search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gpo: Add CSE for applying smb.conf
[Samba.git] / source3 / winbindd / idmap_script.c
blobf382f896b351eea5da661ac25255df4b7c2ec643
1 /*
2 Unix SMB/CIFS implementation.
3
4 idmap script backend, used for Samba setups where you need to map SIDs to
5 specific UIDs/GIDs.
6
7 Copyright (C) Richard Sharpe 2014.
8
9 This is heavily based upon idmap_tdb2.c, which is:
10
11 Copyright (C) Tim Potter 2000
12 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
13 Copyright (C) Jeremy Allison 2006
14 Copyright (C) Simo Sorce 2003-2006
15 Copyright (C) Michael Adam 2009-2010
16
17 This program is free software; you can redistribute it and/or modify
18 it under the terms of the GNU General Public License as published by
19 the Free Software Foundation; either version 2 of the License, or
20 (at your option) any later version.
21
22 This program is distributed in the hope that it will be useful,
23 but WITHOUT ANY WARRANTY; without even the implied warranty of
24 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 GNU General Public License for more details.
26
27 You should have received a copy of the GNU General Public License
28 along with this program; if not, write to the Free Software
29 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
30 */
31
32 #include "includes.h"
33 #include "system/filesys.h"
34 #include "winbindd.h"
35 #include "idmap.h"
36 #include "idmap_rw.h"
37 #include "../libcli/security/dom_sid.h"
38 #include "lib/util_file.h"
39 #include "lib/util/tevent_unix.h"
40
41 #undef DBGC_CLASS
42 #define DBGC_CLASS DBGC_IDMAP
43
44 struct idmap_script_context {
45 const char *script; /* script to provide idmaps */
46 };
47
48 /*
49 run a script to perform a mapping
50
51 The script should accept the following command lines:
52
53 SIDTOID S-1-xxxx -> XID:<id> | ERR:<str>
54 SIDTOID S-1-xxxx -> UID:<id> | ERR:<str>
55 SIDTOID S-1-xxxx -> GID:<id> | ERR:<str>
56 IDTOSID XID xxxx -> SID:<sid> | ERR:<str>
57 IDTOSID UID xxxx -> SID:<sid> | ERR:<str>
58 IDTOSID GID xxxx -> SID:<sid> | ERR:<str>
59
60 where XID means both a UID and a GID. This is the case for ID_TYPE_BOTH.
61
62 TODO: Needs more validation ... like that we got a UID when we asked for one.
63 */
64
65 struct idmap_script_xid2sid_state {
66 char **argl;
67 size_t idx;
68 uint8_t *out;
69 };
70
71 static void idmap_script_xid2sid_done(struct tevent_req *subreq);
72
73 static struct tevent_req *idmap_script_xid2sid_send(
74 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
75 struct unixid xid, const char *script, size_t idx)
76 {
77 struct tevent_req *req, *subreq;
78 struct idmap_script_xid2sid_state *state;
79 char key;
80
81 req = tevent_req_create(mem_ctx, &state,
82 struct idmap_script_xid2sid_state);
83 if (req == NULL) {
84 return NULL;
85 }
86 state->idx = idx;
87
88 switch (xid.type) {
89 case ID_TYPE_UID:
90 key = 'U';
91 break;
92 case ID_TYPE_GID:
93 key = 'G';
94 break;
95 case ID_TYPE_BOTH:
96 key = 'X';
97 break;
98 default:
99 DBG_WARNING("INVALID unix ID type: 0x02%x\n", xid.type);
100 tevent_req_error(req, EINVAL);
101 return tevent_req_post(req, ev);
102 }
103
104 state->argl = talloc_zero_array(state,
105 char *,
106 5);
107 if (tevent_req_nomem(state->argl, req)) {
108 return tevent_req_post(req, ev);
109 }
110 state->argl[0] = talloc_strdup(state->argl, script);
111 if (tevent_req_nomem(state->argl[0], req)) {
112 return tevent_req_post(req, ev);
113 }
114 state->argl[1] = talloc_strdup(state->argl, "IDTOSID");
115 if (tevent_req_nomem(state->argl[1], req)) {
116 return tevent_req_post(req, ev);
117 }
118 state->argl[2] = talloc_asprintf(state->argl, "%cID", key);
