2 Unix SMB/CIFS implementation.
4 winbind client common code
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Andrew Tridgell 2000
8 Copyright (C) Andrew Bartlett 2002
11 This library is free software; you can redistribute it and/or
12 modify it under the terms of the GNU Lesser General Public
13 License as published by the Free Software Foundation; either
14 version 3 of the License, or (at your option) any later version.
16 This library is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Library General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "system/select.h"
27 #include "winbind_client.h"
29 /* Global variables. These are effectively the client state information */
31 int winbindd_fd = -1; /* fd for winbindd socket */
32 static int is_privileged = 0;
34 /* Free a response structure */
36 void winbindd_free_response(struct winbindd_response *response)
38 /* Free any allocated extra_data */
41 SAFE_FREE(response->extra_data.data);
44 /* Initialise a request structure */
46 static void winbindd_init_request(struct winbindd_request *request,
49 request->length = sizeof(struct winbindd_request);
51 request->cmd = (enum winbindd_cmd)request_type;
52 request->pid = getpid();
56 /* Initialise a response structure */
58 static void init_response(struct winbindd_response *response)
60 /* Initialise return value */
62 response->result = WINBINDD_ERROR;
65 /* Close established socket */
67 #if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
68 __attribute__((destructor))
70 static void winbind_close_sock(void)
72 if (winbindd_fd != -1) {
78 #define CONNECT_TIMEOUT 30
80 /* Make sure socket handle isn't stdin, stdout or stderr */
81 #define RECURSION_LIMIT 3
83 static int make_nonstd_fd_internals(int fd, int limit /* Recursion limiter */)
86 if (fd >= 0 && fd <= 2) {
88 if ((new_fd = fcntl(fd, F_DUPFD, 3)) == -1) {
106 /* use the program stack to hold our list of FDs to close */
107 new_fd = make_nonstd_fd_internals(new_fd, limit - 1);
115 /****************************************************************************
116 Set a fd into blocking/nonblocking mode. Uses POSIX O_NONBLOCK if available,
120 Set close on exec also.
121 ****************************************************************************/
123 static int make_safe_fd(int fd)
126 int new_fd = make_nonstd_fd_internals(fd, RECURSION_LIMIT);
132 /* Socket should be nonblocking. */
134 #define FLAG_TO_SET O_NONBLOCK
137 #define FLAG_TO_SET O_NDELAY
139 #define FLAG_TO_SET FNDELAY
143 if ((flags = fcntl(new_fd, F_GETFL)) == -1) {
148 flags |= FLAG_TO_SET;
149 if (fcntl(new_fd, F_SETFL, flags) == -1) {
156 /* Socket should be closed on exec() */
158 result = flags = fcntl(new_fd, F_GETFD, 0);
161 result = fcntl( new_fd, F_SETFD, flags );
174 * @brief Check if we talk to the priviliged pipe which should be owned by root.
176 * This checks if we have uid_wrapper running and if this is the case it will
177 * allow to connect to the winbind privileged pipe even it is not owned by root.
179 * @param[in] uid The uid to check if we can safely talk to the pipe.
181 * @return If we have access it returns true, else false.
183 static bool winbind_privileged_pipe_is_root(uid_t uid)
189 if (uid_wrapper_enabled()) {
196 /* Connect to winbindd socket */
198 static int winbind_named_pipe_sock(const char *dir)
200 struct sockaddr_un sunaddr;
207 /* Check permissions on unix socket directory */
209 if (lstat(dir, &st) == -1) {
215 * This tells us that the pipe is owned by a privileged
216 * process, as we will be sending passwords to it.
218 if (!S_ISDIR(st.st_mode) ||
219 !winbind_privileged_pipe_is_root(st.st_uid)) {
224 /* Connect to socket */
226 if (asprintf(&path, "%s/%s", dir, WINBINDD_SOCKET_NAME) < 0) {
230 ZERO_STRUCT(sunaddr);
231 sunaddr.sun_family = AF_UNIX;
232 strncpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path) - 1);
234 /* If socket file doesn't exist, don't bother trying to connect
235 with retry. This is an attempt to make the system usable when
236 the winbindd daemon is not running. */
238 if (lstat(path, &st) == -1) {
245 /* Check permissions on unix socket file */
248 * This tells us that the pipe is owned by a privileged
249 * process, as we will be sending passwords to it.
