2 Unix SMB/CIFS implementation.
4 winbind client common code
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Andrew Tridgell 2000
8 Copyright (C) Andrew Bartlett 2002
9 Copyright (C) Matthew Newton 2015
12 This library is free software; you can redistribute it and/or
13 modify it under the terms of the GNU Lesser General Public
14 License as published by the Free Software Foundation; either
15 version 3 of the License, or (at your option) any later version.
17 This library is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 Library General Public License for more details.
22 You should have received a copy of the GNU Lesser General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "system/select.h"
28 #include "winbind_client.h"
34 static char client_name[32];
38 struct winbindd_context {
39 int winbindd_fd; /* winbind file descriptor */
40 bool is_privileged; /* using the privileged socket? */
41 pid_t our_pid; /* calling process pid */
45 static pthread_mutex_t wb_global_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
48 static struct winbindd_context *get_wb_global_ctx(void)
50 static struct winbindd_context wb_global_ctx = {
52 .is_privileged = false,
57 pthread_mutex_lock(&wb_global_ctx_mutex);
59 return &wb_global_ctx;
62 static void put_wb_global_ctx(void)
65 pthread_mutex_unlock(&wb_global_ctx_mutex);
70 /* Free a response structure */
72 void winbindd_free_response(struct winbindd_response *response)
74 /* Free any allocated extra_data */
77 SAFE_FREE(response->extra_data.data);
80 void winbind_set_client_name(const char *name)
82 if (name == NULL || strlen(name) == 0) {
86 (void)snprintf(client_name, sizeof(client_name), "%s", name);
89 static const char *winbind_get_client_name(void)
91 if (client_name[0] == '\0') {
94 len = snprintf(client_name,
106 /* Initialise a request structure */
108 static void winbindd_init_request(struct winbindd_request *request,
111 request->length = sizeof(struct winbindd_request);
113 request->cmd = (enum winbindd_cmd)request_type;
114 request->pid = getpid();
116 (void)snprintf(request->client_name,
117 sizeof(request->client_name),
119 winbind_get_client_name());
122 /* Initialise a response structure */
124 static void init_response(struct winbindd_response *response)
126 /* Initialise return value */
128 response->result = WINBINDD_ERROR;
131 /* Close established socket */
133 static void winbind_close_sock(struct winbindd_context *ctx)
139 if (ctx->winbindd_fd != -1) {
140 close(ctx->winbindd_fd);
141 ctx->winbindd_fd = -1;
145 /* Destructor for global context to ensure fd is closed */
147 #if HAVE_DESTRUCTOR_ATTRIBUTE
148 __attribute__((destructor))
150 static void winbind_destructor(void)
152 struct winbindd_context *ctx;
154 ctx = get_wb_global_ctx();
155 winbind_close_sock(ctx);
159 #define CONNECT_TIMEOUT 30
161 /* Make sure socket handle isn't stdin, stdout or stderr */
162 #define RECURSION_LIMIT 3
164 static int make_nonstd_fd_internals(int fd, int limit /* Recursion limiter */)
167 if (fd >= 0 && fd <= 2) {
169 if ((new_fd = fcntl(fd, F_DUPFD, 3)) == -1) {
187 /* use the program stack to hold our list of FDs to close */
188 new_fd = make_nonstd_fd_internals(new_fd, limit - 1);
196 /****************************************************************************
197 Set a fd into blocking/nonblocking mode. Uses POSIX O_NONBLOCK if available,
201 Set close on exec also.
202 ****************************************************************************/
204 static int make_safe_fd(int fd)
207 int new_fd = make_nonstd_fd_internals(fd, RECURSION_LIMIT);
213 /* Socket should be nonblocking. */
215 #define FLAG_TO_SET O_NONBLOCK
218 #define FLAG_TO_SET O_NDELAY
220 #define FLAG_TO_SET FNDELAY
224 if ((flags = fcntl(new_fd, F_GETFL)) == -1) {
229 flags |= FLAG_TO_SET;
230 if (fcntl(new_fd, F_SETFL, flags) == -1) {
237 /* Socket should be closed on exec() */
239 result = flags = fcntl(new_fd, F_GETFD, 0);
242 result = fcntl( new_fd, F_SETFD, flags );
255 * @brief Check if we talk to the priviliged pipe which should be owned by root.
