nsswitch: reduce dependecies to private libraries and link static/builtin if possible

Over the last month I got more and more reports,
that it's not possible to use a custom Samba version
on systems with sssd being installed, which depends on some
specific samba libraries installed in the system.

One major problem is that the custom libnss_winbind.so.2
depends on the libreplace-samba4.so of the custom build
and also injects an RPATH into the running process.
When sssd uses any nss library call it will get this,
when it then tries to load some of its plugins via dlopen(),
e.g.

ldd /usr/lib64/sssd/libsss_ad.so| grep samba

   libsamba-util.so.0 => /lib64/libsamba-util.so.0
   libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
   libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
   libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
   libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
   libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
   libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
   libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
   libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
   libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so

When that loads dlopen() will fail as a soname libreplace-samba4.so is
already loaded, but the symbol version within the other one don't match, as the
contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.

This is just an example and similar things can happen in all situations
where we provide libraries, which are potentially injected into every
process of the running system. These should only depend on libc.so and
related basic system libraries in order to avoid the problem.

We have the following libraries, which are in the that category:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so

The rules of library loading are really complex and symbol versioning
is not enough to solve it, only the combination of unique soname and
unique symbol version suffix seem to solve the problem, but injecting
an RPATH is still a problem.

In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM()
definitions with 'hide_symbols=True' in order to do some static linking
of selected components, e.g.

   bld.SAMBA_SUBSYSTEM('replace-hidden',
                       source=REPLACE_SOURCE,
                       group='base_libraries',
                       hide_symbols=True,
                       deps='dl attr' + extra_libs)

It's relatively simple to get to the point where the following are
completely static:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so

But 'async_dns_krb5_locator.so' links in almost everything!
It seems we install the krb5 plugins into our own $MODULESDIR/krb5/,
so it may not be so critical, as long it's the admin who created
the desired symlinks into the location the kerberos libraries search
for plugins. Note the at least the locator plugins are always loaded
without any configuration, every .so in a special path are loaded with dlopen().
This is done by every application using kerberos, so we load a lot of samba libraries
into them.

Packagers should not put async_dns_krb5_locator.so (nor a symlink) into
the path that's reachable by libkrb5.so.

As a longterm solution we may want to change async_dns_krb5_locator.so
to use a helper process with posix_spawn() instead of doing everything
within the process.

Note I added hiden_symbols=True to the nss modules for Linux and
FreeBSD only, because these are the only platforms I'm able to test
on. We most likely should do the same on other platforms, but some
with access to the platform should provide a tested patch.

In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with
'-hidden', I added the 'provide_builtin_linking=True' option,
as the logic is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.

SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal depedency by other subsystems and libraries.

While being there it was easy enough to make libwbclient.so
also standalone without dependecies to other samba libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib/replace/wscript

@@ -909,6 +909,7 @@ def build(bld):
                       # at the moment:
                       # hide_symbols=bld.BUILTIN_LIBRARY('replace'),
                       private_library=True,
+                      provide_builtin_linking=True,
                       deps='dl attr' + extra_libs)
 
     replace_test_cflags = ''

lib/talloc/wscript

@@ -114,6 +114,7 @@ def build(bld):
         bld.SAMBA_LIBRARY('talloc',
                           'talloc.c',
                           deps='replace',
+                          provide_builtin_linking=True,
                           abi_directory='ABI',
                           abi_match='talloc* _talloc*',
                           hide_symbols=True,

lib/util/wscript_build

@@ -11,12 +11,13 @@ bld.SAMBA_LIBRARY('time-basic',
 
 bld.SAMBA_SUBSYSTEM('tini',
                     source='tini.c',
-                    deps='',
+                    provide_builtin_linking=True,
                     local_include=False)
 
 bld.SAMBA_SUBSYSTEM('tiniparser',
                     source='tiniparser.c',
                     deps='tini',
+                    provide_builtin_linking=True,
                     local_include=False)
 
 bld.SAMBA_SUBSYSTEM('strv',
@@ -122,6 +123,7 @@ bld.SAMBA_SUBSYSTEM('samba-util-core',
 
 bld.SAMBA_SUBSYSTEM('smb_strtox',
                     source='smb_strtox.c',
+                    provide_builtin_linking=True,
                     local_include=False)
 
 

nsswitch/libwbclient/wscript

@@ -27,6 +27,15 @@ def build(bld):
 #
 #    Logs.info("\tSelected embedded libwbclient build")
 
