cifs.upcall: clean up logging and add debug messages
[sfrench/samba-autobuild/.git] / client / cifs.upcall.c
index 4110de35fde43dacc0eaa6300bd08922fb90223a..da6b1b8d430ee1ad22725a8c22d4f9010165e5d8 100644 (file)
@@ -1,6 +1,7 @@
 /*
 * CIFS user-space helper.
 * Copyright (C) Igor Mammedov (niallain@gmail.com) 2007
+* Copyright (C) Jeff Layton (jlayton@redhat.com) 2009
 *
 * Used by /sbin/request-key for handling
 * cifs upcall for kerberos authorization of access to share and
@@ -37,6 +38,62 @@ typedef enum _secType {
        MS_KRB5
 } secType_t;
 
+/*
+ * given a process ID, get the value of the KRB5CCNAME environment variable
+ * in the context of that process. On error, just return NULL.
+ */
+static char *
+get_krb5_ccname(pid_t pid)
+{
+       int fd;
+       ssize_t len, left;
+
+       /*
+        * FIXME: sysconf for ARG_MAX instead? Kernel seems to be limited to a
+        * page however, so it may not matter.
+        */
+       char buf[4096];
+       char *p, *value = NULL;
+       
+       buf[4095] = '\0';
+       snprintf(buf, 4095, "/proc/%d/environ", pid);
+       fd = open(buf, O_RDONLY);
+       if (fd < 0) {
+               syslog(LOG_DEBUG, "%s: unable to open %s: %d", __func__, buf,
+                       errno);
+               return NULL;
+       }
+
+       /* FIXME: don't assume that we get it all in the first read? */
+       len = read(fd, buf, 4096);
+       close(fd);
+       if (len < 0) {
+               syslog(LOG_DEBUG, "%s: unable to read from /proc/%d/environ: "
+                                 "%d", __func__, pid, errno);
+               return NULL;
+       }
+
+       left = len;
+       p = buf;
+
+       /* can't have valid KRB5CCNAME if there are < 13 bytes left */
+       while (left > 12) {
+               if (strncmp("KRB5CCNAME=", p, 11)) {
+                       p += strnlen(p, left);
+                       ++p;
+                       left = buf + len - p;
+                       continue;
+               }
+               p += 11;
+               left -= 11;
+               value = SMB_STRNDUP(p, left);
+               break;
+       }
+       syslog(LOG_DEBUG, "%s: KRB5CCNAME=%s", __func__,
+                               value ? value : "(null)");
+       return value;
+}
+
 /*
  * Prepares AP-REQ data for mechToken and gets session key
  * Uses credentials from cache. It will not ask for password
@@ -58,18 +115,26 @@ typedef enum _secType {
  * ret: 0 - success, others - failure
 */
 static int
-handle_krb5_mech(const char *oid, const char *principal,
-                    DATA_BLOB * secblob, DATA_BLOB * sess_key)
+handle_krb5_mech(const char *oid, const char *principal, DATA_BLOB *secblob,
+                DATA_BLOB *sess_key, const char *ccname)
 {
        int retval;
        DATA_BLOB tkt, tkt_wrapped;
 
+       syslog(LOG_DEBUG, "%s: getting service ticket for %s", __func__,
+                         principal);
+
        /* get a kerberos ticket for the service and extract the session key */
-       retval = cli_krb5_get_ticket(principal, 0,
-                                    &tkt, sess_key, 0, NULL, NULL);
+       retval = cli_krb5_get_ticket(principal, 0, &tkt, sess_key, 0, ccname,
+                                    NULL);
 
-       if (retval)
+       if (retval) {
+               syslog(LOG_DEBUG, "%s: failed to obtain service ticket (%d)",
+                                 __func__, retval);
                return retval;
+       }
+
+       syslog(LOG_DEBUG, "%s: obtained service ticket", __func__);
 
        /* wrap that up in a nice GSS-API wrapping */
        tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
@@ -82,17 +147,18 @@ handle_krb5_mech(const char *oid, const char *principal,
        return retval;
 }
 
