search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libnet: Add NULL checks to py_net_finddc
[Samba.git] / source3 / winbindd / idmap_script.c
blob7b7f8844c36c7301ed0948225dc73268f6a72045
1 /*
2 Unix SMB/CIFS implementation.
3
4 idmap script backend, used for Samba setups where you need to map SIDs to
5 specific UIDs/GIDs.
6
7 Copyright (C) Richard Sharpe 2014.
8
9 This is heavily based upon idmap_tdb2.c, which is:
10
11 Copyright (C) Tim Potter 2000
12 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
13 Copyright (C) Jeremy Allison 2006
14 Copyright (C) Simo Sorce 2003-2006
15 Copyright (C) Michael Adam 2009-2010
16
17 This program is free software; you can redistribute it and/or modify
18 it under the terms of the GNU General Public License as published by
19 the Free Software Foundation; either version 2 of the License, or
20 (at your option) any later version.
21
22 This program is distributed in the hope that it will be useful,
23 but WITHOUT ANY WARRANTY; without even the implied warranty of
24 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 GNU General Public License for more details.
26
27 You should have received a copy of the GNU General Public License
28 along with this program; if not, write to the Free Software
29 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
30 */
31
32 #include "includes.h"
33 #include "system/filesys.h"
34 #include "winbindd.h"
35 #include "idmap.h"
36 #include "idmap_rw.h"
37 #include "../libcli/security/dom_sid.h"
38 #include "lib/util_file.h"
39 #include "lib/util/tevent_unix.h"
40
41 #undef DBGC_CLASS
42 #define DBGC_CLASS DBGC_IDMAP
43
44 struct idmap_script_context {
45 const char *script; /* script to provide idmaps */
46 };
47
48 /*
49 run a script to perform a mapping
50
51 The script should accept the following command lines:
52
53 SIDTOID S-1-xxxx -> XID:<id> | ERR:<str>
54 SIDTOID S-1-xxxx -> UID:<id> | ERR:<str>
55 SIDTOID S-1-xxxx -> GID:<id> | ERR:<str>
56 IDTOSID XID xxxx -> SID:<sid> | ERR:<str>
57 IDTOSID UID xxxx -> SID:<sid> | ERR:<str>
58 IDTOSID GID xxxx -> SID:<sid> | ERR:<str>
59
60 where XID means both a UID and a GID. This is the case for ID_TYPE_BOTH.
61
62 TODO: Needs more validation ... like that we got a UID when we asked for one.
63 */
64
65 struct idmap_script_xid2sid_state {
66 const char *syscmd;
67 size_t idx;
68 uint8_t *out;
69 };
70
71 static void idmap_script_xid2sid_done(struct tevent_req *subreq);
72
73 static struct tevent_req *idmap_script_xid2sid_send(
74 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
75 struct unixid xid, const char *script, size_t idx)
76 {
77 struct tevent_req *req, *subreq;
78 struct idmap_script_xid2sid_state *state;
79 char key;
80
81 req = tevent_req_create(mem_ctx, &state,
82 struct idmap_script_xid2sid_state);
83 if (req == NULL) {
84 return NULL;
85 }
86 state->idx = idx;
87
88 switch (xid.type) {
89 case ID_TYPE_UID:
90 key = 'U';
91 break;
92 case ID_TYPE_GID:
93 key = 'G';
94 break;
95 case ID_TYPE_BOTH:
96 key = 'X';
97 break;
98 default:
99 DBG_WARNING("INVALID unix ID type: 0x02%x\n", xid.type);
100 tevent_req_error(req, EINVAL);
101 return tevent_req_post(req, ev);
102 }
103
104 state->syscmd = talloc_asprintf(state, "%s IDTOSID %cID %lu", script, key,
105 (unsigned long)xid.id);
106 if (tevent_req_nomem(state->syscmd, req)) {
107 return tevent_req_post(req, ev);
108 }
109