251 if (!S_ISSOCK(st.st_mode) ||
252 !winbind_privileged_pipe_is_root(st.st_uid)) {
257 /* Connect to socket */
259 if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
263 /* Set socket non-blocking and close on exec. */
265 if ((fd = make_safe_fd( fd)) == -1) {
269 for (wait_time = 0; connect(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1;
270 wait_time += slept) {
273 int connect_errno = 0;
276 if (wait_time >= CONNECT_TIMEOUT)
282 pfd.events = POLLOUT;
284 ret = poll(&pfd, 1, (CONNECT_TIMEOUT - wait_time) * 1000);
287 errnosize = sizeof(connect_errno);
289 ret = getsockopt(fd, SOL_SOCKET,
290 SO_ERROR, &connect_errno, &errnosize);
292 if (ret >= 0 && connect_errno == 0) {
293 /* Connect succeed */
298 slept = CONNECT_TIMEOUT;
301 slept = rand() % 3 + 1;
320 static const char *winbindd_socket_dir(void)
322 if (nss_wrapper_enabled()) {
325 env_dir = getenv("SELFTEST_WINBINDD_SOCKET_DIR");
326 if (env_dir != NULL) {
331 return WINBINDD_SOCKET_DIR;
334 /* Connect to winbindd socket */
336 static int winbind_open_pipe_sock(int recursing, int need_priv)
338 #ifdef HAVE_UNIXSOCKET
339 static pid_t our_pid;
340 struct winbindd_request request;
341 struct winbindd_response response;
342 ZERO_STRUCT(request);
343 ZERO_STRUCT(response);
345 if (our_pid != getpid()) {
346 winbind_close_sock();
350 if ((need_priv != 0) && (is_privileged == 0)) {
351 winbind_close_sock();
354 if (winbindd_fd != -1) {
362 if ((winbindd_fd = winbind_named_pipe_sock(winbindd_socket_dir())) == -1) {
368 /* version-check the socket */
370 request.wb_flags = WBFLAG_RECURSE;
371 if ((winbindd_request_response(WINBINDD_INTERFACE_VERSION, &request, &response) != NSS_STATUS_SUCCESS) || (response.data.interface_version != WINBIND_INTERFACE_VERSION)) {
372 winbind_close_sock();
376 /* try and get priv pipe */
378 request.wb_flags = WBFLAG_RECURSE;
380 /* Note that response needs to be initialized to avoid
381 * crashing on clean up after WINBINDD_PRIV_PIPE_DIR call failed
382 * as interface version (from the first request) returned as a fstring,
383 * thus response.extra_data.data will not be NULL even though
384 * winbindd response did not write over it due to a failure */
385 ZERO_STRUCT(response);
386 if (winbindd_request_response(WINBINDD_PRIV_PIPE_DIR, &request, &response) == NSS_STATUS_SUCCESS) {
388 if ((fd = winbind_named_pipe_sock((char *)response.extra_data.data)) != -1) {
395 if ((need_priv != 0) && (is_privileged == 0)) {
399 SAFE_FREE(response.extra_data.data);
404 #endif /* HAVE_UNIXSOCKET */
407 /* Write data to winbindd socket */
409 static int winbind_write_sock(void *buffer, int count, int recursing,
412 int fd, result, nwritten;
414 /* Open connection to winbind daemon */
418 fd = winbind_open_pipe_sock(recursing, need_priv);
424 /* Write data to socket */
428 while(nwritten < count) {
432 /* Catch pipe close on other end by checking if a read()
433 call would not block by calling poll(). */
436 pfd.events = POLLIN|POLLOUT|POLLHUP;
438 ret = poll(&pfd, 1, -1);
440 winbind_close_sock();
441 return -1; /* poll error */
444 /* Write should be OK if fd not available for reading */
446 if ((ret == 1) && (pfd.revents & (POLLIN|POLLHUP|POLLERR))) {
448 /* Pipe has closed on remote end */
450 winbind_close_sock();
456 result = write(fd, (char *)buffer + nwritten,
459 if ((result == -1) || (result == 0)) {
463 winbind_close_sock();
473 /* Read data from winbindd socket */
475 static int winbind_read_sock(void *buffer, int count)
481 fd = winbind_open_pipe_sock(false, false);
486 /* Read data from socket */
487 while(nread < count) {
491 /* Catch pipe close on other end by checking if a read()
492 call would not block by calling poll(). */
495 pfd.events = POLLIN|POLLHUP;
497 /* Wait for 5 seconds for a reply. May need to parameterise this... */
