Copyright (C) Tim Potter 2000
Copyright (C) Andrew Tridgell 2000
Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Matthew Newton 2015
This library is free software; you can redistribute it and/or
#include "system/select.h"
#include "winbind_client.h"
-/* Global variables. These are effectively the client state information */
+/* Global context */
-int winbindd_fd = -1; /* fd for winbindd socket */
-static int is_privileged = 0;
+struct winbindd_context {
+ int winbindd_fd; /* winbind file descriptor */
+ bool is_privileged; /* using the privileged socket? */
+ pid_t our_pid; /* calling process pid */
+};
+
+static struct winbindd_context wb_global_ctx = {
+ .winbindd_fd = -1,
+ .is_privileged = 0,
+ .our_pid = 0
+};
/* Free a response structure */
/* Close established socket */
-#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
+static void winbind_close_sock(struct winbindd_context *ctx)
+{
+ if (!ctx) {
+ return;
+ }
+
+ if (ctx->winbindd_fd != -1) {
+ close(ctx->winbindd_fd);
+ ctx->winbindd_fd = -1;
+ }
+}
+
+/* Destructor for global context to ensure fd is closed */
+
+#if HAVE_DESTRUCTOR_ATTRIBUTE
__attribute__((destructor))
#endif
-static void winbind_close_sock(void)
+static void winbind_destructor(void)
{
- if (winbindd_fd != -1) {
- close(winbindd_fd);
- winbindd_fd = -1;
- }
+ winbind_close_sock(&wb_global_ctx);
}
#define CONNECT_TIMEOUT 30
/**
* @internal
*
- * @brief Check if we have priviliged access.
+ * @brief Check if we talk to the priviliged pipe which should be owned by root.
*
- * This checks if we have uid_wrapper running and if yes turns it of so that we
- * can check if we have access.
+ * This checks if we have uid_wrapper running and if this is the case it will
+ * allow one to connect to the winbind privileged pipe even it is not owned by root.
*
- * @param[in] uid The uid to compare if we have access.
+ * @param[in] uid The uid to check if we can safely talk to the pipe.
*
* @return If we have access it returns true, else false.
*/
-static bool winbind_privileged_access(uid_t uid)
+static bool winbind_privileged_pipe_is_root(uid_t uid)
{
- uid_t euid;
-
- if (uid_wrapper_enabled()) {
- setenv("UID_WRAPPER_MYUID", "1", 1);
+ if (uid == 0) {
+ return true;
}
- euid = geteuid();
-
if (uid_wrapper_enabled()) {
- unsetenv("UID_WRAPPER_MYUID");
+ return true;
}
- return (uid == euid);
+ return false;
}
/* Connect to winbindd socket */
{
struct sockaddr_un sunaddr;
struct stat st;
- char *path = NULL;
int fd;
int wait_time;
int slept;
+ int ret;
/* Check permissions on unix socket directory */
return -1;
}
- /* This tells uid_wrapper to return the userid for the geteuid check */
+ /*
+ * This tells us that the pipe is owned by a privileged
+ * process, as we will be sending passwords to it.
+ */
if (!S_ISDIR(st.st_mode) ||
- !winbind_privileged_access(st.st_uid)) {
+ !winbind_privileged_pipe_is_root(st.st_uid)) {
errno = ENOENT;
return -1;
}
/* Connect to socket */
- if (asprintf(&path, "%s/%s", dir, WINBINDD_SOCKET_NAME) < 0) {
+ sunaddr = (struct sockaddr_un) { .sun_family = AF_UNIX };
+
+ ret = snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path),
+ "%s/%s", dir, WINBINDD_SOCKET_NAME);
+ if ((ret == -1) || (ret >= sizeof(sunaddr.sun_path))) {
+ errno = ENAMETOOLONG;
return -1;
}
- ZERO_STRUCT(sunaddr);
- sunaddr.sun_family = AF_UNIX;
- strncpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path) - 1);
-
/* If socket file doesn't exist, don't bother trying to connect
with retry. This is an attempt to make the system usable when
the winbindd daemon is not running. */
- if (lstat(path, &st) == -1) {
+ if (lstat(sunaddr.sun_path, &st) == -1) {
errno = ENOENT;
- SAFE_FREE(path);
return -1;
}
- SAFE_FREE(path);
/* Check permissions on unix socket file */
- /* This tells uid_wrapper to return the userid for the geteuid check */
+ /*
+ * This tells us that the pipe is owned by a privileged
+ * process, as we will be sending passwords to it.
