PageRenderTime 26ms CodeModel.GetById 18ms RepoModel.GetById 0ms app.codeStats 0ms

/src/responder/nss/nsssrv.c

https://github.com/pavka/sssd
C | 426 lines | 326 code | 65 blank | 35 comment | 74 complexity | 116c5668d8135ea3faf18ceca7f10eae MD5 | raw file
    

  1. /*
    2. 

  2.    SSSD
    3. 

    4. 

  4.    NSS Responder
    5. 

    6. 

  6.    Copyright (C) Simo Sorce <ssorce@redhat.com>	2008
    7. 

    8. 

  8.    This program is free software; you can redistribute it and/or modify
    9. 

  9.    it under the terms of the GNU General Public License as published by
    10. 

  10.    the Free Software Foundation; either version 3 of the License, or
    11. 

  11.    (at your option) any later version.
    12. 

    13. 

  13.    This program is distributed in the hope that it will be useful,
    14. 

  14.    but WITHOUT ANY WARRANTY; without even the implied warranty of
    15. 

  15.    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    16. 

  16.    GNU General Public License for more details.
    17. 

    18. 

  18.    You should have received a copy of the GNU General Public License
    19. 

  19.    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    20. 

  20. */
    21. 

  21. 

  22. #include <stdio.h>
    23. 

  23. #include <unistd.h>
    24. 

  24. #include <fcntl.h>
    25. 

  25. #include <sys/types.h>
    26. 

  26. #include <sys/stat.h>
    27. 

  27. #include <sys/socket.h>
    28. 

  28. #include <sys/un.h>
    29. 

  29. #include <string.h>
    30. 

  30. #include <sys/time.h>
    31. 

  31. #include <errno.h>
    32. 

  32. 

  33. #include "popt.h"
    34. 

  34. #include "util/util.h"
    35. 

  35. #include "responder/nss/nsssrv.h"
    36. 

  36. #include "responder/nss/nsssrv_mmap_cache.h"
    37. 

  37. #include "responder/common/negcache.h"
    38. 

  38. #include "db/sysdb.h"
    39. 

  39. #include "confdb/confdb.h"
    40. 

  40. #include "dbus/dbus.h"
    41. 

  41. #include "sbus/sssd_dbus.h"
    42. 

  42. #include "responder/common/responder_packet.h"
    43. 

  43. #include "responder/common/responder.h"
    44. 

  44. #include "providers/data_provider.h"
    45. 

  45. #include "monitor/monitor_interfaces.h"
    46. 

  46. #include "sbus/sbus_client.h"
    47. 

  47. 

  48. #define DEFAULT_PWFIELD "*"
    49. 

  49. #define DEFAULT_NSS_FD_LIMIT 8192
    50. 

  50. 

  51. #define SHELL_REALLOC_INCREMENT 5
    52. 

  52. #define SHELL_REALLOC_MAX       50
    53. 

  53. 

  54. struct sbus_method monitor_nss_methods[] = {
    55. 

  55.     { MON_CLI_METHOD_PING, monitor_common_pong },
    56. 

  56.     { MON_CLI_METHOD_RES_INIT, monitor_common_res_init },
    57. 

  57.     { MON_CLI_METHOD_ROTATE, responder_logrotate },
    58. 

  58.     { NULL, NULL }
    59. 

  59. };
    60. 

  60. 

  61. struct sbus_interface monitor_nss_interface = {
    62. 

  62.     MONITOR_INTERFACE,
    63. 

  63.     MONITOR_PATH,
    64. 

  64.     SBUS_DEFAULT_VTABLE,
    65. 

  65.     monitor_nss_methods,
    66. 

  66.     NULL
    67. 

  67. };
    68. 

  68. 

  69. static errno_t nss_get_etc_shells(TALLOC_CTX *mem_ctx, char ***_shells)
    70. 

  70. {
    71. 

  71.     int i = 0;
    72. 

  72.     char *sh;
    73. 

  73.     char **shells = NULL;
    74. 

  74.     TALLOC_CTX *tmp_ctx;
    75. 

  75.     errno_t ret;
    76. 

  76.     int size;
    77. 

  77. 

  78.     tmp_ctx = talloc_new(NULL);
    79. 

  79.     if (!tmp_ctx) return ENOMEM;
    80. 

  80. 

  81.     shells = talloc_array(tmp_ctx, char *, SHELL_REALLOC_INCREMENT);
    82. 