110 subreq = file_pload_send(state, ev, state->syscmd, 1024);
111 if (tevent_req_nomem(subreq, req)) {
112 return tevent_req_post(req, ev);
113 }
114 tevent_req_set_callback(subreq, idmap_script_xid2sid_done, req);
115 return req;
116 }
117
118 static void idmap_script_xid2sid_done(struct tevent_req *subreq)
119 {
120 struct tevent_req *req = tevent_req_callback_data(
121 subreq, struct tevent_req);
122 struct idmap_script_xid2sid_state *state = tevent_req_data(
123 req, struct idmap_script_xid2sid_state);
124 int ret;
125
126 ret = file_pload_recv(subreq, state, &state->out);
127 TALLOC_FREE(subreq);
128 if (tevent_req_error(req, ret)) {
129 return;
130 }
131 tevent_req_done(req);
132 }
133
134 static int idmap_script_xid2sid_recv(struct tevent_req *req, size_t *idx,
135 enum id_mapping *status,
136 struct dom_sid *sid)
137 {
138 struct idmap_script_xid2sid_state *state = tevent_req_data(
139 req, struct idmap_script_xid2sid_state);
140 char *out = (char *)state->out;
141 size_t out_size = talloc_get_size(out);
142 int err;
143
144 if (tevent_req_is_unix_error(req, &err)) {
145 return err;
146 }
147
148 if (out_size == 0) {
149 goto unmapped;
150 }
151 if (state->out[out_size-1] != '\0') {
152 goto unmapped;
153 }
154
155 *idx = state->idx;
156
157 if ((strncmp(out, "SID:S-", 6) != 0) ||
158 !dom_sid_parse(out+4, sid)) {
159 DBG_WARNING("Bad sid from script: %s\n", out);
160 goto unmapped;
161 }
162
163 *status = ID_MAPPED;
164 return 0;
165
166 unmapped:
167 *sid = (struct dom_sid) {0};
168 *status = ID_UNMAPPED;
169 return 0;
170 }
171
172 struct idmap_script_xids2sids_state {
173 struct id_map **ids;
174 size_t num_ids;
175 size_t num_done;
176 };
177
178 static void idmap_script_xids2sids_done(struct tevent_req *subreq);
179
180 static struct tevent_req *idmap_script_xids2sids_send(
181 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
182 struct id_map **ids, size_t num_ids, const char *script)
183 {
184 struct tevent_req *req;
185 struct idmap_script_xids2sids_state *state;
186 size_t i;
187
188 req = tevent_req_create(mem_ctx, &state,
189 struct idmap_script_xids2sids_state);
190 if (req == NULL) {
191 return NULL;
192 }
193 state->ids = ids;
194 state->num_ids = num_ids;
195
196 if (state->num_ids == 0) {
197 tevent_req_done(req);
198 return tevent_req_post(req, ev);
199 }
200
201 for (i=0; i<num_ids; i++) {
202 struct tevent_req *subreq;
203
204 subreq = idmap_script_xid2sid_send(
205 state, ev, ids[i]->xid, script, i);
206 if (tevent_req_nomem(subreq, req)) {
207 return tevent_req_post(req, ev);
208 }
209 tevent_req_set_callback(subreq, idmap_script_xids2sids_done,
210 req);
211 }
212
213 return req;
214 }
215
216 static void idmap_script_xids2sids_done(struct tevent_req *subreq)
217 {
218 struct tevent_req *req = tevent_req_callback_data(
219 subreq, struct tevent_req);
220 struct idmap_script_xids2sids_state *state = tevent_req_data(
221 req, struct idmap_script_xids2sids_state);
222 size_t idx = 0;
223 enum id_mapping status = ID_UNKNOWN;
224 struct dom_sid sid = {0};
225 int ret;
226
227 ret = idmap_script_xid2sid_recv(subreq, &idx, &status, &sid);
228 TALLOC_FREE(subreq);
229 if (tevent_req_error(req, ret)) {
230 return;
231 }
232
233 if (idx >= state->num_ids) {
234 tevent_req_error(req, EINVAL);
235 return;
236 }
237
238 state->ids[idx]->status = status;
239
240 state->ids[idx]->sid = dom_sid_dup(state->ids, &sid);
