[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Thu Jun 28 19:58:01 MDT 2012


The branch, master has been updated
       via  485787f Move back to using per-thread credentials on Linux. Fixes the glibc native AIO lost wakeup problem.
       via  821bd95 Replace all uses of setXX[ug]id() and setgroups with samba_setXX[ug]id() calls.
       via  7630fe5 Add missing setresgid() wrapper.
      from  ded2cb8 docs-xml: document "server max protocol" "SMB2" selects PROTOCOL_SMB2_10

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 485787f0dfa64bbada7c971ec44f04a1095b4229
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jun 28 13:41:19 2012 -0700

    Move back to using per-thread credentials on Linux. Fixes the glibc native AIO lost wakeup problem.
    
    See this post:
    
    https://lists.samba.org/archive/samba-technical/2012-June/085101.html
    
    for details.
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Jun 29 03:57:45 CEST 2012 on sn-devel-104

commit 821bd95156e8cc6d843aecb0a27d4a08761b7dac
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jun 28 11:59:51 2012 -0700

    Replace all uses of setXX[ug]id() and setgroups with samba_setXX[ug]id() calls.
    
    Will allow thread-specific credentials to be added by modifying
    the central definitions. Deliberately left the setXX[ug]id()
    call in popt as this is not used in Samba.

commit 7630fe50bd7d0783d1f6b253cbee46cccca3f774
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Jun 25 18:08:36 2012 -0700

    Add missing setresgid() wrapper.

-----------------------------------------------------------------------

Summary of changes:
 lib/replace/libreplace.m4           |    4 +-
 lib/replace/wscript                 |    4 +-
 lib/uid_wrapper/uid_wrapper.c       |   15 ++-
 lib/uid_wrapper/uid_wrapper.h       |   43 ++++----
 lib/uid_wrapper/wscript_build       |    2 +-
 lib/util/setid.c                    |  214 +++++++++++++++++++++++++++++++++++
 lib/util/setid.h                    |   43 +++++++
 lib/util/unix_privs.c               |    5 +-
 lib/util/wscript_build              |    7 +-
 source3/Makefile.in                 |    6 +-
 source3/configure.in                |   19 +++-
 source3/include/includes.h          |    3 +
 source3/lib/system.c                |    9 +-
 source3/lib/system_smbd.c           |    3 +-
 source3/lib/util_sec.c              |  145 ++++++++++++------------
 source3/smbd/sec_ctx.c              |    3 +-
 source3/web/cgi.c                   |    5 +-
 source3/wscript                     |   12 ++-
 source4/include/includes.h          |    3 +
 source4/ntvfs/unixuid/vfs_unixuid.c |   11 +-
 tests/summary.c                     |    2 +-
 testsuite/smbd/sec_ctx1.c           |    4 +-
 testsuite/smbd/sec_ctx_nonroot.c    |    4 +-
 23 files changed, 439 insertions(+), 127 deletions(-)
 create mode 100644 lib/util/setid.c
 create mode 100644 lib/util/setid.h


Changeset truncated at 500 lines:

diff --git a/lib/replace/libreplace.m4 b/lib/replace/libreplace.m4
index ad0f904..d298b92 100644
--- a/lib/replace/libreplace.m4
+++ b/lib/replace/libreplace.m4
@@ -124,8 +124,10 @@ AC_CHECK_HEADERS(sys/mount.h mntent.h)
 AC_CHECK_HEADERS(stropts.h)
 AC_CHECK_HEADERS(unix.h)
 AC_CHECK_HEADERS(malloc.h)
+AC_CHECK_HEADERS(syscall.h)
+AC_CHECK_HEADERS(sys/syscall.h)
 
-AC_CHECK_FUNCS(seteuid setreuid setresuid setegid setregid setresgid)
+AC_CHECK_FUNCS(syscall setuid seteuid setreuid setresuid setgid setegid setregid setresgid setgroups)
 AC_CHECK_FUNCS(chroot bzero strerror strerror_r memalign posix_memalign getpagesize)
 AC_CHECK_FUNCS(vsyslog setlinebuf mktime ftruncate chsize rename)
 AC_CHECK_FUNCS(waitpid wait4 strlcpy strlcat initgroups memmove strdup)
diff --git a/lib/replace/wscript b/lib/replace/wscript
index 68138cf..157296b 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -163,7 +163,7 @@ def configure(conf):
 
     conf.CHECK_FUNCS('shl_load shl_unload shl_findsym')
     conf.CHECK_FUNCS('pipe strftime srandom random srand rand usleep setbuffer')
-    conf.CHECK_FUNCS('lstat getpgrp utime utimes seteuid setreuid setresuid setegid')
+    conf.CHECK_FUNCS('lstat getpgrp utime utimes setuid seteuid setreuid setresuid setgid setegid')
     conf.CHECK_FUNCS('setregid setresgid chroot strerror vsyslog setlinebuf mktime')
     conf.CHECK_FUNCS('ftruncate chsize rename waitpid wait4')
     conf.CHECK_FUNCS('initgroups pread pwrite strndup strcasestr')
@@ -207,7 +207,7 @@ def configure(conf):
     conf.CHECK_FUNCS('if_nametoindex strerror_r')
     conf.CHECK_FUNCS('getdirentries getdents syslog')
     conf.CHECK_FUNCS('gai_strerror get_current_dir_name')
-    conf.CHECK_FUNCS('timegm getifaddrs freeifaddrs mmap setgroups setsid')
+    conf.CHECK_FUNCS('timegm getifaddrs freeifaddrs mmap setgroups syscall setsid')
     conf.CHECK_FUNCS('getgrent_r getgrgid_r getgrnam_r getgrouplist getpagesize')
     conf.CHECK_FUNCS('getpwent_r getpwnam_r getpwuid_r epoll_create')
 
diff --git a/lib/uid_wrapper/uid_wrapper.c b/lib/uid_wrapper/uid_wrapper.c
index 898d1af..7a85a95 100644
--- a/lib/uid_wrapper/uid_wrapper.c
+++ b/lib/uid_wrapper/uid_wrapper.c
@@ -22,6 +22,7 @@
 #include "replace.h"
 #include "system/passwd.h"
 #include <talloc.h>
+#include "../lib/util/setid.h"
 
 #else /* _SAMBA_BUILD_ */
 
@@ -72,7 +73,7 @@ _PUBLIC_ int uwrap_seteuid(uid_t euid)
 {
 	uwrap_init();
 	if (!uwrap.enabled) {
-		return seteuid(euid);
+		return samba_seteuid(euid);
 	}
 	/* assume for now that the ruid stays as root */
 	if (euid == 0) {
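Review bot: `samba_seteuid()` is declared only through `../lib/util/setid.h`, which the first hunk of this file adds above `#else /* _SAMBA_BUILD_ */`, so the non-Samba build branch appears to get no prototype for it. If uid_wrapper.c is still meant to compile outside `_SAMBA_BUILD_`, the fallback `return samba_seteuid(euid);` and the matching lines in the six later hunks of this file would be implicit declarations in that configuration. Moving the include below the conditional, or keeping the plain libc calls in the non-Samba branch, would avoid that. The body of uwrap_seteuid continues outside the hunk.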
@@ -89,7 +90,7 @@ _PUBLIC_ int uwrap_setreuid(uid_t ruid, uid_t euid)
 {
 	uwrap_init();
 	if (!uwrap.enabled) {
-		return setreuid(ruid, euid);
+		return samba_setreuid(ruid, euid);
 	}
 	/* assume for now that the ruid stays as root */
 	if (euid == 0) {
@@ -106,7 +107,7 @@ _PUBLIC_ int uwrap_setresuid(uid_t ruid, uid_t euid, uid_t suid)
 {
 	uwrap_init();
 	if (!uwrap.enabled) {
-		return setresuid(ruid, euid, suid);
+		return samba_setresuid(ruid, euid, suid);
 	}
 	/* assume for now that the ruid stays as root */
 	if (euid == 0) {
@@ -132,7 +133,7 @@ _PUBLIC_ int uwrap_setegid(gid_t egid)
 {
 	uwrap_init();
 	if (!uwrap.enabled) {
-		return setegid(egid);
+		return samba_setegid(egid);
 	}
 	/* assume for now that the ruid stays as root */
 	if (egid == 0) {
@@ -149,7 +150,7 @@ _PUBLIC_ int uwrap_setregid(gid_t rgid, gid_t egid)
 {
 	uwrap_init();
 	if (!uwrap.enabled) {
-		return setregid(rgid, egid);
+		return samba_setregid(rgid, egid);
 	}
 	/* assume for now that the ruid stays as root */
 	if (egid == 0) {
@@ -166,7 +167,7 @@ _PUBLIC_ int uwrap_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
 {
 	uwrap_init();
 	if (!uwrap.enabled) {
-		return setresgid(rgid, egid, sgid);
+		return samba_setresgid(rgid, egid, sgid);
 	}
 	/* assume for now that the ruid stays as root */
 	if (egid == 0) {
@@ -191,7 +192,7 @@ _PUBLIC_ int uwrap_setgroups(size_t size, const gid_t *list)
 {
 	uwrap_init();
 	if (!uwrap.enabled) {
-		return setgroups(size, list);
+		return samba_setgroups(size, list);
 	}
 
 	talloc_free(uwrap.groups);
diff --git a/lib/uid_wrapper/uid_wrapper.h b/lib/uid_wrapper/uid_wrapper.h
index 680e544..21d0795 100644
--- a/lib/uid_wrapper/uid_wrapper.h
+++ b/lib/uid_wrapper/uid_wrapper.h
@@ -27,6 +27,7 @@ int uwrap_setresuid(uid_t reuid, uid_t euid, uid_t suid);
 uid_t uwrap_geteuid(void);
 int uwrap_setegid(gid_t egid);
 int uwrap_setregid(gid_t rgid, gid_t egid);
+int uwrap_setresgid(gid_t regid, gid_t egid, gid_t sgid);
 uid_t uwrap_getegid(void);
 int uwrap_setgroups(size_t size, const gid_t *list);
 int uwrap_getgroups(int size, gid_t *list);
@@ -35,35 +36,35 @@ gid_t uwrap_getgid(void);
 
 #ifdef UID_WRAPPER_REPLACE
 
-#ifdef seteuid
-#undef seteuid
+#ifdef samba_seteuid
+#undef samba_seteuid
 #endif
-#define seteuid	uwrap_seteuid
+#define samba_seteuid	uwrap_seteuid
 
-#ifdef setreuid
-#undef setreuid
+#ifdef samba_setreuid
+#undef samba_setreuid
 #endif
-#define setreuid	uwrap_setreuid
+#define samba_setreuid	uwrap_setreuid
 
-#ifdef setresuid
-#undef setresuid
+#ifdef samba_setresuid
+#undef samba_setresuid
 #endif
-#define setresuid	uwrap_setresuid
+#define samba_setresuid	uwrap_setresuid
 
-#ifdef setegid
-#undef setegid
+#ifdef samba_setegid
+#undef samba_setegid
 #endif
-#define setegid	uwrap_setegid
+#define samba_setegid	uwrap_setegid
 
-#ifdef setregid
-#undef setregid
+#ifdef samba_setregid
+#undef samba_setregid
 #endif
-#define setregid	uwrap_setregid
+#define samba_setregid	uwrap_setregid
 
-#ifdef setresgid
-#undef setresgid
+#ifdef samba_setresgid
+#undef samba_setresgid
 #endif
-#define setresgid	uwrap_setresgid
+#define samba_setresgid	uwrap_setresgid
 
 #ifdef geteuid
 #undef geteuid
@@ -75,10 +76,10 @@ gid_t uwrap_getgid(void);
 #endif
 #define getegid	uwrap_getegid
 
-#ifdef setgroups
-#undef setgroups
+#ifdef samba_setgroups
+#undef samba_setgroups
 #endif
-#define setgroups uwrap_setgroups
+#define samba_setgroups uwrap_setgroups
 
 #ifdef getgroups
 #undef getgroups
diff --git a/lib/uid_wrapper/wscript_build b/lib/uid_wrapper/wscript_build
index 54e5b80..76d4b17 100644
--- a/lib/uid_wrapper/wscript_build
+++ b/lib/uid_wrapper/wscript_build
@@ -3,7 +3,7 @@
 
 bld.SAMBA_LIBRARY('uid_wrapper',
                   source='uid_wrapper.c',
-                  deps='talloc',
+                  deps='talloc util_setid',
                   private_library=True,
                   enabled=bld.CONFIG_SET("UID_WRAPPER"),
                   )
diff --git a/lib/util/setid.c b/lib/util/setid.c
new file mode 100644
index 0000000..66c0639
--- /dev/null
+++ b/lib/util/setid.c
@@ -0,0 +1,214 @@
+/*
+   Unix SMB/CIFS implementation.
+   setXXid() functions for Samba.
+   Copyright (C) Jeremy Allison 2012
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef AUTOCONF_TEST
+#include "replace.h"
+#include "system/passwd.h"
+#include "include/includes.h"
+
+#ifdef UID_WRAPPER_REPLACE
+
+#ifdef samba_seteuid
+#undef samba_seteuid
+#endif
+
+#ifdef samba_setreuid
+#undef samba_setreuid
+#endif
+
+#ifdef samba_setresuid
+#undef samba_setresuid
+#endif
+
+#ifdef samba_setegid
+#undef samba_setegid
+#endif
+
+#ifdef samba_setregid
+#undef samba_setregid
+#endif
+
+#ifdef samba_setresgid
+#undef samba_setresgid
+#endif
+
+#ifdef samba_setgroups
+#undef samba_setgroups
+#endif
+
+/* uid_wrapper will have redefined these. */
+int samba_setresuid(uid_t ruid, uid_t euid, uid_t suid);
+int samba_setresgid(gid_t rgid, gid_t egid, gid_t sgid);
+int samba_setreuid(uid_t ruid, uid_t euid);
+int samba_setregid(gid_t rgid, gid_t egid);
+int samba_seteuid(uid_t euid);
+int samba_setegid(gid_t egid);
+int samba_setuid(uid_t uid);
+int samba_setgid(gid_t gid);
+int samba_setuidx(int flags, uid_t uid);
+int samba_setgidx(int flags, gid_t gid);
+int samba_setgroups(size_t setlen, const gid_t *gidset);
+
+#endif
+#endif
+
+#include "../lib/util/setid.h"
+
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+#if defined(HAVE_SYSCALL_H)
+#include <syscall.h>
+#endif
+
+#if defined(HAVE_SYS_SYSCALL_H)
+#include <sys/syscall.h>
+#endif
+#endif
+
+/* All the setXX[ug]id functions and setgroups Samba uses. */
+int samba_setresuid(uid_t ruid, uid_t euid, uid_t suid)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+	return syscall(SYS_setresuid, ruid, euid, suid);
+#elif defined(HAVE_SETRESUID)
+	return setresuid(ruid, euid, suid);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int samba_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+	return syscall(SYS_setresgid, rgid, egid, sgid);
+#elif defined(HAVE_SETRESGID)
+	return setresgid(rgid, egid, sgid);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int samba_setreuid(uid_t ruid, uid_t euid)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+	return syscall(SYS_setreuid, ruid, euid);
+#elif defined(HAVE_SETREUID)
+	return setreuid(ruid, euid);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int samba_setregid(gid_t rgid, gid_t egid)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+	return syscall(SYS_setregid, rgid, egid);
+#elif defined(HAVE_SETREGID)
+	return setregid(rgid, egid);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int samba_seteuid(uid_t euid)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+	/* seteuid is not a separate system call. */
+	return syscall(SYS_setresuid, -1, euid, -1);
+#elif defined(HAVE_SETEUID)
+	return seteuid(euid);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int samba_setegid(gid_t egid)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+	/* setegid is not a separate system call. */
+	return syscall(SYS_setresgid, -1, egid, -1);
+#elif defined(HAVE_SETEGID)
+	return setegid(egid);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int samba_setuid(uid_t uid)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+	return syscall(SYS_setuid, uid);
+#elif defined(HAVE_SETUID)
+	return setuid(uid);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int samba_setgid(gid_t gid)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+	return syscall(SYS_setgid, gid);
+#elif defined(HAVE_SETGID)
+	return setgid(gid);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int samba_setuidx(int flags, uid_t uid)
+{
+#if defined(HAVE_SETUIDX)
+	return setuidx(flags, uid);
+#else
+	/* USE_LINUX_THREAD_CREDENTIALS doesn't have this. */
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int samba_setgidx(int flags, gid_t gid)
+{
+#if defined(HAVE_SETGIDX)
+	return setgidx(flags, gid);
+#else
+	/* USE_LINUX_THREAD_CREDENTIALS doesn't have this. */
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int samba_setgroups(size_t setlen, const gid_t *gidset)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+	return syscall(SYS_setgroups, setlen, gidset);
+#elif defined(HAVE_SETGROUPS)
+	return setgroups(setlen, gidset);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
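Review bot: Under `USE_LINUX_THREAD_CREDENTIALS` every wrapper uses the unsuffixed syscall number (`SYS_setresuid`, `SYS_setgroups`, and so on), and on 32-bit Linux ABIs such as i386 those numbers select the legacy 16-bit-ID calls. There a uid or gid above 65535 would be truncated, and `samba_setgroups` would pass a 32-bit `gid_t` array to a call that reads 16-bit entries, so the thread could end up with an identity other than the one requested. The wrappers should pick the `*32` variants where `<sys/syscall.h>` defines them, as sketched below for `samba_setresuid`; the same selection applies to the other six syscall-based wrappers. Separately, the bare `-1` arguments in `samba_seteuid` and `samba_setegid` travel through a variadic call and would be clearer as `(uid_t)-1` and `(gid_t)-1`.

```c
#if defined(USE_LINUX_THREAD_CREDENTIALS)
/* 32-bit Linux ABIs keep the unsuffixed numbers for the 16-bit-ID calls. */
#if defined(SYS_setresuid32)
#define SAMBA_SYS_SETRESUID SYS_setresuid32
#else
#define SAMBA_SYS_SETRESUID SYS_setresuid
#endif
/* … same selection for setresgid, setreuid, setregid, setuid, setgid, setgroups … */
#endif

int samba_setresuid(uid_t ruid, uid_t euid, uid_t suid)
{
#if defined(USE_LINUX_THREAD_CREDENTIALS)
	return syscall(SAMBA_SYS_SETRESUID, ruid, euid, suid);
/* … unchanged: HAVE_SETRESUID and ENOSYS branches … */
```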
diff --git a/lib/util/setid.h b/lib/util/setid.h
new file mode 100644
index 0000000..59ae44c
--- /dev/null
+++ b/lib/util/setid.h
@@ -0,0 +1,43 @@
+/*
+   Unix SMB/CIFS implementation.
+   setXXid() functions for Samba.
+   Copyright (C) Jeremy Allison 2012
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _SETID_H
+#define _SETID_H
+
+/*
+ * NB. We don't wrap initgroups although on some systems
+ * this can call setgroups. On systems with thread-specific
+ * credentials (Linux so far) we know they have getgrouplist()
+ * which doesn't make a system call.
+ */
+
+/* All the setXX[ug]id functions and setgroups Samba uses. */
+int samba_setresuid(uid_t ruid, uid_t euid, uid_t suid);
+int samba_setresgid(gid_t rgid, gid_t egid, gid_t sgid);
+int samba_setreuid(uid_t ruid, uid_t euid);
+int samba_setregid(gid_t rgid, gid_t egid);
+int samba_seteuid(uid_t euid);
+int samba_setegid(gid_t egid);
+int samba_setuid(uid_t uid);
+int samba_setgid(gid_t gid);
+int samba_setuidx(int flags, uid_t uid);
+int samba_setgidx(int flags, gid_t gid);
+int samba_setgroups(size_t setlen, const gid_t *gidset);
+
+#endif
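Review bot: The header comment explains why initgroups is not wrapped but never states the contract callers most need: when built with `USE_LINUX_THREAD_CREDENTIALS` (see lib/util/setid.c in this changeset) these functions call the syscall directly and so change the credentials of the calling thread only. I would add a comment above the prototypes such as `/* With USE_LINUX_THREAD_CREDENTIALS these affect only the calling thread; other threads keep their previous IDs and supplementary groups. */`. Code that relies on a permanent, process-wide privilege drop can then see that it must do the drop before any other thread exists or repeat it in each thread. The same comment could note that each function returns -1 with `errno = ENOSYS` when the platform lacks the underlying call.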
diff --git a/lib/util/unix_privs.c b/lib/util/unix_privs.c
index baa54fd..3dd244d 100644
--- a/lib/util/unix_privs.c
+++ b/lib/util/unix_privs.c
@@ -22,6 +22,7 @@
 #include "includes.h"
 #include "system/passwd.h"
 #include "../lib/util/unix_privs.h"
+#include "../lib/util/setid.h"
 
 /**
  * @file
@@ -52,7 +53,7 @@ struct saved_state {
 static int privileges_destructor(struct saved_state *s)
 {
 	if (geteuid() != s->uid &&
-	    seteuid(s->uid) != 0) {
+	    samba_seteuid(s->uid) != 0) {
 		smb_panic("Failed to restore privileges");
 	}
 	return 0;
@@ -71,7 +72,7 @@ void *root_privileges(void)
 	if (!s) return NULL;
 	s->uid = geteuid();
 	if (s->uid != 0) {


-- 
Samba Shared Repository