  82.     if (!shells) {
    83. 

  83.         ret = ENOMEM;
    84. 

  84.         goto done;
    85. 

  85.     }
    86. 

  86.     size = SHELL_REALLOC_INCREMENT;
    87. 

  87. 

  88.     setusershell();
    89. 

  89.     while ((sh = getusershell())) {
    90. 

  90.         shells[i] = talloc_strdup(shells, sh);
    91. 

  91.         if (!shells[i]) {
    92. 

  92.             endusershell();
    93. 

  93.             ret = ENOMEM;
    94. 

  94.             goto done;
    95. 

  95.         }
    96. 

  96.         DEBUG(6, ("Found shell %s in /etc/shells\n", shells[i]));
    97. 

  97.         i++;
    98. 

  98. 

  99.         if (i == size) {
    100. 

  100.             size += SHELL_REALLOC_INCREMENT;
    101. 

  101.             if (size > SHELL_REALLOC_MAX) {
    102. 

  102.                 DEBUG(0, ("Reached maximum number of shells [%d]. "
    103. 

  103.                           "Users may be denied access. "
    104. 

  104.                           "Please check /etc/shells for sanity\n",
    105. 

  105.                           SHELL_REALLOC_MAX));
    106. 

  106.                 break;
    107. 

  107.             }
    108. 

  108.             shells = talloc_realloc(NULL, shells, char *,
    109. 

  109.                                     size);
    110. 

  110.             if (!shells) {
    111. 

  111.                 ret = ENOMEM;
    112. 

  112.                 goto done;
    113. 

  113.             }
    114. 

  114.         }
    115. 

  115.     }
    116. 

  116.     endusershell();
    117. 

  117. 

  118.     if (i + 1 < size) {
    119. 

  119.         shells = talloc_realloc(NULL, shells, char *, i + 1);
    120. 

  120.         if (!shells) {
    121. 

  121.             ret = ENOMEM;
    122. 

  122.             goto done;
    123. 

  123.         }
    124. 

  124.     }
    125. 

  125.     shells[i] = NULL;
    126. 

  126. 

  127.     *_shells = talloc_move(mem_ctx, &shells);
    128. 

  128.     ret = EOK;
    129. 

  129. done:
    130. 

  130.     talloc_zfree(tmp_ctx);
    131. 

  131.     return ret;
    132. 

  132. }
    133. 

  133. 

  134. static int nss_get_config(struct nss_ctx *nctx,
    135. 

  135.                           struct confdb_ctx *cdb)
    136. 

  136. {
    137. 

  137.     int ret;
    138. 

  138. 

  139.     ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY,
    140. 

  140.                          CONFDB_NSS_ENUM_CACHE_TIMEOUT, 120,
    141. 

  141.                          &nctx->enum_cache_timeout);
    142. 

  142.     if (ret != EOK) goto done;
    143. 

  143. 

  144.     ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY,
    145. 

  145.                          CONFDB_NSS_ENTRY_NEG_TIMEOUT, 15,
    146. 

  146.                          &nctx->neg_timeout);
    147. 

  147.     if (ret != EOK) goto done;
    148. 

  148. 

  149.     ret = confdb_get_bool(cdb, CONFDB_NSS_CONF_ENTRY,
    150. 

  150.                          CONFDB_NSS_FILTER_USERS_IN_GROUPS, true,
    151. 

  151.                          &nctx->filter_users_in_groups);
    152. 

  152.     if (ret != EOK) goto done;
    153. 

  153. 

  154.     ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY,
    155. 

  155.                          CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE, 50,
    156. 

  156.                          &nctx->cache_refresh_percent);
    157. 

  157.     if (ret != EOK) goto done;
    158. 

  158.     if (nctx->cache_refresh_percent < 0 ||
    159. 

  159.         nctx->cache_refresh_percent > 99) {
    160. 

  160.         DEBUG(0,("Configuration error: entry_cache_nowait_percentage is "
    161. 

  161.                  "invalid. Disabling feature.\n"));
    162. 

  162.         nctx->cache_refresh_percent = 0;
    163. 

  163.     }
    164. 

  164. 

  165.     ret = sss_ncache_prepopulate(nctx->ncache, cdb, nctx->rctx);
    166. 

  166.     if (ret != EOK) {
    167. 

  167.         goto done;
    168. 

  168.     }
    169. 

  169. 

  170.     ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
    171. 

