mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
17a8fa6d24
We don't want to leak them into exec'ed processes. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Jan 26 01:13:53 UTC 2021 on sn-devel-184
403 lines
9.4 KiB
C
403 lines
9.4 KiB
C
/*
|
|
* Unix SMB/CIFS implementation.
|
|
*
|
|
* RPC Socket Helper
|
|
*
|
|
* Copyright (c) 2011 Andreas Schneider <asn@samba.org>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "ntdomain.h"
|
|
|
|
#include "../lib/tsocket/tsocket.h"
|
|
#include "librpc/rpc/dcerpc_ep.h"
|
|
#include "librpc/rpc/dcesrv_core.h"
|
|
#include "rpc_server/rpc_sock_helper.h"
|
|
#include "lib/server_prefork.h"
|
|
#include "librpc/ndr/ndr_table.h"
|
|
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_RPC_SRV
|
|
|
|
static NTSTATUS dcesrv_create_ncacn_np_socket(
|
|
struct dcerpc_binding *b, int *out_fd)
|
|
{
|
|
char *np_dir = NULL;
|
|
int fd = -1;
|
|
NTSTATUS status;
|
|
const char *endpoint;
|
|
char *endpoint_normalized = NULL;
|
|
char *p = NULL;
|
|
|
|
endpoint = dcerpc_binding_get_string_option(b, "endpoint");
|
|
if (endpoint == NULL) {
|
|
DBG_ERR("Endpoint mandatory for named pipes\n");
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
/* The endpoint string from IDL can be mixed uppercase and case is
|
|
* normalized by smbd on connection */
|
|
endpoint_normalized = strlower_talloc(talloc_tos(), endpoint);
|
|
if (endpoint_normalized == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
/* The endpoint string from IDL can be prefixed by \pipe\ */
|
|
p = endpoint_normalized;
|
|
if (strncmp(p, "\\pipe\\", 6) == 0) {
|
|
p += 6;
|
|
}
|
|
|
|
/*
|
|
* As lp_ncalrpc_dir() should have 0755, but
|
|
* lp_ncalrpc_dir()/np should have 0700, we need to
|
|
* create lp_ncalrpc_dir() first.
|
|
*/
|
|
if (!directory_create_or_exist(lp_ncalrpc_dir(), 0755)) {
|
|
status = map_nt_error_from_unix_common(errno);
|
|
DBG_ERR("Failed to create pipe directory %s - %s\n",
|
|
lp_ncalrpc_dir(), strerror(errno));
|
|
goto out;
|
|
}
|
|
|
|
np_dir = talloc_asprintf(talloc_tos(), "%s/np", lp_ncalrpc_dir());
|
|
if (!np_dir) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
DBG_ERR("Out of memory\n");
|
|
goto out;
|
|
}
|
|
|
|
if (!directory_create_or_exist_strict(np_dir, geteuid(), 0700)) {
|
|
status = map_nt_error_from_unix_common(errno);
|
|
DBG_ERR("Failed to create pipe directory %s - %s\n",
|
|
np_dir, strerror(errno));
|
|
goto out;
|
|
}
|
|
|
|
fd = create_pipe_sock(np_dir, p, 0700);
|
|
if (fd == -1) {
|
|
status = map_nt_error_from_unix_common(errno);
|
|
DBG_ERR("Failed to create ncacn_np socket! '%s/%s': %s\n",
|
|
np_dir, p, strerror(errno));
|
|
goto out;
|
|
}
|
|
|
|
DBG_DEBUG("Opened pipe socket fd %d for %s\n", fd, p);
|
|
|
|
*out_fd = fd;
|
|
|
|
status = NT_STATUS_OK;
|
|
|
|
out:
|
|
TALLOC_FREE(endpoint_normalized);
|
|
TALLOC_FREE(np_dir);
|
|
return status;
|
|
}
|
|
|
|
/********************************************************************
|
|
* Start listening on the tcp/ip socket
|
|
********************************************************************/
|
|
|
|
static NTSTATUS dcesrv_create_ncacn_ip_tcp_socket(
|
|
const struct sockaddr_storage *ifss, uint16_t *port, int *out_fd)
|
|
{
|
|
int fd = -1;
|
|
|
|
if (*port == 0) {
|
|
uint16_t i;
|
|
|
|
for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
|
|
fd = open_socket_in(SOCK_STREAM,
|
|
i,
|
|
0,
|
|
ifss,
|
|
false);
|
|
if (fd >= 0) {
|
|
*port = i;
|
|
break;
|
|
}
|
|
}
|
|
} else {
|
|
fd = open_socket_in(SOCK_STREAM,
|
|
*port,
|
|
0,
|
|
ifss,
|
|
true);
|
|
}
|
|
if (fd == -1) {
|
|
DBG_ERR("Failed to create socket on port %u!\n", *port);
