a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce/*
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce SSSD
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce Secrets Responder
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce Copyright (C) Simo Sorce <ssorce@redhat.com> 2016
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce This program is free software; you can redistribute it and/or modify
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce it under the terms of the GNU General Public License as published by
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce the Free Software Foundation; either version 3 of the License, or
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce (at your option) any later version.
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce This program is distributed in the hope that it will be useful,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce but WITHOUT ANY WARRANTY; without even the implied warranty of
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce GNU General Public License for more details.
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce You should have received a copy of the GNU General Public License
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce along with this program. If not, see <http://www.gnu.org/licenses/>.
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce*/
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce#include "util/util.h"
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce#include <sys/socket.h>
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce#include <sys/un.h>
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce#include <popt.h>
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce#include "responder/common/responder.h"
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce#include "responder/secrets/secsrv.h"
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce#include "resolv/async_resolv.h"
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce#define DEFAULT_SEC_FD_LIMIT 2048
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio#define DEFAULT_SEC_CONTAINERS_NEST_LEVEL 4
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek#define DEFAULT_SEC_MAX_SECRETS 1024
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek#define DEFAULT_SEC_MAX_UID_SECRETS 256
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio#define DEFAULT_SEC_MAX_PAYLOAD_SIZE 16
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek/* The number of secrets in the /kcm hive should be quite small,
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek * but the secret size must be large because one secret in the /kcm
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek * hive holds the whole ccache which consists of several credentials
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek */
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek#define DEFAULT_SEC_KCM_MAX_SECRETS 256
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek#define DEFAULT_SEC_KCM_MAX_UID_SECRETS 64
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek#define DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE 65536
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozekstatic int sec_get_quota(struct sec_ctx *sctx,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek const char *section_config_path,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek int default_max_containers_nest_level,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek int default_max_num_secrets,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek int default_max_num_uid_secrets,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek int default_max_payload,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek struct sec_quota *quota)
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce{
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce int ret;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce ret = confdb_get_int(sctx->rctx->cdb,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek section_config_path,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek CONFDB_SEC_CONTAINERS_NEST_LEVEL,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek default_max_containers_nest_level,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek &quota->containers_nest_level);
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce if (ret != EOK) {
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce DEBUG(SSSDBG_FATAL_FAILURE,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek "Failed to get container nesting level for %s\n",
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek section_config_path);
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek return ret;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce }
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio ret = confdb_get_int(sctx->rctx->cdb,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek section_config_path,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek CONFDB_SEC_MAX_SECRETS,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek default_max_num_secrets,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek &quota->max_secrets);
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio if (ret != EOK) {
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio DEBUG(SSSDBG_FATAL_FAILURE,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek "Failed to get maximum number of entries for %s\n",
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek section_config_path);
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek return ret;
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio }
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek ret = confdb_get_int(sctx->rctx->cdb,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek section_config_path,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek CONFDB_SEC_MAX_UID_SECRETS,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek default_max_num_uid_secrets,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek &quota->max_uid_secrets);
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek if (ret != EOK) {
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek DEBUG(SSSDBG_FATAL_FAILURE,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek "Failed to get maximum number of per-UID entries for %s\n",
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek section_config_path);
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek return ret;
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek }
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio ret = confdb_get_int(sctx->rctx->cdb,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek section_config_path,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek CONFDB_SEC_MAX_PAYLOAD_SIZE,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek default_max_payload,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek &quota->max_payload_size);
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio if (ret != EOK) {
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio DEBUG(SSSDBG_FATAL_FAILURE,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek "Failed to get payload's maximum size for an entry in %s\n",
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek section_config_path);
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek return ret;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek }
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek return EOK;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek}
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozekstatic int sec_get_hive_config(struct sec_ctx *sctx,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek const char *hive_name,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek struct sec_hive_config *hive_config,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek int default_max_containers_nest_level,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek int default_max_num_secrets,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek int default_max_num_uid_secrets,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek int default_max_payload)
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek{
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek int ret;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek TALLOC_CTX *tmp_ctx;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek tmp_ctx = talloc_new(sctx);
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek if (tmp_ctx == NULL) {
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek return ENOMEM;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek }
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek hive_config->confdb_section = talloc_asprintf(sctx,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek "config/secrets/%s",
