s4-auth: use TALLOC_FREE() shortcut
[Samba.git] / nsswitch / wb_common.c
blob42b341b8c1c60c19c3e204ed5286f1d3564f8344
1 /*
2 Unix SMB/CIFS implementation.
4 winbind client common code
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Andrew Tridgell 2000
8 Copyright (C) Andrew Bartlett 2002
9 Copyright (C) Matthew Newton 2015
12 This library is free software; you can redistribute it and/or
13 modify it under the terms of the GNU Lesser General Public
14 License as published by the Free Software Foundation; either
15 version 3 of the License, or (at your option) any later version.
17 This library is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 Library General Public License for more details.
22 You should have received a copy of the GNU Lesser General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "replace.h"
27 #include "system/select.h"
28 #include "winbind_client.h"
30 /* Global context */
32 struct winbindd_context {
33 int winbindd_fd; /* winbind file descriptor */
34 bool is_privileged; /* using the privileged socket? */
35 pid_t our_pid; /* calling process pid */
38 static struct winbindd_context wb_global_ctx = {
39 .winbindd_fd = -1,
40 .is_privileged = false,
41 .our_pid = 0
44 /* Free a response structure */
46 void winbindd_free_response(struct winbindd_response *response)
48 /* Free any allocated extra_data */
50 if (response)
51 SAFE_FREE(response->extra_data.data);
54 /* Initialise a request structure */
56 static void winbindd_init_request(struct winbindd_request *request,
57 int request_type)
59 request->length = sizeof(struct winbindd_request);
61 request->cmd = (enum winbindd_cmd)request_type;
62 request->pid = getpid();
66 /* Initialise a response structure */
68 static void init_response(struct winbindd_response *response)
70 /* Initialise return value */
72 response->result = WINBINDD_ERROR;
75 /* Close established socket */
77 static void winbind_close_sock(struct winbindd_context *ctx)
79 if (!ctx) {
80 return;
83 if (ctx->winbindd_fd != -1) {
84 close(ctx->winbindd_fd);
85 ctx->winbindd_fd = -1;
89 /* Destructor for global context to ensure fd is closed */
91 #if HAVE_DESTRUCTOR_ATTRIBUTE
92 __attribute__((destructor))
93 #endif
94 static void winbind_destructor(void)
96 winbind_close_sock(&wb_global_ctx);
99 #define CONNECT_TIMEOUT 30
101 /* Make sure socket handle isn't stdin, stdout or stderr */
102 #define RECURSION_LIMIT 3
104 static int make_nonstd_fd_internals(int fd, int limit /* Recursion limiter */)
106 int new_fd;
107 if (fd >= 0 && fd <= 2) {
108 #ifdef F_DUPFD
109 if ((new_fd = fcntl(fd, F_DUPFD, 3)) == -1) {
110 return -1;
112 /* Paranoia */
113 if (new_fd < 3) {
114 close(new_fd);
115 return -1;
117 close(fd);
118 return new_fd;
119 #else
120 if (limit <= 0)
121 return -1;
123 new_fd = dup(fd);
124 if (new_fd == -1)
125 return -1;
127 /* use the program stack to hold our list of FDs to close */
128 new_fd = make_nonstd_fd_internals(new_fd, limit - 1);
129 close(fd);
130 return new_fd;
131 #endif
133 return fd;
136 /****************************************************************************
137 Set a fd into blocking/nonblocking mode. Uses POSIX O_NONBLOCK if available,
138 else
139 if SYSV use O_NDELAY
140 if BSD use FNDELAY
141 Set close on exec also.
142 ****************************************************************************/
144 static int make_safe_fd(int fd)
146 int result, flags;
147 int new_fd = make_nonstd_fd_internals(fd, RECURSION_LIMIT);
148 if (new_fd == -1) {
149 close(fd);
150 return -1;
153 /* Socket should be nonblocking. */
154 #ifdef O_NONBLOCK
155 #define FLAG_TO_SET O_NONBLOCK
156 #else
157 #ifdef SYSV
158 #define FLAG_TO_SET O_NDELAY
159 #else /* BSD */
160 #define FLAG_TO_SET FNDELAY
161 #endif
162 #endif
164 if ((flags = fcntl(new_fd, F_GETFL)) == -1) {
165 close(new_fd);
166 return -1;
169 flags |= FLAG_TO_SET;
170 if (fcntl(new_fd, F_SETFL, flags) == -1) {
171 close(new_fd);
172 return -1;
175 #undef FLAG_TO_SET
177 /* Socket should be closed on exec() */
178 #ifdef FD_CLOEXEC
179 result = flags = fcntl(new_fd, F_GETFD, 0);
180 if (flags >= 0) {
181 flags |= FD_CLOEXEC;
182 result = fcntl( new_fd, F_SETFD, flags );
184 if (result < 0) {
185 close(new_fd);
186 return -1;
188 #endif
189 return new_fd;
193 * @internal
195 * @brief Check if we talk to the priviliged pipe which should be owned by root.
