summaryrefslogtreecommitdiffstats
path: root/nsswitch/wb_common.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--nsswitch/wb_common.c852
1 files changed, 852 insertions, 0 deletions
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
new file mode 100644
index 0000000..1a3ed12
--- /dev/null
+++ b/nsswitch/wb_common.c
@@ -0,0 +1,852 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ winbind client common code
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Andrew Tridgell 2000
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Matthew Newton 2015
+
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "system/select.h"
+#include "winbind_client.h"
+
+#ifdef HAVE_PTHREAD_H
+#include <pthread.h>
+#endif
+
+static char client_name[32];
+
+/* Global context */
+
+struct winbindd_context {
+ int winbindd_fd; /* winbind file descriptor */
+ bool is_privileged; /* using the privileged socket? */
+ pid_t our_pid; /* calling process pid */
+};
+
+#ifdef HAVE_PTHREAD
+static pthread_mutex_t wb_global_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+#endif
+
+static struct winbindd_context *get_wb_global_ctx(void)
+{
+ static struct winbindd_context wb_global_ctx = {
+ .winbindd_fd = -1,
+ .is_privileged = false,
+ .our_pid = 0
+ };
+
+#ifdef HAVE_PTHREAD
+ pthread_mutex_lock(&wb_global_ctx_mutex);
+#endif
+ return &wb_global_ctx;
+}
+
+static void put_wb_global_ctx(void)
+{
+#ifdef HAVE_PTHREAD
+ pthread_mutex_unlock(&wb_global_ctx_mutex);
+#endif
+ return;
+}
+
+void winbind_set_client_name(const char *name)
+{
+ if (name == NULL || strlen(name) == 0) {
+ return;
+ }
+
+ (void)snprintf(client_name, sizeof(client_name), "%s", name);
+}
+
+static const char *winbind_get_client_name(void)
+{
+ if (client_name[0] == '\0') {
+ const char *progname = getprogname();
+ int len;
+
+ if (progname == NULL) {
+ progname = "<unknown>";
+ }
+
+ len = snprintf(client_name,
+ sizeof(client_name),
+ "%s",
+ progname);
+ if (len <= 0) {
+ return progname;
+ }
+ }
+
+ return client_name;
+}
+
+/* Initialise a request structure */
+
+static void winbindd_init_request(struct winbindd_request *request,
+ int request_type)
+{
+ request->length = sizeof(struct winbindd_request);
+
+ request->cmd = (enum winbindd_cmd)request_type;
+ request->pid = getpid();
+
+ (void)snprintf(request->client_name,
+ sizeof(request->client_name),
+ "%s",
+ winbind_get_client_name());
+}
+
+/* Initialise a response structure */
+
+static void init_response(struct winbindd_response *response)
+{
+ /* Initialise return value */
+
+ response->result = WINBINDD_ERROR;
+}
+
+/* Close established socket */
+
+static void winbind_close_sock(struct winbindd_context *ctx)
+{
+ if (!ctx) {
+ return;
+ }
+
+ if (ctx->winbindd_fd != -1) {
+ close(ctx->winbindd_fd);
+ ctx->winbindd_fd = -1;
+ }
+}
+
+/* Destructor for global context to ensure fd is closed */
+
+#ifdef HAVE_DESTRUCTOR_ATTRIBUTE
+__attribute__((destructor))
+#elif defined (HAVE_PRAGMA_FINI)
+#pragma fini (winbind_destructor)
+#endif
+static void winbind_destructor(void)
+{
+ struct winbindd_context *ctx;
+
+ ctx = get_wb_global_ctx();
+ winbind_close_sock(ctx);
+ put_wb_global_ctx();
+}
+
+#define CONNECT_TIMEOUT 30
+
+/* Make sure socket handle isn't stdin, stdout or stderr */
+#define RECURSION_LIMIT 3
+
+static int make_nonstd_fd_internals(int fd, int limit /* Recursion limiter */)
+{
+ int new_fd;
+ if (fd >= 0 && fd <= 2) {
+#ifdef F_DUPFD
+ if ((new_fd = fcntl(fd, F_DUPFD, 3)) == -1) {
+ return -1;
+ }
+ /* Paranoia */
+ if (new_fd < 3) {
+ close(new_fd);
+ return -1;
+ }
+ close(fd);
+ return new_fd;
+#else
+ if (limit <= 0)
+ return -1;
+
+ new_fd = dup(fd);
+ if (new_fd == -1)
+ return -1;
+
+ /* use the program stack to hold our list of FDs to close */
+ new_fd = make_nonstd_fd_internals(new_fd, limit - 1);
+ close(fd);
+ return new_fd;
+#endif
+ }
+ return fd;
+}
+
+/****************************************************************************
+ Set a fd into blocking/nonblocking mode. Uses POSIX O_NONBLOCK if available,
+ else
+ if SYSV use O_NDELAY
+ if BSD use FNDELAY
+ Set close on exec also.
