source3/lib/popt_common_cmdline.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Common popt routines only used by cmdline utils
   4
   5    Copyright (C) Tim Potter 2001,2002
   6    Copyright (C) Jelmer Vernooij 2002,2003
   7    Copyright (C) James Peach 2006
   8    Copyright (C) Christof Schmitt 2018
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 /* Handle command line options:
  25  *              -U,--user
  26  *              -A,--authentication-file
  27  *              -k,--use-kerberos
  28  *              -N,--no-pass
  29  *              -S,--signing
  30  *              -P --machine-pass
  31  *              -e --encrypt
  32  *              -C --use-ccache
  33  */
  34
  35 #include "popt_common_cmdline.h"
  36 #include "includes.h"
  37 #include "auth_info.h"
  38
  39 static struct user_auth_info *cmdline_auth_info;
  40
  41 struct user_auth_info *popt_get_cmdline_auth_info(void)
  42 {
  43         return cmdline_auth_info;
  44 }
  45 void popt_free_cmdline_auth_info(void)
  46 {
  47         TALLOC_FREE(cmdline_auth_info);
  48 }
  49
  50 static bool popt_common_credentials_ignore_missing_conf;
  51 static bool popt_common_credentials_delay_post;
  52
  53 void popt_common_credentials_set_ignore_missing_conf(void)
  54 {
  55         popt_common_credentials_delay_post = true;
  56 }
  57
  58 void popt_common_credentials_set_delay_post(void)
  59 {
  60         popt_common_credentials_delay_post = true;
  61 }
  62
  63 void popt_common_credentials_post(void)
  64 {
  65         if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) &&
  66             !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info))
  67         {
  68                 fprintf(stderr,
  69                         "Failed to use machine account credentials\n");
  70                 exit(1);
  71         }
  72
  73         set_cmdline_auth_info_getpass(cmdline_auth_info);
  74
  75         /*
  76          * When we set the username during the handling of the options passed to
  77          * the binary we haven't loaded the config yet. This means that we
  78          * didn't take the 'winbind separator' into account.
  79          *
  80          * The username might contain the domain name and thus it hasn't been
  81          * correctly parsed yet. If we have a username we need to set it again
  82          * to run the string parser for the username correctly.
  83          */
  84         reset_cmdline_auth_info_username(cmdline_auth_info);
  85 }
  86
  87 static void popt_common_credentials_callback(poptContext con,
  88                                         enum poptCallbackReason reason,
  89                                         const struct poptOption *opt,
  90                                         const char *arg, const void *data)
  91 {
  92         if (reason == POPT_CALLBACK_REASON_PRE) {
  93                 struct user_auth_info *auth_info =
  94                                 user_auth_info_init(NULL);
  95                 if (auth_info == NULL) {
  96                         fprintf(stderr, "user_auth_info_init() failed\n");
  97                         exit(1);
  98                 }
  99                 cmdline_auth_info = auth_info;
 100                 return;
 101         }
 102
 103         if (reason == POPT_CALLBACK_REASON_POST) {
 104                 bool ok;
 105
 106                 ok = lp_load_client(get_dyn_CONFIGFILE());
 107                 if (!ok) {
 108                         const char *pname = poptGetInvocationName(con);
 109
 110                         fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n",
 111                                 pname, get_dyn_CONFIGFILE());
 112                         if (!popt_common_credentials_ignore_missing_conf) {
 113                                 exit(1);
 114                         }
 115                 }
 116
 117                 load_interfaces();
 118
 119                 set_cmdline_auth_info_guess(cmdline_auth_info);
 120
 121                 if (popt_common_credentials_delay_post) {
 122                         return;
 123                 }
 124
 125                 popt_common_credentials_post();
 126                 return;
 127         }
 128
 129         switch(opt->val) {
 130         case 'U':
 131                 set_cmdline_auth_info_username(cmdline_auth_info, arg);
 132                 break;
 133
 134         case 'A':
 135                 set_cmdline_auth_info_from_file(cmdline_auth_info, arg);
 136                 break;
 137
 138         case 'k':
 139 #ifndef HAVE_KRB5
 140                 d_printf("No kerberos support compiled in\n");
 141                 exit(1);
 142 #else
 143                 set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info);
 144 #endif
 145                 break;
 146
 147         case 'S':
 148                 if (!set_cmdline_auth_info_signing_state(cmdline_auth_info,
 149                                 arg)) {
 150                         fprintf(stderr, "Unknown signing option %s\n", arg );
 151                         exit(1);
 152                 }
 153                 break;
 154         case 'P':
 155                 set_cmdline_auth_info_use_machine_account(cmdline_auth_info);
 156                 break;
 157         case 'N':
 158                 set_cmdline_auth_info_password(cmdline_auth_info, "");
 159                 break;
 160         case 'e':
 161                 set_cmdline_auth_info_smb_encrypt(cmdline_auth_info);
 162                 break;
 163         case 'C':
 164                 set_cmdline_auth_info_use_ccache(cmdline_auth_info, true);
 165                 break;
 166         case 'H':
 167                 set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true);
 168                 break;
 169         }
 170 }
 171
 172 /**
 173  * @brief Burn the commandline password.
 174  *
 175  * This function removes the password from the command line so we
 176  * don't leak the password e.g. in 'ps aux'.
 177  *
 178  * It should be called after processing the options and you should pass down
 179  * argv from main().
 180  *
 181  * @param[in]  argc     The number of arguments.
 182  *
 183  * @param[in]  argv[]   The argument array we will find the array.
 184  */
 185 void popt_burn_cmdline_password(int argc, char *argv[])
 186 {
 187         bool found = false;
 188         char *p = NULL;
 189         int i, ulen = 0;
 190
 191         for (i = 0; i < argc; i++) {
 192                 p = argv[i];
 193                 if (strncmp(p, "-U", 2) == 0) {
 194                         ulen = 2;
 195                         found = true;
 196                 } else if (strncmp(p, "--user", 6) == 0) {
 197                         ulen = 6;
 198                         found = true;
 199                 }
 200
 201                 if (found) {
 202                         if (p == NULL) {
 203                                 return;
 204                         }
 205
 206                         if (strlen(p) == ulen) {
 207                                 continue;
 208                         }
 209
 210                         p = strchr_m(p, '%');
 211                         if (p != NULL) {
 212                                 memset(p, '\0', strlen(p));
 213                         }
 214                         found = false;
 215                 }
 216         }
 217 }
 218
 219 struct poptOption popt_common_credentials[] = {
 220         { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST,
 221           (void *)popt_common_credentials_callback, 0, NULL },
 222         { "user", 'U', POPT_ARG_STRING, NULL, 'U',
 223           "Set the network username", "USERNAME" },
 224         { "no-pass", 'N', POPT_ARG_NONE, NULL, 'N',
 225           "Don't ask for a password" },
 226         { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k',
 227           "Use kerberos (active directory) authentication" },
 228         { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A',
 229           "Get the credentials from a file", "FILE" },
 230         { "signing", 'S', POPT_ARG_STRING, NULL, 'S',
 231           "Set the client signing state", "on|off|required" },
 232         {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P',
 233          "Use stored machine account password" },
 234         {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e',
 235          "Encrypt SMB transport" },
 236         {"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C',
 237          "Use the winbind ccache for authentication" },
 238         {"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H',
 239          "The supplied password is the NT hash" },
 240         POPT_TABLEEND
 241 };