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
/* ready to listen */
|
|
set_socket_options(fd, "SO_KEEPALIVE");
|
|
set_socket_options(fd, lp_socket_options());
|
|
|
|
DBG_DEBUG("Opened ncacn_ip_tcp socket fd %d for port %u\n", fd, *port);
|
|
|
|
*out_fd = fd;
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
static NTSTATUS dcesrv_create_ncacn_ip_tcp_sockets(
|
|
struct dcerpc_binding *b,
|
|
TALLOC_CTX *mem_ctx,
|
|
size_t *pnum_fds,
|
|
int **pfds)
|
|
{
|
|
uint16_t port = 0;
|
|
char port_str[6];
|
|
const char *endpoint = NULL;
|
|
size_t i = 0, num_fds;
|
|
int *fds = NULL;
|
|
struct samba_sockaddr *addrs = NULL;
|
|
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
|
|
bool ok;
|
|
|
|
endpoint = dcerpc_binding_get_string_option(b, "endpoint");
|
|
if (endpoint != NULL) {
|
|
port = atoi(endpoint);
|
|
}
|
|
|
|
if (lp_interfaces() && lp_bind_interfaces_only()) {
|
|
num_fds = iface_count();
|
|
} else {
|
|
num_fds = 1;
|
|
#ifdef HAVE_IPV6
|
|
num_fds += 1;
|
|
#endif
|
|
}
|
|
|
|
addrs = talloc_array(mem_ctx, struct samba_sockaddr, num_fds);
|
|
if (addrs == NULL) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto fail;
|
|
}
|
|
fds = talloc_array(mem_ctx, int, num_fds);
|
|
if (fds == NULL) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto fail;
|
|
}
|
|
|
|
/*
|
|
* Fill "addrs"
|
|
*/
|
|
|
|
if (lp_interfaces() && lp_bind_interfaces_only()) {
|
|
for (i=0; i<num_fds; i++) {
|
|
const struct sockaddr_storage *ifss =
|
|
iface_n_sockaddr_storage(i);
|
|
|
|
ok = sockaddr_storage_to_samba_sockaddr(
|
|
&addrs[i], ifss);
|
|
if (!ok) {
|
|
i = 0; /* nothing to close */
|
|
goto fail;
|
|
}
|
|
}
|
|
} else {
|
|
struct sockaddr_storage ss = { .ss_family = 0 };
|
|
|
|
#ifdef HAVE_IPV6
|
|
ok = interpret_string_addr(
|
|
&ss, "::", AI_NUMERICHOST|AI_PASSIVE);
|
|
if (!ok) {
|
|
goto fail;
|
|
}
|
|
ok = sockaddr_storage_to_samba_sockaddr(&addrs[0], &ss);
|
|
if (!ok) {
|
|
goto fail;
|
|
}
|
|
#endif
|
|
ok = interpret_string_addr(
|
|
&ss, "0.0.0.0", AI_NUMERICHOST|AI_PASSIVE);
|
|
if (!ok) {
|
|
goto fail;
|
|
}
|
|
|
|
/* num_fds set above depending on HAVE_IPV6 */
|
|
ok = sockaddr_storage_to_samba_sockaddr(
|
|
&addrs[num_fds-1], &ss);
|
|
if (!ok) {
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
for (i=0; i<num_fds; i++) {
|
|
status = dcesrv_create_ncacn_ip_tcp_socket(
|
|
&addrs[i].u.ss, &port, &fds[i]);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto fail;
|
|
}
|
|
samba_sockaddr_set_port(&addrs[i], port);
|
|
}
|
|
|
|
/* Set the port in the endpoint */
|
|
snprintf(port_str, sizeof(port_str), "%u", port);
|
|
|
|
status = dcerpc_binding_set_string_option(b, "endpoint", port_str);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("Failed to set binding endpoint '%s': %s\n",
|
|
port_str, nt_errstr(status));
|
|
goto fail;
|
|
}
|
|
|
|
TALLOC_FREE(addrs);
|
|
|
|
*pfds = fds;
|
|
*pnum_fds = num_fds;
|
|
|
|
return NT_STATUS_OK;
|
|
|
|
fail:
|
|
while (i > 0) {
|
|
close(fds[i-1]);
|
|
i -= 1;
|
|
}
|
|
TALLOC_FREE(fds);
|
|
TALLOC_FREE(addrs);
|
|
return status;
|
|
}
|
|
|
|
/********************************************************************
|
|
* Start listening on the ncalrpc socket
|
|
********************************************************************/
|
|
|
|
static NTSTATUS dcesrv_create_ncalrpc_socket(
|
|
struct dcerpc_binding *b, int *out_fd)
|
|
{
|
|
int fd = -1;
|
|
const char *endpoint = NULL;
|
|
NTSTATUS status;
|
|
|
|
endpoint = dcerpc_binding_get_string_option(b, "endpoint");
|
|
if (endpoint == NULL) {
|
|
/*
|
|
* No identifier specified: use DEFAULT or SMBD.
