/* SSSD Common Responder methods Copyright (C) Simo Sorce 2008 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include #include #include #include #include #include #include #include #include #include #include "popt.h" #include "util/util.h" #include "db/sysdb.h" #include "confdb/confdb.h" #include "dbus/dbus.h" #include "sbus/sssd_dbus.h" #include "util/btreemap.h" #include "responder/common/responder.h" #include "responder/common/responder_packet.h" #include "providers/data_provider.h" #include "monitor/monitor_sbus.h" #include "monitor/monitor_interfaces.h" #include "sbus/sbus_client.h" #define NAMES_CONFIG "config/names" static void set_nonblocking(int fd) { unsigned v; v = fcntl(fd, F_GETFL, 0); fcntl(fd, F_SETFL, v | O_NONBLOCK); } static void set_close_on_exec(int fd) { unsigned v; v = fcntl(fd, F_GETFD, 0); fcntl(fd, F_SETFD, v | FD_CLOEXEC); } static int client_destructor(struct cli_ctx *ctx) { if (ctx->cfd > 0) close(ctx->cfd); return 0; } static void client_send(struct tevent_context *ev, struct cli_ctx *cctx) { int ret; ret = sss_packet_send(cctx->creq->out, cctx->cfd); if (ret == EAGAIN) { /* not all data was sent, loop again */ return; } if (ret != EOK) { DEBUG(0, ("Failed to read request, aborting client!\n")); talloc_free(cctx); return; } /* ok all sent */ TEVENT_FD_NOT_WRITEABLE(cctx->cfde); TEVENT_FD_READABLE(cctx->cfde); talloc_free(cctx->creq); cctx->creq = NULL; return; } static void client_recv(struct tevent_context *ev, struct cli_ctx *cctx) { int ret; if (!cctx->creq) { cctx->creq = talloc_zero(cctx, struct cli_request); if (!cctx->creq) { DEBUG(0, ("Failed to alloc request, aborting client!\n")); talloc_free(cctx); return; } } if (!cctx->creq->in) { ret = sss_packet_new(cctx->creq, SSS_PACKET_MAX_RECV_SIZE, 0, &cctx->creq->in); if (ret != EOK) { DEBUG(0, ("Failed to alloc request, aborting client!\n")); talloc_free(cctx); return; } } ret = sss_packet_recv(cctx->creq->in, cctx->cfd); switch (ret) { case EOK: /* do not read anymore */ TEVENT_FD_NOT_READABLE(cctx->cfde); /* execute command */ ret = sss_cmd_execute(cctx, cctx->rctx->sss_cmds); if (ret != EOK) { DEBUG(0, ("Failed to execute request, aborting client!\n")); talloc_free(cctx); } /* past this point cctx can be freed at any time by callbacks * in case of error, do not use it */ return; case EAGAIN: /* need to read still some data, loop again */ break; case EINVAL: DEBUG(6, ("Invalid data from client, closing connection!\n")); talloc_free(cctx); break; case ENODATA: DEBUG(5, ("Client disconnected!\n")); talloc_free(cctx); break; default: DEBUG(6, ("Failed to read request, aborting client!\n")); talloc_free(cctx); } return; } static void client_fd_handler(struct tevent_context *ev, struct tevent_fd *fde, uint16_t flags, void *ptr) { struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx); if (flags & TEVENT_FD_READ) { client_recv(ev, cctx); return; } if (flags & TEVENT_FD_WRITE) { client_send(ev, cctx); return; } } /* TODO: this is a copy of accept_fd_handler, maybe both can be put into on * handler. */ static void accept_priv_fd_handler(struct tevent_context *ev, struct tevent_fd *fde, uint16_t flags, void *ptr) { /* accept and attach new event handler */ struct resp_ctx *rctx = talloc_get_type(ptr, struct resp_ctx); struct cli_ctx *cctx; socklen_t len; struct stat stat_buf; int ret; ret = stat(rctx->priv_sock_name, &stat_buf); if (ret == -1) { DEBUG(1, ("stat on privileged pipe failed: [%d][%s].