241 if (tevent_req_nomem(state->ids[idx]->sid, req)) {
242 return;
243 }
244
245 state->num_done += 1;
246
247 if (state->num_done >= state->num_ids) {
248 tevent_req_done(req);
249 }
250 }
251
252 static int idmap_script_xids2sids_recv(struct tevent_req *req)
253 {
254 return tevent_req_simple_recv_unix(req);
255 }
256
257 static int idmap_script_xids2sids(struct id_map **ids, size_t num_ids,
258 const char *script)
259 {
260 TALLOC_CTX *frame = talloc_stackframe();
261 struct tevent_context *ev;
262 struct tevent_req *req;
263 int ret = ENOMEM;
264
265 ev = samba_tevent_context_init(frame);
266 if (ev == NULL) {
267 goto fail;
268 }
269 req = idmap_script_xids2sids_send(frame, ev, ids, num_ids, script);
270 if (req == NULL) {
271 goto fail;
272 }
273 if (!tevent_req_poll(req, ev)) {
274 ret = errno;
275 goto fail;
276 }
277 ret = idmap_script_xids2sids_recv(req);
278 fail:
279 TALLOC_FREE(frame);
280 return ret;
281 }
282
283 static NTSTATUS idmap_script_unixids_to_sids(struct idmap_domain *dom,
284 struct id_map **ids)
285 {
286 struct idmap_script_context *ctx = talloc_get_type_abort(
287 dom->private_data, struct idmap_script_context);
288 int ret;
289 size_t i, num_ids, num_mapped;
290
291 DEBUG(10, ("%s called ...\n", __func__));
292 /* Init status to avoid surprise ... */
293 for (i = 0; ids[i]; i++) {
294 ids[i]->status = ID_UNKNOWN;
295 }
296 num_ids = i;
297
298 ret = idmap_script_xids2sids(ids, num_ids, ctx->script);
299 if (ret != 0) {
300 DBG_DEBUG("idmap_script_xids2sids returned %s\n",
301 strerror(ret));
302 return map_nt_error_from_unix(ret);
303 }
304
305 num_mapped = 0;
306
307 for (i = 0; ids[i]; i++) {
308 if (ids[i]->status == ID_MAPPED) {
309 num_mapped += 1;
310 }
311 }
312
313 if (num_mapped == 0) {
314 return NT_STATUS_NONE_MAPPED;
315 }
316 if (num_mapped < num_ids) {
317 return STATUS_SOME_UNMAPPED;
318 }
319 return NT_STATUS_OK;
320 }
321
322 struct idmap_script_sid2xid_state {
323 const char *syscmd;
324 size_t idx;
325 uint8_t *out;
326 };
327
328 static void idmap_script_sid2xid_done(struct tevent_req *subreq);
329
330 static struct tevent_req *idmap_script_sid2xid_send(
331 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
332 const struct dom_sid *sid, const char *script, size_t idx)
333 {
334 struct tevent_req *req, *subreq;
335 struct idmap_script_sid2xid_state *state;
336 char sidbuf[DOM_SID_STR_BUFLEN];
337
338 req = tevent_req_create(mem_ctx, &state,
339 struct idmap_script_sid2xid_state);
340 if (req == NULL) {
341 return NULL;
342 }
343 state->idx = idx;
344
345 dom_sid_string_buf(sid, sidbuf, sizeof(sidbuf));
346
347 state->syscmd = talloc_asprintf(state, "%s SIDTOID %s",
348 script, sidbuf);
349 if (tevent_req_nomem(state->syscmd, req)) {
350 return tevent_req_post(req, ev);
351 }
352
353 subreq = file_pload_send(state, ev, state->syscmd, 1024);
354 if (tevent_req_nomem(subreq, req)) {
355 return tevent_req_post(req, ev);
356 }
357 tevent_req_set_callback(subreq, idmap_script_sid2xid_done, req);
358 return req;
359 }
360
361 static void idmap_script_sid2xid_done(struct tevent_req *subreq)
362 {
363 struct tevent_req *req = tevent_req_callback_data(
364 subreq, struct tevent_req);
365 struct idmap_script_sid2xid_state *state = tevent_req_data(
366 req, struct idmap_script_sid2xid_state);
367 int ret;
368
369 ret = file_pload_recv(subreq, state, &state->out);
370 TALLOC_FREE(subreq);