+ */
if (!S_ISSOCK(st.st_mode) ||
- !winbind_privileged_access(st.st_uid)) {
+ !winbind_privileged_pipe_is_root(st.st_uid)) {
errno = ENOENT;
return -1;
}
for (wait_time = 0; connect(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1;
wait_time += slept) {
struct pollfd pfd;
- int ret;
int connect_errno = 0;
socklen_t errnosize;
static const char *winbindd_socket_dir(void)
{
-#ifdef SOCKET_WRAPPER
- const char *env_dir;
+ if (nss_wrapper_enabled()) {
+ const char *env_dir;
- env_dir = getenv(WINBINDD_SOCKET_DIR_ENVVAR);
- if (env_dir) {
- return env_dir;
+ env_dir = getenv("SELFTEST_WINBINDD_SOCKET_DIR");
+ if (env_dir != NULL) {
+ return env_dir;
+ }
}
-#endif
return WINBINDD_SOCKET_DIR;
}
/* Connect to winbindd socket */
-static int winbind_open_pipe_sock(int recursing, int need_priv)
+static int winbind_open_pipe_sock(struct winbindd_context *ctx,
+ int recursing, int need_priv)
{
#ifdef HAVE_UNIXSOCKET
- static pid_t our_pid;
struct winbindd_request request;
struct winbindd_response response;
+
ZERO_STRUCT(request);
ZERO_STRUCT(response);
- if (our_pid != getpid()) {
- winbind_close_sock();
- our_pid = getpid();
+ if (!ctx) {
+ return -1;
}
- if ((need_priv != 0) && (is_privileged == 0)) {
- winbind_close_sock();
+ if (ctx->our_pid != getpid()) {
+ winbind_close_sock(ctx);
+ ctx->our_pid = getpid();
}
- if (winbindd_fd != -1) {
- return winbindd_fd;
+ if ((need_priv != 0) && (ctx->is_privileged == 0)) {
+ winbind_close_sock(ctx);
+ }
+
+ if (ctx->winbindd_fd != -1) {
+ return ctx->winbindd_fd;
}
if (recursing) {
return -1;
}
- if ((winbindd_fd = winbind_named_pipe_sock(winbindd_socket_dir())) == -1) {
+ ctx->winbindd_fd = winbind_named_pipe_sock(winbindd_socket_dir());
+
+ if (ctx->winbindd_fd == -1) {
return -1;
}
- is_privileged = 0;
+ ctx->is_privileged = 0;
/* version-check the socket */
request.wb_flags = WBFLAG_RECURSE;
- if ((winbindd_request_response(WINBINDD_INTERFACE_VERSION, &request, &response) != NSS_STATUS_SUCCESS) || (response.data.interface_version != WINBIND_INTERFACE_VERSION)) {
- winbind_close_sock();
+ if ((winbindd_request_response(ctx, WINBINDD_INTERFACE_VERSION, &request,
+ &response) != NSS_STATUS_SUCCESS) ||
+ (response.data.interface_version != WINBIND_INTERFACE_VERSION)) {
+ winbind_close_sock(ctx);
return -1;
}
/* try and get priv pipe */
request.wb_flags = WBFLAG_RECURSE;
- if (winbindd_request_response(WINBINDD_PRIV_PIPE_DIR, &request, &response) == NSS_STATUS_SUCCESS) {
+
+ /* Note that response needs to be initialized to avoid
+ * crashing on clean up after WINBINDD_PRIV_PIPE_DIR call failed
+ * as interface version (from the first request) returned as a fstring,
+ * thus response.extra_data.data will not be NULL even though
+ * winbindd response did not write over it due to a failure */
+ ZERO_STRUCT(response);
+ if (winbindd_request_response(ctx, WINBINDD_PRIV_PIPE_DIR, &request,
+ &response) == NSS_STATUS_SUCCESS) {
int fd;
- if ((fd = winbind_named_pipe_sock((char *)response.extra_data.data)) != -1) {
- close(winbindd_fd);
- winbindd_fd = fd;
- is_privileged = 1;