197 * This checks if we have uid_wrapper running and if this is the case it will
198 * allow one to connect to the winbind privileged pipe even it is not owned by root.
200 * @param[in] uid The uid to check if we can safely talk to the pipe.
202 * @return If we have access it returns true, else false.
204 static bool winbind_privileged_pipe_is_root(uid_t uid)
206 if (uid == 0) {
207 return true;
210 if (uid_wrapper_enabled()) {
211 return true;
214 return false;
217 /* Connect to winbindd socket */
219 static int winbind_named_pipe_sock(const char *dir)
221 struct sockaddr_un sunaddr;
222 struct stat st;
223 int fd;
224 int wait_time;
225 int slept;
226 int ret;
228 /* Check permissions on unix socket directory */
230 if (lstat(dir, &st) == -1) {
231 errno = ENOENT;
232 return -1;
236 * This tells us that the pipe is owned by a privileged
237 * process, as we will be sending passwords to it.
239 if (!S_ISDIR(st.st_mode) ||
240 !winbind_privileged_pipe_is_root(st.st_uid)) {
241 errno = ENOENT;
242 return -1;
245 /* Connect to socket */
247 sunaddr = (struct sockaddr_un) { .sun_family = AF_UNIX };
249 ret = snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path),
250 "%s/%s", dir, WINBINDD_SOCKET_NAME);
251 if ((ret == -1) || (ret >= sizeof(sunaddr.sun_path))) {
252 errno = ENAMETOOLONG;
253 return -1;
256 /* If socket file doesn't exist, don't bother trying to connect
257 with retry. This is an attempt to make the system usable when
258 the winbindd daemon is not running. */
260 if (lstat(sunaddr.sun_path, &st) == -1) {
261 errno = ENOENT;
262 return -1;
265 /* Check permissions on unix socket file */
268 * This tells us that the pipe is owned by a privileged
269 * process, as we will be sending passwords to it.
271 if (!S_ISSOCK(st.st_mode) ||
272 !winbind_privileged_pipe_is_root(st.st_uid)) {
273 errno = ENOENT;
274 return -1;
277 /* Connect to socket */
279 if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
280 return -1;
283 /* Set socket non-blocking and close on exec. */
285 if ((fd = make_safe_fd( fd)) == -1) {
286 return fd;
289 for (wait_time = 0; connect(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1;
290 wait_time += slept) {
291 struct pollfd pfd;
292 int connect_errno = 0;
293 socklen_t errnosize;
295 if (wait_time >= CONNECT_TIMEOUT)
296 goto error_out;
298 switch (errno) {
299 case EINPROGRESS:
300 pfd.fd = fd;
301 pfd.events = POLLOUT;
303 ret = poll(&pfd, 1, (CONNECT_TIMEOUT - wait_time) * 1000);
305 if (ret > 0) {
306 errnosize = sizeof(connect_errno);
308 ret = getsockopt(fd, SOL_SOCKET,
309 SO_ERROR, &connect_errno, &errnosize);
311 if (ret >= 0 && connect_errno == 0) {
312 /* Connect succeed */
313 goto out;
317 slept = CONNECT_TIMEOUT;
318 break;
319 case EAGAIN:
320 slept = rand() % 3 + 1;
321 sleep(slept);
322 break;
323 default:
324 goto error_out;
329 out:
331 return fd;
333 error_out:
335 close(fd);
336 return -1;
339 static const char *winbindd_socket_dir(void)
341 if (nss_wrapper_enabled()) {
342 const char *env_dir;
344 env_dir = getenv("SELFTEST_WINBINDD_SOCKET_DIR");
345 if (env_dir != NULL) {
346 return env_dir;
350 return WINBINDD_SOCKET_DIR;
353 /* Connect to winbindd socket */
355 static int winbind_open_pipe_sock(struct winbindd_context *ctx,
356 int recursing, int need_priv)
358 #ifdef HAVE_UNIXSOCKET
359 struct winbindd_request request;
360 struct winbindd_response response;
362 ZERO_STRUCT(request);
363 ZERO_STRUCT(response);
365 if (!ctx) {
366 return -1;
369 if (ctx->our_pid != getpid()) {
370 winbind_close_sock(ctx);
371 ctx->our_pid = getpid();
374 if ((need_priv != 0) && !ctx->is_privileged) {
375 winbind_close_sock(ctx);
378 if (ctx->winbindd_fd != -1) {
379 return ctx->winbindd_fd;
382 if (recursing) {
383 return -1;
386 ctx->winbindd_fd = winbind_named_pipe_sock(winbindd_socket_dir());
388 if (ctx->winbindd_fd == -1) {
389 return -1;
392 ctx->is_privileged = false;
394 /* version-check the socket */
396 request.wb_flags = WBFLAG_RECURSE;