  171.                             CONFDB_NSS_PWFIELD, DEFAULT_PWFIELD,
    172. 

  172.                             &nctx->pwfield);
    173. 

  173.     if (ret != EOK) goto done;
    174. 

  174. 

  175.     ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
    176. 

  176.                             CONFDB_NSS_OVERRIDE_HOMEDIR, NULL,
    177. 

  177.                             &nctx->override_homedir);
    178. 

  178.     if (ret != EOK) goto done;
    179. 

  179. 

  180.     ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
    181. 

  181.                             CONFDB_NSS_FALLBACK_HOMEDIR, NULL,
    182. 

  182.                             &nctx->fallback_homedir);
    183. 

  183.     if (ret != EOK) goto done;
    184. 

  184. 

  185.     ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
    186. 

  186.                             CONFDB_NSS_OVERRIDE_SHELL, NULL,
    187. 

  187.                             &nctx->override_shell);
    188. 

  188.     if (ret != EOK && ret != ENOENT) goto done;
    189. 

  189. 

  190.     ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
    191. 

  191.                                     CONFDB_NSS_ALLOWED_SHELL,
    192. 

  192.                                     &nctx->allowed_shells);
    193. 

  193.     if (ret != EOK && ret != ENOENT) goto done;
    194. 

  194. 

  195.     ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
    196. 

  196.                                     CONFDB_NSS_VETOED_SHELL,
    197. 

  197.                                     &nctx->vetoed_shells);
    198. 

  198.     if (ret != EOK && ret != ENOENT) goto done;
    199. 

  199. 

  200.     ret = nss_get_etc_shells(nctx, &nctx->etc_shells);
    201. 

  201.     if (ret != EOK) goto done;
    202. 

  202. 

  203.     ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
    204. 

  204.                             CONFDB_NSS_SHELL_FALLBACK,
    205. 

  205.                             CONFDB_DEFAULT_SHELL_FALLBACK,
    206. 

  206.                             &nctx->shell_fallback);
    207. 

  207.     if (ret != EOK) goto done;
    208. 

  208. 

  209.     ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
    210. 

  210.                             CONFDB_NSS_DEFAULT_SHELL,
    211. 

  211.                             NULL,
    212. 

  212.                             &nctx->default_shell);
    213. 

  213.     if (ret != EOK) goto done;
    214. 

  214. 

  215.     ret = 0;
    216. 

  216. done:
    217. 

  217.     return ret;
    218. 

  218. }
    219. 

  219. 

  220. static struct sbus_method nss_dp_methods[] = {
    221. 

  221.     { NULL, NULL }
    222. 

  222. };
    223. 

  223. 

  224. struct sbus_interface nss_dp_interface = {
    225. 

  225.     DP_INTERFACE,
    226. 

  226.     DP_PATH,
    227. 

  227.     SBUS_DEFAULT_VTABLE,
    228. 

  228.     nss_dp_methods,
    229. 

  229.     NULL
    230. 

  230. };
    231. 

  231. 

  232. 

  233. static void nss_dp_reconnect_init(struct sbus_connection *conn,
    234. 

  234.                                   int status, void *pvt)
    235. 

  235. {
    236. 

  236.     struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn);
    237. 

  237.     int ret;
    238. 

  238. 

  239.     /* Did we reconnect successfully? */
    240. 

  240.     if (status == SBUS_RECONNECT_SUCCESS) {
    241. 

  241.         DEBUG(1, ("Reconnected to the Data Provider.\n"));
    242. 

  242. 

  243.         /* Identify ourselves to the data provider */
    244. 

  244.         ret = dp_common_send_id(be_conn->conn,
    245. 

  245.                                 DATA_PROVIDER_VERSION,
    246. 

  246.                                 "NSS");
    247. 

  247.         /* all fine */
    248. 

  248.         if (ret == EOK) {
    249. 

  249.             handle_requests_after_reconnect(be_conn->rctx);
    250. 

  250.             return;
    251. 

  251.         }
    252. 

  252.     }
    253. 

  253. 

  254.     /* Failed to reconnect */
    255. 

  255.     DEBUG(0, ("Could not reconnect to %s provider.\n",
    256. 

  256.               be_conn->domain->name));
    257. 

  257. 

  258.     /* FIXME: kill the frontend and let the monitor restart it ? */
    259. 

  259.     /* nss_shutdown(rctx); */
    260. 

  260. }
    261. 

  261. 