+    bld.SAMBA_SUBSYSTEM('wbclient-internal',
+        source='../wb_common.c',
+        deps='replace',
+        cflags='-DWINBINDD_SOCKET_DIR=\"%s\"' % bld.env.WINBINDD_SOCKET_DIR,
+        hide_symbols=True,
+        provide_builtin_linking=True,
+        builtin_cflags='-DWINBINDD_SOCKET_DIR=\"%s\"' % bld.env.WINBINDD_SOCKET_DIR,
+        )
+
     abi_match = 'wbc*'
     bld.SAMBA_LIBRARY('wbclient',
                       source='''
@@ -38,7 +47,9 @@ def build(bld):
                              wbc_sid.c
                              wbc_util.c''',
                       hide_symbols=True,
-                      deps='winbind-client smb_strtox',
+                      deps='wbclient-internal smb_strtox',
+                      require_builtin_deps=True,
+                      provide_builtin_linking=True,
                       pc_files='wbclient.pc',
                       public_headers='wbclient.h',
                       abi_directory='ABI',

nsswitch/wscript_build

@@ -3,14 +3,6 @@ from waflib import Utils
 import sys
 host_os = sys.platform
 
-bld.SAMBA_LIBRARY('winbind-client',
-	source='wb_common.c',
-	deps='replace',
-	cflags='-DWINBINDD_SOCKET_DIR=\"%s\"' % bld.env.WINBINDD_SOCKET_DIR,
-	private_library=True
-	)
-
-
 bld.SAMBA_BINARY('nsstest',
 		 source='nsstest.c',
 		 deps='replace dl',
@@ -26,10 +18,10 @@ if bld.CONFIG_SET('HAVE_PTHREAD'):
 
 # The nss_wrapper code relies strictly on the linux implementation and
 # name, so compile but do not install a copy under this name.
-bld.SAMBA_LIBRARY('nss_wrapper_winbind',
+bld.SAMBA_PLUGIN('nss_wrapper_winbind',
 		  cflags='-D_PUBLIC_ON_LINUX_=_PUBLIC_',
 		  source='winbind_nss_linux.c',
-		  deps='winbind-client',
+		  deps='wbclient',
 		  realname='libnss_wrapper_winbind.so.2',
 		  install=False,
 		  vnum='2')
@@ -38,35 +30,33 @@ bld.SAMBA_LIBRARY('nss_wrapper_winbind',
 # the search for .rfind('gnu') covers gnu* and *-gnu is that too broad?
 
 if (Utils.unversioned_sys_platform() == 'linux' or (host_os.rfind('gnu') > -1)):
-    bld.SAMBA_LIBRARY('nss_winbind',
+    bld.SAMBA_PLUGIN('nss_winbind',
               keep_underscore=True,
               cflags='-D_PUBLIC_ON_LINUX_=_PUBLIC_',
               source='winbind_nss_linux.c',
-              deps='winbind-client',
-              public_headers=[],
-              public_headers_install=False,
-              pc_files=[],
+              deps='wbclient',
+              realname='libnss_winbind.so.2',
+              soname='libnss_winbind.so.2',
               vnum='2')
 
-    bld.SAMBA3_LIBRARY('nss_wins',
-                       keep_underscore=True,
-                       cflags='-D_PUBLIC_ON_LINUX_=_PUBLIC_',
-                       source='wins.c',
-                       deps='wbclient replace',
-                       public_headers=[],
-                       public_headers_install=False,
-                       pc_files=[],
-                       vnum='2')
+    bld.SAMBA3_PLUGIN('nss_wins',
+                      keep_underscore=True,
+                      cflags='-D_PUBLIC_ON_LINUX_=_PUBLIC_',
+                      source='wins.c',
+                      deps='wbclient replace',
+                      realname='libnss_wins.so.2',
+                      soname='libnss_wins.so.2',
+                      vnum='2')
 elif (host_os.rfind('freebsd') > -1):
 	# FreeBSD winbind client is implemented as a wrapper around
 	# the Linux version.
-	bld.SAMBA_LIBRARY('nss_winbind',
+	bld.SAMBA_PLUGIN('nss_winbind',
 			  source='winbind_nss_linux.c winbind_nss_freebsd.c',
-			  deps='winbind-client',
+			  deps='wbclient',
 			  realname='nss_winbind.so.1',
 			  vnum='1')
 