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek hive_name);
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek if (hive_config->confdb_section == NULL) {
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek ret = ENOMEM;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek goto done;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek }
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek ret = sec_get_quota(sctx,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek hive_config->confdb_section,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek default_max_containers_nest_level,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek default_max_num_secrets,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek default_max_num_uid_secrets,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek default_max_payload,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek &hive_config->quota);
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek if (ret != EOK) {
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek "Cannot read quota settings for %s [%d]: %s\n",
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek hive_name, ret, sss_strerror(ret));
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek goto done;
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio }
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek if (hive_config->quota.max_payload_size == 0
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek || (sctx->max_payload_size != 0
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek && hive_config->quota.max_payload_size > sctx->max_payload_size)) {
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek /* If the quota is unlimited or it's larger than what
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek * we already have, save the total limit so we know how much to
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek * accept from clients
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek */
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek sctx->max_payload_size = hive_config->quota.max_payload_size;
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek }
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek ret = EOK;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozekdone:
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek talloc_free(tmp_ctx);
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek return ret;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek}
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozekstatic int sec_get_config(struct sec_ctx *sctx)
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek{
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek int ret;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio ret = confdb_get_int(sctx->rctx->cdb,
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio sctx->rctx->confdb_service_path,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek CONFDB_SERVICE_FD_LIMIT,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek DEFAULT_SEC_FD_LIMIT,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek &sctx->fd_limit);
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek if (ret != EOK) {
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek DEBUG(SSSDBG_FATAL_FAILURE,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek "Failed to get file descriptors limit\n");
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek goto fail;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek }
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek /* Set the global max_payload to ridiculously small value so that either 0 (unlimited)
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek * or any sensible value overwrite it
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek */
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek sctx->max_payload_size = 1;
109ed7ca1a82420798efdc6a9b019675a5bd0f4fJakub Hrozek
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek /* Read the global quota first -- this should be removed in a future release */
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek /* Note that this sets the defaults for the sec_config quota to be used
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek * in sec_get_hive_config()
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek */
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek ret = sec_get_quota(sctx,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek sctx->rctx->confdb_service_path,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek DEFAULT_SEC_MAX_SECRETS,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek DEFAULT_SEC_MAX_UID_SECRETS,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek DEFAULT_SEC_MAX_PAYLOAD_SIZE,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek &sctx->sec_config.quota);
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek if (ret != EOK) {
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek DEBUG(SSSDBG_FATAL_FAILURE,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek "Failed to get legacy global quotas\n");
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek goto fail;
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek }
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek /* Read the per-hive configuration */
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek ret = sec_get_hive_config(sctx,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek "secrets",
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek &sctx->sec_config,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek sctx->sec_config.quota.containers_nest_level,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek sctx->sec_config.quota.max_secrets,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek sctx->sec_config.quota.max_uid_secrets,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek sctx->sec_config.quota.max_payload_size);
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio if (ret != EOK) {
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio DEBUG(SSSDBG_FATAL_FAILURE,
4db56d8c90a6467a216590e5ba3bdcd2a2bf1ae9Jakub Hrozek "Failed to get configuration of the secrets hive\n");
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio goto fail;
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek }
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek ret = sec_get_hive_config(sctx,
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek "kcm",
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek &sctx->kcm_config,
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek DEFAULT_SEC_KCM_MAX_SECRETS,
6b3bab516355fdf4cc81e6da9d87ec3818ab190fJakub Hrozek DEFAULT_SEC_KCM_MAX_UID_SECRETS,
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE);
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek if (ret != EOK) {
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek DEBUG(SSSDBG_FATAL_FAILURE,
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek "Failed to get configuration of the secrets hive\n");
197da163943868216f704fb34031e7d5576e8aeeJakub Hrozek goto fail;
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio }
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce ret = confdb_get_int(sctx->rctx->cdb, sctx->rctx->confdb_service_path,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce CONFDB_RESPONDER_CLI_IDLE_TIMEOUT,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce &sctx->rctx->client_idle_timeout);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce if (ret != EOK) {
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce DEBUG(SSSDBG_OP_FAILURE,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce "Cannot get the client idle timeout [%d]: %s\n",
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce ret, strerror(ret));
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce goto fail;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce }
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce /* Ensure that the client timeout is at least ten seconds */
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce if (sctx->rctx->client_idle_timeout < 10) {
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce sctx->rctx->client_idle_timeout = 10;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce }
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
4358d76475f0292461a2a479d2149472db103c1dFabiano Fidêncio ret = responder_setup_idle_timeout_config(sctx->rctx);
4358d76475f0292461a2a479d2149472db103c1dFabiano Fidêncio if (ret != EOK) {
4358d76475f0292461a2a479d2149472db103c1dFabiano Fidêncio goto fail;
4358d76475f0292461a2a479d2149472db103c1dFabiano Fidêncio }
4358d76475f0292461a2a479d2149472db103c1dFabiano Fidêncio
