From: William A. Rowe Jr Date: Wed, 26 Jun 2013 21:03:33 +0000 (+0000) Subject: mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog X-Git-Tag: 2.2.25~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c13fc4c6a48029709ee5d4c21bd561f9ef3ab2a;p=thirdparty%2Fapache%2Fhttpd.git mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog for AuthLDAPBindPassword. Backports: r1433478, r1467523, r1467792 Submitted by: druggeri Reviewed by: minfrin. wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1497095 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index da8578489e1..2be12e5b6c4 100644 --- a/CHANGES +++ b/CHANGES @@ -68,6 +68,9 @@ Changes with Apache 2.2.24 *) mod_ssl: Add new directive SSLCompression to disable TLS-level compression. PR 53219. [Björn Jacke , Stefan Fritsch] + *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind + password. [Daniel Ruggeri] + Changes with Apache 2.2.23 *) SECURITY: CVE-2012-0883 (cve.mitre.org) diff --git a/STATUS b/STATUS index 71c6f8937a8..bef913714aa 100644 --- a/STATUS +++ b/STATUS 
@@ -114,17 +114,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - - * mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog - for AuthLDAPBindPassword. - trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1433478 - http://svn.apache.org/viewvc?view=revision&revision=1467523 - http://svn.apache.org/viewvc?view=revision&revision=1467792 - 2.2.x patch: http://people.apache.org/~druggeri/patches/AuthLDAPBindPasswordExec-2.2.patch - (20130119 - updated to include minor mmn bump) - (20130412 - updated to not use static var - thx, wrowe) - +1: druggeri, minfrin. wrowe - * mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. (check at startup, to prevent segfaults at proxy request time) @@ -221,6 +210,12 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 2.2.x patch: trunk patch works modulo CHANGES +1: trawick, wrowe + * mod_authnz_ldap: Allow using exec: callouts like SSLPassphraseDialog + for AuthLDAPBindPassword. + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1433478 + 2.4.x patch: http://people.apache.org/~druggeri/patches/AuthLDAPBindPasswordExec-2.4.patch + +1: druggeri + PATCHES/ISSUES THAT ARE STALLED * mod_cache: Realign the cache_quick_handler() to behave identically diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index 4a4196252f1..325e7f9d2b1 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -731,6 +731,21 @@ authenticating the user if this one fails module="mod_authnz_ldap">AuthLDAPBindDN and AuthLDAPBindPassword if you absolutely need them to search the directory.

+ +

If the value begins with exec: the resulting command will be + executed and the first line returned to standard output by the + program will be used as the password.

+
+#Password used as-is
+AuthLDAPBindPassword secret
+
+#Run /path/to/program to get my password
+AuthLDAPBindPassword exec:/path/to/program
+
+#Run /path/to/otherProgram and provide arguments
+AuthLDAPBindPassword "exec:/path/to/otherProgram argument1"
+
+ diff --git a/include/ap_mmn.h b/include/ap_mmn.h index f8ebeb7fae4..1b2cfa02a62 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -149,6 +149,7 @@ * 20051115.29 (2.2.21) add max_ranges to core_dir_config * 20051115.30 (2.2.21) add ap_set_accept_ranges() * 20051115.31 (2.2.23) Add forcerecovery to proxy_balancer_shared struct + # 20051115.32 (2.2.24) Add ap_get_exec_line */ #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */ @@ -156,7 +157,7 @@ #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 20051115 #endif -#define MODULE_MAGIC_NUMBER_MINOR 31 /* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 32 /* 0...n */ /** * Determine if the server's current MODULE_MAGIC_NUMBER is at least a diff --git a/include/httpd.h b/include/httpd.h index f20c87332d8..5bf2cfe7135 100644 --- a/include/httpd.h +++ b/include/httpd.h @@ -1867,6 +1867,19 @@ extern int raise_sigstop_flags; */ AP_DECLARE(const char *) ap_psignature(const char *prefix, request_rec *r); + +/** + * Short function to execute a command and return the first line of + * output minus \r \n. Useful for "obscuring" passwords via exec calls + * @param p the pool to allocate from + * @param cmd the command to execute + * @param argv the arguments to pass to the cmd + * @return ptr to characters or NULL on any error + */ +AP_DECLARE(char *) ap_get_exec_line(apr_pool_t *p, + const char *cmd, + const char * const *argv); + /** strtoul does not exist on sunos4. */ #ifdef strtoul #undef strtoul diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index ce1af3db4de..630ca85da74 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c 
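Review bot: The block comment on the new ap_get_exec_line declaration does not say when or how the command runs, which is what a caller fetching a secret through it needs to know; from server/util.c in this same commit it spawns `cmd` synchronously with the caller's privileges, expects `argv[0]` to name the program, reads stdout one byte at a time up to the first CR or LF, silently truncates at MAX_STRING_LEN-1 bytes, and returns an empty string (not NULL) when the program prints nothing before the newline. I would extend the comment with ` * Runs cmd synchronously with the caller's privileges; argv[0] must be the program name. The first line of stdout is returned, truncated at MAX_STRING_LEN-1 bytes; an empty first line yields "" rather than NULL, so callers that need a non-empty secret must check for it.` It is also worth stating that the returned string is allocated from `p` and therefore lives as long as that pool, since callers will store it in long-lived config. This hunk is in a header, so there is no enclosing function.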
@@ -1075,6 +1075,43 @@ static const char *set_charset_config(cmd_parms *cmd, void *config, const char * return NULL; } +static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg) +{ + authn_ldap_config_t *sec = _cfg; + int arglen = strlen(arg); + char **argv; + char *result; + + if ((arglen > 5) && strncmp(arg, "exec:", 5) == 0) { + if (apr_tokenize_to_argv(arg+5, &argv, cmd->temp_pool) != APR_SUCCESS) { + return apr_pstrcat(cmd->pool, + "Unable to parse exec arguments from ", + arg+5, NULL); + } + argv[0] = ap_server_root_relative(cmd->temp_pool, argv[0]); + + if (!argv[0]) { + return apr_pstrcat(cmd->pool, + "Invalid AuthLDAPBindPassword exec location:", + arg+5, NULL); + } + result = ap_get_exec_line(cmd->pool, + (const char*)argv[0], (const char * const *)argv); + + if(!result) { + return apr_pstrcat(cmd->pool, + "Unable to get bind password from exec of ", + arg+5, NULL); + } + sec->bindpw = result; + } + else { + sec->bindpw = (char *)arg; + } + + return NULL; +} + static const command_rec authnz_ldap_cmds[] = { AP_INIT_TAKE12("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG, @@ -1105,8 +1142,7 @@ static const command_rec authnz_ldap_cmds[] = (void *)APR_OFFSETOF(authn_ldap_config_t, binddn), OR_AUTHCFG, "DN to use to bind to LDAP server. If not provided, will do an anonymous bind."), - AP_INIT_TAKE1("AuthLDAPBindPassword", ap_set_string_slot, - (void *)APR_OFFSETOF(authn_ldap_config_t, bindpw), OR_AUTHCFG, + AP_INIT_TAKE1("AuthLDAPBindPassword", set_bind_password, NULL, OR_AUTHCFG, "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."), AP_INIT_FLAG("AuthLDAPBindAuthoritative", ap_set_flag_slot, diff --git a/server/util.c b/server/util.c index a50d0340e5a..b334c964537 100644 --- a/server/util.c +++ b/server/util.c 
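Review bot: `if(!result)` in set_bind_password accepts an empty string from ap_get_exec_line, which the implementation in this commit returns whenever the helper prints nothing before its first newline (for example when it fails and exits silently); `sec->bindpw` then becomes "", and an empty simple-bind password is treated by LDAP servers as an unauthenticated bind (RFC 4513 §5.1.2), so a broken helper silently downgrades the search bind instead of failing the configuration. Change the check to `if (!result || !*result) {` so that case hits the existing "Unable to get bind password from exec of" error. Separately, the command table hunk keeps the directive at OR_AUTHCFG, so as far as I can tell the exec: form is also honoured in .htaccess files under AllowOverride AuthConfig, where it runs a program chosen by the file's author as the server user each time that file is parsed; consider refusing the exec: form outside the main server configuration (ap_check_cmd_context, if this branch has a flag that excludes .htaccess). The `int arglen = strlen(arg)` narrowing is harmless here but `apr_size_t` would match the rest of the file.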
@@ -2240,3 +2240,44 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse( return APR_SUCCESS; } +AP_DECLARE(char *) ap_get_exec_line(apr_pool_t *p, + const char *cmd, + const char * const * argv) +{ + char buf[MAX_STRING_LEN]; + apr_procattr_t *procattr; + apr_proc_t *proc; + apr_file_t *fp; + apr_size_t nbytes = 1; + char c; + int k; + + if (apr_procattr_create(&procattr, p) != APR_SUCCESS) + return NULL; + if (apr_procattr_io_set(procattr, APR_FULL_BLOCK, APR_FULL_BLOCK, + APR_FULL_BLOCK) != APR_SUCCESS) + return NULL; + if (apr_procattr_dir_set(procattr, + ap_make_dirstr_parent(p, cmd)) != APR_SUCCESS) + return NULL; + if (apr_procattr_cmdtype_set(procattr, APR_PROGRAM) != APR_SUCCESS) + return NULL; + proc = apr_pcalloc(p, sizeof(apr_proc_t)); + if (apr_proc_create(proc, cmd, argv, NULL, procattr, p) != APR_SUCCESS) + return NULL; + fp = proc->out; + + if (fp == NULL) + return NULL; + /* XXX: we are reading 1 byte at a time here */ + for (k = 0; apr_file_read(fp, &c, &nbytes) == APR_SUCCESS + && nbytes == 1 && (k < MAX_STRING_LEN-1) ; ) { + if (c == '\n' || c == '\r') + break; + buf[k++] = c; + } + buf[k] = '\0'; + apr_file_close(fp); + + return apr_pstrndup(p, buf, k); +}
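Review bot: ap_get_exec_line never reaps or checks the child: after reading the first line it closes only `proc->out`, so a helper that exits non-zero after printing nothing is indistinguishable from one that printed an empty password (both return "" rather than NULL), its stdin and stderr pipes (all three were set to APR_FULL_BLOCK) are never closed, and the process is left unreaped. Because stderr is a pipe nobody drains, a helper that writes more than a pipe buffer of diagnostics before emitting the password blocks forever and the server hangs at startup. I would let stderr go to the parent's stderr (APR_NO_PIPE), close `proc->in` right after the spawn so the child sees EOF, and after the read call apr_proc_wait and treat a non-zero exit, a signal, or an empty line as failure; this needs `int exitcode; apr_exit_why_e why; char *result;` added to the declarations. Clearing `buf` afterwards would be nice since a stack copy of the password otherwise remains, though a plain memset may be optimized away and APR offers no guaranteed-erase helper here.

```c
    if (apr_procattr_io_set(procattr, APR_FULL_BLOCK, APR_FULL_BLOCK,
                            APR_NO_PIPE) != APR_SUCCESS)
        return NULL;
    /* … unchanged: dir, cmdtype, apr_proc_create … */
    /* the helper gets no input; give it EOF instead of an open pipe */
    if (proc->in)
        apr_file_close(proc->in);
    fp = proc->out;
    if (fp == NULL)
        return NULL;
    /* … unchanged: byte-at-a-time read of the first line into buf … */
    buf[k] = '\0';
    apr_file_close(fp);
    /* reap the child; refuse output from one that failed or printed nothing */
    if (apr_proc_wait(proc, &exitcode, &why, APR_WAIT) != APR_CHILD_DONE
        || why != APR_PROC_EXIT || exitcode != 0 || k == 0) {
        return NULL;
    }
    result = apr_pstrndup(p, buf, k);
    return result;
```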