--- /dev/null
+AC_ARG_ENABLE(uid-wrapper,
+AS_HELP_STRING([--enable-uid-wrapper], [Turn on uid wrapper library (default=no)]))
+
+HAVE_UID_WRAPPER=no
+
+if eval "test x$developer = xyes"; then
+ enable_uid_wrapper=yes
+fi
+
+if eval "test x$enable_uid_wrapper = xyes"; then
+ AC_DEFINE(UID_WRAPPER,1,[Use uid wrapper library])
+ HAVE_UID_WRAPPER=yes
+fi
+
+AC_SUBST(HAVE_UID_WRAPPER)
+AC_SUBST(UID_WRAPPER_OBJS)
--- /dev/null
+##############################
+# Start SUBSYSTEM UID_WRAPPER
+[SUBSYSTEM::UID_WRAPPER]
+PRIVATE_DEPENDENCIES = LIBTALLOC
+# End SUBSYSTEM UID_WRAPPER
+##############################
+
+UID_WRAPPER_OBJ_FILES = $(uidwrappersrcdir)/uid_wrapper.o
+
--- /dev/null
+/*
+ Copyright (C) Andrew Tridgell 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define UID_WRAPPER_NOT_REPLACE
+#include "includes.h"
+#include "system/passwd.h"
+#include "system/filesys.h"
+
+#ifndef _PUBLIC_
+#define _PUBLIC_
+#endif
+
+/*
+ we keep the virtualised euid/egid/groups information here
+ */
+static struct {
+ bool initialised;
+ bool enabled;
+ uid_t euid;
+ gid_t egid;
+ unsigned ngroups;
+ gid_t *groups;
+} uwrap;
+
+static void uwrap_init(void)
+{
+ if (uwrap.initialised) return;
+ uwrap.initialised = true;
+ if (getenv("UID_WRAPPER")) {
+ uwrap.enabled = true;
+ }
+}
+
+_PUBLIC_ int uwrap_seteuid(uid_t euid)
+{
+ uwrap_init();
+ if (!uwrap.enabled) {
+ return seteuid(euid);
+ }
+ /* assume for now that the ruid stays as root */
+ uwrap.euid = euid;
+ return 0;
+}
+
+_PUBLIC_ uid_t uwrap_geteuid(void)
+{
+ uwrap_init();
+ if (!uwrap.enabled) {
+ return geteuid();
+ }
+ return uwrap.euid;
+}
+
+_PUBLIC_ int uwrap_setegid(gid_t egid)
+{
+ uwrap_init();
+ if (!uwrap.enabled) {
+ return setegid(egid);
+ }
+ /* assume for now that the ruid stays as root */
+ uwrap.egid = egid;
+ return 0;
+}
+
+_PUBLIC_ uid_t uwrap_getegid(void)
+{
+ uwrap_init();
+ if (!uwrap.enabled) {
+ return getegid();
+ }
+ return uwrap.egid;
+}
+
+_PUBLIC_ int uwrap_setgroups(size_t size, const gid_t *list)
+{
+ uwrap_init();
+ if (!uwrap.enabled) {
+ return setgroups(size, list);
+ }
+
+ talloc_free(uwrap.groups);
+ uwrap.ngroups = 0;
+
+ uwrap.groups = talloc_array(talloc_autofree_context(), gid_t, size);
+ if (uwrap.groups == NULL) {
+ errno = ENOMEM;
+ return -1;
+ }
+ memcpy(uwrap.groups, list, size*sizeof(gid_t));
+ uwrap.ngroups = size;
+ return 0;
+}
+
+_PUBLIC_ int uwrap_getgroups(int size, gid_t *list)
+{
+ uwrap_init();
+ if (!uwrap.enabled) {
+ return getgroups(size, list);
+ }
+
+ if (size > uwrap.ngroups) {
+ size = uwrap.ngroups;
+ }
+ if (size == 0) {
+ return uwrap.ngroups;
+ }
+ if (size < uwrap.ngroups) {
+ errno = EINVAL;
+ return -1;
+ }
+ memcpy(list, uwrap.groups, size*sizeof(gid_t));
+ return 0;
+}
+
+_PUBLIC_ uid_t uwrap_getuid(void)
+{
+ uwrap_init();
+ if (!uwrap.enabled) {
+ return getuid();
+ }
+ /* we don't simulate ruid changing */
+ return 0;
+}
+
+_PUBLIC_ gid_t uwrap_getgid(void)
+{
+ uwrap_init();
+ if (!uwrap.enabled) {
+ return getgid();
+ }
+ /* we don't simulate rgid changing */
+ return 0;
+}
--- /dev/null
+/*
+ Copyright (C) Andrew Tridgell 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __UID_WRAPPER_H__
+#define __UID_WRAPPER_H__
+
+#ifdef seteuid
+#undef seteuid
+#endif
+#define seteuid uwrap_seteuid
+
+#ifdef setegid
+#undef setegid
+#endif
+#define setegid uwrap_setegid
+
+#ifdef geteuid
+#undef geteuid
+#endif
+#define geteuid uwrap_geteuid
+
+#ifdef getegid
+#undef getegid
+#endif
+#define getegid uwrap_getegid
+
+#ifdef setgroups
+#undef setgroups
+#endif
+#define setgroups uwrap_setgroups
+
+#ifdef getgroups
+#undef getgroups
+#endif
+#define getgroups uwrap_getgroups
+
+#ifdef getuid
+#undef getuid
