source3/lib/popt_common_cmdline.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Common popt routines only used by cmdline utils
   4
   5    Copyright (C) Tim Potter 2001,2002
   6    Copyright (C) Jelmer Vernooij 2002,2003
   7    Copyright (C) James Peach 2006
   8    Copyright (C) Christof Schmitt 2018
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 /* Handle command line options:
  25  *              -U,--user
  26  *              -A,--authentication-file
  27  *              -k,--use-kerberos
  28  *              -N,--no-pass
  29  *              -S,--signing
  30  *              -P --machine-pass
  31  *              -e --encrypt
  32  *              -C --use-ccache
  33  */
  34
  35 #include "popt_common_cmdline.h"
  36 #include "includes.h"
  37 #include "auth_info.h"
  38 #include "cmdline_contexts.h"
  39
  40 static struct user_auth_info *cmdline_auth_info;
  41
  42 struct user_auth_info *popt_get_cmdline_auth_info(void)
  43 {
  44         return cmdline_auth_info;
  45 }
  46 void popt_free_cmdline_auth_info(void)
  47 {
  48         TALLOC_FREE(cmdline_auth_info);
  49 }
  50
  51 static bool popt_common_credentials_ignore_missing_conf;
  52 static bool popt_common_credentials_delay_post;
  53
  54 void popt_common_credentials_set_ignore_missing_conf(void)
  55 {
  56         popt_common_credentials_ignore_missing_conf = true;
  57 }
  58
  59 void popt_common_credentials_set_delay_post(void)
  60 {
  61         popt_common_credentials_delay_post = true;
  62 }
  63
  64 void popt_common_credentials_post(void)
  65 {
  66         if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) &&
  67             !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info))
  68         {
  69                 fprintf(stderr,
  70                         "Failed to use machine account credentials\n");
  71                 exit(1);
  72         }
  73
  74         set_cmdline_auth_info_getpass(cmdline_auth_info);
  75
  76         /*
  77          * When we set the username during the handling of the options passed to
  78          * the binary we haven't loaded the config yet. This means that we
  79          * didn't take the 'winbind separator' into account.
  80          *
  81          * The username might contain the domain name and thus it hasn't been
  82          * correctly parsed yet. If we have a username we need to set it again
  83          * to run the string parser for the username correctly.
  84          */
  85         reset_cmdline_auth_info_username(cmdline_auth_info);
  86 }
  87
  88 static void popt_common_credentials_callback(poptContext con,
  89                                         enum poptCallbackReason reason,
  90                                         const struct poptOption *opt,
  91                                         const char *arg, const void *data)
  92 {
  93         if (reason == POPT_CALLBACK_REASON_PRE) {
  94                 struct user_auth_info *auth_info =
  95                                 user_auth_info_init(NULL);
  96                 if (auth_info == NULL) {
  97                         fprintf(stderr, "user_auth_info_init() failed\n");
  98                         exit(1);
  99                 }
 100                 cmdline_auth_info = auth_info;
 101                 return;
 102         }
 103
 104         if (reason == POPT_CALLBACK_REASON_POST) {
 105                 struct messaging_context *msg_ctx = NULL;
 106                 bool ok;
 107
 108                 msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
 109                 if (msg_ctx == NULL) {
 110                         fprintf(stderr, "Unable to initialize "
 111                                 "messaging context\n");
 112                 }
 113
 114                 ok = lp_load_client(get_dyn_CONFIGFILE());
 115                 if (!ok) {
 116                         const char *pname = poptGetInvocationName(con);
 117
 118                         fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n",
 119                                 pname, get_dyn_CONFIGFILE());
 120                         if (!popt_common_credentials_ignore_missing_conf) {
 121                                 exit(1);
 122                         }
 123                 }
 124
 125                 load_interfaces();
 126
 127                 set_cmdline_auth_info_guess(cmdline_auth_info);
 128
 129                 if (popt_common_credentials_delay_post) {
 130                         return;
 131                 }
 132
 133                 popt_common_credentials_post();