\n", errno, strerror(errno))); return; } if ( ! (stat_buf.st_uid == 0 && stat_buf.st_gid == 0 && (stat_buf.st_mode&(S_IFSOCK|S_IRUSR|S_IWUSR)) == stat_buf.st_mode)) { DEBUG(1, ("privileged pipe has an illegal status.\n")); /* TODO: what is the best response to this condition? Terminate? */ return; } cctx = talloc_zero(rctx, struct cli_ctx); if (!cctx) { struct sockaddr_un addr; int fd; DEBUG(0, ("Out of memory trying to setup client context on privileged pipe!\n")); /* accept and close to signal the client we have a problem */ memset(&addr, 0, sizeof(addr)); len = sizeof(addr); fd = accept(rctx->priv_lfd, (struct sockaddr *)&addr, &len); if (fd == -1) { return; } close(fd); return; } len = sizeof(cctx->addr); cctx->cfd = accept(rctx->priv_lfd, (struct sockaddr *)&cctx->addr, &len); if (cctx->cfd == -1) { DEBUG(1, ("Accept failed [%s]", strerror(errno))); talloc_free(cctx); return; } cctx->priv = 1; cctx->cfde = tevent_add_fd(ev, cctx, cctx->cfd, TEVENT_FD_READ, client_fd_handler, cctx); if (!cctx->cfde) { close(cctx->cfd); talloc_free(cctx); DEBUG(2, ("Failed to queue client handler on privileged pipe\n")); } cctx->ev = ev; cctx->rctx = rctx; talloc_set_destructor(cctx, client_destructor); DEBUG(4, ("Client connected to privileged pipe!\n")); return; } static void accept_fd_handler(struct tevent_context *ev, struct tevent_fd *fde, uint16_t flags, void *ptr) { /* accept and attach new event handler */ struct resp_ctx *rctx = talloc_get_type(ptr, struct resp_ctx); struct cli_ctx *cctx; socklen_t len; cctx = talloc_zero(rctx, struct cli_ctx); if (!cctx) { struct sockaddr_un addr; int fd; DEBUG(0, ("Out of memory trying to setup client context!\n")); /* accept and close to signal the client we have a problem */ memset(&addr, 0, sizeof(addr)); len = sizeof(addr); fd = accept(rctx->lfd, (struct sockaddr *)&addr, &len); if (fd == -1) { return; } close(fd); return; } len = sizeof(cctx->addr); cctx->cfd = accept(rctx->lfd, (struct sockaddr *)&cctx->addr, &len); if (cctx->cfd == -1) { DEBUG(1, ("Accept failed [%s]", strerror(errno))); talloc_free(cctx); return; } cctx->cfde = tevent_add_fd(ev, cctx, cctx->cfd, TEVENT_FD_READ, client_fd_handler, cctx); if (!cctx->cfde) { close(cctx->cfd); talloc_free(cctx); DEBUG(2, ("Failed to queue client handler\n")); } cctx->ev = ev; cctx->rctx = rctx; talloc_set_destructor(cctx, client_destructor); DEBUG(4, ("Client connected!\n")); return; } static int sss_sbus_init(struct resp_ctx *rctx) { int ret; char *sbus_address; struct service_sbus_ctx *ss_ctx; struct sbus_method_ctx *sm_ctx; /* Set up SBUS connection to the monitor */ ret = monitor_get_sbus_address(rctx, rctx->cdb, &sbus_address); if (ret != EOK) { DEBUG(0, ("Could not locate monitor address.\n")); return ret; } ret = monitor_init_sbus_methods(rctx, rctx->sss_sbus_methods, &sm_ctx); if (ret != EOK) { DEBUG(0, ("Could not initialize SBUS methods.\n")); return ret; } ret = sbus_client_init(rctx, rctx->ev, sbus_address, sm_ctx, NULL /* Private Data */, NULL /* Destructor */, &ss_ctx); if (ret != EOK) { DEBUG(0, ("Failed to connect to monitor services.