257 * This checks if we have uid_wrapper running and if this is the case it will
258 * allow one to connect to the winbind privileged pipe even it is not owned by root.
260 * @param[in] uid The uid to check if we can safely talk to the pipe.
262 * @return If we have access it returns true, else false.
264 static bool winbind_privileged_pipe_is_root(uid_t uid)
270 if (uid_wrapper_enabled()) {
277 /* Connect to winbindd socket */
279 static int winbind_named_pipe_sock(const char *dir)
281 struct sockaddr_un sunaddr;
288 /* Check permissions on unix socket directory */
290 if (lstat(dir, &st) == -1) {
296 * This tells us that the pipe is owned by a privileged
297 * process, as we will be sending passwords to it.
299 if (!S_ISDIR(st.st_mode) ||
300 !winbind_privileged_pipe_is_root(st.st_uid)) {
305 /* Connect to socket */
307 sunaddr = (struct sockaddr_un) { .sun_family = AF_UNIX };
309 ret = snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path),
310 "%s/%s", dir, WINBINDD_SOCKET_NAME);
311 if ((ret == -1) || (ret >= sizeof(sunaddr.sun_path))) {
312 errno = ENAMETOOLONG;
316 /* If socket file doesn't exist, don't bother trying to connect
317 with retry. This is an attempt to make the system usable when
318 the winbindd daemon is not running. */
320 if (lstat(sunaddr.sun_path, &st) == -1) {
325 /* Check permissions on unix socket file */
328 * This tells us that the pipe is owned by a privileged
329 * process, as we will be sending passwords to it.
331 if (!S_ISSOCK(st.st_mode) ||
332 !winbind_privileged_pipe_is_root(st.st_uid)) {
337 /* Connect to socket */
339 if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
343 /* Set socket non-blocking and close on exec. */
345 if ((fd = make_safe_fd( fd)) == -1) {
349 for (wait_time = 0; connect(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1;
350 wait_time += slept) {
352 int connect_errno = 0;
355 if (wait_time >= CONNECT_TIMEOUT)
361 pfd.events = POLLOUT;
363 ret = poll(&pfd, 1, (CONNECT_TIMEOUT - wait_time) * 1000);
366 errnosize = sizeof(connect_errno);
368 ret = getsockopt(fd, SOL_SOCKET,
369 SO_ERROR, &connect_errno, &errnosize);
371 if (ret >= 0 && connect_errno == 0) {
372 /* Connect succeed */
377 slept = CONNECT_TIMEOUT;
380 slept = rand() % 3 + 1;
399 static const char *winbindd_socket_dir(void)
401 if (nss_wrapper_enabled()) {
404 env_dir = getenv("SELFTEST_WINBINDD_SOCKET_DIR");
405 if (env_dir != NULL) {
410 return WINBINDD_SOCKET_DIR;
413 /* Connect to winbindd socket */
415 static int winbind_open_pipe_sock(struct winbindd_context *ctx,
416 int recursing, int need_priv)
418 #ifdef HAVE_UNIXSOCKET
419 struct winbindd_request request;
420 struct winbindd_response response;
422 ZERO_STRUCT(request);
423 ZERO_STRUCT(response);
429 if (ctx->our_pid != getpid()) {
430 winbind_close_sock(ctx);
431 ctx->our_pid = getpid();
434 if ((need_priv != 0) && !ctx->is_privileged) {
435 winbind_close_sock(ctx);
438 if (ctx->winbindd_fd != -1) {
439 return ctx->winbindd_fd;
446 ctx->winbindd_fd = winbind_named_pipe_sock(winbindd_socket_dir());
448 if (ctx->winbindd_fd == -1) {
452 ctx->is_privileged = false;
454 /* version-check the socket */
456 request.wb_flags = WBFLAG_RECURSE;
457 if ((winbindd_request_response(ctx, WINBINDD_INTERFACE_VERSION, &request,
458 &response) != NSS_STATUS_SUCCESS) ||
459 (response.data.interface_version != WINBIND_INTERFACE_VERSION)) {
