ad_gpo_child.c revision 19d3aba12c70528708be9440aca66038a291f29e
/*
SSSD
AD GPO Backend Module -- perform SMB and CSE processing in a child process
Authors:
Yassir Elley <yelley@redhat.com>
Copyright (C) 2013 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <unistd.h>
#include <popt.h>
#include <libsmbclient.h>
#include <ini_configobj.h>
#include <security/pam_modules.h>
#include "util/child_common.h"
#include "providers/dp_backend.h"
#include "sss_cli.h"
#define RIGHTS_SECTION "Privilege Rights"
#define ALLOW_LOGON_LOCALLY "SeInteractiveLogonRight"
#define DENY_LOGON_LOCALLY "SeDenyInteractiveLogonRight"
#define SMB_BUFFER_SIZE 65536
struct input_buffer {
const char *smb_uri;
};
static errno_t
struct input_buffer *ibuf)
{
size_t p = 0;
/* smb_uri size and length */
if (len == 0) {
return EINVAL;
} else {
p += len;
}
return EOK;
}
static errno_t
pack_buffer(struct response *r,
int result,
int allowed_size,
char **allowed_sids,
int denied_size,
char **denied_sids)
{
int len = 0;
size_t p = 0;
int i;
int sid_len = 0;
/* A buffer with the following structure must be created:
* uint32_t status of the request (required)
* uint32_t allowed_size (required)
* sid_message* (allowed_size instances)
* uint32_t denied_size (required)
* sid_message* (denied_size instances)
*
* A sid_message consists of:
* uint32_t sid_len
* uint8_t[sid_len] sid string
*/
for (i = 0; i < allowed_size; i++) {
}
for (i = 0; i < denied_size; i++) {
}
return ENOMEM;
}
"result [%d] allowed_size [%d] denied_size [%d]\n",
/* result */
/* allowed_size */
/* allowed_sids */
for (i = 0; i < allowed_size; i++) {
}
/* denied_size */
/* denied_sids */
for (i = 0; i < denied_size; i++) {
}
return EOK;
}
static errno_t
int result,
int allowed_size,
char **allowed_sids,
int denied_size,
char **denied_sids,
{
int ret;
if (r == NULL) {
return ENOMEM;
}
r->size = 0;
return ret;
}
*rsp = r;
return EOK;
}
/*
* This function uses the input ini_config object to parse the logon right value
* associated with the input name. This value is a list of sids, and is used
* to populate the output parameters. The input name can be either
* ALLOW_LOGON_LOCALLY or DENY_LOGON_LOCALLY.
*/
static errno_t
struct ini_cfgobj *ini_config,
const char *name,
int *_size,
char ***_sids)
{
int ret = 0;
int num_ini_sids = 0;
int i;
goto done;
}
if (ret != 0) {
goto done;
}
goto done;
}
if (ret != 0) {
goto done;
}
goto done;
}
for (i = 0; i < num_ini_sids; i++) {
/* remove the asterisk prefix found on sids in the .inf policy file */
if (ini_sid[0] == '*') {
ini_sid++;
}
goto done;
}
}
*_size = num_ini_sids;
done:
return ret;
}
/*
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) input data_buf,
* and uses the results to populate the output parameters with the list of
* allowed_sids and denied_sids
*/
static errno_t
int data_len,
char ***allowed_sids,
int *allowed_size,
char ***denied_sids,
int *denied_size)
{
int ret;
char **allow_sids = NULL;
int allow_size = 0;
int deny_size = 0;
goto done;
}
if (ret != 0) {
goto done;
}
if (ret != 0) {
goto done;
}
if (ret != 0) {
goto done;
}
key,
&allow_sids);
if (ret != 0) {
"parse_logon_right_with_libini failed for %s [%d][%s]\n",
goto done;
}
&deny_sids);
if (ret != 0) {
"parse_logon_right_with_libini failed for %s [%d][%s]\n",
goto done;
}
*denied_size = deny_size;
done:
}
return ret;
}
static void
sssd_krb_get_auth_data_fn(const char * pServer,
const char * pShare,
char * pWorkgroup,
int maxLenWorkgroup,
char * pUsername,
int maxLenUsername,
char * pPassword,
int maxLenPassword)
{
/* since we are using kerberos for authentication, we simply return */
return;
}
/*
* This cse-specific function (GP_EXT_GUID_SECURITY) opens an SMB connection,
* retrieves the data referenced by the input smb_uri, and then closes the SMB
* connection. The data is then parsed and the results are used to populate the
* output parameters with the list of allowed_sids and denied_sids
*/
static errno_t
const char *smb_uri,
char ***_allowed_sids,
int *_allowed_size,
char ***_denied_sids,
int *_denied_size)
{
int ret = 0;
int bytesread = 0;
char **allowed_sids;
char **denied_sids;
int allowed_size = 0;
int denied_size = 0;
return ENOMEM;
}
context = smbc_new_context();
goto done;
}
/* Initialize the context using the previously specified options */
goto done;
}
/* Tell the compatibility layer to use this context */
if (remotehandle < 0) {
goto done;
}
if(bytesread < 0) {
goto done;
}
buf,
&denied_size);
"ad_gpo_parse_security_cse_buffer failed [%d][%s]\n",
goto done;
}
/* TBD: allowed/denied_sids/size should be stored in cache */
done:
smbc_free_context(context, 0);
return ret;
}
int
{
int opt;
int debug_fd = -1;
int result;
char **allowed_sids;
int allowed_size;
char **denied_sids;
int denied_size;
int j;
struct poptOption long_options[] = {
_("Debug level"), NULL},
_("Add debug timestamps"), NULL},
_("Show timestamps with microseconds"), NULL},
_("An open file descriptor for the debug logs"), NULL},
};
/* Set debug level to invalid value so we can decide if -d 0 was used. */
switch(opt) {
default:
_exit(-1);
}
}
if (debug_prg_name == NULL) {
goto fail;
}
if (debug_fd != -1) {
}
}
goto fail;
}
goto fail;
}
goto fail;
}
errno = 0;
if (len == -1) {
goto fail;
}
goto fail;
}
&denied_size);
"process_security_settings_cse failed.[%d][%s].\n",
goto fail;
}
for (j= 0; j < allowed_size; j++) {
allowed_sids[j]);
}
for (j= 0; j < denied_size; j++) {
denied_sids[j]);
}
ret = prepare_response(main_ctx, result, allowed_size, allowed_sids, denied_size, denied_sids, &resp);
goto fail;
}
errno = 0;
if (written == -1) {
goto fail;
}
goto fail;
}
return EXIT_SUCCESS;
fail:
return EXIT_FAILURE;
}