-	bld.SAMBA3_LIBRARY('nss_wins',
+	bld.SAMBA3_PLUGIN('nss_wins',
 			  source='wins.c wins_freebsd.c',
 			  deps='''wbclient''',
 			  realname='nss_wins.so.1',
@@ -78,66 +68,102 @@ elif (host_os.rfind('netbsd') > -1):
 	# indicate libc's use of the correct nsdispatch API.
 
 	if bld.CONFIG_SET("HAVE_GETPWENT_R"):
-		bld.SAMBA_LIBRARY('nss_winbind',
+		bld.SAMBA_PLUGIN('nss_winbind',
 				  source='winbind_nss_linux.c winbind_nss_netbsd.c',
-				  deps='winbind-client', 
+				  deps='wbclient',
 				  realname='libnss_winbind.so')
 elif Utils.unversioned_sys_platform() == 'sunos':
-	bld.SAMBA_LIBRARY('nss_winbind',
+	bld.SAMBA_PLUGIN('nss_winbind',
 			  source='winbind_nss_solaris.c winbind_nss_linux.c',
-			  deps='winbind-client',
+			  deps='wbclient',
 			  realname='nss_winbind.so.1',
 			  vnum='1')
 elif (host_os.rfind('hpux') > -1):
-	bld.SAMBA_LIBRARY('nss_winbind',
+	bld.SAMBA_PLUGIN('nss_winbind',
 			  source='winbind_nss_linux.c',
-			  deps='winbind-client', 
+			  deps='wbclient',
 			  realname='libnss_winbind.so')
 elif (host_os.rfind('aix') > -1):
-	bld.SAMBA_LIBRARY('nss_winbind',
+	bld.SAMBA_PLUGIN('nss_winbind',
 			  source='winbind_nss_aix.c',
-			  deps='winbind-client', 
+			  deps='wbclient',
 			  realname='WINBIND')
 
 if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
-	bld.SAMBA_LIBRARY('pamwinbind',
+	bld.SAMBA_PLUGIN('pamwinbind',
 		source='pam_winbind.c',
-		deps='talloc wbclient winbind-client tiniparser pam samba_intl',
+		deps='talloc wbclient tiniparser pam samba_intl',
 		cflags='-DLOCALEDIR=\"%s/locale\"' % bld.env.DATADIR,
 		realname='pam_winbind.so',
 		install_path='${PAMMODULESDIR}'
 		)
 
-if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
-    bld.SAMBA_LIBRARY('winbind_krb5_locator',
-                      source='krb5_plugin/winbind_krb5_locator.c',
-                      deps='wbclient krb5 com_err',
-                      realname='winbind_krb5_locator.so',
-                      install_path='${MODULESDIR}/krb5')
+if bld.CONFIG_GET("USING_SYSTEM_KRB5"):
+    # If we build locator plugins for a
+    # system library we should use builtin
+    # linking of our own subsystems,
+    # while we may link to the system
+    # krb5 libraries.
+    winbind_krb5_require_builtin_deps = True
+else:
+    # If we build locator plugins for our own heimdal
+    # version we don't want to do builtin linking.
+    # As we're already using private libraries
+    # it's not a problem...
+    winbind_krb5_require_builtin_deps = False
 
 if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
-    bld.SAMBA_LIBRARY('async_dns_krb5_locator',
-                      source='krb5_plugin/async_dns_krb5_locator.c',
-                      deps='''
-                      talloc
-                      addns
-                      samba_intl
-                      libsmb
-                      smbconf
-                      KRBCLIENT
-                      smbd_base
-                      krb5
-                      com_err
-                      ''',
-                      realname='async_dns_krb5_locator.so',
-                      install_path='${MODULESDIR}/krb5')
+    bld.SAMBA_PLUGIN('winbind_krb5_locator',
+                     source='krb5_plugin/winbind_krb5_locator.c',
+                     deps='wbclient krb5 com_err',
+                     require_builtin_deps=winbind_krb5_require_builtin_deps,
+                     realname='winbind_krb5_locator.so',
+                     install_path='${MODULESDIR}/krb5')
+
+if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
+    # libkrb5.so scans it's plugin directories for files
+    # and calls dlopen()/dlsym() on them. The actual path
+    # depends on MIT vs. Heimdal.
+    #
+    # The async_dns_krb5_locator don't use winbind,
+    # instead it uses almost all of samba directly,
+    # which means everything will be injected
+    # into all processes using the libkrb5.so.
+    #
+    # See https://bugzilla.samba.org/show_bug.cgi?id=14780
+    # why this is a bad idea.
+    #
+    # We install this plugin (and also the other krb5 plugins)
+    # under Samba's MODULESDIR, it's not available to
+    # libkrb5.so by default.
+    #
+    # Packagers should leave it that way and allow admins
+    # to create symlinks for the plugins they actually want
+    # to be used.
+    bld.SAMBA_PLUGIN('async_dns_krb5_locator',
+                     source='krb5_plugin/async_dns_krb5_locator.c',
+                     deps='''
+                     talloc
+                     addns
+                     samba_intl
+                     libsmb
+                     smbconf
+                     KRBCLIENT
+                     smbd_base
+                     krb5
+                     com_err
+                     ''',
+                     require_builtin_deps=False,
+                     realname='async_dns_krb5_locator.so',
+                     install_path='${MODULESDIR}/krb5')
 