+ fd = winbind_named_pipe_sock((char *)response.extra_data.data);
+ if (fd != -1) {
+ close(ctx->winbindd_fd);
+ ctx->winbindd_fd = fd;
+ ctx->is_privileged = 1;
}
}
- if ((need_priv != 0) && (is_privileged == 0)) {
+ if ((need_priv != 0) && (ctx->is_privileged == 0)) {
return -1;
}
SAFE_FREE(response.extra_data.data);
- return winbindd_fd;
+ return ctx->winbindd_fd;
#else
return -1;
#endif /* HAVE_UNIXSOCKET */
/* Write data to winbindd socket */
-static int winbind_write_sock(void *buffer, int count, int recursing,
- int need_priv)
+static int winbind_write_sock(struct winbindd_context *ctx, void *buffer,
+ int count, int recursing, int need_priv)
{
int fd, result, nwritten;
restart:
- fd = winbind_open_pipe_sock(recursing, need_priv);
+ fd = winbind_open_pipe_sock(ctx, recursing, need_priv);
if (fd == -1) {
errno = ENOENT;
return -1;
ret = poll(&pfd, 1, -1);
if (ret == -1) {
- winbind_close_sock();
+ winbind_close_sock(ctx);
return -1; /* poll error */
}
/* Pipe has closed on remote end */
- winbind_close_sock();
+ winbind_close_sock(ctx);
goto restart;
}
/* Write failed */
- winbind_close_sock();
+ winbind_close_sock(ctx);
return -1;
}
/* Read data from winbindd socket */
-static int winbind_read_sock(void *buffer, int count)
+static int winbind_read_sock(struct winbindd_context *ctx,
+ void *buffer, int count)
{
int fd;
int nread = 0;
int total_time = 0;
- fd = winbind_open_pipe_sock(false, false);
+ fd = winbind_open_pipe_sock(ctx, false, false);
if (fd == -1) {
return -1;
}
ret = poll(&pfd, 1, 5000);
if (ret == -1) {
- winbind_close_sock();
+ winbind_close_sock(ctx);
return -1; /* poll error */
}
if (ret == 0) {
/* Not ready for read yet... */
- if (total_time >= 30) {
+ if (total_time >= 300) {
/* Timeout */
- winbind_close_sock();
+ winbind_close_sock(ctx);
return -1;
}
total_time += 5;
can do here is just return -1 and fail since the
transaction has failed half way through. */
- winbind_close_sock();
+ winbind_close_sock(ctx);
return -1;
}
/* Read reply */
-static int winbindd_read_reply(struct winbindd_response *response)
+static int winbindd_read_reply(struct winbindd_context *ctx,
+ struct winbindd_response *response)
{
int result1, result2 = 0;
/* Read fixed length response */
- result1 = winbind_read_sock(response,
+ result1 = winbind_read_sock(ctx, response,
sizeof(struct winbindd_response));
+
+ /* We actually send the pointer value of the extra_data field from
+ the server. This has no meaning in the client's address space
+ so we clear it out. */
+
+ response->extra_data.data = NULL;
+
if (result1 == -1) {
return -1;
}
return -1;
}
- /* We actually send the pointer value of the extra_data field from
- the server. This has no meaning in the client's address space
- so we clear it out. */
-
- response->extra_data.data = NULL;
-
/* Read variable length response */
if (response->length > sizeof(struct winbindd_response)) {
return -1;
}
- result2 = winbind_read_sock(response->extra_data.data,
+ result2 = winbind_read_sock(ctx, response->extra_data.data,
extra_data_len);
if (result2 == -1) {
winbindd_free_response(response);
* send simple types of requests
