[X2Go-Commits] x2gobroker.git - build-main (branch) updated: 0.0.0.1-35-gd9c17a2
X2Go dev team
git-admin at x2go.org
Sun May 19 13:03:12 CEST 2013
The branch, build-main has been updated
via d9c17a236357d7939415afae5b420917f0e2f212 (commit)
from 176c5d672d301ed401172f23f5dac5d765d7f2f6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
debian/changelog | 2 +
debian/x2gobroker-daemon.default | 28 ++++++++----
debian/x2gobroker-daemon.init | 51 ++++++++++++++++-----
debian/x2gobroker.install | 1 +
sbin/x2gobroker | 2 +
sbin/x2gobroker-authservice | 67 +++++++++++++++++++++++++++
x2gobroker/authmechs/pam_authmech.py | 4 +-
x2gobroker/authservice.py | 84 ++++++++++++++++++++++++++++++++++
x2gobroker/defaults.py | 6 +++
9 files changed, 223 insertions(+), 22 deletions(-)
create mode 100755 sbin/x2gobroker-authservice
create mode 100644 x2gobroker/authservice.py
The diff of changes is:
diff --git a/debian/changelog b/debian/changelog
index ad2e00c..ebbbbd3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,8 @@ x2gobroker (0.0.0.2-0~x2go1) UNRELEASED; urgency=low
- Make sure the unprivileged daemon user (x2gobroker) has access to the
PID file directory.
- Set log level to CRITICAL if running unit tests.
+ - Perform PAM authentication via an authentication service (the broker
+ runs as non-privileged user, the authentication service as root).
* /debian/control:
+ Add bin:package x2gobroker-agent.
* /debian/x2gobroker-daemon.init:
diff --git a/debian/x2gobroker-daemon.default b/debian/x2gobroker-daemon.default
index ff315d5..f3c5bc0 100644
--- a/debian/x2gobroker-daemon.default
+++ b/debian/x2gobroker-daemon.default
@@ -1,35 +1,47 @@
# X2Go Session Broker configuration for Debian
# Uncomment to enable the X2Go Session Broker standalone daemon
-START_DAEMON=true
+START_BROKER=true
-# the posix user ID the broker runs under (do not change!)
+# For PAM authentication the X2Go Session Broker needs its authentication
+# service. The session broker itself runs as a non-privileged user (see below)
+# whereas the authentication service must run as super-user root.
+#
+# If you do not use PAM as authentication mechanism with the X2Go Session Broker,
+# you can disable the authentication service here.
+START_AUTHSERVICE=true
+
+# The posix user ID the broker runs under (do not change!)
# if you change it nonetheless, make sure that the log file
# directory (default: /var/log/x2gobroker) and files in there are
# writable by that user
#X2GOBROKER_DAEMON_USER=x2gobroker
-# run X2Go Session Broker in debug mode, this will make the broker
+# Run X2Go Session Broker in debug mode, this will make the broker
# available through http GET method calls (otherwise: POST method
# only) and you will be able to test the broker through your web
# browser (0=disable, 1=enable).
#X2GOBROKER_DEBUG=0
-# bind standalone daemon to this address:port
+# Bind standalone daemon to this address:port
#DAEMON_BIND_ADDRESS=127.0.0.1:8080
-# default X2Go Session Broker backend (available: zeroconf, inifile)
+# Default X2Go Session Broker backend (available: zeroconf, inifile)
#X2GOBROKER_DEFAULT_BACKEND=zeroconf
-# path to the X2Go Session Broker's configuration file
+# Path to the X2Go Session Broker's configuration file
#X2GOBROKER_CONFIG=/etc/x2go/x2gobroker.conf
-# path to the X2Go Session Broker's session profiles file (when using the inifile backend)
+# Path to the X2Go Session Broker's session profiles file (when using the inifile backend)
#X2GOBROKER_SESSIONPROFILES=/etc/x2go/broker/x2gobroker-sessionprofiles.conf
-# path to the X2Go Session Broker's agent command
+# Path to the X2Go Session Broker's agent command
#X2GOBROKER_AGENT_CMD=/usr/lib/x2go/x2gobroker-agent
+# The unix socket file for communication between the broker and the authentication service.
+#X2GOBROKER_AUTHSERVICE_SOCKET=/run/x2gobroker/x2gobroker-authservice.socket
+
+
##########################################################
### ###
### Enable SSL Support ###
diff --git a/debian/x2gobroker-daemon.init b/debian/x2gobroker-daemon.init
index fba7672..67276e4 100755
--- a/debian/x2gobroker-daemon.init
+++ b/debian/x2gobroker-daemon.init
@@ -19,13 +19,16 @@
set -eu
DAEMON=/usr/sbin/x2gobroker
+AUTHSERVICE=/usr/sbin/x2gobroker-authservice
test -d /run && RUNDIR=/run || RUNDIR=/var/run
-PIDFILE=$RUNDIR/x2gobroker/x2gobroker-daemon.pid
+PIDFILE_BROKER=$RUNDIR/x2gobroker/x2gobroker-daemon.pid
+PIDFILE_AUTHSERVICE=$RUNDIR/x2gobroker/x2gobroker-authservice.pid
DEBIANCONFIG=/etc/default/x2gobroker-daemon
test -x "$DAEMON" || exit 0
-START_DAEMON=false
+START_BROKER=false
+START_AUTHSERVICE=false
DAEMON_BIND_ADDRESS=127.0.0.1:8080
X2GOBROKER_DEBUG=0
X2GOBROKER_DAEMON_USER='x2gobroker'
@@ -33,6 +36,7 @@ X2GOBROKER_DEFAULT_BACKEND="zeroconf"
X2GOBROKER_CONFIG="/etc/x2go/x2gobroker.conf"
X2GOBROKER_SESSIONPROFILES="/etc/x2go/broker/x2gobroker-sessionprofiles.conf"
X2GOBROKER_AGENT_CMD="/usr/lib/x2go/x2gobroker-agent"
+X2GOBROKER_AUTHSERVICE_SOCKET="$RUNDIR/x2gobroker/x2gobroker-authservice.socket"
X2GOBROKER_SSL_CERTFILE=
X2GOBROKER_SSL_KEYFILE=
test -f $DEBIANCONFIG && . $DEBIANCONFIG
@@ -57,6 +61,7 @@ export X2GOBROKER_CONFIG
export X2GOBROKER_DEFAULT_BACKEND
export X2GOBROKER_SESSIONPROFILES
export X2GOBROKER_AGENT_CMD
+export X2GOBROKER_AUTHSERVICE_SOCKET
export X2GOBROKER_SSL_CERTFILE
export X2GOBROKER_SSL_KEYFILE
@@ -72,28 +77,50 @@ is_true()
case "${1:-}" in
start)
- if [ -e $PIDFILE ]; then
+ if [ -e $PIDFILE_BROKER ]; then
if ps -u $X2GOBROKER_DAEMON_USER | grep $(basename $DAEMON) 1>/dev/null 2>/dev/null; then
log_warning_msg "X2Go Session Broker already running"
else
- log_warning_msg "X2Go Session Broker: stale PID file ($PIDFILE). Delete it manually!"
+ log_warning_msg "X2Go Session Broker: stale PID file ($PIDFILE_BROKER). Delete it manually!"
fi
- START_DAEMON=no
+ START_BROKER=no
fi
- if is_true $START_DAEMON; then
- log_daemon_msg "Starting X2Go Session Broker standalone daemon" $(basename $DAEMON)
+ if is_true $START_BROKER; then
+ log_daemon_msg "Starting X2Go Session Broker standalone daemon" "$(basename $DAEMON)"
set +e
- start-stop-daemon --chuid $X2GOBROKER_DAEMON_USER -b -m -S -p $PIDFILE -x $DAEMON -- -b $DAEMON_BIND_ADDRESS
+ start-stop-daemon --chuid $X2GOBROKER_DAEMON_USER -b -m -S -p $PIDFILE_BROKER -x $DAEMON -- -b $DAEMON_BIND_ADDRESS
log_end_msg $?
set -e
+ if [ -e $PIDFILE_AUTHSERVICE ]; then
+ if ps -u root | grep $(basename $AUTHSERVICE) 1>/dev/null 2>/dev/null; then
+ log_warning_msg "X2Go Broker Authentication Service already running"
+ else
+ log_warning_msg "X2Go Broker Authentication Service: stale PID file ($PIDFILE_AUTHSERVICE). Delete it manually!"
+ fi
+ START_AUTHSERVICE=no
+ fi
+ if is_true $START_AUTHSERVICE; then
+ set +e
+ log_daemon_msg "Starting X2Go Broker Authentication Service" "$(basename $AUTHSERVICE)"
+ start-stop-daemon -b -m -S -p $PIDFILE_AUTHSERVICE -x $AUTHSERVICE -- -s $X2GOBROKER_AUTHSERVICE_SOCKET
+ set -e
+ fi
fi
;;
stop)
- if [ -f $PIDFILE ] ; then
- log_daemon_msg "Stopping X2Go Session Broker standalone daemon" "x2gobroker"
+ if [ -f $PIDFILE_BROKER ] ; then
+ log_daemon_msg "Stopping X2Go Session Broker standalone daemon" "$(basename $DAEMON)"
+ set +e
+ start-stop-daemon -K -p $PIDFILE_BROKER
+ rm -f $PIDFILE_BROKER
+ log_end_msg $?
+ set -e
+ fi
+ if [ -f $PIDFILE_AUTHSERVICE ] ; then
+ log_daemon_msg "X2Go Broker Authentication Service" "$(basename $AUTHSERVICE)"
set +e
- start-stop-daemon -K -p $PIDFILE
- rm -f $PIDFILE
+ start-stop-daemon -K -p $PIDFILE_AUTHSERVICE
+ rm -f $PIDFILE_AUTHSERVICE
log_end_msg $?
set -e
fi
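Review bot: The authentication-service start block (the stale-PID check and `if is_true $START_AUTHSERVICE; then`) is nested inside `if is_true $START_BROKER; then`, so with START_BROKER=false the service is never started even when START_AUTHSERVICE=true; move the broker block's closing `fi` up to just after its `set -e` so the two blocks are siblings. The service start also calls `log_daemon_msg` with no matching `log_end_msg $?`, and the stop branch's label `"X2Go Broker Authentication Service"` lacks the verb the broker's label has (`"Stopping X2Go Broker Authentication Service"`). Because the service binds an AF_UNIX socket, the stop branch should also `rm -f $X2GOBROKER_AUTHSERVICE_SOCKET` beside the PID file, otherwise the next start can fail in bind() on the leftover socket file (set_reuse_addr has no effect on unix sockets). The case statement continues outside the hunk.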
diff --git a/debian/x2gobroker.install b/debian/x2gobroker.install
index fac20e4..29dc1c0 100644
--- a/debian/x2gobroker.install
+++ b/debian/x2gobroker.install
@@ -1 +1,2 @@
sbin/x2gobroker usr/sbin/
+sbin/x2gobroker-authservice usr/sbin/
\ No newline at end of file
diff --git a/sbin/x2gobroker b/sbin/x2gobroker
index da91b0e..bb52019 100755
--- a/sbin/x2gobroker
+++ b/sbin/x2gobroker
@@ -1,5 +1,7 @@
#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
# This file is part of the X2Go Project - http://www.x2go.org
# Copyright (C) 2011-2012 by Oleksandr Shneyder <oleksandr.shneyder at obviously-nice.de>
# Copyright (C) 2011-2012 by Heinz-Markus Graesing <heinz-m.graesing at obviously-nice.de>
diff --git a/sbin/x2gobroker-authservice b/sbin/x2gobroker-authservice
new file mode 100755
index 0000000..12974f8
--- /dev/null
+++ b/sbin/x2gobroker-authservice
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+
+# -*- coding: utf-8 -*-
+
+# This file is part of the X2Go Project - http://www.x2go.org
+# Copyright (C) 2011-2012 by Oleksandr Shneyder <oleksandr.shneyder at obviously-nice.de>
+# Copyright (C) 2011-2012 by Heinz-Markus Graesing <heinz-m.graesing at obviously-nice.de>
+# Copyright (C) 2012 by Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
+#
+# X2Go Session Broker is free software; you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# X2Go Session Broker is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program; if not, write to the
+# Free Software Foundation, Inc.,
+# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+
+import os
+import sys
+import setproctitle
+import argparse
+
+try:
+ import x2gobroker.authservice
+except ImportError:
+ sys.path.insert(0, os.path.join(os.getcwd(), '..'))
+ import x2gobroker.authservice
+
+PROG_NAME = os.path.basename(sys.argv[0])
+PROG_OPTIONS = sys.argv[1:]
+setproctitle.setproctitle("%s %s" % (PROG_NAME, " ".join(PROG_OPTIONS)))
+
+if __name__ == '__main__':
+
+ common_options = [
+ {'args':['-s','--socket-file'], 'default': x2gobroker.defaults.X2GOBROKER_AUTHSERVICE_SOCKET, 'metavar': 'AUTHSOCKET', 'help': 'socket file for AuthService communication', },
+ {'args':['-d','--debug'], 'default': False, 'action': 'store_true', 'help': 'enable debugging code', },
+ ]
+ p = argparse.ArgumentParser(description='X2Go Session Broker (PAM Auth Service)',\
+ formatter_class=argparse.RawDescriptionHelpFormatter, \
+ add_help=True, argument_default=None)
+ p_common = p.add_argument_group('common parameters')
+
+ for (p_group, opts) in ( (p_common, common_options), ):
+ for opt in opts:
+ args = opt['args']
+ del opt['args']
+ p_group.add_argument(*args, **opt)
+
+ cmdline_args = p.parse_args()
+
+ if cmdline_args.debug:
+ x2gobroker.defaults.X2GOBROKER_DEBUG = cmdline_args.debug
+
+ socket_file = cmdline_args.socket_file
+ x2gobroker.authservice.AuthService(socket_file)
+ try:
+ x2gobroker.authservice.loop()
+ except KeyboardInterrupt:
+ pass
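Review bot: Nothing here sets ownership or mode on the socket file that AuthService binds at `socket_file`, so it gets whatever umask the root daemon inherited; under a usual 022 umask only root can connect and the unprivileged broker user is refused, while loosening it to world-writable lets every local account on the host submit credentials to PAM through a root process. After `x2gobroker.authservice.AuthService(socket_file)` the script should `os.chown` the file to the broker user (or a dedicated group) and `os.chmod(socket_file, 0660)`, with the path inside a root-owned directory. The socket file is also never removed on exit: wrap the loop in `try: x2gobroker.authservice.loop()` / `finally: os.unlink(socket_file)` so a restart does not fail in bind() on the stale file. Minor: `x2gobroker.defaults` is only reachable because authservice.py happens to import it; add an explicit `import x2gobroker.defaults`.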
diff --git a/x2gobroker/authmechs/pam_authmech.py b/x2gobroker/authmechs/pam_authmech.py
index fca5ec0..b46d1a2 100644
--- a/x2gobroker/authmechs/pam_authmech.py
+++ b/x2gobroker/authmechs/pam_authmech.py
@@ -18,7 +18,7 @@
# Free Software Foundation, Inc.,
# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
-import pam
+import x2gobroker.authservice
class X2GoBrokerAuthMech(object):
@@ -26,7 +26,7 @@ class X2GoBrokerAuthMech(object):
# do a simple PAM authentication against the PAM service ,,x2gobroker''
if username and password:
- if pam.authenticate(username, password, service="x2gobroker"):
+ if x2gobroker.authservice.authenticate(username, password, service="x2gobroker"):
return True
return False
diff --git a/x2gobroker/authservice.py b/x2gobroker/authservice.py
new file mode 100644
index 0000000..018be90
--- /dev/null
+++ b/x2gobroker/authservice.py
@@ -0,0 +1,84 @@
+# -*- coding: utf-8 -*-
+
+# This file is part of the X2Go Project - http://www.x2go.org
+# Copyright (C) 2011-2012 by Oleksandr Shneyder <oleksandr.shneyder at obviously-nice.de>
+# Copyright (C) 2011-2012 by Heinz-Markus Graesing <heinz-m.graesing at obviously-nice.de>
+# Copyright (C) 2012 by Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
+#
+# X2Go Session Broker is free software; you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# X2Go Session Broker is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program; if not, write to the
+# Free Software Foundation, Inc.,
+# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+
+import asyncore
+import pam
+import socket
+
+import x2gobroker.defaults
+
+class AuthClient(asyncore.dispatcher_with_send):
+
+ def __init__(self, sock):
+ asyncore.dispatcher_with_send.__init__(self, sock)
+ self._buf = ''
+
+ def handle_read(self):
+ data = self._buf + self.recv(1024)
+ if not data:
+ self.close()
+ return
+ reqs, data = data.rsplit('\n', 1)
+ self._buf = data
+ for req in reqs.split('\n'):
+ try:
+ user, passwd, service = req.split()
+ except:
+ self.send('bad\n')
+ else:
+ if pam.authenticate(user, passwd, service):
+ self.send('ok\n')
+ else:
+ self.send('fail\n')
+
+ def handle_close(self):
+ self.close()
+
+
+class AuthService(asyncore.dispatcher_with_send):
+
+ def __init__(self, socketfile):
+ asyncore.dispatcher_with_send.__init__(self)
+ self.create_socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ self.set_reuse_addr()
+ self.bind(socketfile)
+ self.listen(1)
+
+ def handle_accept(self):
+ conn, _ = self.accept()
+ AuthClient(conn)
+
+
+def loop():
+ asyncore.loop()
+
+
+def authenticate(username, password, service="x2gobroker"):
+ s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ s.connect(x2gobroker.defaults.X2GOBROKER_AUTHSERVICE_SOCKET)
+
+ s.send('{username} {password} {service}\n'.format(username=username, password=password, service=service))
+ result = s.recv(1024)
+ s.close()
+ if result.startswith('ok'):
+ return True
+ return False
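Review bot: The service name in handle_read is taken verbatim from the client (`user, passwd, service = req.split()`) and handed to `pam.authenticate`, so any process that can write to the socket can check credentials against every PAM service on the host, not only x2gobroker; since this code runs as root and the socket is the sole trust boundary, reject anything else before the PAM call, e.g. `if service != 'x2gobroker': self.send('bad\n'); continue`, and narrow the bare `except:` to `except ValueError:`. The parser also mishandles two inputs: a chunk that does not end in a newline makes `reqs, data = data.rsplit('\n', 1)` raise ValueError on the one-element result (use `reqs, sep, self._buf = data.rpartition('\n')` followed by `if not sep: return`), and a password containing whitespace splits into more than three fields and is answered 'bad' although it may be valid. On the client side, authenticate() uses `send` instead of `sendall`, reads a single `recv` and never closes the socket if connect or send raises; a socket.error from a stopped service then propagates out of pam_authmech.py's call (its hunk in this commit) instead of reading as a failed login, as the old `pam.authenticate` did. The rewrite below closes the socket on every path and turns an unreachable service into a False result.

```python
def authenticate(username, password, service="x2gobroker"):
    # Ask the root-owned auth service (over its unix socket) whether the
    # credentials are valid; any transport error counts as a failed login.
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(x2gobroker.defaults.X2GOBROKER_AUTHSERVICE_SOCKET)
        s.sendall('{username} {password} {service}\n'.format(username=username, password=password, service=service))
        result = ''
        # the service answers with one newline-terminated word; read until we have it
        while '\n' not in result:
            chunk = s.recv(1024)
            if not chunk:
                break
            result += chunk
    except socket.error:
        return False
    finally:
        s.close()
    return result.startswith('ok')
```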
diff --git a/x2gobroker/defaults.py b/x2gobroker/defaults.py
index 4e90837..c02ce43 100644
--- a/x2gobroker/defaults.py
+++ b/x2gobroker/defaults.py
@@ -84,6 +84,12 @@ else:
X2GOBROKER_AGENT_CMD = "/usr/lib/x2go/x2gobroker-agent"
logger_broker.info(' X2GOBROKER_AGENT_CMD: {value}'.format(value=X2GOBROKER_AGENT_CMD))
+if os.environ.has_key('X2GOBROKER_AUTHSERVICE_SOCKET'):
+ X2GOBROKER_AUTHSERVICE_SOCKET=os.environ['X2GOBROKER_AUTHSERVICE_SOCKET']
+else:
+ X2GOBROKER_AUTHSERVICE_SOCKET="/var/run/x2gobroker-authservice.socket"
+logger_broker.info(' X2GOBROKER_AUTHSERVICE_SOCKET: {value}'.format(value=X2GOBROKER_AUTHSERVICE_SOCKET))
+
if os.environ.has_key('X2GOBROKER_DEFAULT_BACKEND'):
X2GOBROKER_DEFAULT_BACKEND = os.environ['X2GOBROKER_DEFAULT_BACKEND']
else:
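Review bot: The fallback `"/var/run/x2gobroker-authservice.socket"` does not match the path the Debian packaging uses for the same setting (`$RUNDIR/x2gobroker/x2gobroker-authservice.socket` in the init script and the example in x2gobroker-daemon.default), so a broker or service started without the init script's exports looks for the socket in a different place, outside the broker's own run directory. Either align the fallback, e.g. `X2GOBROKER_AUTHSERVICE_SOCKET="/var/run/x2gobroker/x2gobroker-authservice.socket"`, or document the difference in the default file's comment. The surrounding if/else chain continues outside the hunk.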