499 ret = poll(&pfd, 1, 5000);
501 winbind_close_sock();
502 return -1; /* poll error */
506 /* Not ready for read yet... */
507 if (total_time >= 30) {
509 winbind_close_sock();
516 if ((ret == 1) && (pfd.revents & (POLLIN|POLLHUP|POLLERR))) {
520 int result = read(fd, (char *)buffer + nread,
523 if ((result == -1) || (result == 0)) {
525 /* Read failed. I think the only useful thing we
526 can do here is just return -1 and fail since the
527 transaction has failed half way through. */
529 winbind_close_sock();
543 static int winbindd_read_reply(struct winbindd_response *response)
545 int result1, result2 = 0;
551 /* Read fixed length response */
553 result1 = winbind_read_sock(response,
554 sizeof(struct winbindd_response));
559 if (response->length < sizeof(struct winbindd_response)) {
563 /* We actually send the pointer value of the extra_data field from
564 the server. This has no meaning in the client's address space
565 so we clear it out. */
567 response->extra_data.data = NULL;
569 /* Read variable length response */
571 if (response->length > sizeof(struct winbindd_response)) {
572 int extra_data_len = response->length -
573 sizeof(struct winbindd_response);
575 /* Mallocate memory for extra data */
577 if (!(response->extra_data.data = malloc(extra_data_len))) {
581 result2 = winbind_read_sock(response->extra_data.data,
584 winbindd_free_response(response);
589 /* Return total amount of data read */
591 return result1 + result2;
595 * send simple types of requests
598 NSS_STATUS winbindd_send_request(int req_type, int need_priv,
599 struct winbindd_request *request)
601 struct winbindd_request lrequest;
603 /* Check for our tricky environment variable */
605 if (winbind_env_set()) {
606 return NSS_STATUS_NOTFOUND;
610 ZERO_STRUCT(lrequest);
614 /* Fill in request and send down pipe */
616 winbindd_init_request(request, req_type);
618 if (winbind_write_sock(request, sizeof(*request),
619 request->wb_flags & WBFLAG_RECURSE,
622 /* Set ENOENT for consistency. Required by some apps */
625 return NSS_STATUS_UNAVAIL;
628 if ((request->extra_len != 0) &&
629 (winbind_write_sock(request->extra_data.data,
631 request->wb_flags & WBFLAG_RECURSE,
634 /* Set ENOENT for consistency. Required by some apps */
637 return NSS_STATUS_UNAVAIL;
640 return NSS_STATUS_SUCCESS;
644 * Get results from winbindd request
647 NSS_STATUS winbindd_get_response(struct winbindd_response *response)
649 struct winbindd_response lresponse;
652 ZERO_STRUCT(lresponse);
653 response = &lresponse;
656 init_response(response);
659 if (winbindd_read_reply(response) == -1) {
660 /* Set ENOENT for consistency. Required by some apps */
663 return NSS_STATUS_UNAVAIL;
666 /* Throw away extra data if client didn't request it */
667 if (response == &lresponse) {
668 winbindd_free_response(response);
671 /* Copy reply data from socket */
672 if (response->result != WINBINDD_OK) {
673 return NSS_STATUS_NOTFOUND;
676 return NSS_STATUS_SUCCESS;
679 /* Handle simple types of requests */
681 NSS_STATUS winbindd_request_response(int req_type,
682 struct winbindd_request *request,
683 struct winbindd_response *response)
685 NSS_STATUS status = NSS_STATUS_UNAVAIL;
688 while ((status == NSS_STATUS_UNAVAIL) && (count < 10)) {
689 status = winbindd_send_request(req_type, 0, request);
690 if (status != NSS_STATUS_SUCCESS)
692 status = winbindd_get_response(response);
699 NSS_STATUS winbindd_priv_request_response(int req_type,
700 struct winbindd_request *request,
701 struct winbindd_response *response)
703 NSS_STATUS status = NSS_STATUS_UNAVAIL;
706 while ((status == NSS_STATUS_UNAVAIL) && (count < 10)) {
707 status = winbindd_send_request(req_type, 1, request);
708 if (status != NSS_STATUS_SUCCESS)
710 status = winbindd_get_response(response);