+****************************************************************************/
+
+static int make_safe_fd(int fd)
+{
+ int result, flags;
+ int new_fd = make_nonstd_fd_internals(fd, RECURSION_LIMIT);
+ if (new_fd == -1) {
+ close(fd);
+ return -1;
+ }
+
+ /* Socket should be nonblocking. */
+#ifdef O_NONBLOCK
+#define FLAG_TO_SET O_NONBLOCK
+#else
+#ifdef SYSV
+#define FLAG_TO_SET O_NDELAY
+#else /* BSD */
+#define FLAG_TO_SET FNDELAY
+#endif
+#endif
+
+ if ((flags = fcntl(new_fd, F_GETFL)) == -1) {
+ close(new_fd);
+ return -1;
+ }
+
+ flags |= FLAG_TO_SET;
+ if (fcntl(new_fd, F_SETFL, flags) == -1) {
+ close(new_fd);
+ return -1;
+ }
+
+#undef FLAG_TO_SET
+
+ /* Socket should be closed on exec() */
+#ifdef FD_CLOEXEC
+ result = flags = fcntl(new_fd, F_GETFD, 0);
+ if (flags >= 0) {
+ flags |= FD_CLOEXEC;
+ result = fcntl( new_fd, F_SETFD, flags );
+ }
+ if (result < 0) {
+ close(new_fd);
+ return -1;
+ }
+#endif
+ return new_fd;
+}
+
+/**
+ * @internal
+ *
+ * @brief Check if we talk to the privileged pipe which should be owned by root.
+ *
+ * This checks if we have uid_wrapper running and if this is the case it will
+ * allow one to connect to the winbind privileged pipe even it is not owned by root.
+ *
+ * @param[in] uid The uid to check if we can safely talk to the pipe.
+ *
+ * @return If we have access it returns true, else false.
+ */
+static bool winbind_privileged_pipe_is_root(uid_t uid)
+{
+ if (uid == 0) {
+ return true;
+ }
+
+ if (uid_wrapper_enabled()) {
+ return true;
+ }
+
+ return false;
+}
+
+/* Connect to winbindd socket */
+
+static int winbind_named_pipe_sock(const char *dir)
+{
+ struct sockaddr_un sunaddr;
+ struct stat st;
+ int fd;
+ int wait_time;
+ int slept;
+ int ret;
+
+ /* Check permissions on unix socket directory */
+
+ if (lstat(dir, &st) == -1) {
+ errno = ENOENT;
+ return -1;
+ }
+
+ /*
+ * This tells us that the pipe is owned by a privileged
+ * process, as we will be sending passwords to it.
+ */
+ if (!S_ISDIR(st.st_mode) ||
+ !winbind_privileged_pipe_is_root(st.st_uid)) {
+ errno = ENOENT;
+ return -1;
+ }
+
+ /* Connect to socket */
+
+ sunaddr = (struct sockaddr_un) { .sun_family = AF_UNIX };
+
+ ret = snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path),
+ "%s/%s", dir, WINBINDD_SOCKET_NAME);
+ if ((ret == -1) || (ret >= sizeof(sunaddr.sun_path))) {
+ errno = ENAMETOOLONG;
+ return -1;
+ }
+
+ /* If socket file doesn't exist, don't bother trying to connect
+ with retry. This is an attempt to make the system usable when
+ the winbindd daemon is not running. */
+
+ if (lstat(sunaddr.sun_path, &st) == -1) {
+ errno = ENOENT;
+ return -1;
+ }
+
+ /* Check permissions on unix socket file */
+
+ /*
+ * This tells us that the pipe is owned by a privileged
+ * process, as we will be sending passwords to it.
