From fd43e0ee09e3f82093e9a15dd6cbd2fbaa113426 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 5 Aug 2009 10:50:03 +1000 Subject: added a uid_wrapper library This library intercepts seteuid and related calls, and simulates them in a manner similar to the nss_wrapper and socket_wrapper libraries. This allows us to enable the vfs_unixuid NTVFS module in the build farm, which means we are more likely to catch errors in the token manipulation. The simulation is not complete, but it is enough for Samba4 for now. The major areas of incompleteness are: - no emulation of setreuid, setresuid or saved uids. These would be needed for use in Samba3 - no emulation of ruid changing. That would also be needed for Samba3 - no attempt to emulate file ownership changing, so code that (for example) tests whether st.st_uid matches geteuid() needs special handling --- source4/Makefile | 1 + source4/auth/ntlm/config.mk | 2 +- source4/configure.ac | 1 + source4/heimdal_build/config.h | 5 +++++ source4/heimdal_build/internal.mk | 3 ++- source4/include/includes.h | 5 +++++ source4/main.mk | 1 + source4/ntvfs/posix/pvfs_acl.c | 8 ++++++++ source4/ntvfs/unixuid/config.mk | 2 +- 9 files changed, 25 insertions(+), 3 deletions(-) (limited to 'source4') diff --git a/source4/Makefile b/source4/Makefile index d6ae887066..24e58bc37a 100644 --- a/source4/Makefile +++ b/source4/Makefile @@ -75,6 +75,7 @@ libcmdlinesrcdir := lib/cmdline poptsrcdir := ../lib/popt socketwrappersrcdir := ../lib/socket_wrapper nsswrappersrcdir := ../lib/nss_wrapper +uidwrappersrcdir := ../lib/uid_wrapper appwebsrcdir := lib/appweb libstreamsrcdir := lib/stream libutilsrcdir := ../lib/util diff --git a/source4/auth/ntlm/config.mk b/source4/auth/ntlm/config.mk index 561d14ad10..cb9c3b6cc9 100644 --- a/source4/auth/ntlm/config.mk +++ b/source4/auth/ntlm/config.mk @@ -57,7 +57,7 @@ auth_developer_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_developer.o) [MODULE::auth_unix] INIT_FUNCTION = auth_unix_init SUBSYSTEM = auth -PRIVATE_DEPENDENCIES = CRYPT PAM PAM_ERRORS NSS_WRAPPER +PRIVATE_DEPENDENCIES = CRYPT PAM PAM_ERRORS NSS_WRAPPER UID_WRAPPER auth_unix_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_unix.o) diff --git a/source4/configure.ac b/source4/configure.ac index 7c5f310aa9..3f10419a42 100644 --- a/source4/configure.ac +++ b/source4/configure.ac @@ -125,6 +125,7 @@ m4_include(ntvfs/posix/config.m4) m4_include(ntvfs/unixuid/config.m4) m4_include(../lib/socket_wrapper/config.m4) m4_include(../lib/nss_wrapper/config.m4) +m4_include(../lib/uid_wrapper/config.m4) m4_include(auth/config.m4) m4_include(kdc/config.m4) m4_include(ntvfs/sysdep/config.m4) diff --git a/source4/heimdal_build/config.h b/source4/heimdal_build/config.h index 6a82637b2d..8830942e30 100644 --- a/source4/heimdal_build/config.h +++ b/source4/heimdal_build/config.h @@ -27,4 +27,9 @@ #undef HAVE_KRB5_ENCRYPT_BLOCK +#if defined(UID_WRAPPER) && !defined(UID_WRAPPER_REPLACE) && !defined(UID_WRAPPER_NOT_REPLACE) +#define UID_WRAPPER_REPLACE +#include "../uid_wrapper/uid_wrapper.h" +#endif + #endif diff --git a/source4/heimdal_build/internal.mk b/source4/heimdal_build/internal.mk index c0f3b6be99..52281807b5 100644 --- a/source4/heimdal_build/internal.mk +++ b/source4/heimdal_build/internal.mk @@ -598,7 +598,8 @@ PRIVATE_DEPENDENCIES = \ HEIMDAL_ROKEN_PROGNAME \ HEIMDAL_ROKEN_CLOSEFROM \ RESOLV \ - LIBREPLACE_NETWORK + LIBREPLACE_NETWORK \ + UID_WRAPPER # End SUBSYSTEM HEIMDAL_ROKEN ####################### diff --git a/source4/include/includes.h b/source4/include/includes.h index 4862a62e22..37c6115f0f 100644 --- a/source4/include/includes.h +++ b/source4/include/includes.h @@ -73,4 +73,9 @@ #define TALLOC_ABORT(reason) smb_panic(reason) #endif +#if defined(UID_WRAPPER) && !defined(UID_WRAPPER_REPLACE) && !defined(UID_WRAPPER_NOT_REPLACE) +#define UID_WRAPPER_REPLACE +#include "../uid_wrapper/uid_wrapper.h" +#endif + #endif /* _INCLUDES_H */ diff --git a/source4/main.mk b/source4/main.mk index b4a82017c8..4d7fd584f8 100644 --- a/source4/main.mk +++ b/source4/main.mk @@ -19,6 +19,7 @@ mkinclude lib/events/config.mk mkinclude lib/cmdline/config.mk mkinclude ../lib/socket_wrapper/config.mk mkinclude ../lib/nss_wrapper/config.mk +mkinclude ../lib/uid_wrapper/config.mk mkinclude lib/stream/config.mk mkinclude ../lib/util/config.mk mkinclude ../lib/tdr/config.mk diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 1adced44aa..f5a00c08a8 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -473,6 +473,14 @@ NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs, max_bits |= SEC_STD_ALL; } +#ifdef UID_WRAPPER_REPLACE + /* when running with the uid wrapper, files will be created + owned by the ruid, but we may have a different simulated + euid. We need to force the permission bits as though the + files owner matches the euid */ + max_bits |= SEC_STD_ALL; +#endif + if (*access_mask == SEC_FLAG_MAXIMUM_ALLOWED) { *access_mask = max_bits; return NT_STATUS_OK; diff --git a/source4/ntvfs/unixuid/config.mk b/source4/ntvfs/unixuid/config.mk index 6377657cec..105ba2f535 100644 --- a/source4/ntvfs/unixuid/config.mk +++ b/source4/ntvfs/unixuid/config.mk @@ -3,7 +3,7 @@ [MODULE::ntvfs_unixuid] INIT_FUNCTION = ntvfs_unixuid_init SUBSYSTEM = ntvfs -PRIVATE_DEPENDENCIES = SAMDB NSS_WRAPPER +PRIVATE_DEPENDENCIES = SAMDB NSS_WRAPPER UID_WRAPPER # End MODULE ntvfs_unixuid ################################################ -- cgit