| ["package", node, pkg] => OS.Process.exit (Main.requestApt {node = node, pkg = pkg})
| ["cron", node, uname] => OS.Process.exit (Main.requestCron {node = node, uname = uname})
| ["ftp", node, uname] => OS.Process.exit (Main.requestFtp {node = node, uname = uname})
+ | ["tpe", node, uname] => OS.Process.exit (Main.requestTrustedPath {node = node, uname = uname})
| _ => print "Invalid command-line arguments\n"
val requestApt : {node : string, pkg : string} -> OS.Process.status
val requestCron : {node : string, uname : string} -> OS.Process.status
val requestFtp : {node : string, uname : string} -> OS.Process.status
+ val requestTrustedPath : {node : string, uname : string} -> OS.Process.status
end
before OpenSSL.close bio
end
+fun requestTrustedPath {node, uname} =
+ let
+ val (user, context) = requestContext (fn () => ())
+ val bio = OpenSSL.connect (context, if node = Config.masterNode then
+ dispatcher
+ else
+ Domain.nodeIp node ^ ":" ^ Int.toString Config.slavePort)
+
+ val _ = Msg.send (bio, MsgQuery (QTrustedPath uname))
+
+ fun loop () =
+ case Msg.recv bio of
+ NONE => (print "Server closed connection unexpectedly.\n";
+ OS.Process.failure)
+ | SOME m =>
+ case m of
+ MsgYes => (print "User has trusted path restriction.\n";
+ OS.Process.success)
+ | MsgNo => (print "User does not have trusted path restriction.\n";
+ OS.Process.failure)
+ | MsgError s => (print ("Trusted path query failed: " ^ s ^ "\n");
+ OS.Process.failure)
+ | _ => (print "Unexpected server reply.\n";
+ OS.Process.failure)
+ in
+ loop ()
+ before OpenSSL.close bio
+ end
+
fun regenerate context =
let
val b = basis ()
QApt pkg => if Apt.installed pkg then MsgYes else MsgNo
| QCron user => if Cron.allowed user then MsgYes else MsgNo
| QFtp user => if Ftp.allowed user then MsgYes else MsgNo
+ | QTrustedPath user => if TrustedPath.query user then MsgYes else MsgNo
fun describeQuery q =
case q of
QApt pkg => "Requested installation status of package " ^ pkg
| QCron user => "Asked about cron permissions for user " ^ user
| QFtp user => "Asked about FTP permissions for user " ^ user
+ | QTrustedPath user => "Asked about trusted path settings for user " ^ user
fun service () =
let
OpenSSL.writeString (bio, s))
| QFtp s => (OpenSSL.writeInt (bio, 2);
OpenSSL.writeString (bio, s))
+ | QTrustedPath s => (OpenSSL.writeInt (bio, 3);
+ OpenSSL.writeString (bio, s))
fun recvQuery bio =
case OpenSSL.readInt bio of
0 => Option.map QApt (OpenSSL.readString bio)
| 1 => Option.map QCron (OpenSSL.readString bio)
| 2 => Option.map QFtp (OpenSSL.readString bio)
+ | 3 => Option.map QTrustedPath (OpenSSL.readString bio)
| _ => NONE)
| NONE => NONE
(* Is this user allowed to use cron? *)
| QFtp of string
(* Is this user allowed to use FTP? *)
+ | QTrustedPath of string
+ (* Is this user restricted to trusted-path executables? *)
datatype msg =
MsgOk
--- /dev/null
+(* HCoop Domtool (http://hcoop.sourceforge.net/)
+ * Copyright (c) 2006-2007, Adam Chlipala
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *)
+
+(* Trusted path settings querying *)
+
+signature TRUSTED_PATH = sig
+
+ val query : string -> bool
+ (* Is the named user restricted to trusted-path executables on this host? *)
+
+end
--- /dev/null
+(* HCoop Domtool (http://hcoop.sourceforge.net/)
+ * Copyright (c) 2006-2007, Adam Chlipala
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *)
+
+(* Trusted path settings querying *)
+
+structure TrustedPath :> TRUSTED_PATH = struct
+
+fun query uname = List.exists (fn x => x = uname)
+ (Posix.SysDB.Group.members (Posix.SysDB.getgrnam "only-tpe"))
+ handle OS.SysErr _ => false
+
+end
plugins/ftp.sig
plugins/ftp.sml
+plugins/trustedPath.sig
+plugins/trustedPath.sml
+
mail/vmail.sig
mail/vmail.sml
HCoop / hcoop / domtool2.git / commitdiff