371 if (tevent_req_error(req, ret)) {
372 return;
373 }
374 tevent_req_done(req);
375 }
376
377 static int idmap_script_sid2xid_recv(struct tevent_req *req,
378 size_t *idx, enum id_mapping *status,
379 struct unixid *xid)
380 {
381 struct idmap_script_sid2xid_state *state = tevent_req_data(
382 req, struct idmap_script_sid2xid_state);
383 char *out = (char *)state->out;
384 size_t out_size = talloc_get_size(out);
385 unsigned long v;
386 int err;
387
388 if (tevent_req_is_unix_error(req, &err)) {
389 return err;
390 }
391
392 if (out_size == 0) {
393 goto unmapped;
394 }
395 if (state->out[out_size-1] != '\0') {
396 goto unmapped;
397 }
398
399 *idx = state->idx;
400
401 if (sscanf(out, "XID:%lu\n", &v) == 1) {
402 *xid = (struct unixid) { .id = v, .type = ID_TYPE_BOTH };
403 } else if (sscanf(out, "UID:%lu\n", &v) == 1) {
404 *xid = (struct unixid) { .id = v, .type = ID_TYPE_UID };
405 } else if (sscanf(out, "GID:%lu\n", &v) == 1) {
406 *xid = (struct unixid) { .id = v, .type = ID_TYPE_GID };
407 } else {
408 goto unmapped;
409 }
410
411 *status = ID_MAPPED;
412 return 0;
413
414 unmapped:
415 *xid = (struct unixid) { .id = UINT32_MAX,
416 .type = ID_TYPE_NOT_SPECIFIED };
417 *status = ID_UNMAPPED;
418 return 0;
419 }
420
421 struct idmap_script_sids2xids_state {
422 struct id_map **ids;
423 size_t num_ids;
424 size_t num_done;
425 };
426
427 static void idmap_script_sids2xids_done(struct tevent_req *subreq);
428
429 static struct tevent_req *idmap_script_sids2xids_send(
430 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
431 struct id_map **ids, size_t num_ids, const char *script)
432 {
433 struct tevent_req *req;
434 struct idmap_script_sids2xids_state *state;
435 size_t i;
436
437 req = tevent_req_create(mem_ctx, &state,
438 struct idmap_script_sids2xids_state);
439 if (req == NULL) {
440 return NULL;
441 }
442 state->ids = ids;
443 state->num_ids = num_ids;
444
445 if (state->num_ids == 0) {
446 tevent_req_done(req);
447 return tevent_req_post(req, ev);
448 }
449
450 for (i=0; i<num_ids; i++) {
451 struct tevent_req *subreq;
452
453 subreq = idmap_script_sid2xid_send(
454 state, ev, ids[i]->sid, script, i);
455 if (tevent_req_nomem(subreq, req)) {
456 return tevent_req_post(req, ev);
457 }
458 tevent_req_set_callback(subreq, idmap_script_sids2xids_done,
459 req);
460 }
461
462 return req;
463 }
464
465 static void idmap_script_sids2xids_done(struct tevent_req *subreq)
466 {
467 struct tevent_req *req = tevent_req_callback_data(
468 subreq, struct tevent_req);
469 struct idmap_script_sids2xids_state *state = tevent_req_data(
470 req, struct idmap_script_sids2xids_state);
471 size_t idx = 0;
472 enum id_mapping status = ID_UNKNOWN;
473 struct unixid xid = { .id = UINT32_MAX,
474 .type = ID_TYPE_NOT_SPECIFIED };
475 int ret;
476
477 ret = idmap_script_sid2xid_recv(subreq, &idx, &status, &xid);
478 TALLOC_FREE(subreq);
479 if (tevent_req_error(req, ret)) {
480 return;
481 }
482
483 if (idx >= state->num_ids) {
484 tevent_req_error(req, EINVAL);
485 return;
486 }
487
488 state->ids[idx]->status = status;
489 state->ids[idx]->xid = xid;
490
491 state->num_done += 1;
492
493 if (state->num_done >= state->num_ids) {
494 tevent_req_done(req);
495 }
496 }
497
498 static int idmap_script_sids2xids_recv(struct tevent_req *req)
499 {
500 return tevent_req_simple_recv_unix(req);
501 }
502
503 static int idmap_script_sids2xids(struct id_map **ids, size_t num_ids,