119 if (tevent_req_nomem(state->argl[2], req)) {
120 return tevent_req_post(req, ev);
121 }
122 state->argl[3] = talloc_asprintf(state->argl, "%lu",
123 (unsigned long)xid.id);
124 if (tevent_req_nomem(state->argl[3], req)) {
125 return tevent_req_post(req, ev);
126 }
127 state->argl[4] = NULL;
128
129 subreq = file_ploadv_send(state, ev, state->argl, 1024);
130 if (tevent_req_nomem(subreq, req)) {
131 return tevent_req_post(req, ev);
132 }
133 tevent_req_set_callback(subreq, idmap_script_xid2sid_done, req);
134 return req;
135 }
136
137 static void idmap_script_xid2sid_done(struct tevent_req *subreq)
138 {
139 struct tevent_req *req = tevent_req_callback_data(
140 subreq, struct tevent_req);
141 struct idmap_script_xid2sid_state *state = tevent_req_data(
142 req, struct idmap_script_xid2sid_state);
143 int ret;
144
145 ret = file_ploadv_recv(subreq, state, &state->out);
146 TALLOC_FREE(subreq);
147 if (tevent_req_error(req, ret)) {
148 return;
149 }
150 tevent_req_done(req);
151 }
152
153 static int idmap_script_xid2sid_recv(struct tevent_req *req, size_t *idx,
154 enum id_mapping *status,
155 struct dom_sid *sid)
156 {
157 struct idmap_script_xid2sid_state *state = tevent_req_data(
158 req, struct idmap_script_xid2sid_state);
159 char *out = (char *)state->out;
160 size_t out_size = talloc_get_size(out);
161 int err;
162
163 if (tevent_req_is_unix_error(req, &err)) {
164 return err;
165 }
166
167 if (out_size == 0) {
168 goto unmapped;
169 }
170 if (state->out[out_size-1] != '\0') {
171 goto unmapped;
172 }
173
174 *idx = state->idx;
175
176 if ((strncmp(out, "SID:S-", 6) != 0) ||
177 !dom_sid_parse(out+4, sid)) {
178 DBG_WARNING("Bad sid from script: %s\n", out);
179 goto unmapped;
180 }
181
182 *status = ID_MAPPED;
183 return 0;
184
185 unmapped:
186 *sid = (struct dom_sid) {0};
187 *status = ID_UNMAPPED;
188 return 0;
189 }
190
191 struct idmap_script_xids2sids_state {
192 struct id_map **ids;
193 size_t num_ids;
194 size_t num_done;
195 };
196
197 static void idmap_script_xids2sids_done(struct tevent_req *subreq);
198
199 static struct tevent_req *idmap_script_xids2sids_send(
200 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
201 struct id_map **ids, size_t num_ids, const char *script)
202 {
203 struct tevent_req *req;
204 struct idmap_script_xids2sids_state *state;
205 size_t i;
206
207 req = tevent_req_create(mem_ctx, &state,
208 struct idmap_script_xids2sids_state);
209 if (req == NULL) {
210 return NULL;
211 }
212 state->ids = ids;
213 state->num_ids = num_ids;
214
215 if (state->num_ids == 0) {
216 tevent_req_done(req);
217 return tevent_req_post(req, ev);
218 }
219
220 for (i=0; i<num_ids; i++) {
221 struct tevent_req *subreq;
222
223 subreq = idmap_script_xid2sid_send(
224 state, ev, ids[i]->xid, script, i);
225 if (tevent_req_nomem(subreq, req)) {
226 return tevent_req_post(req, ev);
227 }
228 tevent_req_set_callback(subreq, idmap_script_xids2sids_done,
229 req);
230 }
231
232 return req;
233 }
234
235 static void idmap_script_xids2sids_done(struct tevent_req *subreq)
236 {
237 struct tevent_req *req = tevent_req_callback_data(
238 subreq, struct tevent_req);
239 struct idmap_script_xids2sids_state *state = tevent_req_data(
240 req, struct idmap_script_xids2sids_state);
241 size_t idx = 0;
242 enum id_mapping status = ID_UNKNOWN;
243 struct dom_sid sid = {0};
244 int ret;
245
246 ret = idmap_script_xid2sid_recv(subreq, &idx, &status, &sid);
247 TALLOC_FREE(subreq);
248 if (tevent_req_error(req, ret)) {
249 return;
250 }
251
252 if (idx >= state->num_ids) {
253 tevent_req_error(req, EINVAL);
254 return;
255 }
256
257 state->ids[idx]->status = status;
258