+ */
+ if (!S_ISSOCK(st.st_mode) ||
+ !winbind_privileged_pipe_is_root(st.st_uid)) {
+ errno = ENOENT;
+ return -1;
+ }
+
+ /* Connect to socket */
+
+ if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
+ return -1;
+ }
+
+ /* Set socket non-blocking and close on exec. */
+
+ if ((fd = make_safe_fd( fd)) == -1) {
+ return fd;
+ }
+
+ for (wait_time = 0; connect(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1;
+ wait_time += slept) {
+ struct pollfd pfd;
+ int connect_errno = 0;
+ socklen_t errnosize;
+
+ if (wait_time >= CONNECT_TIMEOUT)
+ goto error_out;
+
+ switch (errno) {
+ case EINPROGRESS:
+ pfd.fd = fd;
+ pfd.events = POLLOUT;
+
+ ret = poll(&pfd, 1, (CONNECT_TIMEOUT - wait_time) * 1000);
+
+ if (ret > 0) {
+ errnosize = sizeof(connect_errno);
+
+ ret = getsockopt(fd, SOL_SOCKET,
+ SO_ERROR, &connect_errno, &errnosize);
+
+ if (ret >= 0 && connect_errno == 0) {
+ /* Connect succeed */
+ goto out;
+ }
+ }
+
+ slept = CONNECT_TIMEOUT;
+ break;
+ case EAGAIN:
+ slept = rand() % 3 + 1;
+ sleep(slept);
+ break;
+ default:
+ goto error_out;
+ }
+
+ }
+
+ out:
+
+ return fd;
+
+ error_out:
+
+ close(fd);
+ return -1;
+}
+
+static const char *winbindd_socket_dir(void)
+{
+ if (nss_wrapper_enabled()) {
+ const char *env_dir;
+
+ env_dir = getenv("SELFTEST_WINBINDD_SOCKET_DIR");
+ if (env_dir != NULL) {
+ return env_dir;
+ }
+ }
+
+ return WINBINDD_SOCKET_DIR;
+}
+
+/* Connect to winbindd socket */
+
+static int winbind_open_pipe_sock(struct winbindd_context *ctx,
+ int recursing, int need_priv)
+{
+#ifdef HAVE_UNIXSOCKET
+ struct winbindd_request request;
+ struct winbindd_response response;
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ if (!ctx) {
+ return -1;
+ }
+
+ if (ctx->our_pid != getpid()) {
+ winbind_close_sock(ctx);
+ ctx->our_pid = getpid();
+ }
+
+ if ((need_priv != 0) && !ctx->is_privileged) {
+ winbind_close_sock(ctx);
+ }
+
+ if (ctx->winbindd_fd != -1) {
+ return ctx->winbindd_fd;
+ }
+
+ if (recursing) {
+ return -1;
+ }
+
+ ctx->winbindd_fd = winbind_named_pipe_sock(winbindd_socket_dir());
+
+ if (ctx->winbindd_fd == -1) {
+ return -1;
+ }
+
+ ctx->is_privileged = false;
+
+ /* version-check the socket */
+
+ request.wb_flags = WBFLAG_RECURSE;
+ if ((winbindd_request_response(ctx, WINBINDD_INTERFACE_VERSION, &request,
+ &response) != NSS_STATUS_SUCCESS) ||
+ (response.data.interface_version != WINBIND_INTERFACE_VERSION)) {
+ winbind_close_sock(ctx);
+ return -1;
+ }
+
+ if (need_priv == 0) {
+ return ctx->winbindd_fd;
+ }
+
+ /* try and get priv pipe */
+
+ request.wb_flags = WBFLAG_RECURSE;
+
+ /* Note that response needs to be initialized to avoid
+ * crashing on clean up after WINBINDD_PRIV_PIPE_DIR call failed
+ * as interface version (from the first request) returned as a fstring,
+ * thus response.extra_data.data will not be NULL even though
+ * winbindd response did not write over it due to a failure */
+ ZERO_STRUCT(response);
+ if (winbindd_request_response(ctx, WINBINDD_PRIV_PIPE_DIR, &request,
+ &response) == NSS_STATUS_SUCCESS) {
+ int fd;
+ fd = winbind_named_pipe_sock((char *)response.extra_data.data);
+ if (fd != -1) {
+ close(ctx->winbindd_fd);
+ ctx->winbindd_fd = fd;
+ ctx->is_privileged = true;
+ }
+
+ SAFE_FREE(response.extra_data.data);
+ }
+
+ if (!ctx->is_privileged) {
+ return -1;
+ }
+
+ return ctx->winbindd_fd;
+#else
+ return -1;
+#endif /* HAVE_UNIXSOCKET */
+}
+
+/* Write data to winbindd socket */
+
+static int winbind_write_sock(struct winbindd_context *ctx, void *buffer,
