
Commit 1ed7fdab authored by Mike Hibler's avatar Mike Hibler

Add "node/user_passwords" sitevar to control passing of password hashes.

Defaults to 0, which means do not pass user password hashes to nodes via
tmcc. Non-zero will restore the old behavior.
parent 94a5df2b
......@@ -161,6 +161,7 @@ INSERT INTO sitevariables VALUES ('cloudlab/message',NULL,'','Message to display
INSERT INTO sitevariables VALUES ('aptui/autoextend_maximum',NULL,'7','Maximum number of days requested that will automaticaly be granted; zero means only admins can extend an experiment.',0);
INSERT INTO sitevariables VALUES ('aptui/autoextend_maxage',NULL,'14','Maximum age (in days) of an experiment before all extension requests require admin approval.',0);
INSERT INTO sitevariables VALUES ('node/nfs_transport',NULL,'udp','Transport protocol to be used by NFS mounts on clients. One of: udp, tcp, or osdefault, where osdefault means use the client OS default setting.',0);
INSERT INTO sitevariables VALUES ('node/user_passwords',NULL,'0','If non-zero, password hashes for users are passed to nodes allow user logins on the console. For better security, you should leave this zero.',0);
INSERT INTO sitevariables VALUES ('images/default_typelist',NULL,'','List of types to associate with an imported image when it is not appropriate to associate all existing types.',0);
INSERT INTO sitevariables VALUES ('protogeni/use_imagetracker',NULL,'0','Enable use of the image tracker.',0);
INSERT INTO sitevariables VALUES ('general/no_openflow',NULL,'0','Disallow topologies that specify openflow controllers, there is no local support for it.',0);
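Review bot: The description text of the new `node/user_passwords` row is missing a word in `passed to nodes allow user logins`; suggest `'If non-zero, password hashes for users are passed to nodes to allow user logins on the console. For better security, you should leave this zero.'`. The same string is inserted by the update script elsewhere in this commit, so both copies should be changed together so that fresh installs and upgraded installs end up with the same wording.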
#
# Add sitevariables to control whether user password hashes are distributed
# to nodes via tmcd.
#
use strict;
use libdb;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
DBQueryFatal("INSERT INTO `sitevariables` VALUES ".
"('node/user_passwords',NULL,'0',".
"'If non-zero, password hashes for users are passed to nodes allow user logins on the console. For better security, you should leave this zero.',0)")
if (!TBSiteVarExists("node/user_passwords"));
return 0;
}
1;
# Local Variables:
# mode:perl
# End:
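Review bot: The header comment says `Add sitevariables` (plural) although the script inserts exactly one row; suggest `# Add the node/user_passwords sitevariable to control whether user password hashes are distributed to nodes via tmcd.` The inserted description carries the same missing word as the fill-file copy (`passed to nodes allow user logins` should read `passed to nodes to allow user logins`). Since the insert appears to be guarded only on the variable name via TBSiteVarExists, a description fixed in one place but not the other would leave existing sites with the old text.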
......@@ -2665,6 +2665,7 @@ COMMAND_PROTOTYPE(doaccounts)
int tbadmin, didwidearea = 0, nodetypeprojects = 0;
int didnonlocal = 0;
int swapper_only = 0;
int dohashes = 0;
if (! tcp) {
error("ACCOUNTS: %s: Cannot give account info out over UDP!\n",
......@@ -2894,10 +2895,29 @@ COMMAND_PROTOTYPE(doaccounts)
}
#endif /* EVENTSYS */
/*
* For local nodes, see if we should return password hashes.
* This is controlled by the node/user_passwords sitevar.
*/
res = mydb_query("select value,defaultvalue from sitevariables "
"where name='node/user_passwords'", 2);
if (res) {
if ((int)mysql_num_rows(res) > 0) {
row = mysql_fetch_row(res);
if (row[0] && row[0][0])
dohashes = atoi(row[0]);
else if (row[1] && row[1][0])
dohashes = atoi(row[1]);
}
mysql_free_result(res);
}
/*
* Now onto the users in the project.
*/
if (reqp->iscontrol) {
char *passwdfield = dohashes ? "u.usr_pswd" : "'*'";
/*
* All users! This is not currently used. The problem
* is that returning a list of hundreds of users whenever
......@@ -2906,7 +2926,7 @@ COMMAND_PROTOTYPE(doaccounts)
* but is not scalable.
*/
res = mydb_query("select distinct "
" u.uid,u.usr_pswd,u.unix_uid,u.usr_name, "
" u.uid,%s,u.unix_uid,u.usr_name, "
" p.trust,g.pid,g.gid,g.unix_gid,u.admin, "
" u.emulab_pubkey,u.home_pubkey, "
" UNIX_TIMESTAMP(u.usr_modified), "
......@@ -2918,7 +2938,7 @@ COMMAND_PROTOTYPE(doaccounts)
" and u.webonly=0 "
" and g.unix_id is not NULL "
" and u.status='active' order by u.uid",
15, reqp->pid, reqp->gid);
15, passwdfield);
}
else if (nodetypeprojects) {
/*
......@@ -2994,7 +3014,8 @@ COMMAND_PROTOTYPE(doaccounts)
* groups for that user.
*/
char adminclause[MYBUFSIZE];
char *passwdfield = (!reqp->islocal && reqp->isdedicatedwa) ?
char *passwdfield =
(!dohashes || (!reqp->islocal && reqp->isdedicatedwa))?
"'*'" : "u.usr_pswd";
strcpy(adminclause, "");
#ifdef ISOLATEADMINS
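Review bot: The comment added above the sitevar lookup says `For local nodes`, but the query runs on every doaccounts request and `dohashes` is consulted both in the `reqp->iscontrol` branch and in the per-project branch, where it is combined with the existing dedicated wide-area exclusion; suggest `* See if we may return password hashes at all. Controlled by the node/user_passwords sitevar; 0, an empty value, or a failed lookup means no hashes.` That last part is worth stating because a NULL `res` or empty row leaves `dohashes` at its initial 0, so the lookup fails closed, which is the right default for credential material. One thing to verify in the `-2918,7 +2938,7` hunk: the argument list now passes only `passwdfield` where it used to pass `reqp->pid, reqp->gid`, so the complete format string (its middle lines fall outside these hunks) must contain exactly one `%s`, otherwise the format/argument count no longer matches. doaccounts starts and ends outside the hunks shown.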