 134                 return;
 135         }
 136
 137         switch(opt->val) {
 138         case 'U':
 139                 set_cmdline_auth_info_username(cmdline_auth_info, arg);
 140                 break;
 141
 142         case 'A':
 143                 set_cmdline_auth_info_from_file(cmdline_auth_info, arg);
 144                 break;
 145
 146         case 'k':
 147 #ifndef HAVE_KRB5
 148                 d_printf("No kerberos support compiled in\n");
 149                 exit(1);
 150 #else
 151                 set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info);
 152 #endif
 153                 break;
 154
 155         case 'S':
 156                 if (!set_cmdline_auth_info_signing_state(cmdline_auth_info,
 157                                 arg)) {
 158                         fprintf(stderr, "Unknown signing option %s\n", arg );
 159                         exit(1);
 160                 }
 161                 break;
 162         case 'P':
 163                 set_cmdline_auth_info_use_machine_account(cmdline_auth_info);
 164                 break;
 165         case 'N':
 166                 set_cmdline_auth_info_password(cmdline_auth_info, "");
 167                 break;
 168         case 'e':
 169                 set_cmdline_auth_info_smb_encrypt(cmdline_auth_info);
 170                 break;
 171         case 'C':
 172                 set_cmdline_auth_info_use_ccache(cmdline_auth_info, true);
 173                 break;
 174         case 'H':
 175                 set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true);
 176                 break;
 177         }
 178 }
 179
 180 /**
 181  * @brief Burn the commandline password.
 182  *
 183  * This function removes the password from the command line so we
 184  * don't leak the password e.g. in 'ps aux'.
 185  *
 186  * It should be called after processing the options and you should pass down
 187  * argv from main().
 188  *
 189  * @param[in]  argc     The number of arguments.
 190  *
 191  * @param[in]  argv[]   The argument array we will find the array.
 192  */
 193 void popt_burn_cmdline_password(int argc, char *argv[])
 194 {
 195         bool found = false;
 196         char *p = NULL;
 197         int i, ulen = 0;
 198
 199         for (i = 0; i < argc; i++) {
 200                 p = argv[i];
 201                 if (strncmp(p, "-U", 2) == 0) {
 202                         ulen = 2;
 203                         found = true;
 204                 } else if (strncmp(p, "--user", 6) == 0) {
 205                         ulen = 6;
 206                         found = true;
 207                 }
 208
 209                 if (found) {
 210                         if (p == NULL) {
 211                                 return;
 212                         }
 213
 214                         if (strlen(p) == ulen) {
 215                                 continue;
 216                         }
 217
 218                         p = strchr_m(p, '%');
 219                         if (p != NULL) {
 220                                 memset_s(p, strlen(p), '\0', strlen(p));
 221                         }
 222                         found = false;
 223                 }
 224         }
 225 }
 226
 227 struct poptOption popt_common_credentials[] = {
 228         { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST,
 229           (void *)popt_common_credentials_callback, 0, NULL },
 230         { "user", 'U', POPT_ARG_STRING, NULL, 'U',
 231           "Set the network username", "USERNAME" },
 232         { "no-pass", 'N', POPT_ARG_NONE, NULL, 'N',
 233           "Don't ask for a password" },
 234         { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k',
 235           "Use kerberos (active directory) authentication" },
 236         { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A',
 237           "Get the credentials from a file", "FILE" },
 238         { "signing", 'S', POPT_ARG_STRING, NULL, 'S',
 239           "Set the client signing state", "on|off|required" },
 240         {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P',
 241          "Use stored machine account password" },
 242         {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e',
 243          "Encrypt SMB transport" },
 244         {"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C',
 245          "Use the winbind ccache for authentication" },
 246         {"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H',
 247          "The supplied password is the NT hash" },
 248         POPT_TABLEEND
 249 };