  262. int nss_process_init(TALLOC_CTX *mem_ctx,
    263. 

  263.                      struct tevent_context *ev,
    264. 

  264.                      struct confdb_ctx *cdb)
    265. 

  265. {
    266. 

  266.     struct sss_cmd_table *nss_cmds;
    267. 

  267.     struct be_conn *iter;
    268. 

  268.     struct nss_ctx *nctx;
    269. 

  269.     int memcache_timeout;
    270. 

  270.     int ret, max_retries;
    271. 

  271.     int hret;
    272. 

  272.     int fd_limit;
    273. 

  273. 

  274.     nctx = talloc_zero(mem_ctx, struct nss_ctx);
    275. 

  275.     if (!nctx) {
    276. 

  276.         DEBUG(0, ("fatal error initializing nss_ctx\n"));
    277. 

  277.         return ENOMEM;
    278. 

  278.     }
    279. 

  279. 

  280.     ret = sss_ncache_init(nctx, &nctx->ncache);
    281. 

  281.     if (ret != EOK) {
    282. 

  282.         DEBUG(0, ("fatal error initializing negative cache\n"));
    283. 

  283.         return ret;
    284. 

  284.     }
    285. 

  285. 

  286.     nss_cmds = get_nss_cmds();
    287. 

  287. 

  288.     ret = sss_process_init(nctx, ev, cdb,
    289. 

  289.                            nss_cmds,
    290. 

  290.                            SSS_NSS_SOCKET_NAME, NULL,
    291. 

  291.                            CONFDB_NSS_CONF_ENTRY,
    292. 

  292.                            NSS_SBUS_SERVICE_NAME,
    293. 

  293.                            NSS_SBUS_SERVICE_VERSION,
    294. 

  294.                            &monitor_nss_interface,
    295. 

  295.                            "NSS", &nss_dp_interface,
    296. 

  296.                            &nctx->rctx);
    297. 

  297.     if (ret != EOK) {
    298. 

  298.         return ret;
    299. 

  299.     }
    300. 

  300.     nctx->rctx->pvt_ctx = nctx;
    301. 

  301. 

  302.     ret = nss_get_config(nctx, cdb);
    303. 

  303.     if (ret != EOK) {
    304. 

  304.         DEBUG(0, ("fatal error getting nss config\n"));
    305. 

  305.         return ret;
    306. 

  306.     }
    307. 

  307. 

  308.     /* Enable automatic reconnection to the Data Provider */
    309. 

  309.     ret = confdb_get_int(nctx->rctx->cdb,
    310. 

  310.                          CONFDB_NSS_CONF_ENTRY,
    311. 

  311.                          CONFDB_SERVICE_RECON_RETRIES,
    312. 

  312.                          3, &max_retries);
    313. 

  313.     if (ret != EOK) {
    314. 

  314.         DEBUG(0, ("Failed to set up automatic reconnection\n"));
    315. 

  315.         return ret;
    316. 

  316.     }
    317. 

  317. 

  318.     for (iter = nctx->rctx->be_conns; iter; iter = iter->next) {
    319. 

  319.         sbus_reconnect_init(iter->conn, max_retries,
    320. 

  320.                             nss_dp_reconnect_init, iter);
    321. 

  321.     }
    322. 

  322. 

  323.     /* Create the lookup table for netgroup results */
    324. 

  324.     hret = sss_hash_create(nctx, 10, &nctx->netgroups);
    325. 

  325.     if (hret != HASH_SUCCESS) {
    326. 

  326.         DEBUG(0,("Unable to initialize netgroup hash table\n"));
    327. 

  327.         return EIO;
    328. 

  328.     }
    329. 

  329. 

  330.     /* create mmap caches */
    331. 

  331.     ret = confdb_get_int(nctx->rctx->cdb,
    332. 

  332.                          CONFDB_NSS_CONF_ENTRY,
    333. 

  333.                          CONFDB_MEMCACHE_TIMEOUT,
    334. 

  334.                          300, &memcache_timeout);
    335. 

  335.     if (ret != EOK) {
    336. 

  336.         DEBUG(0, ("Failed to set up automatic reconnection\n"));
    337. 

  337.         return ret;
    338. 

  338.     }
    339. 

  339. 

  340.     /* TODO: read cache sizes from configuration */
    341. 

  341.     ret = sss_mmap_cache_init(nctx, "passwd", SSS_MC_PASSWD,
    342. 

