#include "system/passwd.h"
#include "auth/auth.h"
#include "ntvfs/ntvfs.h"
-#include "dsdb/samdb/samdb.h"
-#include "param/param.h"
+#include "libcli/wbclient/wbclient.h"
+#define TEVENT_DEPRECATED
+#include <tevent.h>
-struct unixuid_private {
- struct sidmap_context *sidmap;
- struct unix_sec_ctx *last_sec_ctx;
- struct security_token *last_token;
-};
+#if defined(UID_WRAPPER)
+#if !defined(UID_WRAPPER_REPLACE) && !defined(UID_WRAPPER_NOT_REPLACE)
+#define UID_WRAPPER_REPLACE
+#include "../uid_wrapper/uid_wrapper.h"
+#endif
+#else
+#define uwrap_enabled() 0
+#endif
+NTSTATUS ntvfs_unixuid_init(void);
-struct unix_sec_ctx {
- uid_t uid;
- gid_t gid;
- uint_t ngroups;
- gid_t *groups;
+struct unixuid_private {
+ struct wbc_context *wbc_ctx;
+ struct security_unix_token *last_sec_ctx;
+ struct security_token *last_token;
};
+
/*
- pull the current security context into a unix_sec_ctx
+ pull the current security context into a security_unix_token
*/
-static struct unix_sec_ctx *save_unix_security(TALLOC_CTX *mem_ctx)
+static struct security_unix_token *save_unix_security(TALLOC_CTX *mem_ctx)
{
- struct unix_sec_ctx *sec = talloc(mem_ctx, struct unix_sec_ctx);
+ struct security_unix_token *sec = talloc(mem_ctx, struct security_unix_token);
if (sec == NULL) {
return NULL;
}
}
/*
- set the current security context from a unix_sec_ctx
+ set the current security context from a security_unix_token
*/
-static NTSTATUS set_unix_security(struct unix_sec_ctx *sec)
+static NTSTATUS set_unix_security(struct security_unix_token *sec)
{
seteuid(0);
return NT_STATUS_OK;
}
-/*
- form a unix_sec_ctx from the current security_token
-*/
-static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
- struct ntvfs_request *req,
- struct security_token *token,
- struct unix_sec_ctx **sec)
-{
- struct unixuid_private *private = ntvfs->private_data;
- int i;
- NTSTATUS status;
- *sec = talloc(req, struct unix_sec_ctx);
-
- /* we can't do unix security without a user and group */
- if (token->num_sids < 2) {
- return NT_STATUS_ACCESS_DENIED;
- }
+static int unixuid_nesting_level;
- status = sidmap_sid_to_unixuid(private->sidmap,
- token->user_sid, &(*sec)->uid);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- status = sidmap_sid_to_unixgid(private->sidmap,
- token->group_sid, &(*sec)->gid);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+/*
+ called at the start and end of a tevent nesting loop. Needs to save/restore
+ unix security context
+ */
+static int unixuid_event_nesting_hook(struct tevent_context *ev,
+ void *private_data,
+ uint32_t level,
+ bool begin,
+ void *stack_ptr,
+ const char *location)
+{
+ struct security_unix_token *sec_ctx;
+
+ if (unixuid_nesting_level == 0) {
+ /* we don't need to do anything unless we are nested
+ inside of a call in this module */
+ return 0;
}
- (*sec)->ngroups = token->num_sids - 2;
- (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
- if ((*sec)->groups == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ if (begin) {
+ sec_ctx = save_unix_security(ev);
+ if (sec_ctx == NULL) {
+ DEBUG(0,("%s: Failed to save security context\n", location));
+ return -1;
+ }
+ *(struct security_unix_token **)stack_ptr = sec_ctx;
+ if (seteuid(0) != 0 || setegid(0) != 0) {
+ DEBUG(0,("%s: Failed to change to root\n", location));
+ return -1;
+ }
+ } else {
+ /* called when we come out of a nesting level */
+ NTSTATUS status;
+
+ sec_ctx = *(struct security_unix_token **)stack_ptr;
+ if (sec_ctx == NULL) {
+ /* this happens the first time this function
+ is called, as we install the hook while
+ inside an event in unixuid_connect() */
+ return 0;
+ }
- for (i=0;i<(*sec)->ngroups;i++) {
- status = sidmap_sid_to_unixgid(private->sidmap,
- token->sids[i+2], &(*sec)->groups[i]);
+ sec_ctx = talloc_get_type_abort(sec_ctx, struct security_unix_token);
+ status = set_unix_security(sec_ctx);
+ talloc_free(sec_ctx);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ DEBUG(0,("%s: Failed to revert security context (%s)\n",
+ location, nt_errstr(status)));
+ return -1;
}
}
- return NT_STATUS_OK;
+ return 0;
+}
+
+
+/*
+ form a security_unix_token from the current security_token
+*/
+static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
+ struct ntvfs_request *req,
+ struct security_token *token,
+ struct security_unix_token **sec)
+{
+ struct unixuid_private *priv = ntvfs->private_data;
