From c47e03cf2d446e301cf3609fa9acb90e3f6a6ccc Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 9 Mar 2009 17:05:23 +0100 Subject: use fixed paths to sockets to make sure clients and server are using the same --- server/confdb/confdb.c | 4 + server/responder/common/responder_cmd.h | 4 +- server/responder/common/responder_common.c | 118 ++++++++++++++++------------- server/responder/common/responder_common.h | 1 + server/responder/nss/nsssrv.c | 5 ++ server/responder/nss/nsssrv.h | 2 +- server/responder/pam/pamsrv.c | 5 +- 7 files changed, 80 insertions(+), 59 deletions(-) diff --git a/server/confdb/confdb.c b/server/confdb/confdb.c index 9ada97f3..26c9e939 100644 --- a/server/confdb/confdb.c +++ b/server/confdb/confdb.c @@ -522,11 +522,13 @@ static int confdb_init_db(struct confdb_ctx *cdb) ret = confdb_add_param(cdb, false, "config/services/pam", "command", val); if (ret != EOK) goto done; +#if 0 /* for future use */ /* Set the sssd_pam socket path */ val[0] = talloc_asprintf(tmp_ctx, "%s/pam", PIPE_PATH); CONFDB_ZERO_CHECK_OR_JUMP(val[0], ret, ENOMEM, done); ret = confdb_add_param(cdb, false, "config/services/pam", "unixSocket", val); if (ret != EOK) goto done; +#endif /* for future use */ /* Add PAM to the list of active services */ val[0] = "pam"; @@ -545,11 +547,13 @@ static int confdb_init_db(struct confdb_ctx *cdb) ret = confdb_add_param(cdb, false, "config/services/nss", "command", val); if (ret != EOK) goto done; +#if 0 /* for future use */ /* Set the sssd_nss socket path */ val[0] = talloc_asprintf(tmp_ctx, "%s/sssd_nss", PIPE_PATH); CONFDB_ZERO_CHECK_OR_JUMP(val[0], ret, ENOMEM, done); ret = confdb_add_param(cdb, false, "config/services/nss", "unixSocket", val); if (ret != EOK) goto done; +#endif /* for future use */ /* Add NSS to the list of active services */ val[0] = "nss"; diff --git a/server/responder/common/responder_cmd.h b/server/responder/common/responder_cmd.h index e02d5f22..b70b297a 100644 --- a/server/responder/common/responder_cmd.h +++ b/server/responder/common/responder_cmd.h @@ -48,8 +48,8 @@ struct nss_ctx { int priv_lfd; struct sysdb_ctx *sysdb; struct confdb_ctx *cdb; - char *sock_name; - char *priv_sock_name; + const char *sock_name; + const char *priv_sock_name; struct service_sbus_ctx *ss_ctx; struct service_sbus_ctx *dp_ctx; struct btreemap *domain_map; diff --git a/server/responder/common/responder_common.c b/server/responder/common/responder_common.c index 490f4e6b..18d2f3da 100644 --- a/server/responder/common/responder_common.c +++ b/server/responder/common/responder_common.c @@ -329,6 +329,9 @@ static int sss_sbus_init(struct nss_ctx *nctx) static int set_unix_socket(struct nss_ctx *nctx) { struct sockaddr_un addr; + +/* for future use */ +#if 0 char *default_pipe; int ret; @@ -361,74 +364,79 @@ static int set_unix_socket(struct nss_ctx *nctx) return ret; } talloc_free(default_pipe); +#endif - nctx->lfd = socket(AF_UNIX, SOCK_STREAM, 0); - if (nctx->lfd == -1) { - return EIO; - } + if (nctx->sock_name != NULL ) { + nctx->lfd = socket(AF_UNIX, SOCK_STREAM, 0); + if (nctx->lfd == -1) { + return EIO; + } - nctx->priv_lfd = socket(AF_UNIX, SOCK_STREAM, 0); - if (nctx->priv_lfd == -1) { - close(nctx->lfd); - return