460 winbind_close_sock(ctx);
464 if (need_priv == 0) {
465 return ctx->winbindd_fd;
468 /* try and get priv pipe */
470 request.wb_flags = WBFLAG_RECURSE;
472 /* Note that response needs to be initialized to avoid
473 * crashing on clean up after WINBINDD_PRIV_PIPE_DIR call failed
474 * as interface version (from the first request) returned as a fstring,
475 * thus response.extra_data.data will not be NULL even though
476 * winbindd response did not write over it due to a failure */
477 ZERO_STRUCT(response);
478 if (winbindd_request_response(ctx, WINBINDD_PRIV_PIPE_DIR, &request,
479 &response) == NSS_STATUS_SUCCESS) {
481 fd = winbind_named_pipe_sock((char *)response.extra_data.data);
483 close(ctx->winbindd_fd);
484 ctx->winbindd_fd = fd;
485 ctx->is_privileged = true;
488 SAFE_FREE(response.extra_data.data);
491 if (!ctx->is_privileged) {
495 return ctx->winbindd_fd;
498 #endif /* HAVE_UNIXSOCKET */
501 /* Write data to winbindd socket */
503 static int winbind_write_sock(struct winbindd_context *ctx, void *buffer,
504 int count, int recursing, int need_priv)
506 int fd, result, nwritten;
508 /* Open connection to winbind daemon */
512 fd = winbind_open_pipe_sock(ctx, recursing, need_priv);
518 /* Write data to socket */
522 while(nwritten < count) {
526 /* Catch pipe close on other end by checking if a read()
527 call would not block by calling poll(). */
530 pfd.events = POLLIN|POLLOUT|POLLHUP;
532 ret = poll(&pfd, 1, -1);
534 winbind_close_sock(ctx);
535 return -1; /* poll error */
538 /* Write should be OK if fd not available for reading */
540 if ((ret == 1) && (pfd.revents & (POLLIN|POLLHUP|POLLERR))) {
542 /* Pipe has closed on remote end */
544 winbind_close_sock(ctx);
550 result = write(fd, (char *)buffer + nwritten,
553 if ((result == -1) || (result == 0)) {
557 winbind_close_sock(ctx);
567 /* Read data from winbindd socket */
569 static int winbind_read_sock(struct winbindd_context *ctx,
570 void *buffer, int count)
576 fd = winbind_open_pipe_sock(ctx, false, false);
581 /* Read data from socket */
582 while(nread < count) {
586 /* Catch pipe close on other end by checking if a read()
587 call would not block by calling poll(). */
590 pfd.events = POLLIN|POLLHUP;
592 /* Wait for 5 seconds for a reply. May need to parameterise this... */
594 ret = poll(&pfd, 1, 5000);
596 winbind_close_sock(ctx);
597 return -1; /* poll error */
601 /* Not ready for read yet... */
602 if (total_time >= 300) {
604 winbind_close_sock(ctx);
611 if ((ret == 1) && (pfd.revents & (POLLIN|POLLHUP|POLLERR))) {
615 int result = read(fd, (char *)buffer + nread,
618 if ((result == -1) || (result == 0)) {
620 /* Read failed. I think the only useful thing we
621 can do here is just return -1 and fail since the
622 transaction has failed half way through. */
624 winbind_close_sock(ctx);
638 static int winbindd_read_reply(struct winbindd_context *ctx,
639 struct winbindd_response *response)
641 int result1, result2 = 0;
647 /* Read fixed length response */
649 result1 = winbind_read_sock(ctx, response,
650 sizeof(struct winbindd_response));
652 /* We actually send the pointer value of the extra_data field from
653 the server. This has no meaning in the client's address space
654 so we clear it out. */
656 response->extra_data.data = NULL;
662 if (response->length < sizeof(struct winbindd_response)) {