+
+ return security_token_to_unix_token(req,
+ priv->wbc_ctx,
+ token, sec);
}
/*
setup our unix security context according to the session authentication info
*/
static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
- struct ntvfs_request *req, struct unix_sec_ctx **sec)
+ struct ntvfs_request *req, struct security_unix_token **sec)
{
- struct unixuid_private *private = ntvfs->private_data;
+ struct unixuid_private *priv = ntvfs->private_data;
struct security_token *token;
- struct unix_sec_ctx *newsec;
+ struct security_unix_token *newsec;
NTSTATUS status;
- if (req->session_info == NULL) {
+ /* If we are asked to set up, but have not had a successful
+ * session setup or tree connect, then these may not be filled
+ * in. ACCESS_DENIED is the right error code here */
+ if (req->session_info == NULL || priv == NULL) {
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_NO_MEMORY;
}
- if (token == private->last_token) {
- newsec = private->last_sec_ctx;
+ if (token == priv->last_token) {
+ newsec = priv->last_sec_ctx;
} else {
status = nt_token_to_unix_security(ntvfs, req, token, &newsec);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(*sec);
return status;
}
- if (private->last_sec_ctx) {
- talloc_free(private->last_sec_ctx);
+ if (priv->last_sec_ctx) {
+ talloc_free(priv->last_sec_ctx);
}
- private->last_sec_ctx = newsec;
- private->last_token = token;
- talloc_steal(private, newsec);
+ priv->last_sec_ctx = newsec;
+ priv->last_token = token;
+ talloc_steal(priv, newsec);
}
status = set_unix_security(newsec);
*/
#define PASS_THRU_REQ(ntvfs, req, op, args) do { \
NTSTATUS status2; \
- struct unix_sec_ctx *sec; \
+ struct security_unix_token *sec; \
status = unixuid_setup_security(ntvfs, req, &sec); \
NT_STATUS_NOT_OK_RETURN(status); \
+ unixuid_nesting_level++; \
status = ntvfs_next_##op args; \
+ unixuid_nesting_level--; \
status2 = set_unix_security(sec); \
talloc_free(sec); \
if (!NT_STATUS_IS_OK(status2)) smb_panic("Unable to reset security context"); \
connect to a share - used when a tree_connect operation comes in.
*/
static NTSTATUS unixuid_connect(struct ntvfs_module_context *ntvfs,
- struct ntvfs_request *req, const char *sharename)
+ struct ntvfs_request *req, union smb_tcon *tcon)
{
- struct unixuid_private *private;
+ struct unixuid_private *priv;
NTSTATUS status;
- private = talloc(ntvfs, struct unixuid_private);
- if (!private) {
+ priv = talloc(ntvfs, struct unixuid_private);
+ if (!priv) {
return NT_STATUS_NO_MEMORY;
}
- private->sidmap = sidmap_open(private, ntvfs->ctx->lp_ctx);
- if (private->sidmap == NULL) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ priv->wbc_ctx = wbc_init(priv, ntvfs->ctx->msg_ctx,
+ ntvfs->ctx->event_ctx);
+ if (priv->wbc_ctx == NULL) {
+ talloc_free(priv);
+ return NT_STATUS_INTERNAL_ERROR;
}
- ntvfs->private_data = private;
- private->last_sec_ctx = NULL;
- private->last_token = NULL;
+ priv->last_sec_ctx = NULL;
+ priv->last_token = NULL;
+ ntvfs->private_data = priv;
+
+ tevent_loop_set_nesting_hook(ntvfs->ctx->event_ctx,
+ unixuid_event_nesting_hook,
+ &unixuid_nesting_level);
/* we don't use PASS_THRU_REQ here, as the connect operation runs with
root privileges. This allows the backends to setup any database
links they might need during the connect. */
- status = ntvfs_next_connect(ntvfs, req, sharename);
+ status = ntvfs_next_connect(ntvfs, req, tcon);
return status;
}
*/
static NTSTATUS unixuid_disconnect(struct ntvfs_module_context *ntvfs)
{
- struct unixuid_private *private = ntvfs->private_data;
+ struct unixuid_private *priv = ntvfs->private_data;
NTSTATUS status;
- talloc_free(private);
+ talloc_free(priv);
ntvfs->private_data = NULL;
status = ntvfs_next_disconnect(ntvfs);
static NTSTATUS unixuid_logoff(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req)
{
- struct unixuid_private *private = ntvfs->private_data;
+ struct unixuid_private *priv = ntvfs->private_data;
NTSTATUS status;
PASS_THRU_REQ(ntvfs, req, logoff, (ntvfs, req));
- private->last_token = NULL;
+ priv->last_token = NULL;
return status;
}
*/
static NTSTATUS unixuid_async_setup(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req,
- void *private)
+ void *private_data)
{
NTSTATUS status;
- PASS_THRU_REQ(ntvfs, req, async_setup, (ntvfs, req, private));
+ PASS_THRU_REQ(ntvfs, req, async_setup, (ntvfs, req, private_data));
return status;
}