EIO; - } + /* Set the umask so that permissions are set right on the socket. + * It must be readable and writable by anybody on the system. */ + umask(0111); - /* Set the umask so that permissions are set right on the socket. - * It must be readable and writable by anybody on the system. */ - umask(0111); + set_nonblocking(nctx->lfd); + set_close_on_exec(nctx->lfd); - set_nonblocking(nctx->lfd); - set_close_on_exec(nctx->lfd); + memset(&addr, 0, sizeof(addr)); + addr.sun_family = AF_UNIX; + strncpy(addr.sun_path, nctx->sock_name, sizeof(addr.sun_path)); - memset(&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, nctx->sock_name, sizeof(addr.sun_path)); + /* make sure we have no old sockets around */ + unlink(nctx->sock_name); - /* make sure we have no old sockets around */ - unlink(nctx->sock_name); + if (bind(nctx->lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) { + DEBUG(0,("Unable to bind on socket '%s'\n", nctx->sock_name)); + goto failed; + } + if (listen(nctx->lfd, 10) != 0) { + DEBUG(0,("Unable to listen on socket '%s'\n", nctx->sock_name)); + goto failed; + } - if (bind(nctx->lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) { - DEBUG(0,("Unable to bind on socket '%s'\n", nctx->sock_name)); - goto failed; - } - if (listen(nctx->lfd, 10) != 0) { - DEBUG(0,("Unable to listen on socket '%s'\n", nctx->sock_name)); - goto failed; + nctx->lfde = tevent_add_fd(nctx->ev, nctx, nctx->lfd, + TEVENT_FD_READ, accept_fd_handler, nctx); + if (!nctx->lfde) { + DEBUG(0, ("Failed to queue handler on pipe\n")); + goto failed; + } } - /* create privileged pipe */ - umask(0177); + if (nctx->priv_sock_name != NULL ) { + /* create privileged pipe */ + nctx->priv_lfd = socket(AF_UNIX, SOCK_STREAM, 0); + if (nctx->priv_lfd == -1) { + close(nctx->lfd); + return EIO; + } - set_nonblocking(nctx->priv_lfd); - set_close_on_exec(nctx->priv_lfd); + umask(0177); - memset(&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, nctx->priv_sock_name, sizeof(addr.sun_path)); + set_nonblocking(nctx->priv_lfd); + set_close_on_exec(nctx->priv_lfd); - unlink(nctx->priv_sock_name); + memset(&addr, 0, sizeof(addr)); + addr.sun_family = AF_UNIX; + strncpy(addr.sun_path, nctx->priv_sock_name, sizeof(addr.sun_path)); - if (bind(nctx->priv_lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) { - DEBUG(0,("Unable to bind on socket '%s'\n", nctx->priv_sock_name)); - goto failed; - } - if (listen(nctx->priv_lfd, 10) != 0) { - DEBUG(0,("Unable to listen on socket '%s'\n", nctx->priv_sock_name)); - goto failed; - } + unlink(nctx->priv_sock_name); - nctx->lfde = tevent_add_fd(nctx->ev, nctx, nctx->lfd, - TEVENT_FD_READ, accept_fd_handler, nctx); - if (!nctx->lfde) { - DEBUG(0, ("Failed to queue handler on pipe\n")); - goto failed; - } + if (bind(nctx->priv_lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) { + DEBUG(0,("Unable to bind on socket '%s'\n", nctx->priv_sock_name)); + goto failed; + } + if (listen(nctx->priv_lfd, 10) != 0) { + DEBUG(0,("Unable to listen on socket '%s'\n", nctx->priv_sock_name)); + goto failed; + } - nctx->priv_lfde = tevent_add_fd(nctx->ev, nctx, nctx->priv_lfd, - TEVENT_FD_READ, accept_priv_fd_handler, nctx); - if (!nctx->priv_lfde) { - DEBUG(0, ("Failed