+ int count, int recursing, int need_priv)
+{
+ int fd, result, nwritten;
+
+ /* Open connection to winbind daemon */
+
+ restart:
+
+ fd = winbind_open_pipe_sock(ctx, recursing, need_priv);
+ if (fd == -1) {
+ errno = ENOENT;
+ return -1;
+ }
+
+ /* Write data to socket */
+
+ nwritten = 0;
+
+ while(nwritten < count) {
+ struct pollfd pfd;
+ int ret;
+
+ /* Catch pipe close on other end by checking if a read()
+ call would not block by calling poll(). */
+
+ pfd.fd = fd;
+ pfd.events = POLLIN|POLLOUT|POLLHUP;
+
+ ret = poll(&pfd, 1, -1);
+ if (ret == -1) {
+ winbind_close_sock(ctx);
+ return -1; /* poll error */
+ }
+
+ /* Write should be OK if fd not available for reading */
+
+ if ((ret == 1) && (pfd.revents & (POLLIN|POLLHUP|POLLERR))) {
+
+ /* Pipe has closed on remote end */
+
+ winbind_close_sock(ctx);
+ goto restart;
+ }
+
+ /* Do the write */
+
+ result = write(fd, (char *)buffer + nwritten,
+ count - nwritten);
+
+ if ((result == -1) || (result == 0)) {
+
+ /* Write failed */
+
+ winbind_close_sock(ctx);
+ return -1;
+ }
+
+ nwritten += result;
+ }
+
+ return nwritten;
+}
+
+/* Read data from winbindd socket */
+
+static int winbind_read_sock(struct winbindd_context *ctx,
+ void *buffer, int count)
+{
+ int fd;
+ int nread = 0;
+ int total_time = 0;
+
+ fd = winbind_open_pipe_sock(ctx, false, false);
+ if (fd == -1) {
+ return -1;
+ }
+
+ /* Read data from socket */
+ while(nread < count) {
+ struct pollfd pfd;
+ int ret;
+
+ /* Catch pipe close on other end by checking if a read()
+ call would not block by calling poll(). */
+
+ pfd.fd = fd;
+ pfd.events = POLLIN|POLLHUP;
+
+ /* Wait for 5 seconds for a reply. May need to parameterise this... */
+
+ ret = poll(&pfd, 1, 5000);
+ if (ret == -1) {
+ winbind_close_sock(ctx);
+ return -1; /* poll error */
+ }
+
+ if (ret == 0) {
+ /* Not ready for read yet... */
+ if (total_time >= 300) {
+ /* Timeout */
+ winbind_close_sock(ctx);
+ return -1;
+ }
+ total_time += 5;
+ continue;
+ }
+
+ if ((ret == 1) && (pfd.revents & (POLLIN|POLLHUP|POLLERR))) {
+
+ /* Do the Read */
+
+ int result = read(fd, (char *)buffer + nread,
+ count - nread);
+
+ if ((result == -1) || (result == 0)) {
+
+ /* Read failed. I think the only useful thing we
+ can do here is just return -1 and fail since the
+ transaction has failed half way through. */
+
+ winbind_close_sock(ctx);
+ return -1;
+ }
+
+ nread += result;
+
+ }
+ }
+
+ return nread;
+}
+
+/* Read reply */
+
+static int winbindd_read_reply(struct winbindd_context *ctx,
+ struct winbindd_response *response)
+{
+ int result1, result2 = 0;
+
+ if (!response) {
+ return -1;
+ }
+
+ /* Read fixed length response */
+
+ result1 = winbind_read_sock(ctx, response,
+ sizeof(struct winbindd_response));
+
+ /* We actually send the pointer value of the extra_data field from
+ the server. This has no meaning in the client's address space
+ so we clear it out. */
+
+ response->extra_data.data = NULL;
+
+ if (result1 == -1) {
+ return -1;
+ }
+
+ if (response->length < sizeof(struct winbindd_response)) {
+ return -1;
+ }
+
+ /* Read variable length response */
+
+ if (response->length > sizeof(struct winbindd_response)) {
+ int extra_data_len = response->length -
+ sizeof(struct winbindd_response);
+
+ /* Mallocate memory for extra data */
+
+ if (!(response->extra_data.data = malloc(extra_data_len))) {
+ return -1;
+ }
+
+ result2 = winbind_read_sock(ctx, response->extra_data.data,
+ extra_data_len);
+ if (result2 == -1) {
+ winbindd_free_response(response);
+ return -1;