 if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
-    bld.SAMBA_LIBRARY('winbind_krb5_localauth',
-                      source='krb5_plugin/winbind_krb5_localauth.c',
-                      deps='wbclient krb5 com_err',
-                      realname='winbind_krb5_localauth.so',
-                      install_path='${MODULESDIR}/krb5')
+    bld.SAMBA_PLUGIN('winbind_krb5_localauth',
+                     source='krb5_plugin/winbind_krb5_localauth.c',
+                     deps='wbclient krb5 com_err',
+                     require_builtin_deps=winbind_krb5_require_builtin_deps,
+                     realname='winbind_krb5_localauth.so',
+                     install_path='${MODULESDIR}/krb5')
 
 bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
 	source='wb_reqtrans.c',

python/samba/tests/test_pam_winbind.sh

@@ -18,7 +18,7 @@ shift 1
 
 PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
 
-pam_winbind="$BINDIR/shared/pam_winbind.so"
+pam_winbind="$BINDIR/plugins/pam_winbind.so"
 service_dir="$SELFTEST_TMPDIR/pam_services"
 service_file="$service_dir/samba"
 

python/samba/tests/test_pam_winbind_chauthtok.sh

@@ -33,7 +33,7 @@ fi
 
 PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
 
-pam_winbind="$BINDIR/shared/pam_winbind.so"
+pam_winbind="$BINDIR/plugins/pam_winbind.so"
 service_dir="$SELFTEST_TMPDIR/pam_services"
 service_file="$service_dir/samba"
 

python/samba/tests/test_pam_winbind_warn_pwd_expire.sh

@@ -18,7 +18,7 @@ shift 1
 
 PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
 
-pam_winbind="$BINDIR/shared/pam_winbind.so"
+pam_winbind="$BINDIR/plugins/pam_winbind.so"
 service_dir="$SELFTEST_TMPDIR/pam_services"
 service_file="$service_dir/samba"
 

selftest/target/Samba.pm

@@ -167,7 +167,7 @@ sub nss_wrapper_winbind_so_path($) {
         my ($object) = @_;
 	my $ret = $ENV{NSS_WRAPPER_WINBIND_SO_PATH};
         if (not defined($ret)) {
-	    $ret = bindir_path($object, "shared/libnss_wrapper_winbind.so.2");
+	    $ret = bindir_path($object, "plugins/libnss_wrapper_winbind.so.2");
 	    $ret = abs_path($ret);
 	}
 	return $ret;

source4/selftest/tests.py

@@ -783,7 +783,7 @@ for env in ["s4member_dflt_domain", "s4member"]:
 nsstest4 = binpath("nsstest")
 for env in ["ad_dc:local", "s4member:local", "nt4_dc:local", "ad_member:local", "nt4_member:local"]:
     if os.path.exists(nsstest4):
-        plantestsuite("samba.nss.test using winbind(%s)" % env, env, [os.path.join(bbdir, "nsstest.sh"), nsstest4, os.path.join(samba4bindir, "shared/libnss_wrapper_winbind.so.2")])
+        plantestsuite("samba.nss.test using winbind(%s)" % env, env, [os.path.join(bbdir, "nsstest.sh"), nsstest4, os.path.join(samba4bindir, "plugins/libnss_wrapper_winbind.so.2")])
     else:
         skiptestsuite("samba.nss.test using winbind(%s)" % env, "nsstest not available")