nscd_selfcred.c revision dd3d4b51b900954355940eb01a31d9b66535adab
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
*/
#include <stdio.h>
#include <stdlib.h>
#include <synch.h>
#include <thread.h>
#include <string.h>
#include <errno.h>
#include <dlfcn.h>
#include <door.h>
#include <libscf.h>
#include <ucred.h>
#include <signal.h>
#include <unistd.h>
#include <dirent.h>
#include <procfs.h>
#include <fcntl.h>
#include <libscf.h>
#include "nscd_door.h"
#include "nscd_config.h"
#include "nscd_log.h"
#include "nscd_frontend.h"
#include "nscd_selfcred.h"
#include "nscd_admin.h"
#include "nscd_common.h"
#include "ns_sldap.h"
extern int _logfd;
static char *execpath;
static char **execargv;
static char *selfcred_dbs = NULL;
/* current self-cred configuration data being used */
#define _NSCD_PUN_BLOCK 1024
static uint8_t pu_nscd_enabled;
static int max_pu_nscd = _NSCD_PUN_BLOCK;
static int pu_nscd_ttl;
static nscd_rc_t setup_ldap_backend();
static nscd_rc_t init_user_proc_monitor();
/*
* clild state
*/
typedef enum {
CHILD_STATE_NONE = 0,
typedef struct _child {
int child_slot;
int child_door;
int next_open;
} child_t;
static int open_head;
static int open_tail;
static int used_slot;
/* nscd door id */
extern int _doorfd;
/* nscd id: main, forker, or child */
extern int _whoami;
/* forker nscd pid */
static pid_t forker_pid = 0;
static pid_t forker_uid = 0;
long activity = 0;
static int forking_door = -1;
static void
free_slot(int s)
{
return;
}
void
{
int i;
(void) mutex_lock(&child_lock);
for (i = 0; i < max_pu_nscd; i++)
free_slot(i);
open_head = -1;
open_tail = -1;
used_slot = -1;
(void) mutex_unlock(&child_lock);
}
static int
init_slot(int s)
{
char *me = "init_slot";
return (-1);
return (-1);
}
return (-1);
}
(me, "slot %d allocated\n", s);
} else
ch->child_slot = s;
ch->child_door = 0;
(me, "slot %d initialized\n", s);
return (0);
}
static int
{
(void) mutex_lock(&child_lock);
return (-1);
open_head = -1;
open_tail = -1;
used_slot = -1;
(void) mutex_unlock(&child_lock);
return (0);
}
static child_t *
int no_alloc)
{
int i;
char *me = "get_cslot";
(void) mutex_lock(&child_lock);
/* first find the slot with a matching uid */
for (i = 0; i <= used_slot; i++) {
(void) mutex_unlock(&child_lock);
(me, "slot %d found with uid %d\n",
return (ret);
}
}
/* if no need to allocate a new slot, return NULL */
if (no_alloc == 1) {
(void) mutex_unlock(&child_lock);
return (ret);
}
/* no open slot ? get a new one */
if (open_head == -1) {
/* if no slot available, allocate more */
(void) mutex_unlock(&child_lock);
return (ret);
}
}
used_slot++;
used_slot--;
(void) mutex_unlock(&child_lock);
return (ret);
}
} else {
/* got last one ? reset tail */
if (open_head == -1)
open_tail = -1;
}
(void) mutex_unlock(&child_lock);
return (ret);
}
static void
{
/* have open slot ? add to and reset tail */
if (open_tail != -1) {
} else {
/* no open slot ? make one */
}
}
static void
{
char *me = "return_cslot";
/* return if the slot has been returned by another thread */
return;
(void) mutex_lock(&child_lock);
/* check one more time */
(void) mutex_unlock(&child_lock);
return;
}
(void) mutex_unlock(&child_lock);
}
static int
int fd)
{
int ret;
char *me = "selfcred_kill";
if (fd != -1)
else
return (ret);
}
void
{
(void) mutex_lock(&forking_lock);
if (forking_door != -1)