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce ret = EOK;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorcefail:
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce return ret;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce}
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorcestatic int sec_responder_ctx_destructor(void *ptr)
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce{
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce struct resp_ctx *rctx = talloc_get_type(ptr, struct resp_ctx);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce /* mark that we are shutting down the responder, so it is propagated
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce * into underlying contexts that are freed right before rctx */
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce DEBUG(SSSDBG_TRACE_FUNC, "Responder is being shut down\n");
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce rctx->shutting_down = true;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce return 0;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce}
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorcestatic int sec_process_init(TALLOC_CTX *mem_ctx,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce struct tevent_context *ev,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce struct confdb_ctx *cdb)
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce{
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce struct resp_ctx *rctx;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce struct sec_ctx *sctx;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce int ret;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce rctx = talloc_zero(mem_ctx, struct resp_ctx);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce if (!rctx) {
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing resp_ctx\n");
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce return ENOMEM;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce }
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce rctx->ev = ev;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce rctx->cdb = cdb;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce rctx->sock_name = SSS_SEC_SOCKET_NAME;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce rctx->confdb_service_path = CONFDB_SEC_CONF_ENTRY;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce rctx->shutting_down = false;
b1829f05cf9bdc3d89c1058481281198ebc968d0Fabiano Fidêncio rctx->lfd = -1;
b1829f05cf9bdc3d89c1058481281198ebc968d0Fabiano Fidêncio rctx->priv_lfd = -1;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce talloc_set_destructor((TALLOC_CTX*)rctx, sec_responder_ctx_destructor);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce sctx = talloc_zero(rctx, struct sec_ctx);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce if (!sctx) {
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing sec_ctx\n");
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce ret = ENOMEM;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce goto fail;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce }
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce sctx->rctx = rctx;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce sctx->rctx->pvt_ctx = sctx;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce ret = sec_get_config(sctx);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce if (ret != EOK) {
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce DEBUG(SSSDBG_FATAL_FAILURE, "fatal error getting secrets config\n");
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce goto fail;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce }
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce /* Set up file descriptor limits */
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce responder_set_fd_limit(sctx->fd_limit);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce ret = activate_unix_sockets(rctx, sec_connection_setup);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce if (ret != EOK) goto fail;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce DEBUG(SSSDBG_TRACE_FUNC, "Secrets Initialization complete\n");
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce return EOK;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorcefail:
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce talloc_free(rctx);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce return ret;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce}
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorceint main(int argc, const char *argv[])
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce{
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce int opt;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce poptContext pc;
cb75b275d15beedd1fdecc1f8ced657fba282218Lukas Slebodnik char *opt_logger = NULL;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce struct main_context *main_ctx;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce int ret;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce uid_t uid;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce gid_t gid;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce struct poptOption long_options[] = {
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce POPT_AUTOHELP
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce SSSD_MAIN_OPTS
cb75b275d15beedd1fdecc1f8ced657fba282218Lukas Slebodnik SSSD_LOGGER_OPTS
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce SSSD_SERVER_OPTS(uid, gid)
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce POPT_TABLEEND
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce };
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
677a31351c80453d9ce006481364399a96312052René Genz /* Set debug level to invalid value so we can decide if -d 0 was used. */
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce debug_level = SSSDBG_INVALID;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce umask(DFL_RSP_UMASK);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce pc = poptGetContext(argv[0], argc, argv, long_options, 0);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce while((opt = poptGetNextOpt(pc)) != -1) {
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce switch(opt) {
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce default:
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce fprintf(stderr, "\nInvalid option %s: %s\n\n",
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce poptBadOption(pc, 0), poptStrerror(opt));
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce poptPrintUsage(pc, stderr, 0);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce return 1;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce }
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce }
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce poptFreeContext(pc);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce DEBUG_INIT(debug_level);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
677a31351c80453d9ce006481364399a96312052René Genz /* set up things like debug, signals, daemonization, etc. */
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce debug_log_file = "sssd_secrets";
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
cb75b275d15beedd1fdecc1f8ced657fba282218Lukas Slebodnik sss_set_logger(opt_logger);
cb75b275d15beedd1fdecc1f8ced657fba282218Lukas Slebodnik
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce ret = server_setup("sssd[secrets]", 0, uid, gid, CONFDB_SEC_CONF_ENTRY,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce &main_ctx);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce if (ret != EOK) return 2;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce ret = die_if_parent_died();
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce if (ret != EOK) {
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce /* This is not fatal, don't return */
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce DEBUG(SSSDBG_OP_FAILURE,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce "Could not set up to exit when parent process does\n");
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce }
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce ret = sec_process_init(main_ctx,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce main_ctx->event_ctx,
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce main_ctx->confdb_ctx);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce if (ret != EOK) return 3;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce /* loop on main */
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce server_loop(main_ctx);
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce return 0;
a8d1a344e580f29699aed9b88d87fc3c6f5d113bSimo Sorce}