259 state->ids[idx]->sid = dom_sid_dup(state->ids, &sid);
260 if (tevent_req_nomem(state->ids[idx]->sid, req)) {
261 return;
262 }
263
264 state->num_done += 1;
265
266 if (state->num_done >= state->num_ids) {
267 tevent_req_done(req);
268 }
269 }
270
271 static int idmap_script_xids2sids_recv(struct tevent_req *req)
272 {
273 return tevent_req_simple_recv_unix(req);
274 }
275
276 static int idmap_script_xids2sids(struct id_map **ids, size_t num_ids,
277 const char *script)
278 {
279 TALLOC_CTX *frame = talloc_stackframe();
280 struct tevent_context *ev;
281 struct tevent_req *req;
282 int ret = ENOMEM;
283
284 ev = samba_tevent_context_init(frame);
285 if (ev == NULL) {
286 goto fail;
287 }
288 req = idmap_script_xids2sids_send(frame, ev, ids, num_ids, script);
289 if (req == NULL) {
290 goto fail;
291 }
292 if (!tevent_req_poll(req, ev)) {
293 ret = errno;
294 goto fail;
295 }
296 ret = idmap_script_xids2sids_recv(req);
297 fail:
298 TALLOC_FREE(frame);
299 return ret;
300 }
301
302 static NTSTATUS idmap_script_unixids_to_sids(struct idmap_domain *dom,
303 struct id_map **ids)
304 {
305 struct idmap_script_context *ctx = talloc_get_type_abort(
306 dom->private_data, struct idmap_script_context);
307 int ret;
308 size_t i, num_ids, num_mapped;
309
310 DEBUG(10, ("%s called ...\n", __func__));
311 /* Init status to avoid surprise ... */
312 for (i = 0; ids[i]; i++) {
313 ids[i]->status = ID_UNKNOWN;
314 }
315 num_ids = i;
316
317 ret = idmap_script_xids2sids(ids, num_ids, ctx->script);
318 if (ret != 0) {
319 DBG_DEBUG("idmap_script_xids2sids returned %s\n",
320 strerror(ret));
321 return map_nt_error_from_unix(ret);
322 }
323
324 num_mapped = 0;
325
326 for (i = 0; ids[i]; i++) {
327 if (ids[i]->status == ID_MAPPED) {
328 num_mapped += 1;
329 }
330 }
331
332 if (num_mapped == 0) {
333 return NT_STATUS_NONE_MAPPED;
334 }
335 if (num_mapped < num_ids) {
336 return STATUS_SOME_UNMAPPED;
337 }
338 return NT_STATUS_OK;
339 }
340
341 struct idmap_script_sid2xid_state {
342 char **argl;
343 size_t idx;
344 uint8_t *out;
345 };
346
347 static void idmap_script_sid2xid_done(struct tevent_req *subreq);
348
349 static struct tevent_req *idmap_script_sid2xid_send(
350 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
351 const struct dom_sid *sid, const char *script, size_t idx)
352 {
353 struct tevent_req *req, *subreq;
354 struct idmap_script_sid2xid_state *state;
355 struct dom_sid_buf sidbuf;
356
357 req = tevent_req_create(mem_ctx, &state,
358 struct idmap_script_sid2xid_state);
359 if (req == NULL) {
360 return NULL;
361 }
362 state->idx = idx;
363
364 state->argl = talloc_zero_array(state,
365 char *,
366 4);
367 if (tevent_req_nomem(state->argl, req)) {
368 return tevent_req_post(req, ev);
369 }
370 state->argl[0] = talloc_strdup(state->argl, script);
371 if (tevent_req_nomem(state->argl[0], req)) {
372 return tevent_req_post(req, ev);
373 }
374 state->argl[1] = talloc_strdup(state->argl, "SIDTOID");
375 if (tevent_req_nomem(state->argl[1], req)) {
376 return tevent_req_post(req, ev);
377 }
378 state->argl[2] = talloc_asprintf(state->argl, "%s",
379 dom_sid_str_buf(sid, &sidbuf));
380 if (tevent_req_nomem(state->argl[2], req)) {
381 return tevent_req_post(req, ev);
382 }
383 state->argl[3] = NULL;
384
385 subreq = file_ploadv_send(state, ev, state->argl, 1024);
386 if (tevent_req_nomem(subreq, req)) {
387 return tevent_req_post(req, ev);
388 }
389 tevent_req_set_callback(subreq, idmap_script_sid2xid_done, req);
390 return req;
391 }
392
393 static void idmap_script_sid2xid_done(struct tevent_req *subreq)
394 {
395 struct tevent_req *req = tevent_req_callback_data(
396 subreq, struct tevent_req);
397 struct idmap_script_sid2xid_state *state = tevent_req_data(