397 if ((winbindd_request_response(ctx, WINBINDD_INTERFACE_VERSION, &request,
398 &response) != NSS_STATUS_SUCCESS) ||
399 (response.data.interface_version != WINBIND_INTERFACE_VERSION)) {
400 winbind_close_sock(ctx);
401 return -1;
404 if (need_priv == 0) {
405 return ctx->winbindd_fd;
408 /* try and get priv pipe */
410 request.wb_flags = WBFLAG_RECURSE;
412 /* Note that response needs to be initialized to avoid
413 * crashing on clean up after WINBINDD_PRIV_PIPE_DIR call failed
414 * as interface version (from the first request) returned as a fstring,
415 * thus response.extra_data.data will not be NULL even though
416 * winbindd response did not write over it due to a failure */
417 ZERO_STRUCT(response);
418 if (winbindd_request_response(ctx, WINBINDD_PRIV_PIPE_DIR, &request,
419 &response) == NSS_STATUS_SUCCESS) {
420 int fd;
421 fd = winbind_named_pipe_sock((char *)response.extra_data.data);
422 if (fd != -1) {
423 close(ctx->winbindd_fd);
424 ctx->winbindd_fd = fd;
425 ctx->is_privileged = true;
428 SAFE_FREE(response.extra_data.data);
431 if (!ctx->is_privileged) {
432 return -1;
435 return ctx->winbindd_fd;
436 #else
437 return -1;
438 #endif /* HAVE_UNIXSOCKET */
441 /* Write data to winbindd socket */
443 static int winbind_write_sock(struct winbindd_context *ctx, void *buffer,
444 int count, int recursing, int need_priv)
446 int fd, result, nwritten;
448 /* Open connection to winbind daemon */
450 restart:
452 fd = winbind_open_pipe_sock(ctx, recursing, need_priv);
453 if (fd == -1) {
454 errno = ENOENT;
455 return -1;
458 /* Write data to socket */
460 nwritten = 0;
462 while(nwritten < count) {
463 struct pollfd pfd;
464 int ret;
466 /* Catch pipe close on other end by checking if a read()
467 call would not block by calling poll(). */
469 pfd.fd = fd;
470 pfd.events = POLLIN|POLLOUT|POLLHUP;
472 ret = poll(&pfd, 1, -1);
473 if (ret == -1) {
474 winbind_close_sock(ctx);
475 return -1; /* poll error */
478 /* Write should be OK if fd not available for reading */
480 if ((ret == 1) && (pfd.revents & (POLLIN|POLLHUP|POLLERR))) {
482 /* Pipe has closed on remote end */
484 winbind_close_sock(ctx);
485 goto restart;
488 /* Do the write */
490 result = write(fd, (char *)buffer + nwritten,
491 count - nwritten);
493 if ((result == -1) || (result == 0)) {
495 /* Write failed */
497 winbind_close_sock(ctx);
498 return -1;
501 nwritten += result;
504 return nwritten;
507 /* Read data from winbindd socket */
509 static int winbind_read_sock(struct winbindd_context *ctx,
510 void *buffer, int count)
512 int fd;
513 int nread = 0;
514 int total_time = 0;
516 fd = winbind_open_pipe_sock(ctx, false, false);
517 if (fd == -1) {
518 return -1;
521 /* Read data from socket */
522 while(nread < count) {
523 struct pollfd pfd;
524 int ret;
526 /* Catch pipe close on other end by checking if a read()
527 call would not block by calling poll(). */
529 pfd.fd = fd;
530 pfd.events = POLLIN|POLLHUP;
532 /* Wait for 5 seconds for a reply. May need to parameterise this... */
534 ret = poll(&pfd, 1, 5000);
535 if (ret == -1) {
536 winbind_close_sock(ctx);
537 return -1; /* poll error */
540 if (ret == 0) {
541 /* Not ready for read yet... */
542 if (total_time >= 300) {
543 /* Timeout */
544 winbind_close_sock(ctx);
545 return -1;
547 total_time += 5;
548 continue;
551 if ((ret == 1) && (pfd.revents & (POLLIN|POLLHUP|POLLERR))) {
553 /* Do the Read */
555 int result = read(fd, (char *)buffer + nread,
556 count - nread);
558 if ((result == -1) || (result == 0)) {
560 /* Read failed. I think the only useful thing we
561 can do here is just return -1 and fail since the
562 transaction has failed half way through. */
564 winbind_close_sock(ctx);
565 return -1;
568 nread += result;
573 return nread;
576 /* Read reply */
578 static int winbindd_read_reply(struct winbindd_context *ctx,
579 struct winbindd_response *response)
581 int result1, result2 = 0;
583 if (!response) {
584 return -1;
587 /* Read fixed length response */
589 result1 = winbind_read_sock(ctx, response,
590 sizeof(struct winbindd_response));