+#endif
+#define getuid uwrap_getuid
+
+#ifdef getgid
+#undef getgid
+#endif
+#define getgid uwrap_getgid
+
+#endif /* __UID_WRAPPER_H__ */
ASN1_UTIL_OBJ_FILES = $(libutilsrcdir)/asn1.o
[SUBSYSTEM::UNIX_PRIVS]
+PRIVATE_DEPENDENCIES = UID_WRAPPER
UNIX_PRIVS_OBJ_FILES = $(libutilsrcdir)/unix_privs.o
}
if ((st.st_uid != uid) ||
((st.st_mode & 0777) != dir_perms)) {
+#ifndef UID_WRAPPER_REPLACE
DEBUG(0, ("invalid permissions on directory "
"%s\n", dname));
umask(old_umask);
return false;
+#endif
}
}
return true;
LIBWBCLIENT \
LIBTEVENT \
UTIL_TEVENT \
- LIBASYNC_REQ
+ LIBASYNC_REQ \
+ UID_WRAPPER
# End BINARY nsstest
#################################
$ENV{NSS_WRAPPER_PASSWD} = $env_vars->{NSS_WRAPPER_PASSWD};
$ENV{NSS_WRAPPER_GROUP} = $env_vars->{NSS_WRAPPER_GROUP};
+ $ENV{UID_WRAPPER} = "1";
+
# Start slapd before samba, but with the fifo on stdin
if (defined($self->{ldap})) {
$self->slapd_start($env_vars) or
[tmp]
path = $ctx->{tmpdir}
read only = no
- ntvfs handler = posix
posix:sharedelay = 100000
posix:eadb = $ctx->{lockdir}/eadb.tdb
posix:oplocktimeout = 3
[test1]
path = $ctx->{tmpdir}/test1
read only = no
- ntvfs handler = posix
posix:sharedelay = 100000
posix:eadb = $ctx->{lockdir}/eadb.tdb
posix:oplocktimeout = 3
[test2]
path = $ctx->{tmpdir}/test2
read only = no
- ntvfs handler = posix
posix:sharedelay = 100000
posix:eadb = $ctx->{lockdir}/eadb.tdb
posix:oplocktimeout = 3
poptsrcdir := ../lib/popt
socketwrappersrcdir := ../lib/socket_wrapper
nsswrappersrcdir := ../lib/nss_wrapper
+uidwrappersrcdir := ../lib/uid_wrapper
appwebsrcdir := lib/appweb
libstreamsrcdir := lib/stream
libutilsrcdir := ../lib/util
[MODULE::auth_unix]
INIT_FUNCTION = auth_unix_init
SUBSYSTEM = auth
-PRIVATE_DEPENDENCIES = CRYPT PAM PAM_ERRORS NSS_WRAPPER
+PRIVATE_DEPENDENCIES = CRYPT PAM PAM_ERRORS NSS_WRAPPER UID_WRAPPER
auth_unix_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_unix.o)
m4_include(ntvfs/unixuid/config.m4)
m4_include(../lib/socket_wrapper/config.m4)
m4_include(../lib/nss_wrapper/config.m4)
+m4_include(../lib/uid_wrapper/config.m4)
m4_include(auth/config.m4)
m4_include(kdc/config.m4)
m4_include(ntvfs/sysdep/config.m4)
#undef HAVE_KRB5_ENCRYPT_BLOCK
+#if defined(UID_WRAPPER) && !defined(UID_WRAPPER_REPLACE) && !defined(UID_WRAPPER_NOT_REPLACE)
+#define UID_WRAPPER_REPLACE
+#include "../uid_wrapper/uid_wrapper.h"
+#endif
+
#endif
HEIMDAL_ROKEN_PROGNAME \
HEIMDAL_ROKEN_CLOSEFROM \
RESOLV \
- LIBREPLACE_NETWORK
+ LIBREPLACE_NETWORK \
+ UID_WRAPPER
# End SUBSYSTEM HEIMDAL_ROKEN
#######################
#define TALLOC_ABORT(reason) smb_panic(reason)
#endif
+#if defined(UID_WRAPPER) && !defined(UID_WRAPPER_REPLACE) && !defined(UID_WRAPPER_NOT_REPLACE)
+#define UID_WRAPPER_REPLACE
+#include "../uid_wrapper/uid_wrapper.h"
+#endif
+
#endif /* _INCLUDES_H */
mkinclude lib/cmdline/config.mk
mkinclude ../lib/socket_wrapper/config.mk
mkinclude ../lib/nss_wrapper/config.mk
+mkinclude ../lib/uid_wrapper/config.mk
mkinclude lib/stream/config.mk
mkinclude ../lib/util/config.mk
mkinclude ../lib/tdr/config.mk
max_bits |= SEC_STD_ALL;
}
+#ifdef UID_WRAPPER_REPLACE
+ /* when running with the uid wrapper, files will be created
+ owned by the ruid, but we may have a different simulated
+ euid. We need to force the permission bits as though the
+ files owner matches the euid */
+ max_bits |= SEC_STD_ALL;
+#endif
+
if (*access_mask == SEC_FLAG_MAXIMUM_ALLOWED) {
*access_mask = max_bits;
return NT_STATUS_OK;
[MODULE::ntvfs_unixuid]
INIT_FUNCTION = ntvfs_unixuid_init
SUBSYSTEM = ntvfs
-PRIVATE_DEPENDENCIES = SAMDB NSS_WRAPPER
+PRIVATE_DEPENDENCIES = SAMDB NSS_WRAPPER UID_WRAPPER
# End MODULE ntvfs_unixuid
################################################