\n")); return ret; } /* Set up NSS-specific listeners */ /* None currently used */ rctx->ss_ctx = ss_ctx; return EOK; } /* create a unix socket and listen to it */ static int set_unix_socket(struct resp_ctx *rctx) { struct sockaddr_un addr; /* for future use */ #if 0 char *default_pipe; int ret; default_pipe = talloc_asprintf(rctx, "%s/%s", PIPE_PATH, rctx->sss_pipe_name); if (!default_pipe) { return ENOMEM; } ret = confdb_get_string(rctx->cdb, rctx, rctx->confdb_socket_path, "unixSocket", default_pipe, &rctx->sock_name); if (ret != EOK) { talloc_free(default_pipe); return ret; } talloc_free(default_pipe); default_pipe = talloc_asprintf(rctx, "%s/private/%s", PIPE_PATH, rctx->sss_pipe_name); if (!default_pipe) { return ENOMEM; } ret = confdb_get_string(rctx->cdb, rctx, rctx->confdb_socket_path, "privUnixSocket", default_pipe, &rctx->priv_sock_name); if (ret != EOK) { talloc_free(default_pipe); return ret; } talloc_free(default_pipe); #endif if (rctx->sock_name != NULL ) { rctx->lfd = socket(AF_UNIX, SOCK_STREAM, 0); if (rctx->lfd == -1) { return EIO; } /* Set the umask so that permissions are set right on the socket. * It must be readable and writable by anybody on the system. */ umask(0111); set_nonblocking(rctx->lfd); set_close_on_exec(rctx->lfd); memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; strncpy(addr.sun_path, rctx->sock_name, sizeof(addr.sun_path)); /* make sure we have no old sockets around */ unlink(rctx->sock_name); if (bind(rctx->lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) { DEBUG(0,("Unable to bind on socket '%s'\n", rctx->sock_name)); goto failed; } if (listen(rctx->lfd, 10) != 0) { DEBUG(0,("Unable to listen on socket '%s'\n", rctx->sock_name)); goto failed; } rctx->lfde = tevent_add_fd(rctx->ev, rctx, rctx->lfd, TEVENT_FD_READ, accept_fd_handler, rctx); if (!rctx->lfde) { DEBUG(0, ("Failed to queue handler on pipe\n")); goto failed; } } if (rctx->priv_sock_name != NULL ) { /* create privileged pipe */ rctx->priv_lfd = socket(AF_UNIX, SOCK_STREAM, 0); if (rctx->priv_lfd == -1) { close(rctx->lfd); return EIO; } umask(0177); set_nonblocking(rctx->priv_lfd); set_close_on_exec(rctx->priv_lfd); memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; strncpy(addr.sun_path, rctx->priv_sock_name, sizeof(addr.sun_path)); unlink(rctx->priv_sock_name); if (bind(rctx->priv_lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) { DEBUG(0,("Unable to bind on socket '%s'\n", rctx->priv_sock_name)); goto failed; } if (listen(rctx->priv_lfd, 10) != 0) { DEBUG(0,("Unable to listen on socket '%s'\n", rctx->priv_sock_name)); goto failed; } rctx->priv_lfde = tevent_add_fd(rctx->ev, rctx, rctx->priv_lfd, TEVENT_FD_READ, accept_priv_fd_handler, rctx); if (!rctx->priv_lfde) { DEBUG(0, ("Failed to queue handler on privileged pipe\n")); goto failed; } } /* we want default permissions on created files to be very strict, so set our umask to 0177 */ umask(0177); return EOK; failed: /* we want default permissions on created files to be very strict, so set our umask to 0177 */ umask(0177); close(rctx->lfd); close(rctx->priv_lfd); return EIO; } int sss_names_init(struct resp_ctx *rctx) { struct sss_names_ctx *ctx; const char *errstr; int errval; int errpos; int ret; ctx = talloc_zero(rctx, struct sss_names_ctx); if (!ctx) return ENOMEM; ret = confdb_get_string(rctx->cdb, ctx, NAMES_CONFIG, "re-expression", NULL, &ctx->re_pattern); if (ret != EOK) goto done; if (!ctx->re_pattern) { ctx->re_pattern = talloc_strdup(ctx, "(?[^@]+)@?(?