(void) selfcred_kill(forking_door);
forking_door = -1;
(void) mutex_unlock(&forking_lock);
}
void
{
int i;
int ret;
char *me = "_nscd_kill_all_children";
(void) mutex_lock(&child_lock);
for (i = 0; i <= used_slot; i++) {
continue;
(me, "killing child process %d (doorfd %d)\n",
if (ret != -1)
}
(void) return_cslot_nolock(child[i]);
}
(void) mutex_unlock(&child_lock);
}
static int
int fd)
{
int ret;
char *me = "selfcred_pulse";
/* Close door because the other side exited. */
return (ret);
}
/*ARGSUSED*/
static void *
void *arg)
{
char *fmri;
char *me = "forker_monitor";
/* wait until forker exits */
fpid = forker_pid;
(void) selfcred_pulse(forking_door);
(me, "forker (pid = %d) exited or crashed, "
"killing all child processes\n", fpid);
(void) mutex_lock(&forking_lock);
forking_door = -1;
forker_pid = -1;
(void) mutex_unlock(&forking_lock);
/* restart forker */
(me, "restarting the forker ...\n");
case (pid_t)-1:
(me, "unable to fork and start the forker ...\n");
/* enter the maintenance mode */
(me, "entering maintenance mode ...\n");
}
return ((void *)1);
break;
case 0:
exit(0);
break;
default:
forker_pid = fpid;
break;
}
return (NULL);
}
static void *
void *arg)
{
char *me = "child_monitor";
/* wait until child exits */
/* return the slot used by the child */
return (NULL);
}
void
void *buf,
int iam)
{
int cslot;
int errnum;
char *me = "_nscd_proc_iamhere";
if (door_ucred(&uc) != 0) {
}
switch (iam) {
case NSCD_MAIN:
/*
* I'm main, or uid from door is not correct,
* this must be an imposter
*/
(me, "MAIN IMPOSTER CAUGHT!\n");
}
break;
case NSCD_FORKER:
/*
* I'm forker, or uid from door is not correct,
* this must be an imposter
*/
(me, "FORKER IMPOSTER CAUGHT!\n");
break;
}
/* only main needs to know the forker */
break;
}
(me, "FORKER IMPOSTER CAUGHT: pid = %d should be %d\n",
break;
}
if (n_desc < 1) {
(me, "BAD FORKER, NO DOOR!\n");
break;
}
(void) mutex_lock(&forking_lock);
if (forking_door != -1)
(void) close(forking_door);
(void) mutex_unlock(&forking_lock);
} else {
break;
}
/* monitor the forker nscd */
THR_DETACHED, NULL);
break;
case NSCD_CHILD:
/* child nscd can only talk to the main nscd */
(me, "CHILD IMPOSTER CAUGHT!\n");
break;
}
/* get the main nscd assigned slot number */
(void) mutex_lock(&child_lock);
else
(void) mutex_unlock(&child_lock);
/* Bad slot number */
break;
}
(me, "CHILD IMPOSTER CAUGHT: uid = %d should be %d\n",
break;
}
break;
}
(me, "d_descriptor = %d, d_id = %lld\n",
(me, "child in slot %d has door %d\n",
/*
* let waiters know that the child is ready to
* serve
*/
/* monitor the child nscd */
break;
} else {
}
break;
}
ucred_free(uc);
}
void
void *buf,
int iam)
{
long last_active;
int done = 0;
char *me = "_nscd_proc_pulse";
/* only main nscd sends pulse */
}
/* forker doesn't return stats, it just pauses */
if (_whoami == NSCD_FORKER) {
(me, "forker ready to pause ...\n");
/*CONSTCOND*/
while (1)
(void) pause();
}
/* remember the current activity sequence number */
(void) mutex_lock(&activity_lock);
(void) mutex_unlock(&activity_lock);
while (!done) {
/* allow per_user_nscd_ttl seconds of inactivity */
(void) sleep(pu_nscd_ttl);
(void) mutex_lock(&activity_lock);
if (last_active == activity)
done = 1;
else {
(me, "active, sleep again for %d seconds\n",
}
(void) mutex_unlock(&activity_lock);
}