504 const char *script)
505 {
506 TALLOC_CTX *frame = talloc_stackframe();
507 struct tevent_context *ev;
508 struct tevent_req *req;
509 int ret = ENOMEM;
510
511 ev = samba_tevent_context_init(frame);
512 if (ev == NULL) {
513 goto fail;
514 }
515 req = idmap_script_sids2xids_send(frame, ev, ids, num_ids, script);
516 if (req == NULL) {
517 goto fail;
518 }
519 if (!tevent_req_poll(req, ev)) {
520 ret = errno;
521 goto fail;
522 }
523 ret = idmap_script_sids2xids_recv(req);
524 fail:
525 TALLOC_FREE(frame);
526 return ret;
527 }
528
529 static NTSTATUS idmap_script_sids_to_unixids(struct idmap_domain *dom,
530 struct id_map **ids)
531 {
532 struct idmap_script_context *ctx = talloc_get_type_abort(
533 dom->private_data, struct idmap_script_context);
534 int ret;
535 size_t i, num_ids, num_mapped;
536
537 DEBUG(10, ("%s called ...\n", __func__));
538 /* Init status to avoid surprise ... */
539 for (i = 0; ids[i]; i++) {
540 ids[i]->status = ID_UNKNOWN;
541 }
542 num_ids = i;
543
544 ret = idmap_script_sids2xids(ids, num_ids, ctx->script);
545 if (ret != 0) {
546 DBG_DEBUG("idmap_script_sids2xids returned %s\n",
547 strerror(ret));
548 return map_nt_error_from_unix(ret);
549 }
550
551 num_mapped = 0;
552
553 for (i=0; i<num_ids; i++) {
554 struct id_map *map = ids[i];
555
556 if ((map->status == ID_MAPPED) &&
557 !idmap_unix_id_is_in_range(map->xid.id, dom)) {
558 DBG_INFO("Script returned id (%u) out of range "
559 "(%u - %u). Filtered!\n",
560 map->xid.id, dom->low_id, dom->high_id);
561 map->status = ID_UNMAPPED;
562 }
563
564 if (map->status == ID_MAPPED) {
565 num_mapped += 1;
566 }
567 }
568
569 if (num_mapped == 0) {
570 return NT_STATUS_NONE_MAPPED;
571 }
572 if (num_mapped < num_ids) {
573 return STATUS_SOME_UNMAPPED;
574 }
575 return NT_STATUS_OK;
576 }
577
578 /*
579 * Initialise idmap_script database.
580 */
581 static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
582 {
583 NTSTATUS ret;
584 struct idmap_script_context *ctx;
585 const char * idmap_script = NULL;
586
587 DEBUG(10, ("%s called ...\n", __func__));
588
589 ctx = talloc_zero(dom, struct idmap_script_context);
590 if (!ctx) {
591 DEBUG(0, ("Out of memory!\n"));
592 ret = NT_STATUS_NO_MEMORY;
593 goto failed;
594 }
595
596 ctx->script = idmap_config_const_string(dom->name, "script", NULL);
597
598 /* Do we even need to handle this? */
599 idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
600 if (idmap_script != NULL) {
601 DEBUG(0, ("Warning: 'idmap:script' is deprecated. "
602 " Please use 'idmap config * : script' instead!\n"));
603 }
604
605 if (strequal(dom->name, "*") && ctx->script == NULL) {
606 /* fall back to idmap:script for backwards compatibility */
607 ctx->script = idmap_script;
608 }
609
610 if (ctx->script) {
611 DEBUG(1, ("using idmap script '%s'\n", ctx->script));
612 }
613
614 dom->private_data = ctx;
615 dom->read_only = true; /* We do not allocate!*/
616
617 return NT_STATUS_OK;
618
619 failed:
620 talloc_free(ctx);
621 return ret;
622 }
623
624 static struct idmap_methods db_methods = {
625 .init = idmap_script_db_init,
626 .unixids_to_sids = idmap_script_unixids_to_sids,
627 .sids_to_unixids = idmap_script_sids_to_unixids,
628 };
629
630 static_decl_idmap;
631 NTSTATUS idmap_script_init(TALLOC_CTX *ctx)
632 {
633 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "script", &db_methods);
634 }
Samba GIT mirror