diff options
author | Andreas Schneider <asn@samba.org> | 2014-05-16 09:50:42 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2014-05-16 10:23:26 +0200 |
commit | 1e9750a8324898f7182a0f7101f7cce4932f542b (patch) | |
tree | d1be1ff458907cb9fe572a78802986ddfe7bbf6a /nsswitch | |
parent | accb76b9a88a5fee2e0b7b3ddb92be0010fb1ee2 (diff) | |
download | samba-1e9750a8324898f7182a0f7101f7cce4932f542b.tar.gz samba-1e9750a8324898f7182a0f7101f7cce4932f542b.tar.xz samba-1e9750a8324898f7182a0f7101f7cce4932f542b.zip |
nsswitch: Fix the check for the privileged pipe.
Change-Id: I8f23ecc8444c3b25d5be2a7fdbf51ba7fe4a5ed9
Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'nsswitch')
-rw-r--r-- | nsswitch/wb_common.c | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c index b34ab33048..44bfaf42ce 100644 --- a/nsswitch/wb_common.c +++ b/nsswitch/wb_common.c @@ -171,30 +171,26 @@ static int make_safe_fd(int fd) /** * @internal * - * @brief Check if we have priviliged access. + * @brief Check if we talk to the priviliged pipe which should be owned by root. * - * This checks if we have uid_wrapper running and if yes turns it of so that we - * can check if we have access. + * This checks if we have uid_wrapper running and if this is the case it will + * allow to connect to the winbind privileged pipe even it is not owned by root. * - * @param[in] uid The uid to compare if we have access. + * @param[in] uid The uid to check if we can safely talk to the pipe. * * @return If we have access it returns true, else false. */ -static bool winbind_privileged_access(uid_t uid) +static bool winbind_privileged_pipe_is_root(uid_t uid) { - uid_t euid; - - if (uid_wrapper_enabled()) { - setenv("UID_WRAPPER_MYUID", "1", 1); + if (uid == 0) { + return true; } - euid = geteuid(); - if (uid_wrapper_enabled()) { - unsetenv("UID_WRAPPER_MYUID"); + return true; } - return (uid == euid); + return false; } /* Connect to winbindd socket */ @@ -215,9 +211,12 @@ static int winbind_named_pipe_sock(const char *dir) return -1; } - /* This tells uid_wrapper to return the userid for the geteuid check */ + /* + * This tells us that the pipe is owned by a privileged + * process, as we will be sending passwords to it. + */ if (!S_ISDIR(st.st_mode) || - !winbind_privileged_access(st.st_uid)) { + !winbind_privileged_pipe_is_root(st.st_uid)) { errno = ENOENT; return -1; } @@ -245,9 +244,12 @@ static int winbind_named_pipe_sock(const char *dir) SAFE_FREE(path); /* Check permissions on unix socket file */ - /* This tells uid_wrapper to return the userid for the geteuid check */ + /* + * This tells us that the pipe is owned by a privileged + * process, as we will be sending passwords to it. + */ if (!S_ISSOCK(st.st_mode) || - !winbind_privileged_access(st.st_uid)) { + !winbind_privileged_pipe_is_root(st.st_uid)) { errno = ENOENT; return -1; } |