author | Andreas Schneider <asn@samba.org> | 2013-09-09 16:28:18 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2014-04-17 14:56:06 +0200 |
commit | 486fa4a134a79e0a25091efc749ccc131dc18f69 (patch) | |
tree | f125b9d3fa308db69041bd0259c2750cc296f879 | |
parent | 28b87dd75e7292c4c451c753c44a640cbcf5d8cb (diff) | |
libwbclient: Handle uid_wrapper for pipe access.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | nsswitch/wb_common.c | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
index 23b78874c1..c1350aafd8 100644
--- a/nsswitch/wb_common.c
+++ b/nsswitch/wb_common.c
@@ -168,6 +168,35 @@ static int make_safe_fd(int fd)
 return new_fd;
 }
+/**
+ * @internal
+ *
+ * @brief Check if we have priviliged access.
+ *
+ * This checks if we have uid_wrapper running and if yes turns it of so that we
+ * can check if we have access.
+ *
+ * @param[in] uid The uid to compare if we have access.
+ *
+ * @return If we have access it returns true, else false.
+ */
+static bool winbind_privileged_access(uid_t uid)
+{
+ uid_t euid;
+
+ if (uid_wrapper_enabled()) {
+ setenv("UID_WRAPPER_MYUID", "1", 1);
+ }
+
+ euid = geteuid();
+
+ if (uid_wrapper_enabled()) {
+ unsetenv("UID_WRAPPER_MYUID");
+ }
+
+ return (uid == euid);
+}
+
 /* Connect to winbindd socket */
 static int winbind_named_pipe_sock(const char *dir)
@@ -186,8 +215,9 @@ static int winbind_named_pipe_sock(const char *dir)
 return -1;
 }
+ /* This tells uid_wrapper to return the userid for the geteuid check */
 if (!S_ISDIR(st.st_mode) ||
- (st.st_uid != 0 && st.st_uid != geteuid())) {
+ !winbind_privileged_access(st.st_uid)) {
 errno = ENOENT;
 return -1;
 }
@@ -215,8 +245,9 @@ static int winbind_named_pipe_sock(const char *dir)
 SAFE_FREE(path);
 /* Check permissions on unix socket file */
+ /* This tells uid_wrapper to return the userid for the geteuid check */
 if (!S_ISSOCK(st.st_mode) ||
- (st.st_uid != 0 && st.st_uid != geteuid())) {
+ !winbind_privileged_access(st.st_uid)) {
 errno = ENOENT;
 return -1;
 }
|
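Review bot: `winbind_privileged_access()` ends with `return (uid == euid);`, which drops the root-owner case that the replaced expression `(st.st_uid != 0 && st.st_uid != geteuid())` still accepted. At both call sites in `winbind_named_pipe_sock()` (the `S_ISDIR` check and the `S_ISSOCK` check) a root-owned pipe directory or socket is therefore refused with `ENOENT` for every caller whose effective uid is not 0. If that narrowing is not intended, keep the previous trust rule with `return (uid == 0 || uid == euid);`. Separately, the helper calls `setenv()`/`unsetenv()` on `UID_WRAPPER_MYUID` from library code: the return value is ignored, a value the calling process had already set is lost, and changing the environment is not safe while another thread may be reading it. The doc comment also carries two typos (`priviliged`, `turns it of`).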
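Review bot: The comment added above the `S_ISDIR` check, and the identical one above the `S_ISSOCK` check in the following hunk, describes a uid_wrapper detail that lives inside the helper rather than the reason the owner is checked here. These two tests look like the point where the client decides whether the pipe belongs to a uid it trusts, and that is what a reader of `winbind_named_pipe_sock()` needs stated at the call site. A comment such as `/* Only use a pipe owned by a uid we trust, see winbind_privileged_access() */` would say so, leaving the uid_wrapper explanation on the helper's own doc comment. The body of `winbind_named_pipe_sock()` starts and ends outside both hunks.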