  342.                               50000, (time_t)memcache_timeout,
    343. 

  343.                               &nctx->pwd_mc_ctx);
    344. 

  344.     if (ret) {
    345. 

  345.         DEBUG(SSSDBG_CRIT_FAILURE, ("passwd mmap cache is DISABLED\n"));
    346. 

  346.     }
    347. 

  347. 

  348.     ret = sss_mmap_cache_init(nctx, "group", SSS_MC_GROUP,
    349. 

  349.                               50000, (time_t)memcache_timeout,
    350. 

  350.                               &nctx->grp_mc_ctx);
    351. 

  351.     if (ret) {
    352. 

  352.         DEBUG(SSSDBG_CRIT_FAILURE, ("group mmap cache is DISABLED\n"));
    353. 

  353.     }
    354. 

  354. 

  355.     /* Set up file descriptor limits */
    356. 

  356.     ret = confdb_get_int(nctx->rctx->cdb,
    357. 

  357.                          CONFDB_NSS_CONF_ENTRY,
    358. 

  358.                          CONFDB_SERVICE_FD_LIMIT,
    359. 

  359.                          DEFAULT_NSS_FD_LIMIT,
    360. 

  360.                          &fd_limit);
    361. 

  361.     if (ret != EOK) {
    362. 

  362.         DEBUG(SSSDBG_FATAL_FAILURE,
    363. 

  363.               ("Failed to set up file descriptor limit\n"));
    364. 

  364.         return ret;
    365. 

  365.     }
    366. 

  366.     responder_set_fd_limit(fd_limit);
    367. 

  367. 

  368.     DEBUG(SSSDBG_TRACE_FUNC, ("NSS Initialization complete\n"));
    369. 

  369. 

  370.     return EOK;
    371. 

  371. }
    372. 

  372. 

  373. int main(int argc, const char *argv[])
    374. 

  374. {
    375. 

  375.     int opt;
    376. 

  376.     poptContext pc;
    377. 

  377.     struct main_context *main_ctx;
    378. 

  378.     int ret;
    379. 

  379. 

  380.     struct poptOption long_options[] = {
    381. 

  381.         POPT_AUTOHELP
    382. 

  382.         SSSD_MAIN_OPTS
    383. 

  383.         POPT_TABLEEND
    384. 

  384.     };
    385. 

  385. 

  386.     /* Set debug level to invalid value so we can deside if -d 0 was used. */
    387. 

  387.     debug_level = SSSDBG_INVALID;
    388. 

  388. 

  389.     pc = poptGetContext(argv[0], argc, argv, long_options, 0);
    390. 

  390.     while((opt = poptGetNextOpt(pc)) != -1) {
    391. 

  391.         switch(opt) {
    392. 

  392.         default:
    393. 

  393.             fprintf(stderr, "\nInvalid option %s: %s\n\n",
    394. 

  394.                   poptBadOption(pc, 0), poptStrerror(opt));
    395. 

  395.             poptPrintUsage(pc, stderr, 0);
    396. 

  396.             return 1;
    397. 

  397.         }
    398. 

  398.     }
    399. 

  399. 

  400.     poptFreeContext(pc);
    401. 

  401. 

  402.     CONVERT_AND_SET_DEBUG_LEVEL(debug_level);
    403. 

  403. 

  404.    /* set up things like debug, signals, daemonization, etc... */
    405. 

  405.     debug_log_file = "sssd_nss";
    406. 

  406. 

  407.     ret = server_setup("sssd[nss]", 0, CONFDB_NSS_CONF_ENTRY, &main_ctx);
    408. 

  408.     if (ret != EOK) return 2;
    409. 

  409. 

  410.     ret = die_if_parent_died();
    411. 

  411.     if (ret != EOK) {
    412. 

  412.         /* This is not fatal, don't return */
    413. 

  413.         DEBUG(2, ("Could not set up to exit when parent process does\n"));
    414. 

  414.     }
    415. 

  415. 

  416.     ret = nss_process_init(main_ctx,
    417. 

  417.                            main_ctx->event_ctx,
    418. 

  418.                            main_ctx->confdb_ctx);
    419. 

  419.     if (ret != EOK) return 3;
    420. 

  420. 

  421.     /* loop on main */
    422. 

  422.     server_loop(main_ctx);
    423. 

  423. 

  424.     return 0;
    425. 

  425. }
    426. 

  426. 

  427.