|
|
*
|
|
* When role is AD DC we run two rpc server instances, the one
|
|
* started by 'samba' and the one embedded in 'smbd'.
|
|
* Avoid listening in DEFAULT socket for NCALRPC as both
|
|
* servers will race to accept connections. In this case smbd
|
|
* will listen in SMBD socket and rpcint binding handle
|
|
* implementation will pick the right socket to use.
|
|
*
|
|
* TODO: DO NOT hardcode this value anywhere else. Rather,
|
|
* specify no endpoint and let the epmapper worry about it.
|
|
*/
|
|
if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
|
|
endpoint = "SMBD";
|
|
} else {
|
|
endpoint = "DEFAULT";
|
|
}
|
|
status = dcerpc_binding_set_string_option(
|
|
b, "endpoint", endpoint);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("Failed to set ncalrpc 'endpoint' binding "
|
|
"string option to '%s': %s\n",
|
|
endpoint, nt_errstr(status));
|
|
return status;
|
|
}
|
|
}
|
|
|
|
if (!directory_create_or_exist(lp_ncalrpc_dir(), 0755)) {
|
|
status = map_nt_error_from_unix_common(errno);
|
|
DBG_ERR("Failed to create ncalrpc directory '%s': %s\n",
|
|
lp_ncalrpc_dir(), strerror(errno));
|
|
goto out;
|
|
}
|
|
|
|
fd = create_pipe_sock(lp_ncalrpc_dir(), endpoint, 0755);
|
|
if (fd == -1) {
|
|
status = map_nt_error_from_unix_common(errno);
|
|
DBG_ERR("Failed to create ncalrpc socket '%s/%s': %s\n",
|
|
lp_ncalrpc_dir(), endpoint, strerror(errno));
|
|
goto out;
|
|
}
|
|
|
|
DBG_DEBUG("Opened ncalrpc socket fd '%d' for '%s/%s'\n",
|
|
fd, lp_ncalrpc_dir(), endpoint);
|
|
|
|
*out_fd = fd;
|
|
|
|
return NT_STATUS_OK;
|
|
|
|
out:
|
|
return status;
|
|
}
|
|
|
|
NTSTATUS dcesrv_create_binding_sockets(
|
|
struct dcerpc_binding *b,
|
|
TALLOC_CTX *mem_ctx,
|
|
size_t *pnum_fds,
|
|
int **pfds)
|
|
{
|
|
enum dcerpc_transport_t transport = dcerpc_binding_get_transport(b);
|
|
size_t i, num_fds = 1;
|
|
int *fds = NULL;
|
|
NTSTATUS status;
|
|
|
|
if ((transport == NCALRPC) || (transport == NCACN_NP)) {
|
|
fds = talloc(mem_ctx, int);
|
|
if (fds == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
}
|
|
|
|
switch(transport) {
|
|
case NCALRPC:
|
|
status = dcesrv_create_ncalrpc_socket(b, fds);
|
|
break;
|
|
case NCACN_NP:
|
|
status = dcesrv_create_ncacn_np_socket(b, fds);
|
|
break;
|
|
case NCACN_IP_TCP:
|
|
status = dcesrv_create_ncacn_ip_tcp_sockets(
|
|
b, talloc_tos(), &num_fds, &fds);
|
|
break;
|
|
default:
|
|
status = NT_STATUS_NOT_SUPPORTED;
|
|
break;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
TALLOC_FREE(fds);
|
|
return status;
|
|
}
|
|
|
|
for (i=0; i<num_fds; i++) {
|
|
bool ok = smb_set_close_on_exec(fds[i]);
|
|
if (!ok) {
|
|
status = map_nt_error_from_unix(errno);
|
|
break;
|
|
}
|
|
}
|
|
if (i < num_fds) {
|
|
for (i=0; i<num_fds; i++) {
|
|
close(fds[i]);
|
|
}
|
|
TALLOC_FREE(fds);
|
|
return status;
|
|
}
|
|
|
|
*pfds = fds;
|
|
*pnum_fds = num_fds;
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
/* vim: set ts=8 sw=8 noet cindent syntax=c.doxygen: */
|