tue, 5 Jul 94 14:59:47 PDT

SCO ODT 3.2.4 uses TCB entries for password control and also
uses something called Login UID (LUID). The set of diffs included
below modify 'configure', 'config.h.in', 'posixmodule.c',
and 'pwdmodule.c' to use the correct calls and to add some calls
when the '-lprot' library is around.

posixmodule.c now defines setluid() and getluid(), since these are
needed by any daemon that gets run from init: there the LUID is
NOT set, and you cannot query password entries unless it is set.
(BTW: why is there no execvp() call in posixmodule.c?)

pwdmodule.c has changes to return the correct encrypted password.
Before, these routines always returned '*' as the encrypted password.
now it returns the actual encrypted password stored in the TCB entries.

once I get the cryptmodule.c I will modify it to use bigcrypt() instead
of crypt() in the necessary locations to support checking passwords.
with the SecureWare enhancements, passwords can be up to 80 chars
long and the default crypt() will not support anything over 8 chars long.

I thought people would like this since I needed it to run my www server
(Thanks Guido!!!) from init so that i never have to restart it manually.

Enjoy!!!!!

*** python-1.0.2.orig/config.h.in Tue May 3 07:43:56 1994
--- python-1.0.2/config.h.in Tue Jul 5 14:30:20 1994
***************
*** 275,277 ****
--- 275,282 ----

/* Define if you have the thread library (-lthread). */
#undef HAVE_LIBTHREAD
+
+ /* Define if your OS uses SecureWare and TCB entries */
+ /* SCO ODT 3.4.2 does with higher levels of security */
+ #undef SecureWare
+
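Review bot: The new comment names SCO ODT 3.4.2 while the patch description names SCO ODT 3.2.4, so one of the two is presumably a transposition and should be corrected. The macro is also spelled `SecureWare`, unlike the upper-case `HAVE_LIBTHREAD` just above it; a name such as `HAVE_SECUREWARE` would follow the convention visible in this file, if renaming across the patch is acceptable.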

*** python-1.0.2.orig/configure Wed May 4 02:32:26 1994
--- python-1.0.2/configure Tue Jul 5 14:20:43 1994
***************
*** 1966,1971 ****
--- 1966,2005 ----
# checks for system services
# (none yet)

+ # Check for -lprot as this says to use TCB entry and SecureWare defines
+ ac_save_LIBS="${LIBS}"
+ LIBS="${LIBS} -lprot"
+ ac_have_lib=""
+ test -n "$silent" || echo "checking for -lprot"
+ cat > conftest.${ac_ext} <<EOF
+ #include "confdefs.h"
+
+ int main() { return 0; }
+ int t() { main();; return 0; }
+ EOF
+ if eval $ac_compile; then
+ rm -rf conftest*
+ ac_have_lib="1"
+
+ fi
+ rm -f conftest*
+ LIBS="${ac_save_LIBS}"
+ if test -n "${ac_have_lib}"; then
+ {
+ LIBS="$LIBS -lprot"
+ test -n "$verbose" && \
+ echo " defining SecureWare"
+ echo "#define" SecureWare "1" >> confdefs.h
+ DEFS="$DEFS -DSecureWare=1"
+ ac_sed_defs="${ac_sed_defs}\${ac_dA}SecureWare\${ac_dB}SecureWare\${ac_dC}1\${ac_dD}
+ \${ac_uA}SecureWare\${ac_uB}SecureWare\${ac_uC}1\${ac_uD}
+ \${ac_eA}SecureWare\${ac_eB}SecureWare\${ac_eC}1\${ac_eD}
+ "
+ }
+ else
+ :;
+ fi
+
# other checks for UNIX variants
ac_save_LIBS="${LIBS}"
LIBS="${LIBS} -lsun"

*** python-1.0.2.orig/Python/pythonmain.c Tue May 3 07:51:33 1994
--- python-1.0.2/Python/pythonmain.c Tue Jul 5 14:39:21 1994
***************
*** 39,44 ****
--- 39,56 ----
extern char *getversion();
extern char *getcopyright();

+ #if defined(SecureWare)
+ #if defined(M_UNIX)
+ /* nap() is not normally defined in SCO ODT... so this
+ defines it WITHOUT having to link to -lx since that will
+ break other things */
+ long nap(secs)
+ long secs;
+ {
+ return syscall(0x0c28,secs);
+ }
+ #endif
+ #endif
int
realmain(argc, argv)
int argc;
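Review bot: The syscall number `0x0c28` in `nap()` is a bare magic constant, and `syscall` is used without a visible declaration; a comment naming the header or manual page the number comes from would let a maintainer verify it. The parameter is called `secs`, but if this stands in for the `-lx` `nap()` the unit may not be seconds, which is worth confirming before the name misleads a caller. The function is a non-static global, so it will clash if `-lx` is ever linked; the comment should say which library needs the symbol. `realmain` begins at the end of this hunk and continues outside it.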
***************
*** 53,58 ****
--- 65,86 ----
int inspect = 0;
int unbuffered = 0;

+ #ifdef SecureWare
+ set_auth_parameters(argc,argv);
+ #if 0
+ /* Force people to call posix.setluid() with a value...
+ Uncomment this code if you do not want to force them to..
+ */
+ if (getluid() == -1) {
+ if (errno == EPERM) {
+ /* LUID is not set.
+ Set it to the UID of the process as a default since we need
+ one to do anything else */
+ setluid(getuid());
+ }
+ }
+ #endif
+ #endif
if ((p = getenv("PYTHONDEBUG")) && *p != '\0')
debugging = 1;
if ((p = getenv("PYTHONVERBOSE")) && *p != '\0')
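Review bot: `set_auth_parameters(argc,argv)` is called with no declaration or header added in this hunk, so it is implicitly declared; if `<prot.h>` declares it (pwdmodule.c includes that header under the same macro), it should be included here too. The comment on the disabled block says "Uncomment this code", but the block is switched off by `#if 0`, so the instruction should be to change that to `#if 1`. If the fallback is ever enabled, `setluid(getuid())` ignores the return value, and for a daemon started from init it presumably records root's uid as the login identity; the result should be checked and that consequence stated in the comment.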

*** python-1.0.2.orig/Modules/posixmodule.c Thu Feb 24 02:49:41 1994
--- python-1.0.2/Modules/posixmodule.c Tue Jul 5 14:42:48 1994
***************
*** 827,832 ****
--- 827,844 ----
return newintobject((long)getppid());
}

+ #ifdef SecureWare
+ static object *
+ posix_getluid(self, args)
+ object *self;
+ object *args;
+ {
+ if (!getnoarg(args))
+ return NULL;
+ return newintobject((long)getluid());
+ }
+ #endif
+
static object *
posix_getuid(self, args)
object *self;
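Review bot: `posix_getluid` passes the result of `getluid()` straight to `newintobject`, so a failure reaches Python as the integer -1 rather than as an exception. The pythonmain.c hunk of this same patch shows `getluid()` returning -1 with `errno == EPERM` when the LUID is unset. `posix_setluid` already raises through `posix_error()`, and the getter should match it: `long luid = getluid();` then `if (luid < 0) return posix_error();` before `return newintobject(luid);`. Otherwise a caller comparing the result with a uid treats -1 as an identity.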
***************
*** 875,880 ****
--- 887,908 ----
#endif /* ! NT */
}

+ #ifdef SecureWare
+ static object *
+ posix_setluid(self, args)
+ object *self;
+ object *args;
+ {
+ int uid;
+ if (!getargs(args, "i", &uid))
+ return NULL;
+ if (setluid(uid) < 0)
+ return posix_error();
+ INCREF(None);
+ return None;
+ }
+ #endif
+
static object *
posix_setuid(self, args)
object *self;
***************
*** 1364,1370 ****
#ifndef NT
{"pipe", posix_pipe},
#endif /* ! NT */
!
{NULL, NULL} /* Sentinel */
};

--- 1392,1401 ----
#ifndef NT
{"pipe", posix_pipe},
#endif /* ! NT */
! #ifdef SecureWare
! {"getluid", posix_getluid},
! {"setluid", posix_setluid},
! #endif
{NULL, NULL} /* Sentinel */
};

*** python-1.0.2.orig/Modules/pwdmodule.c Sat Jan 1 16:36:16 1994
--- python-1.0.2/Modules/pwdmodule.c Tue Jul 5 14:34:45 1994
***************
*** 30,46 ****
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>
!

/* Module pwd */

!
static object *mkpwent(p)
struct passwd *p;
{
return mkvalue("(ssllsss)",
p->pw_name,
p->pw_passwd,
(long)p->pw_uid,
(long)p->pw_gid,
p->pw_gecos,
--- 30,60 ----
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>
! #ifdef SecureWare
! #include <sys/security.h>
! #include <sys/audit.h>
! #include <prot.h>
! #endif

/* Module pwd */

! #ifdef SecureWare
! static object *mkpwent(p,pr_pw)
! struct passwd *p;
! struct pr_passwd *pr_pw;
! #else
static object *mkpwent(p)
struct passwd *p;
+ #endif
{
return mkvalue("(ssllsss)",
p->pw_name,
+ #ifdef SecureWare
+ (pr_pw->uflg.fg_encrypt?pr_pw->ufld.fd_encrypt:
+ p->pw_passwd),
+ #else
p->pw_passwd,
+ #endif
(long)p->pw_uid,
(long)p->pw_gid,
p->pw_gecos,
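Review bot: With this hunk the second tuple field stops being the `'*'` placeholder and becomes the real encrypted password from the protected entry, yet nothing in the code documents that. A comment above `mkpwent` would help, for example `/* With SecureWare, field 2 is the real encrypted password from the TCB entry; callers must not log or display it. */`. `mkpwent` also dereferences `pr_pw` without a NULL check and relies on every caller to have tested it, which the comment should state as a precondition. The function body continues outside this hunk.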
***************
*** 53,65 ****
--- 67,90 ----
{
int uid;
struct passwd *p;
+ #ifdef SecureWare
+ struct pr_passwd *pr_pw;
+ #endif
if (!getintarg(args, &uid))
return NULL;
if ((p = getpwuid(uid)) == NULL) {
err_setstr(KeyError, "getpwuid(): uid not found");
return NULL;
}
+ #ifndef SecureWare
+ if ((pr_pw = getprpwuid(uid)) == NULL) {
+ err_setstr(KeyError, "getpwuid(): pr_uid not found");
+ return NULL;
+ }
+ return mkpwent(p,pr_pw);
+ #else
return mkpwent(p);
+ #endif
}

static object *pwd_getpwnam(self, args)
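Review bot: The guard added before the `getprpwuid()` call is `#ifndef SecureWare`, which is inverted; the `pr_pw` declaration above it is under `#ifdef SecureWare`, and the matching hunk for `pwd_getpwnam` uses `#ifdef`. As written, a build without SecureWare references the undeclared `pr_pw`, and a build with SecureWare calls `mkpwent(p)` with one argument, so the old-style two-parameter `mkpwent` reads a `pr_pw` that was never passed and dereferences it. The line should read `#ifdef SecureWare`. The last context line of this hunk belongs to the next function.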
***************
*** 67,79 ****
--- 92,115 ----
{
char *name;
struct passwd *p;
+ #ifdef SecureWare
+ struct pr_passwd *pr_pw;
+ #endif
if (!getstrarg(args, &name))
return NULL;
if ((p = getpwnam(name)) == NULL) {
err_setstr(KeyError, "getpwnam(): name not found");
return NULL;
}
+ #ifdef SecureWare
+ if ((pr_pw = getprpwnam(name)) == NULL) {
+ err_setstr(KeyError, "getpwnam(): pr_name not found");
+ return NULL;
+ }
+ return mkpwent(p,pr_pw);
+ #else
return mkpwent(p);
+ #endif
}

static object *pwd_getpwall(self, args)
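Review bot: When `getprpwnam()` returns NULL the lookup now fails with `KeyError` even though `getpwnam()` found the account, so a process that cannot read the protected database loses lookups that worked before the patch. The description says password entries cannot be queried until the LUID is set, which suggests (not visible here) that this will be a common failure for daemons. Consider falling back to `p->pw_passwd` in that case, or at least raising an error whose text says the protected entry could not be read rather than that the name was not found. The same applies to the `getprpwuid()` branch in `pwd_getpwuid`.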
***************
*** 81,93 ****
--- 117,139 ----
{
object *d;
struct passwd *p;
+ #ifdef SecureWare
+ struct pr_passwd *pr_pw;
+ #endif
if (!getnoarg(args))
return NULL;
if ((d = newlistobject(0)) == NULL)
return NULL;
setpwent();
+ #ifdef SecureWare
+ setprpwent();
+ while (((p = getpwent()) != NULL) &&
+ ((pr_pw = getprpwent()) != NULL)) {
+ object *v = mkpwent(p,pr_pw);
+ #else
while ((p = getpwent()) != NULL) {
object *v = mkpwent(p);
+ #endif
if (v == NULL || addlistitem(d, v) != 0) {
XDECREF(v);
DECREF(d);
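Review bot: The loop pairs `getpwent()` and `getprpwent()` by position, which is correct only if the passwd file and the protected database list the same accounts in the same order, and nothing in the hunk checks that. If they differ, one account's encrypted password is returned under another account's name, and the list is silently cut short at the end of the shorter database. Looking the entry up per account, with `pr_pw = getprpwnam(p->pw_name);` inside a plain `while ((p = getpwent()) != NULL)` loop, avoids both problems. A matching `endprpwent()` would belong next to the existing cleanup, which lies outside this hunk.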

--
Lance Ellinghouse                lance@fox.com