If uid_wrapper is loaded but not enabled (UID_WRAPPER environment
variable not set), then we dereference a NULL pointer while forking.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
When fork() is called here there is no need to disable uwrap as a whole.
This change disables only uwrap for the thread which called fork().
uwrap catches calls of pthread_create() and pthread_exit() functions
from libpthread library now.
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
uwrap_bind_symbol is now renamed to uwrap_bind_symbol_libc
and a similar uwrap_bind_symbol_libpthread is introduced.
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Introduce UWRAP_LOCK_ALL and UWRAP_UNLOCK_ALL which make
locking easier.
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Also rename struct uwrap_libc_fns fns to uwrap_libc_symbols and
uwrap_load_lib_function to uwrap_bind_symbol (same for _uwrap_load_...
variant).
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We need to distinguish if the syscall is called from main process or
from a thread.
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Don't call libc_getuid/getgid function twice.
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The address sanitizer will complain about our hack with variable function
attributes. This disables the checking of it.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
When a thread changes uid/gid, this change must be reflected to the main
process.
Syscalls change only the uid/gid of the thread. Calls of libc functions also
change the uid/gid of the main process.
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Don't call getenv("UID_WRAPPER") on start of uwrap_init().
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Check only the bool variable inside the uwrap structure instead
of calling the whole uid_init().
In the best case only one mutex lock is needed when checking.
NOTES:
* This patch uses the __atomic_load gcc builtin function.
* uid_init() was moved outside the uid_wrapper_enabled() function.
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Patch moves uwrap_id_mutex before if (uwrap.initialised) statement
which can be passed by concurrent threads.
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Patch adds libc_symbol_binding_mutex which guards global table of libc
functions and their lookup.
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Library constructor is used for pthread_atfork call. Moved here because
pthread_atfork is cumulative and should be called only once.
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
New macros UWRAP_LOCK/UNLOCK have been created and all calls to
pthread_mutex_lock/unlock have been replaced by these macros.
Signed-off-by: Robin Hack <hack.robin@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Dropping all supplementary groups is a common practice when changing
UIDs. This patch adds support for dropping all supplementary groups when
setgroups is called with size=0.
Signed-off-by: Jakub Hrozek <jakub.hrozek@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
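An added illustration for the setgroups size=0 commit above, not uid_wrapper's own code: a simplified in-memory model (the `emu_*` and `drop_privileges*` names and the sample ids are hypothetical) showing why supplementary groups are dropped before the uid changes. It assumes the kernel rule that setgroups() needs privilege, so the call fails with EPERM once the effective uid is no longer 0.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#define EMU_MAX_GROUPS 16
/* Constructed in-memory credential state (hypothetical, simplified). */
struct emu_cred { uid_t euid; gid_t egid; size_t ngroups; gid_t groups[EMU_MAX_GROUPS]; };
/* Privileged only; size == 0 clears the whole supplementary list. */
int emu_setgroups(struct emu_cred *c, size_t size, const gid_t *list)
{
    if (c->euid != 0) { errno = EPERM; return -1; }
    if (size > EMU_MAX_GROUPS || (size > 0 && list == NULL)) { errno = EINVAL; return -1; }
    if (size > 0) memcpy(c->groups, list, size * sizeof(gid_t));
    c->ngroups = size;
    return 0;
}

/* Simplified: no real or saved ids, so a non-root caller can change nothing. */
int emu_setegid(struct emu_cred *c, gid_t gid)
{
    if (c->euid != 0 && gid != c->egid) { errno = EPERM; return -1; }
    c->egid = gid;
    return 0;
}
int emu_seteuid(struct emu_cred *c, uid_t uid)
{
    if (c->euid != 0 && uid != c->euid) { errno = EPERM; return -1; }
    c->euid = uid;
    return 0;
}

/* Groups first, then gid, then uid; verify the end state before continuing. */
int drop_privileges(struct emu_cred *c, uid_t uid, gid_t gid)
{
    if (emu_setgroups(c, 0, NULL) != 0 || emu_setegid(c, gid) != 0 ||
        emu_seteuid(c, uid) != 0) return -1;
    return (c->euid == uid && c->egid == gid && c->ngroups == 0) ? 0 : -1;
}

/* Uid first: the later setgroups(0, NULL) is refused and the groups stay. */
int drop_privileges_uid_first(struct emu_cred *c, uid_t uid)
{
    if (emu_seteuid(c, uid) != 0) return -1;
    return emu_setgroups(c, 0, NULL);
}

int main(void)
{
    struct emu_cred c = { 0, 0, 2, { 0, 10 } };  /* constructed: root, two groups */
    return drop_privileges(&c, 1000, 1000);
}
```

In the uid-first variant the process ends up unprivileged by uid but still a member of its original supplementary groups, which is the state a test suite running under a wrapper should be able to detect.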
Will allow thread-specific credentials to be added by modifying
the central definitions. Deliberately left the setXX[ug]id()
call in popt as this is not used in Samba.
On my older CentOS 4 installation I had the problem with the missing
substitution prototypes ("uwrap_*"). So I added them to "uid_wrapper.h".
Also, I made the head of the "uid_wrapper.c" file more like the one of
"nss_wrapper.c" - it shouldn't change that much, I did it only to be consistent.
This patch should fix the build on older distributions while keeping it running on
newer ones.
This fixes two issues pointed out by Andrew. It adds a runtime
uwrap_enabled() call that wraps the skips needed for uid emulation. It
also makes the skip in the directory_create_or_exist() function only
change the uid checking code, not the permissions code.
This library intercepts seteuid and related calls, and simulates them
in a manner similar to the nss_wrapper and socket_wrapper
libraries. This allows us to enable the vfs_unixuid NTVFS module in
the build farm, which means we are more likely to catch errors in the
token manipulation.
The simulation is not complete, but it is enough for Samba4 for
now. The major areas of incompleteness are:
- no emulation of setreuid, setresuid or saved uids. These would be
needed for use in Samba3
- no emulation of ruid changing. That would also be needed for Samba3
- no attempt to emulate file ownership changing, so code that (for
example) tests whether st.st_uid matches geteuid() needs special
handling