+ }
+ }
+
+ /* Return total amount of data read */
+
+ return result1 + result2;
+}
+
+/*
+ * send simple types of requests
+ */
+
+static NSS_STATUS winbindd_send_request(
+ struct winbindd_context *ctx,
+ int req_type,
+ int need_priv,
+ struct winbindd_request *request)
+{
+ struct winbindd_request lrequest;
+
+ /* Check for our tricky environment variable */
+
+ if (winbind_env_set()) {
+ return NSS_STATUS_NOTFOUND;
+ }
+
+ if (!request) {
+ ZERO_STRUCT(lrequest);
+ request = &lrequest;
+ }
+
+ /* Fill in request and send down pipe */
+
+ winbindd_init_request(request, req_type);
+
+ if (winbind_write_sock(ctx, request, sizeof(*request),
+ request->wb_flags & WBFLAG_RECURSE,
+ need_priv) == -1)
+ {
+ /* Set ENOENT for consistency. Required by some apps */
+ errno = ENOENT;
+
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ if ((request->extra_len != 0) &&
+ (winbind_write_sock(ctx, request->extra_data.data,
+ request->extra_len,
+ request->wb_flags & WBFLAG_RECURSE,
+ need_priv) == -1))
+ {
+ /* Set ENOENT for consistency. Required by some apps */
+ errno = ENOENT;
+
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ return NSS_STATUS_SUCCESS;
+}
+
+/*
+ * Get results from winbindd request
+ */
+
+static NSS_STATUS winbindd_get_response(struct winbindd_context *ctx,
+ struct winbindd_response *response)
+{
+ struct winbindd_response lresponse;
+
+ if (!response) {
+ ZERO_STRUCT(lresponse);
+ response = &lresponse;
+ }
+
+ init_response(response);
+
+ /* Wait for reply */
+ if (winbindd_read_reply(ctx, response) == -1) {
+ /* Set ENOENT for consistency. Required by some apps */
+ errno = ENOENT;
+
+ return NSS_STATUS_UNAVAIL;
+ }
+
+ /* Throw away extra data if client didn't request it */
+ if (response == &lresponse) {
+ winbindd_free_response(response);
+ }
+
+ /* Copy reply data from socket */
+ if (response->result != WINBINDD_OK) {
+ return NSS_STATUS_NOTFOUND;
+ }
+
+ return NSS_STATUS_SUCCESS;
+}
+
+/* Handle simple types of requests */
+
+NSS_STATUS winbindd_request_response(struct winbindd_context *ctx,
+ int req_type,
+ struct winbindd_request *request,
+ struct winbindd_response *response)
+{
+ NSS_STATUS status = NSS_STATUS_UNAVAIL;
+ bool release_global_ctx = false;
+
+ if (ctx == NULL) {
+ ctx = get_wb_global_ctx();
+ release_global_ctx = true;
+ }
+
+ status = winbindd_send_request(ctx, req_type, 0, request);
+ if (status != NSS_STATUS_SUCCESS) {
+ goto out;
+ }
+ status = winbindd_get_response(ctx, response);
+
+out:
+ if (release_global_ctx) {
+ put_wb_global_ctx();
+ }
+ return status;
+}
+
+NSS_STATUS winbindd_priv_request_response(struct winbindd_context *ctx,
+ int req_type,
+ struct winbindd_request *request,
+ struct winbindd_response *response)
+{
+ NSS_STATUS status = NSS_STATUS_UNAVAIL;
+ bool release_global_ctx = false;
+
+ if (ctx == NULL) {
+ ctx = get_wb_global_ctx();
+ release_global_ctx = true;
+ }
+
+ status = winbindd_send_request(ctx, req_type, 1, request);
+ if (status != NSS_STATUS_SUCCESS) {
+ goto out;
+ }
+ status = winbindd_get_response(ctx, response);
+
+out:
+ if (release_global_ctx) {
+ put_wb_global_ctx();
+ }
+ return status;
+}
+
+/* Create and free winbindd context */
+
+struct winbindd_context *winbindd_ctx_create(void)
+{
+ struct winbindd_context *ctx;
+
+ ctx = calloc(1, sizeof(struct winbindd_context));
+
+ if (!ctx) {
+ return NULL;
+ }
+
+ ctx->winbindd_fd = -1;
+
+ return ctx;
+}
+
+void winbindd_ctx_free(struct winbindd_context *ctx)
+{
+ winbind_close_sock(ctx);
+ free(ctx);
+}