/* no activity in the specified seconds, exit and disconnect */
exit(0);
}
void
void *buf,
int iam)
{
int slot;
int ret;
char *fmri;
char *me = "_nscd_proc_fork";
nscd_fork_t *f;
/* only main nscd sends fork requests */
}
/* only forker handles fork requests */
if (_whoami != NSCD_FORKER) {
(me, "MAIN IMPOSTER CAUGHT! I AM NOT FORKER!\n");
}
/* fork a child for the slot assigned by the main nscd */
/* ignore bad slot number */
(me, "bas slot number\n");
}
(me, "before fork1() ...\n");
/*
* remember when this child nscd starts
* (replace the forker start time)
*/
/* close all except the log file */
if (_logfd > 0) {
int i;
for (i = 0; i < _logfd; i++)
(void) close(i);
} else
closefrom(0);
/* set up the door and server thread pool */
exit(-1);
/* tell libsldap to do self cred only */
(void) setup_ldap_backend();
/* notify main that child is active */
(me, "forker unable to fork ...\n");
/* enter the maintenance mode */
(me, "entering maintenance mode ...\n");
}
exit(0);
} else {
/*
* start the monitor so as to exit as early as
* possible if no other processes are running
* with the same PUN uid (i.e., this PUN is
* not needed any more)
*/
(void) init_user_proc_monitor();
(me, "child forked: parent pid = %d, child pid = %d\n",
}
(me, "after fork\n");
}
static void
void *buf,
int doorfd,
int cslot,
{
int ret;
nscd_fork_t f;
char *me = "selfcred_fork";
/* if no door fd, do nothing */
if (doorfd == -1) {
}
(me, "sending fork request to door %d for slot %d "
(me, "fork request sent to door %d for slot %d (rc = %d)\n",
if (NSCD_STATUS_IS_NOT_OK(phdr)) {
(me, "fork request sent to door %d for slot %d failed: "
"status = %d, errno = %s, nscd status = %d\n", doorfd,
}
}
void
void *buf,
int *door)
{
int errnum;
char *me = "_nscd_proc_alt_get";
(me, "getting an alternate door ...\n");
/* make sure there is a door to talk to the forker */
if (forking_door == -1) {
(me, "no door to talk to the forker\n");
}
/* get door client's credential information */
if (door_ucred(&uc) != 0) {
}
/* get door client's effective uid and effective gid */
ucred_free(uc);
/* is a slot available ? if not, no one to serve */
(me, "no child slot available (child array = %p, slot = %d)\n",
}
/* create the per user nscd if necessary */
/* ask forker to fork a new child */
if (NSCD_STATUS_IS_NOT_OK(&phdr1)) {
return;
}
}
(me, "waiting for door (slot = %d, uid = %d, gid = %d)\n",
/* wait for the per user nscd to become available */
int err;
int ttl = 5;
(me, "door wait timedout (slot = %d)\n",
ch->child_slot);
break;
}
}
}
}
(me, "returning door %d for slot %d, uid %d, gid = %d\n",
}
static char **
int argc,
char **inargv)
{
char **newargv;
int c = 4;
int i = 0, j, k = 0, n = 0;
return (NULL);
return (NULL);
}
return (NULL);
}
for (i = 1; i < argc; i++) {
k = 2;
if (k == 0)
continue;
for (j = 0; j < n; j++)
return (NULL);
}
k--;
n++;
}
return (newargv);
}
void
char *path,
int argc,
char **argv)
{
/* if self cred is not configured, do nothing */
return;
/* save pathname and generate the new argv for the forker */
exit(1);
case (pid_t)-1:
exit(1);
break;
case 0:
/* start the forker nscd */
exit(0);
break;
default:
/* main nscd */
/* remember process id of the forker */
forker_pid = cid;
/* enable child nscd management */
(void) _nscd_init_cslots();
break;
}
}
static nscd_rc_t
char *name,