[^@]*$)"); if (!ctx->re_pattern) { ret = ENOMEM; goto done; } } ret = confdb_get_string(rctx->cdb, ctx, NAMES_CONFIG, "full-name-format", NULL, &ctx->fq_fmt); if (ret != EOK) goto done; if (!ctx->fq_fmt) { ctx->fq_fmt = talloc_strdup(ctx, "%1$s@%2$s"); if (!ctx->fq_fmt) { ret = ENOMEM; goto done; } } ctx->re = pcre_compile2(ctx->re_pattern, PCRE_DUPNAMES | PCRE_EXTENDED, &errval, &errstr, &errpos, NULL); if (!ctx->re) { DEBUG(1, ("Invalid Regular Expression pattern at position %d." " (Error: %d [%s])\n", errpos, errval, errstr)); ret = EFAULT; goto done; } rctx->names = ctx; ret = EOK; done: if (ret != EOK) { talloc_free(ctx); } return ret; } int sss_process_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct confdb_ctx *cdb, struct sbus_method sss_sbus_methods[], struct sss_cmd_table sss_cmds[], const char *sss_pipe_name, const char *sss_priv_pipe_name, const char *confdb_service_path, struct sbus_method dp_methods[], struct resp_ctx **responder_ctx) { struct resp_ctx *rctx; int ret; rctx = talloc_zero(mem_ctx, struct resp_ctx); if (!rctx) { DEBUG(0, ("fatal error initializing resp_ctx\n")); return ENOMEM; } rctx->ev = ev; rctx->cdb = cdb; rctx->sss_sbus_methods = sss_sbus_methods; rctx->sss_cmds = sss_cmds; rctx->sock_name = sss_pipe_name; rctx->priv_sock_name = sss_priv_pipe_name; rctx->confdb_service_path = confdb_service_path; rctx->dp_methods = dp_methods; ret = confdb_get_domains(rctx->cdb, rctx, &rctx->domains); if (ret != EOK) { DEBUG(0, ("fatal error setting up domain map\n")); return ret; } ret = sss_sbus_init(rctx); if (ret != EOK) { DEBUG(0, ("fatal error setting up message bus\n")); return ret; } ret = sss_dp_init(rctx, rctx->dp_methods); if (ret != EOK) { DEBUG(0, ("fatal error setting up backend connector\n")); return ret; } else if (!rctx->dp_ctx) { DEBUG(0, ("Data Provider is not yet available. Retrying.\n")); return EIO; } ret = sysdb_init(rctx, ev, cdb, NULL, &rctx->sysdb); if (ret != EOK) { DEBUG(0, ("fatal error initializing resp_ctx\n")); return ret; } ret = sss_names_init(rctx); if (ret != EOK) { DEBUG(0, ("fatal error initializing regex data\n")); return ret; } /* after all initializations we are ready to listen on our socket */ ret = set_unix_socket(rctx); if (ret != EOK) { DEBUG(0, ("fatal error initializing socket\n")); return ret; } DEBUG(1, ("Responder Initialization complete\n")); *responder_ctx = rctx; return EOK; } int sss_parse_name(TALLOC_CTX *memctx, struct sss_names_ctx *snctx, const char *orig, char **domain, char **name) { pcre *re = snctx->re; const char *result; int ovec[30]; int origlen; int ret, strnum; origlen = strlen(orig); ret = pcre_exec(re, NULL, orig, origlen, 0, PCRE_NOTEMPTY, ovec, 30); if (ret < 0) { DEBUG(2, ("PCRE Matching error, %d\n", ret)); return EINVAL; } if (ret == 0) { DEBUG(1, ("Too many matches, the pattern is invalid.\n")); } strnum = ret; result = NULL; ret = pcre_get_named_substring(re, orig, ovec, strnum, "name", &result); if (ret < 0 || !result) { DEBUG(2, ("Name not found!\n")); return EINVAL; } *name = talloc_strdup(memctx, result); pcre_free_substring(result); if (!*name) return ENOMEM; result = NULL; ret = pcre_get_named_substring(re, orig, ovec, strnum, "domain", &result); if (ret < 0 || !result) { DEBUG(4, ("Domain not provided!\n")); *domain = NULL; } else { /* ignore "" string */ if (*result) { *domain = talloc_strdup(memctx, result); pcre_free_substring(result); if (!*domain) return ENOMEM; } else { pcre_free_substring(result); *domain = NULL; } } return EOK; }