398 req, struct idmap_script_sid2xid_state);
399 int ret;
400
401 ret = file_ploadv_recv(subreq, state, &state->out);
402 TALLOC_FREE(subreq);
403 if (tevent_req_error(req, ret)) {
404 return;
405 }
406 tevent_req_done(req);
407 }
408
409 static int idmap_script_sid2xid_recv(struct tevent_req *req,
410 size_t *idx, enum id_mapping *status,
411 struct unixid *xid)
412 {
413 struct idmap_script_sid2xid_state *state = tevent_req_data(
414 req, struct idmap_script_sid2xid_state);
415 char *out = (char *)state->out;
416 size_t out_size = talloc_get_size(out);
417 unsigned long v;
418 int err;
419
420 if (tevent_req_is_unix_error(req, &err)) {
421 return err;
422 }
423
424 if (out_size == 0) {
425 goto unmapped;
426 }
427 if (state->out[out_size-1] != '\0') {
428 goto unmapped;
429 }
430
431 *idx = state->idx;
432
433 if (sscanf(out, "XID:%lu\n", &v) == 1) {
434 *xid = (struct unixid) { .id = v, .type = ID_TYPE_BOTH };
435 } else if (sscanf(out, "UID:%lu\n", &v) == 1) {
436 *xid = (struct unixid) { .id = v, .type = ID_TYPE_UID };
437 } else if (sscanf(out, "GID:%lu\n", &v) == 1) {
438 *xid = (struct unixid) { .id = v, .type = ID_TYPE_GID };
439 } else {
440 goto unmapped;
441 }
442
443 *status = ID_MAPPED;
444 return 0;
445
446 unmapped:
447 *xid = (struct unixid) { .id = UINT32_MAX,
448 .type = ID_TYPE_NOT_SPECIFIED };
449 *status = ID_UNMAPPED;
450 return 0;
451 }
452
453 struct idmap_script_sids2xids_state {
454 struct id_map **ids;
455 size_t num_ids;
456 size_t num_done;
457 };
458
459 static void idmap_script_sids2xids_done(struct tevent_req *subreq);
460
461 static struct tevent_req *idmap_script_sids2xids_send(
462 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
463 struct id_map **ids, size_t num_ids, const char *script)
464 {
465 struct tevent_req *req;
466 struct idmap_script_sids2xids_state *state;
467 size_t i;
468
469 req = tevent_req_create(mem_ctx, &state,
470 struct idmap_script_sids2xids_state);
471 if (req == NULL) {
472 return NULL;
473 }
474 state->ids = ids;
475 state->num_ids = num_ids;
476
477 if (state->num_ids == 0) {
478 tevent_req_done(req);
479 return tevent_req_post(req, ev);
480 }
481
482 for (i=0; i<num_ids; i++) {
483 struct tevent_req *subreq;
484
485 subreq = idmap_script_sid2xid_send(
486 state, ev, ids[i]->sid, script, i);
487 if (tevent_req_nomem(subreq, req)) {
488 return tevent_req_post(req, ev);
489 }
490 tevent_req_set_callback(subreq, idmap_script_sids2xids_done,
491 req);
492 }
493
494 return req;
495 }
496
497 static void idmap_script_sids2xids_done(struct tevent_req *subreq)
498 {
499 struct tevent_req *req = tevent_req_callback_data(
500 subreq, struct tevent_req);
501 struct idmap_script_sids2xids_state *state = tevent_req_data(
502 req, struct idmap_script_sids2xids_state);
503 size_t idx = 0;
504 enum id_mapping status = ID_UNKNOWN;
505 struct unixid xid = { .id = UINT32_MAX,
506 .type = ID_TYPE_NOT_SPECIFIED };
507 int ret;
508
509 ret = idmap_script_sid2xid_recv(subreq, &idx, &status, &xid);
510 TALLOC_FREE(subreq);
511 if (tevent_req_error(req, ret)) {
512 return;
513 }
514
515 if (idx >= state->num_ids) {
516 tevent_req_error(req, EINVAL);
517 return;
518 }
519
520 state->ids[idx]->status = status;
521 state->ids[idx]->xid = xid;
522
523 state->num_done += 1;
524
525 if (state->num_done >= state->num_ids) {
526 tevent_req_done(req);
527 }
528 }
529
530 static int idmap_script_sids2xids_recv(struct tevent_req *req)
531 {
532 return tevent_req_simple_recv_unix(req);
533 }
534
535 static int idmap_script_sids2xids(struct id_map **ids, size_t num_ids,
536 const char *script)
537 {
538 TALLOC_CTX *frame = talloc_stackframe();
