/**
* @internal
*
- * @brief Check if we have priviliged access.
+ * @brief Check if we talk to the priviliged pipe which should be owned by root.
*
- * This checks if we have uid_wrapper running and if yes turns it of so that we
- * can check if we have access.
+ * This checks if we have uid_wrapper running and if this is the case it will
+ * allow to connect to the winbind privileged pipe even it is not owned by root.
*
- * @param[in] uid The uid to compare if we have access.
+ * @param[in] uid The uid to check if we can safely talk to the pipe.
*
* @return If we have access it returns true, else false.
*/
-static bool winbind_privileged_access(uid_t uid)
+static bool winbind_privileged_pipe_is_root(uid_t uid)
{
- uid_t euid;
-
- if (uid_wrapper_enabled()) {
- setenv("UID_WRAPPER_MYUID", "1", 1);
+ if (uid == 0) {
+ return true;
}
- euid = geteuid();
-
if (uid_wrapper_enabled()) {
- unsetenv("UID_WRAPPER_MYUID");
+ return true;
}
- return (uid == euid);
+ return false;
}
/* Connect to winbindd socket */
return -1;
}
- /* This tells uid_wrapper to return the userid for the geteuid check */
+ /*
+ * This tells us that the pipe is owned by a privileged
+ * process, as we will be sending passwords to it.
+ */
if (!S_ISDIR(st.st_mode) ||
- !winbind_privileged_access(st.st_uid)) {
+ !winbind_privileged_pipe_is_root(st.st_uid)) {
errno = ENOENT;
return -1;
}
SAFE_FREE(path);
/* Check permissions on unix socket file */
- /* This tells uid_wrapper to return the userid for the geteuid check */
+ /*
+ * This tells us that the pipe is owned by a privileged
+ * process, as we will be sending passwords to it.
+ */
if (!S_ISSOCK(st.st_mode) ||
- !winbind_privileged_access(st.st_uid)) {
+ !winbind_privileged_pipe_is_root(st.st_uid)) {
errno = ENOENT;
return -1;
}
static const char *winbindd_socket_dir(void)
{
-#ifdef SOCKET_WRAPPER
- const char *env_dir;
+ if (nss_wrapper_enabled()) {
+ const char *env_dir;
- env_dir = getenv(WINBINDD_SOCKET_DIR_ENVVAR);
- if (env_dir) {
- return env_dir;
+ env_dir = getenv("SELFTEST_WINBINDD_SOCKET_DIR");
+ if (env_dir != NULL) {
+ return env_dir;
+ }
}
-#endif
return WINBINDD_SOCKET_DIR;
}
/* try and get priv pipe */
request.wb_flags = WBFLAG_RECURSE;
+
+ /* Note that response needs to be initialized to avoid
+ * crashing on clean up after WINBINDD_PRIV_PIPE_DIR call failed
+ * as interface version (from the first request) returned as a fstring,
+ * thus response.extra_data.data will not be NULL even though
+ * winbindd response did not write over it due to a failure */
+ ZERO_STRUCT(response);
if (winbindd_request_response(WINBINDD_PRIV_PIPE_DIR, &request, &response) == NSS_STATUS_SUCCESS) {
int fd;
if ((fd = winbind_named_pipe_sock((char *)response.extra_data.data)) != -1) {
git.samba.org / obnox / samba / samba-obnox.git / blobdiff