void **func_p)
{
char *me = "get_ldap_funcs";
void *sym;
return (NSCD_SUCCESS);
}
/* no handle to close, it's OK */
return (NSCD_SUCCESS);
(me, "unable to dlopen libsldap.so.1");
return (NSCD_CFG_DLOPEN_ERROR);
}
}
return (NSCD_CFG_DLSYM_ERROR);
} else
return (NSCD_SUCCESS);
}
int
{
static int checked = 0;
static int is_on = 0;
static int (*ldap_func)();
int ldap_on = 0;
char *ldap_sc_func = "__ns_ldap_self_gssapi_config";
*dblist = selfcred_dbs;
return (is_on);
}
if (selfcred_dbs != NULL)
if (selfcred_dbs == NULL) {
is_on = 0;
checked = 1;
return (0);
}
/*
* also check the ldap backend to see if
* the configuration there is good for
* doing self credentialing
*/
ldap_on = 1;
}
checked = 1;
*dblist = selfcred_dbs;
return (is_on);
}
static nscd_rc_t
{
static void (*ldap_func)();
char *ldap_sc_func = "__ns_ldap_self_gssapi_only_set";
ldap_func(1);
return (NSCD_SUCCESS);
}
return (rc);
}
/*ARGSUSED*/
void
void *buf,
int buf_size)
{
int errnum = 0;
int ret;
char *me = "_nscd_peruser_getadmin";
/* get door client's credential information */
if (door_ucred(&uc) != 0) {
}
/* get door client's effective uid */
ucred_free(uc);
/* is the per-user nscd running ? if not, no one to serve */
}
sizeof (nscd_admin_t), phdr);
if (ret == NSS_SUCCESS) {
return;
}
}
static void
char param,
void *data)
{
char *me = "set_selfcred_cfg";
if (param == 'e') {
}
if (param == 't') {
}
}
/* ARGSUSED */
void *data,
struct nscd_cfg_param_desc *pdesc,
void *cookie)
{
int off;
/*
* At init time, the whole group of config params are received.
* At update time, group or individual parameter value could
* be received.
*/
return (NSCD_SUCCESS);
}
/*
* individual config parameter
*/
return (NSCD_SUCCESS);
}
return (NSCD_SUCCESS);
}
return (NSCD_SUCCESS);
}
/* ARGSUSED */
void *data,
struct nscd_cfg_param_desc *pdesc,
void **cookie)
{
return (NSCD_SUCCESS);
}
/* ARGSUSED */
void **stat,
struct nscd_cfg_stat_desc *sdesc,
{
return (NSCD_SUCCESS);
}
static int
{
int pfd; /* file descriptor for /proc/<pid>/psinfo */
if (uid == 0) {
}
/* Process may have exited */
return (1);
}
/*
* Get the info structure for the process and close quickly.
*/
goto retry;
return (1);
}
return (0);
else
return (1);
}
/*
* FUNCTION: check_user_process
*/
/*ARGSUSED*/
static void *
check_user_process(void *arg)
{
int found;
char *me = "check_user_process";
/*CONSTCOND*/
while (1) {
(void) sleep(60);
found = 0;
/*
* search the /proc directory and look at each process
*/
(me, "unable to open the /proc directory\n");
continue;
}
/* for each active process */
continue;
found = 1;
break;
}
}
/*
* if no process running as the PUN uid found, exit
* to kill this PUN
*/
if (found == 0) {
exit(1);
}
}
/* NOTREACHED */
/*LINTED E_FUNC_HAS_NO_RETURN_STMT*/
}
static nscd_rc_t
int errnum;
char *me = "init_user_proc_monitor";
(me, "initializing the user process monitor\n");
/*
* start a thread to make sure there is at least a process
* running as the PUN user. If not, terminate this PUN.
*/
return (NSCD_THREAD_CREATE_ERROR);
}
return (NSCD_SUCCESS);
}
static void *
{
void *val;
char *me = "get_smf_prop";
if (prop) {
switch (type) {
case 'b':
break;
case 'i':
break;
}
}
char vs[64];
switch (type) {
case 'b':
else
break;
case 'i':
break;
}
(me, "no value for config/%s (%s). "
"Using default \"%s\"\n", var,
}
return (def_val);
}