*/
-NSS_STATUS winbindd_send_request(int req_type, int need_priv,
+NSS_STATUS winbindd_send_request(struct winbindd_context *ctx,
+ int req_type, int need_priv,
struct winbindd_request *request)
{
struct winbindd_request lrequest;
winbindd_init_request(request, req_type);
- if (winbind_write_sock(request, sizeof(*request),
+ if (winbind_write_sock(ctx, request, sizeof(*request),
request->wb_flags & WBFLAG_RECURSE,
need_priv) == -1)
{
}
if ((request->extra_len != 0) &&
- (winbind_write_sock(request->extra_data.data,
+ (winbind_write_sock(ctx, request->extra_data.data,
request->extra_len,
request->wb_flags & WBFLAG_RECURSE,
need_priv) == -1))
* Get results from winbindd request
*/
-NSS_STATUS winbindd_get_response(struct winbindd_response *response)
+NSS_STATUS winbindd_get_response(struct winbindd_context *ctx,
+ struct winbindd_response *response)
{
struct winbindd_response lresponse;
init_response(response);
/* Wait for reply */
- if (winbindd_read_reply(response) == -1) {
+ if (winbindd_read_reply(ctx, response) == -1) {
/* Set ENOENT for consistency. Required by some apps */
errno = ENOENT;
/* Handle simple types of requests */
-NSS_STATUS winbindd_request_response(int req_type,
- struct winbindd_request *request,
- struct winbindd_response *response)
+NSS_STATUS winbindd_request_response(struct winbindd_context *ctx,
+ int req_type,
+ struct winbindd_request *request,
+ struct winbindd_response *response)
{
NSS_STATUS status = NSS_STATUS_UNAVAIL;
- int count = 0;
- while ((status == NSS_STATUS_UNAVAIL) && (count < 10)) {
- status = winbindd_send_request(req_type, 0, request);
- if (status != NSS_STATUS_SUCCESS)
- return(status);
- status = winbindd_get_response(response);
- count += 1;
+ if (ctx == NULL) {
+ ctx = &wb_global_ctx;
}
+ status = winbindd_send_request(ctx, req_type, 0, request);
+ if (status != NSS_STATUS_SUCCESS)
+ return (status);
+ status = winbindd_get_response(ctx, response);
+
return status;
}
-NSS_STATUS winbindd_priv_request_response(int req_type,
+NSS_STATUS winbindd_priv_request_response(struct winbindd_context *ctx,
+ int req_type,
struct winbindd_request *request,
struct winbindd_response *response)
{
NSS_STATUS status = NSS_STATUS_UNAVAIL;
- int count = 0;
- while ((status == NSS_STATUS_UNAVAIL) && (count < 10)) {
- status = winbindd_send_request(req_type, 1, request);
- if (status != NSS_STATUS_SUCCESS)
- return(status);
- status = winbindd_get_response(response);
- count += 1;
+ if (ctx == NULL) {
+ ctx = &wb_global_ctx;
}
+ status = winbindd_send_request(ctx, req_type, 1, request);
+ if (status != NSS_STATUS_SUCCESS)
+ return (status);
+ status = winbindd_get_response(ctx, response);
+
return status;
}
+
+/* Create and free winbindd context */
+
+struct winbindd_context *winbindd_ctx_create(void)
+{
+ struct winbindd_context *ctx;
+
+ ctx = calloc(1, sizeof(struct winbindd_context));
+
+ if (!ctx) {
+ return NULL;
+ }
+
+ ctx->winbindd_fd = -1;
+
+ return ctx;
+}
+
+void winbindd_ctx_free(struct winbindd_context *ctx)
+{
+ winbind_close_sock(ctx);
+ free(ctx);
+}
git.samba.org / samba.git / blobdiff