-#define DKD_HAVE_HOSTNAME      1
-#define DKD_HAVE_VERSION       2
-#define DKD_HAVE_SEC           4
-#define DKD_HAVE_IPV4          8
-#define DKD_HAVE_IPV6          16
-#define DKD_HAVE_UID           32
+#define DKD_HAVE_HOSTNAME      0x1
+#define DKD_HAVE_VERSION       0x2
+#define DKD_HAVE_SEC           0x4
+#define DKD_HAVE_IPV4          0x8
+#define DKD_HAVE_IPV6          0x10
+#define DKD_HAVE_UID           0x20
+#define DKD_HAVE_PID           0x40
 #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
 
 static int
-decode_key_description(const char *desc, int *ver, secType_t * sec,
-                          char **hostname, uid_t * uid)
+decode_key_description(const char *desc, int *ver, secType_t *sec,
+                          char **hostname, uid_t *uid, pid_t *pid)
 {
        int retval = 0;
        char *pos;
@@ -117,6 +183,16 @@ decode_key_description(const char *desc, int *ver, secType_t * sec,
                        /* BB: do we need it if we have hostname already? */
                } else if (strncmp(tkn, "ipv6=", 5) == 0) {
                        /* BB: do we need it if we have hostname already? */
+               } else if (strncmp(tkn, "pid=", 4) == 0) {
+                       errno = 0;
+                       *pid = strtol(tkn + 4, NULL, 0);
+                       if (errno != 0) {
+                               syslog(LOG_ERR, "Invalid pid format: %s",
+                                      strerror(errno));
+                               return 1;
+                       } else {
+                               retval |= DKD_HAVE_PID;
+                       }
                } else if (strncmp(tkn, "sec=", 4) == 0) {
                        if (strncmp(tkn + 4, "krb5", 4) == 0) {
                                retval |= DKD_HAVE_SEC;
@@ -129,7 +205,7 @@ decode_key_description(const char *desc, int *ver, secType_t * sec,
                        errno = 0;
                        *uid = strtol(tkn + 4, NULL, 16);
                        if (errno != 0) {
-                               syslog(LOG_WARNING, "Invalid uid format: %s",
+                               syslog(LOG_ERR, "Invalid uid format: %s",
                                       strerror(errno));
                                return 1;
                        } else {
@@ -139,8 +215,7 @@ decode_key_description(const char *desc, int *ver, secType_t * sec,
                        errno = 0;
                        *ver = strtol(tkn + 4, NULL, 16);
                        if (errno != 0) {
-                               syslog(LOG_WARNING,
-                                      "Invalid version format: %s",
+                               syslog(LOG_ERR, "Invalid version format: %s",
                                       strerror(errno));
                                return 1;
                        } else {
@@ -166,7 +241,7 @@ cifs_resolver(const key_serial_t key, const char *key_descr)
        for (c = 1; c <= 4; c++) {
                keyend = index(keyend+1, ';');
                if (!keyend) {
-                       syslog(LOG_WARNING, "invalid key description: %s",
+                       syslog(LOG_ERR, "invalid key description: %s",
                                        key_descr);
                        return 1;
                }
@@ -176,7 +251,7 @@ cifs_resolver(const key_serial_t key, const char *key_descr)
        /* resolve name to ip */
        c = getaddrinfo(keyend, NULL, NULL, &addr);
        if (c) {
-               syslog(LOG_WARNING, "unable to resolve hostname: %s [%s]",
+               syslog(LOG_ERR, "unable to resolve hostname: %s [%s]",
                                keyend, gai_strerror(c));
                return 1;
        }
@@ -188,8 +263,7 @@ cifs_resolver(const key_serial_t key, const char *key_descr)
                p = &(((struct sockaddr_in6 *)addr->ai_addr)->sin6_addr);
        }
        if (!inet_ntop(addr->ai_family, p, ip, sizeof(ip))) {
-               syslog(LOG_WARNING, "%s: inet_ntop: %s",
-                               __FUNCTION__, strerror(errno));
+               syslog(LOG_ERR, "%s: inet_ntop: %s", __func__, strerror(errno));
                freeaddrinfo(addr);
                return 1;
        }
@@ -197,8 +271,8 @@ cifs_resolver(const key_serial_t key, const char *key_descr)
        /* setup key */
        c = keyctl_instantiate(key, ip, strlen(ip)+1, 0);
        if (c == -1) {
-               syslog(LOG_WARNING, "%s: keyctl_instantiate: %s",
-                               __FUNCTION__, strerror(errno));
+               syslog(LOG_ERR, "%s: keyctl_instantiate: %s", __func__,
+                               strerror(errno));
                freeaddrinfo(addr);
                return 1;
        }
@@ -210,7 +284,7 @@ cifs_resolver(const key_serial_t key, const char *key_descr)
 static void
 usage(void)
 {
-       syslog(LOG_WARNING, "Usage: %s [-c] [-v] key_serial", prog);
+       syslog(LOG_INFO, "Usage: %s [-c] [-v] key_serial", prog);
        fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog);
 }
 