539 struct tevent_context *ev;
540 struct tevent_req *req;
541 int ret = ENOMEM;
542
543 ev = samba_tevent_context_init(frame);
544 if (ev == NULL) {
545 goto fail;
546 }
547 req = idmap_script_sids2xids_send(frame, ev, ids, num_ids, script);
548 if (req == NULL) {
549 goto fail;
550 }
551 if (!tevent_req_poll(req, ev)) {
552 ret = errno;
553 goto fail;
554 }
555 ret = idmap_script_sids2xids_recv(req);
556 fail:
557 TALLOC_FREE(frame);
558 return ret;
559 }
560
561 static NTSTATUS idmap_script_sids_to_unixids(struct idmap_domain *dom,
562 struct id_map **ids)
563 {
564 struct idmap_script_context *ctx = talloc_get_type_abort(
565 dom->private_data, struct idmap_script_context);
566 int ret;
567 size_t i, num_ids, num_mapped;
568
569 DEBUG(10, ("%s called ...\n", __func__));
570 /* Init status to avoid surprise ... */
571 for (i = 0; ids[i]; i++) {
572 ids[i]->status = ID_UNKNOWN;
573 }
574 num_ids = i;
575
576 ret = idmap_script_sids2xids(ids, num_ids, ctx->script);
577 if (ret != 0) {
578 DBG_DEBUG("idmap_script_sids2xids returned %s\n",
579 strerror(ret));
580 return map_nt_error_from_unix(ret);
581 }
582
583 num_mapped = 0;
584
585 for (i=0; i<num_ids; i++) {
586 struct id_map *map = ids[i];
587
588 if ((map->status == ID_MAPPED) &&
589 !idmap_unix_id_is_in_range(map->xid.id, dom)) {
590 DBG_INFO("Script returned id (%u) out of range "
591 "(%u - %u). Filtered!\n",
592 map->xid.id, dom->low_id, dom->high_id);
593 map->status = ID_UNMAPPED;
594 }
595
596 if (map->status == ID_MAPPED) {
597 num_mapped += 1;
598 }
599 }
600
601 if (num_mapped == 0) {
602 return NT_STATUS_NONE_MAPPED;
603 }
604 if (num_mapped < num_ids) {
605 return STATUS_SOME_UNMAPPED;
606 }
607 return NT_STATUS_OK;
608 }
609
610 /*
611 * Initialise idmap_script database.
612 */
613 static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
614 {
615 NTSTATUS ret;
616 struct idmap_script_context *ctx;
617 const char * idmap_script = NULL;
618 const char *ctx_script = NULL;
619
620 DEBUG(10, ("%s called ...\n", __func__));
621
622 ctx = talloc_zero(dom, struct idmap_script_context);
623 if (!ctx) {
624 DEBUG(0, ("Out of memory!\n"));
625 ret = NT_STATUS_NO_MEMORY;
626 goto failed;
627 }
628
629 ctx_script = idmap_config_const_string(dom->name, "script", NULL);
630
631 /* Do we even need to handle this? */
632 idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
633 if (idmap_script != NULL) {
634 DEBUG(0, ("Warning: 'idmap:script' is deprecated. "
635 " Please use 'idmap config * : script' instead!\n"));
636 }
637
638 if (strequal(dom->name, "*") && ctx_script == NULL) {
639 /* fall back to idmap:script for backwards compatibility */
640 ctx_script = idmap_script;
641 }
642
643 if (ctx_script) {
644 DEBUG(1, ("using idmap script '%s'\n", ctx->script));
645 /*
646 * We must ensure this memory is owned by ctx.
647 * The ctx_script const pointer is a pointer into
648 * the config file data and may become invalid
649 * on config file reload. BUG: 13956
650 */
651 ctx->script = talloc_strdup(ctx, ctx_script);
652 if (ctx->script == NULL) {
653 ret = NT_STATUS_NO_MEMORY;
654 goto failed;
655 }
656 }
657
658 dom->private_data = ctx;
659 dom->read_only = true; /* We do not allocate!*/
660
661 return NT_STATUS_OK;
662
663 failed:
664 talloc_free(ctx);
665 return ret;
666 }
667
668 static struct idmap_methods db_methods = {
669 .init = idmap_script_db_init,
670 .unixids_to_sids = idmap_script_unixids_to_sids,
671 .sids_to_unixids = idmap_script_sids_to_unixids,
672 };
673
674 static_decl_idmap;
675 NTSTATUS idmap_script_init(TALLOC_CTX *ctx)
676 {
677 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "script", &db_methods);
678 }
Samba GIT mirror