666 /* Read variable length response */
668 if (response->length > sizeof(struct winbindd_response)) {
669 int extra_data_len = response->length -
670 sizeof(struct winbindd_response);
672 /* Mallocate memory for extra data */
674 if (!(response->extra_data.data = malloc(extra_data_len))) {
678 result2 = winbind_read_sock(ctx, response->extra_data.data,
681 winbindd_free_response(response);
686 /* Return total amount of data read */
688 return result1 + result2;
692 * send simple types of requests
695 static NSS_STATUS winbindd_send_request(
696 struct winbindd_context *ctx,
699 struct winbindd_request *request)
701 struct winbindd_request lrequest;
703 /* Check for our tricky environment variable */
705 if (winbind_env_set()) {
706 return NSS_STATUS_NOTFOUND;
710 ZERO_STRUCT(lrequest);
714 /* Fill in request and send down pipe */
716 winbindd_init_request(request, req_type);
718 if (winbind_write_sock(ctx, request, sizeof(*request),
719 request->wb_flags & WBFLAG_RECURSE,
722 /* Set ENOENT for consistency. Required by some apps */
725 return NSS_STATUS_UNAVAIL;
728 if ((request->extra_len != 0) &&
729 (winbind_write_sock(ctx, request->extra_data.data,
731 request->wb_flags & WBFLAG_RECURSE,
734 /* Set ENOENT for consistency. Required by some apps */
737 return NSS_STATUS_UNAVAIL;
740 return NSS_STATUS_SUCCESS;
744 * Get results from winbindd request
747 static NSS_STATUS winbindd_get_response(struct winbindd_context *ctx,
748 struct winbindd_response *response)
750 struct winbindd_response lresponse;
753 ZERO_STRUCT(lresponse);
754 response = &lresponse;
757 init_response(response);
760 if (winbindd_read_reply(ctx, response) == -1) {
761 /* Set ENOENT for consistency. Required by some apps */
764 return NSS_STATUS_UNAVAIL;
767 /* Throw away extra data if client didn't request it */
768 if (response == &lresponse) {
769 winbindd_free_response(response);
772 /* Copy reply data from socket */
773 if (response->result != WINBINDD_OK) {
774 return NSS_STATUS_NOTFOUND;
777 return NSS_STATUS_SUCCESS;
780 /* Handle simple types of requests */
782 NSS_STATUS winbindd_request_response(struct winbindd_context *ctx,
784 struct winbindd_request *request,
785 struct winbindd_response *response)
787 NSS_STATUS status = NSS_STATUS_UNAVAIL;
788 bool release_global_ctx = false;
791 ctx = get_wb_global_ctx();
792 release_global_ctx = true;
795 status = winbindd_send_request(ctx, req_type, 0, request);
796 if (status != NSS_STATUS_SUCCESS) {
799 status = winbindd_get_response(ctx, response);
802 if (release_global_ctx) {
808 NSS_STATUS winbindd_priv_request_response(struct winbindd_context *ctx,
810 struct winbindd_request *request,
811 struct winbindd_response *response)
813 NSS_STATUS status = NSS_STATUS_UNAVAIL;
814 bool release_global_ctx = false;
817 ctx = get_wb_global_ctx();
818 release_global_ctx = true;
821 status = winbindd_send_request(ctx, req_type, 1, request);
822 if (status != NSS_STATUS_SUCCESS) {
825 status = winbindd_get_response(ctx, response);
828 if (release_global_ctx) {
834 /* Create and free winbindd context */
836 struct winbindd_context *winbindd_ctx_create(void)
838 struct winbindd_context *ctx;
840 ctx = calloc(1, sizeof(struct winbindd_context));
846 ctx->winbindd_fd = -1;
851 void winbindd_ctx_free(struct winbindd_context *ctx)
853 winbind_close_sock(ctx);