From b9213316c77ab340fe02c9784f63a2f7d79cb492 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 29 May 2008 15:20:58 +1000
Subject: [PATCH] Allow the ntp_signd socket to be set from configure.

This will allow distributions to hard-code this path, particularly for selinux, and matches how we handle the winbind socket dir.

Andrew Bartlett
(This used to be commit c8b441650400ed1b24c89991f5752dad3c87795f)
---
 source4/Makefile | 1 +
 source4/build/m4/check_path.m4 | 19 +++++++++++++++++++
 source4/dynconfig/config.mk | 3 ++-
 source4/dynconfig/dynconfig.c | 3 +++
 source4/dynconfig/dynconfig.h | 1 +
 source4/ntp_signd/ntp_signd.c | 22 ++++++++++++++++++----
 source4/param/loadparm.c | 7 +++++++
 source4/param/param.h | 2 ++
 8 files changed, 53 insertions(+), 5 deletions(-)

diff --git a/source4/Makefile b/source4/Makefile
index 14d0fe3b201..b7d5206868b 100644
--- a/source4/Makefile
+++ b/source4/Makefile
@@ -167,6 +167,7 @@ showlayout::
 @echo ' torturedir: $(TORTUREDIR)'
 @echo ' datadir: $(datadir)'
 @echo ' winbindd_socket_dir: $(winbindd_socket_dir)'
+ @echo ' ntp_signd_socket_dir: $(ntp_signd_socket_dir)'
 
 showflags::
 @echo ' srcdir = $(srcdir)'
diff --git a/source4/build/m4/check_path.m4 b/source4/build/m4/check_path.m4
index 08a858ebb2c..c0b81f1a8d4 100644
--- a/source4/build/m4/check_path.m4
+++ b/source4/build/m4/check_path.m4
@@ -20,6 +20,7 @@ piddir="${localstatedir}/run"
 privatedir="\${prefix}/private"
 modulesdir="\${prefix}/modules"
 winbindd_socket_dir="${localstatedir}/run/winbind_pipe"
+ntp_signd_socket_dir="${localstatedir}/run/ntp_signd"
 
 AC_ARG_WITH(fhs,
 [ --with-fhs Use FHS-compliant paths (default=no)],
@@ -31,6 +32,7 @@ AC_ARG_WITH(fhs,
 modulesdir="${libdir}/samba"
 datadir="${datadir}/samba"
 includedir="${includedir}/samba-4.0"
+ ntp_signd_socket_dir="${localstatedir}/run/samba/ntp_signd"
 winbindd_socket_dir="${localstatedir}/run/samba/winbind_pipe"
 )
@@ -66,6 +68,22 @@ AC_ARG_WITH(winbindd-socket-dir,
 ;;
 esac])
 
+#################################################
+# set where the NTP signing deamon socket should be put
+AC_ARG_WITH(ntp-signd-socket-dir,
+[ --with-ntp-signd-socket-dir=DIR Where to put the NTP signing deamon socket ($ac_default_prefix/run/ntp_signd)],
+[ case "$withval" in
+ yes|no)
+ #
+ # Just in case anybody calls it without argument
+ #
+ AC_MSG_WARN([--with-ntp-signd-socketdir called without argument - will use default])
+ ;;
+ * )
+ ntp_signd_socket_dir="$withval"
+ ;;
+ esac])
+
 #################################################
 # set lock directory location
 AC_ARG_WITH(lockdir,
@@ -122,6 +140,7 @@ AC_SUBST(privatedir)
 AC_SUBST(bindir)
 AC_SUBST(sbindir)
 AC_SUBST(winbindd_socket_dir)
+AC_SUBST(ntp_signd_socket_dir)
 AC_SUBST(modulesdir)
 
 #################################################
diff --git a/source4/dynconfig/config.mk b/source4/dynconfig/config.mk
index 5f2887f8b64..a353ba12147 100644
--- a/source4/dynconfig/config.mk
+++ b/source4/dynconfig/config.mk
@@ -19,5 +19,6 @@ $(dynconfigsrcdir)/dynconfig.o: CFLAGS+=-DCONFIGFILE=\"$(CONFIGFILE)\" -DBINDIR=
 -DPRIVATE_DIR=\"$(privatedir)\" \
 -DMODULESDIR=\"$(modulesdir)\" -DJSDIR=\"$(JSDIR)\" \
 -DTORTUREDIR=\"$(TORTUREDIR)\" \
 -DSETUPDIR=\"$(SETUPDIR)\" -DWINBINDD_SOCKET_DIR=\"$(winbindd_socket_dir)\"
+ -DSETUPDIR=\"$(SETUPDIR)\" -DWINBINDD_SOCKET_DIR=\"$(winbindd_socket_dir)\" \
+ -DNTP_SIGND_SOCKET_DIR=\"$(ntp_signd_socket_dir)\"
diff --git a/source4/dynconfig/dynconfig.c b/source4/dynconfig/dynconfig.c
index 6dbbf872d9d..ef5c40d6983 100644
--- a/source4/dynconfig/dynconfig.c
+++ b/source4/dynconfig/dynconfig.c
@@ -84,3 +84,6 @@ _PUBLIC_ const char *dyn_JSDIR = JSDIR;
 /** Where to find the winbindd socket */
 _PUBLIC_ const char *dyn_WINBINDD_SOCKET_DIR = WINBINDD_SOCKET_DIR;
+
+/** Where to find the NTP signing deamon socket */
+_PUBLIC_ const char *dyn_NTP_SIGND_SOCKET_DIR = NTP_SIGND_SOCKET_DIR;
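Review bot: The AC_MSG_WARN in the yes|no) branch names an option that does not exist, `--with-ntp-signd-socketdir`, while the option being defined directly above it is `--with-ntp-signd-socket-dir`, so anyone who hits the warning is pointed at the wrong spelling; it should read `AC_MSG_WARN([--with-ntp-signd-socket-dir called without argument - will use default])`. The help string also advertises `$ac_default_prefix/run/ntp_signd` as the default, but the value actually set earlier in this file is `${localstatedir}/run/ntp_signd` (and `${localstatedir}/run/samba/ntp_signd` under --with-fhs), so the two disagree on any build where localstatedir is not under prefix; describing the default in terms of localstatedir, or leaving it out, avoids documenting a path the build never uses. "deamon" is misspelled in both the comment and the help string.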
diff --git a/source4/dynconfig/dynconfig.h b/source4/dynconfig/dynconfig.h index ac54db63d69..e77c13bab30 100644 --- a/source4/dynconfig/dynconfig.h +++ b/source4/dynconfig/dynconfig.h @@ -38,3 +38,4 @@ extern const char *dyn_SWATDIR; extern const char *dyn_JSDIR; extern const char *dyn_SETUPDIR; extern const char *dyn_WINBINDD_SOCKET_DIR; +extern const char *dyn_NTP_SIGND_SOCKET_DIR; diff --git a/source4/ntp_signd/ntp_signd.c b/source4/ntp_signd/ntp_signd.c index 1933c6a2f66..fdd97e475c1 100644 --- a/source4/ntp_signd/ntp_signd.c +++ b/source4/ntp_signd/ntp_signd.c @@ -35,6 +35,7 @@ #include "lib/ldb/include/ldb.h" #include "lib/ldb/include/ldb_errors.h" #include "lib/crypto/md5.h" +#include "system/passwd.h" /* top level context structure for the ntp_signd server @@ -144,6 +145,8 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) return ndr_map_error2ntstatus(ndr_err); } + /* We need to implement 'check signature' and 'request server + * to sign' operations at some point */ if (sign_request.op != SIGN_TO_CLIENT) { talloc_free(tmp_ctx); return signing_failure(ntp_signdconn, sign_request.packet_id); @@ -155,13 +158,13 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) return signing_failure(ntp_signdconn, sign_request.packet_id); } + /* The top bit is a 'key selector' */ sid = dom_sid_add_rid(tmp_ctx, domain_sid, sign_request.key_id & 0x7FFFFFFF); if (!sid) { talloc_free(tmp_ctx); return signing_failure(ntp_signdconn, sign_request.packet_id); } - /* Sign packet */ ret = ldb_search_exp_fmt(ntp_signdconn->ntp_signd->samdb, tmp_ctx, &res, samdb_base_dn(ntp_signdconn->ntp_signd->samdb), LDB_SCOPE_SUBTREE, attrs, "(&(objectSid=%s)(objectClass=computer))", 
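Review bot: The new comment on the dom_sid_add_rid() call says the top bit of key_id is a 'key selector', but the code only strips it with `& 0x7FFFFFFF` and never consults it, so a request with the selector bit set is signed exactly like one without it, with the computer account's unicodePwd as the following hunk notes. If the other selector value is meant to pick a different key, such a request should be refused rather than signed with the wrong key, e.g. `if (sign_request.key_id & 0x80000000) { talloc_free(tmp_ctx); return signing_failure(ntp_signdconn, sign_request.packet_id); }` before the RID is derived; if it is deliberately ignored for now, the comment should say so: `/* The top bit is a 'key selector'; it is masked off and currently ignored, so both values sign with the account's unicodePwd */`. What the selector is supposed to choose between is not visible here and would need confirming against the MS-SNTP description before picking either option. ntp_signd_recv() begins and ends outside this hunk.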
@@ -188,6 +191,7 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) return signing_failure(ntp_signdconn, sign_request.packet_id); } + /* Generate the reply packet */ signed_reply.version = 1; signed_reply.packet_id = sign_request.packet_id; signed_reply.op = SIGNING_SUCCESS; @@ -201,7 +205,6 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) } memcpy(signed_reply.signed_packet.data, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length); - SIVAL(signed_reply.signed_packet.data, sign_request.packet_to_sign.length, sign_request.key_id); /* Sign the NTP response with the unicodePwd */ @@ -210,8 +213,8 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) MD5Update(&ctx, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length); MD5Final(signed_reply.signed_packet.data + sign_request.packet_to_sign.length + 4, &ctx); - /* Place it into the packet for the wire */ + /* Place it into the packet for the wire */ ndr_err = ndr_push_struct_blob(&output, tmp_ctx, lp_iconv_convenience(ntp_signdconn->ntp_signd->task->lp_ctx), &signed_reply, @@ -229,6 +232,7 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) return NT_STATUS_NO_MEMORY; } + /* The 'wire' transport for this is wrapped with a 4 byte network byte order length */ RSIVAL(wrapped_output.data, 0, output.length); memcpy(wrapped_output.data + 4, output.data, output.length); 
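Review bot: The reply-buffer layout the -201 and -210 hunks depend on is never written down: the packet is memcpy'd to offset 0, key_id is stored with SIVAL at offset packet_to_sign.length, and MD5Final writes 16 bytes at packet_to_sign.length + 4, so signed_packet.data must have been sized length + 20 by the allocation above the hunk. A comment above the memcpy such as `/* signed_packet is: [packet][key_id, 4 bytes little-endian][16-byte MD5 digest] */` would make that coupling visible to whoever next touches the allocation or the digest offset. It is also worth a note next to the SIVAL that the key id is intentionally little-endian while the length prefix added in the -229 hunk uses RSIVAL (big-endian), since the mismatch reads like an oversight otherwise; I cannot confirm from here which byte order the client expects for key_id, so that note should only go in once checked. ntp_signd_recv() begins and ends outside these hunks.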
@@ -317,7 +321,15 @@ static void ntp_signd_task_init(struct task_server *task) const struct model_ops *model_ops; - const char *address = "/tmp/ux_demo"; + const char *address; + + if (!directory_create_or_exist(lp_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0755)) { + char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s", + lp_ntp_signd_socket_directory(task->lp_ctx)); + task_server_terminate(task, + error); + return; + } /* within the ntp_signd task we want to be a single process, so ask for the single process model ops and pass these to the @@ -345,6 +357,8 @@ static void ntp_signd_task_init(struct task_server *task) return; } + address = talloc_asprintf(ntp_signd, "%s/socket", lp_ntp_signd_socket_directory(task->lp_ctx)); + status = stream_setup_socket(ntp_signd->task->event_ctx, ntp_signd->task->lp_ctx, model_ops, diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c index ad1752a7e7f..0a7aec19857 100644 --- a/source4/param/loadparm.c +++ b/source4/param/loadparm.c @@ -179,6 +179,7 @@ struct loadparm_global int bUnixExtensions; int bDisableNetbios; int bRpcBigEndian; + char *szNTPSignDSocketDirectory; struct param_opt *param_opt; }; @@ -489,6 +490,8 @@ static struct parm_struct parm_table[] = { {"template homedir", P_STRING, P_GLOBAL, GLOBAL_VAR(szTemplateHomedir), NULL, NULL }, {"idmap trusted only", P_BOOL, P_GLOBAL, GLOBAL_VAR(bIdmapTrustedOnly), NULL, NULL}, + {"ntp signd socket directory", P_STRING, P_GLOBAL, GLOBAL_VAR(szNTPSignDSocketDirectory), NULL, NULL }, + {NULL, P_BOOL, P_NONE, 0, NULL, NULL} }; 
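Review bot: The socket directory is created with mode 0755 and only its existence is checked, so any local user can traverse it and reach the signing socket, yet this daemon signs caller-supplied packets with computer-account password hashes for whatever RID the caller names in key_id. Unless stream_setup_socket (whose call runs past the end of the hunk) restricts the socket itself, the directory should be created group-accessible only, `if (!directory_create_or_exist(lp_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0750)) {`, with the group set to the one the NTP daemon runs as. It is not visible here whether directory_create_or_exist verifies the owner and mode of a directory that already exists; if it does not, a directory pre-created by another user at this now distribution-configurable path would be accepted silently, so an owner == geteuid() and no-group/other-write check belongs here before the socket is bound. Separately, the talloc_asprintf result assigned to address is handed on without a NULL check while the ntp_signd allocation just above it is checked; `if (address == NULL) { task_server_terminate(task, "out of memory"); return; }` would be consistent. ntp_signd_task_init() continues outside the hunk.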
@@ -730,6 +733,8 @@ _PUBLIC_ FN_LOCAL_INTEGER(lp_force_dir_mode, iDir_force_mode)
 _PUBLIC_ FN_GLOBAL_INTEGER(lp_server_signing, server_signing)
 _PUBLIC_ FN_GLOBAL_INTEGER(lp_client_signing, client_signing)
 
+_PUBLIC_ FN_GLOBAL_CONST_STRING(lp_ntp_signd_socket_directory, szNTPSignDSocketDirectory)
+
 /* local prototypes */
 static int map_parameter(const char *pszParmName);
 static struct loadparm_service *getservicebyname(struct loadparm_context *lp_ctx,
@@ -2410,6 +2415,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lp_do_global_parameter(lp_ctx, "prefork children:smb", "4");
+ lp_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
+
 for (i = 0; parm_table[i].label; i++) {
 if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/source4/param/param.h b/source4/param/param.h
index 0b276cdff20..06a42575adb 100644
--- a/source4/param/param.h
+++ b/source4/param/param.h
@@ -186,6 +186,8 @@ int lp_dir_mask(struct loadparm_service *, struct loadparm_service *);
 int lp_force_dir_mode(struct loadparm_service *, struct loadparm_service *);
 int lp_server_signing(struct loadparm_context *);
 int lp_client_signing(struct loadparm_context *);
+const char *lp_ntp_signd_socket_directory(struct loadparm_context *);
+
 const char *lp_get_parametric(struct loadparm_context *lp_ctx, struct loadparm_service *service, const char *type, const char *option);