to queue handler on privileged pipe\n")); - goto failed; + nctx->priv_lfde = tevent_add_fd(nctx->ev, nctx, nctx->priv_lfd, + TEVENT_FD_READ, accept_priv_fd_handler, nctx); + if (!nctx->priv_lfde) { + DEBUG(0, ("Failed to queue handler on privileged pipe\n")); + goto failed; + } } /* we want default permissions on created files to be very strict, @@ -488,6 +496,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx, struct sbus_method sss_sbus_methods[], struct sss_cmd_table sss_cmds[], const char *sss_pipe_name, + const char *sss_priv_pipe_name, const char *confdb_socket_path, struct sbus_method dp_methods[]) { @@ -503,7 +512,8 @@ int sss_process_init(TALLOC_CTX *mem_ctx, nctx->cdb = cdb; nctx->sss_sbus_methods = sss_sbus_methods; nctx->sss_cmds = sss_cmds; - nctx->sss_pipe_name = sss_pipe_name; + nctx->sock_name = sss_pipe_name; + nctx->priv_sock_name = sss_priv_pipe_name; nctx->confdb_socket_path = confdb_socket_path; nctx->dp_methods = dp_methods; diff --git a/server/responder/common/responder_common.h b/server/responder/common/responder_common.h index 38180705..0a5b6274 100644 --- a/server/responder/common/responder_common.h +++ b/server/responder/common/responder_common.h @@ -15,6 +15,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx, struct sbus_method sss_sbus_methods[], struct sss_cmd_table sss_cmds[], const char *sss_pipe_name, + const char *sss_priv_pipe_name, const char *confdb_socket_path, struct sbus_method dp_methods[]); diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c index 248b8a1e..a26f5eda 100644 --- a/server/responder/nss/nsssrv.c +++ b/server/responder/nss/nsssrv.c @@ -330,6 +330,9 @@ static int nss_sbus_init(struct nss_ctx *nctx) static int set_unix_socket(struct nss_ctx *nctx) { struct sockaddr_un addr; + +/* for future use */ +#if 0 char *default_pipe; int ret; @@ -346,6 +349,8 @@ static int set_unix_socket(struct nss_ctx *nctx) return ret; } talloc_free(default_pipe); +#endif + nctx->sock_name = SSS_NSS_SOCKET_NAME; nctx->lfd = socket(AF_UNIX, SOCK_STREAM, 0); if (nctx->lfd == -1) { diff --git a/server/responder/nss/nsssrv.h b/server/responder/nss/nsssrv.h index b1f1ff7d..949961a4 100644 --- a/server/responder/nss/nsssrv.h +++ b/server/responder/nss/nsssrv.h @@ -57,7 +57,7 @@ struct nss_ctx { int lfd; struct sysdb_ctx *sysdb; struct confdb_ctx *cdb; - char *sock_name; + const char *sock_name; struct service_sbus_ctx *ss_ctx; struct service_sbus_ctx *dp_ctx; struct btreemap *domain_map; diff --git a/server/responder/pam/pamsrv.c b/server/responder/pam/pamsrv.c index b6593bcf..de62e035 100644 --- a/server/responder/pam/pamsrv.c +++ b/server/responder/pam/pamsrv.c @@ -44,8 +44,8 @@ #include "monitor/monitor_interfaces.h" #include "sbus/sbus_client.h" #include "responder/pam/pamsrv.h" +#include "../sss_client/sss_cli.h" -#define SSS_PAM_PIPE_NAME "pam" #define PAM_SBUS_SERVICE_VERSION 0x0001 #define PAM_SBUS_SERVICE_NAME "pam" #define CONFDB_SOCKET_PATH "config/services/pam" @@ -158,7 +158,8 @@ int main(int argc, const char *argv[]) main_ctx->confdb_ctx, sss_sbus_methods, sss_cmds, - SSS_PAM_PIPE_NAME, + SSS_PAM_SOCKET_NAME, + SSS_PAM_PRIV_SOCKET_NAME, CONFDB_SOCKET_PATH, pam_dp_methods); if (ret != EOK) return 3; -- cgit