@@ -224,9 +298,10 @@ int main(const int argc, char *const argv[])
        size_t datalen;
        long rc = 1;
        uid_t uid = 0;
+       pid_t pid = 0;
        int kernel_upcall_version = 0;
        int c, use_cifs_service_prefix = 0;
-       char *buf, *hostname = NULL;
+       char *buf, *ccname = NULL, *hostname = NULL;
        const char *oid;
 
        openlog(prog, 0, LOG_DAEMON);
@@ -242,7 +317,7 @@ int main(const int argc, char *const argv[])
                        goto out;
                        }
                default:{
-                       syslog(LOG_WARNING, "unknown option: %c", c);
+                       syslog(LOG_ERR, "unknown option: %c", c);
                        goto out;
                        }
                }
@@ -259,18 +334,20 @@ int main(const int argc, char *const argv[])
        key = strtol(argv[optind], NULL, 10);
        if (errno != 0) {
                key = 0;
-               syslog(LOG_WARNING, "Invalid key format: %s", strerror(errno));
+               syslog(LOG_ERR, "Invalid key format: %s", strerror(errno));
                goto out;
        }
 
        rc = keyctl_describe_alloc(key, &buf);
        if (rc == -1) {
-               syslog(LOG_WARNING, "keyctl_describe_alloc failed: %s",
+               syslog(LOG_ERR, "keyctl_describe_alloc failed: %s",
                       strerror(errno));
                rc = 1;
                goto out;
        }
 
+       syslog(LOG_DEBUG, "key description: %s", buf);
+
        if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver")-1) == 0) ||
            (strncmp(buf, "dns_resolver", sizeof("dns_resolver")-1) == 0)) {
                rc = cifs_resolver(key, buf);
@@ -278,10 +355,10 @@ int main(const int argc, char *const argv[])
        }
 
        rc = decode_key_description(buf, &kernel_upcall_version, &sectype,
-                                   &hostname, &uid);
+                                   &hostname, &uid, &pid);
        if ((rc & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
-               syslog(LOG_WARNING,
-                      "unable to get from description necessary params");
+               syslog(LOG_ERR, "unable to get necessary params from key "
+                               "description (0x%x)", rc);
                rc = 1;
                SAFE_FREE(buf);
                goto out;
@@ -289,24 +366,23 @@ int main(const int argc, char *const argv[])
        SAFE_FREE(buf);
 
        if (kernel_upcall_version > CIFS_SPNEGO_UPCALL_VERSION) {
-               syslog(LOG_WARNING,
-                      "incompatible kernel upcall version: 0x%x",
-                      kernel_upcall_version);
+               syslog(LOG_ERR, "incompatible kernel upcall version: 0x%x",
+                               kernel_upcall_version);
                rc = 1;
                goto out;
        }
 
+       if (rc & DKD_HAVE_PID)
+               ccname = get_krb5_ccname(pid);
+
        if (rc & DKD_HAVE_UID) {
                rc = setuid(uid);
                if (rc == -1) {
-                       syslog(LOG_WARNING, "setuid: %s", strerror(errno));
+                       syslog(LOG_ERR, "setuid: %s", strerror(errno));
                        goto out;
                }
        }
 
-       /* BB: someday upcall SPNEGO blob could be checked here to decide
-        * what mech to use */
-
        // do mech specific authorization
        switch (sectype) {
        case MS_KRB5:
@@ -333,12 +409,13 @@ int main(const int argc, char *const argv[])
                        else
                                oid = OID_KERBEROS5;
 
-                       rc = handle_krb5_mech(oid, princ, &secblob, &sess_key);
+                       rc = handle_krb5_mech(oid, princ, &secblob, &sess_key,
+                                             ccname);
                        SAFE_FREE(princ);
                        break;
                }
        default:{
-                       syslog(LOG_WARNING, "sectype: %d is not implemented",
+                       syslog(LOG_ERR, "sectype: %d is not implemented",
                               sectype);
                        rc = 1;
                        break;
@@ -368,7 +445,7 @@ int main(const int argc, char *const argv[])
        /* setup key */
        rc = keyctl_instantiate(key, keydata, datalen, 0);
        if (rc == -1) {
-               syslog(LOG_WARNING, "keyctl_instantiate: %s", strerror(errno));
+               syslog(LOG_ERR, "keyctl_instantiate: %s", strerror(errno));
                goto out;
        }
 
@@ -385,6 +462,7 @@ out:
                keyctl_negate(key, 1, KEY_REQKEY_DEFL_DEFAULT);
        data_blob_free(&secblob);
        data_blob_free(&sess_key);
+       SAFE_FREE(ccname);
        SAFE_FREE(hostname);
        SAFE_FREE(keydata);
        return rc;