592 /* We actually send the pointer value of the extra_data field from
593 the server. This has no meaning in the client's address space
594 so we clear it out. */
596 response->extra_data.data = NULL;
598 if (result1 == -1) {
599 return -1;
602 if (response->length < sizeof(struct winbindd_response)) {
603 return -1;
606 /* Read variable length response */
608 if (response->length > sizeof(struct winbindd_response)) {
609 int extra_data_len = response->length -
610 sizeof(struct winbindd_response);
612 /* Mallocate memory for extra data */
614 if (!(response->extra_data.data = malloc(extra_data_len))) {
615 return -1;
618 result2 = winbind_read_sock(ctx, response->extra_data.data,
619 extra_data_len);
620 if (result2 == -1) {
621 winbindd_free_response(response);
622 return -1;
626 /* Return total amount of data read */
628 return result1 + result2;
632 * send simple types of requests
635 static NSS_STATUS winbindd_send_request(
636 struct winbindd_context *ctx,
637 int req_type,
638 int need_priv,
639 struct winbindd_request *request)
641 struct winbindd_request lrequest;
643 /* Check for our tricky environment variable */
645 if (winbind_env_set()) {
646 return NSS_STATUS_NOTFOUND;
649 if (!request) {
650 ZERO_STRUCT(lrequest);
651 request = &lrequest;
654 /* Fill in request and send down pipe */
656 winbindd_init_request(request, req_type);
658 if (winbind_write_sock(ctx, request, sizeof(*request),
659 request->wb_flags & WBFLAG_RECURSE,
660 need_priv) == -1)
662 /* Set ENOENT for consistency. Required by some apps */
663 errno = ENOENT;
665 return NSS_STATUS_UNAVAIL;
668 if ((request->extra_len != 0) &&
669 (winbind_write_sock(ctx, request->extra_data.data,
670 request->extra_len,
671 request->wb_flags & WBFLAG_RECURSE,
672 need_priv) == -1))
674 /* Set ENOENT for consistency. Required by some apps */
675 errno = ENOENT;
677 return NSS_STATUS_UNAVAIL;
680 return NSS_STATUS_SUCCESS;
684 * Get results from winbindd request
687 static NSS_STATUS winbindd_get_response(struct winbindd_context *ctx,
688 struct winbindd_response *response)
690 struct winbindd_response lresponse;
692 if (!response) {
693 ZERO_STRUCT(lresponse);
694 response = &lresponse;
697 init_response(response);
699 /* Wait for reply */
700 if (winbindd_read_reply(ctx, response) == -1) {
701 /* Set ENOENT for consistency. Required by some apps */
702 errno = ENOENT;
704 return NSS_STATUS_UNAVAIL;
707 /* Throw away extra data if client didn't request it */
708 if (response == &lresponse) {
709 winbindd_free_response(response);
712 /* Copy reply data from socket */
713 if (response->result != WINBINDD_OK) {
714 return NSS_STATUS_NOTFOUND;
717 return NSS_STATUS_SUCCESS;
720 /* Handle simple types of requests */
722 NSS_STATUS winbindd_request_response(struct winbindd_context *ctx,
723 int req_type,
724 struct winbindd_request *request,
725 struct winbindd_response *response)
727 NSS_STATUS status = NSS_STATUS_UNAVAIL;
729 if (ctx == NULL) {
730 ctx = &wb_global_ctx;
733 status = winbindd_send_request(ctx, req_type, 0, request);
734 if (status != NSS_STATUS_SUCCESS)
735 return (status);
736 status = winbindd_get_response(ctx, response);
738 return status;
741 NSS_STATUS winbindd_priv_request_response(struct winbindd_context *ctx,
742 int req_type,
743 struct winbindd_request *request,
744 struct winbindd_response *response)
746 NSS_STATUS status = NSS_STATUS_UNAVAIL;
748 if (ctx == NULL) {
749 ctx = &wb_global_ctx;
752 status = winbindd_send_request(ctx, req_type, 1, request);
753 if (status != NSS_STATUS_SUCCESS)
754 return (status);
755 status = winbindd_get_response(ctx, response);
757 return status;
760 /* Create and free winbindd context */
762 struct winbindd_context *winbindd_ctx_create(void)
764 struct winbindd_context *ctx;
766 ctx = calloc(1, sizeof(struct winbindd_context));
768 if (!ctx) {
769 return NULL;
772 ctx->winbindd_fd = -1;
774 return ctx;
777 void winbindd_ctx_free(struct winbindd_context *ctx)
779 winbind_close_sock(ctx);
780 free(ctx);