[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Mon Jun 13 12:12:03 UTC 2016
The branch, master has been updated
via 46916b2 lib: Add a little closefrom() test
via 55529d0 libreplace: Add a closefrom() implementation
via 467ea85 lib: Fix a signed/unsigned mixup
via d2379ca s3-winbind: Fix schannel connections against trusted domain DCs
from c598426 ctdb: use properly configured ctdb in debug-hung-script.sh
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 46916b24e9c8b56a14152488e270a05064cf4586
Author: Volker Lendecke <vl at samba.org>
Date: Fri Jun 10 11:40:33 2016 +0200
lib: Add a little closefrom() test
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Jun 13 14:11:11 CEST 2016 on sn-devel-144
commit 55529d0f857ce11a1a0096850b1001d59dd6cb1d
Author: Volker Lendecke <vl at samba.org>
Date: Thu Jun 9 21:27:09 2016 +0200
libreplace: Add a closefrom() implementation
There is closefrom in some BSDs, but Linux ships this only as part
of libbsd. Add a new implementation of it in libreplace. The one in
libbsd of jessie and upstream differ and it has for example optimizations
for FreeBSD, but it gets some of the array calculations slightly wrong
from my point of view. If you want those, use libbsd. This replacement
is optimized on Linux only, by looking at /proc/self/fd/; everything else
would do the OPEN_MAX brute force fallback.
Signed-off-by: Volker Lendecke <vl at samba.org>
commit 467ea855cce70deeab95939d9385e1073e2261b6
Author: Volker Lendecke <vl at samba.org>
Date: Mon May 30 11:18:48 2016 +0200
lib: Fix a signed/unsigned mixup
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d2379caa77fe02264323d69fee1bcad33f1bfeee
Author: Günther Deschner <gd at samba.org>
Date: Fri Jun 10 16:51:18 2016 +0200
s3-winbind: Fix schannel connections against trusted domain DCs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/async_req/async_sock.c | 2 +-
lib/replace/closefrom.c | 138 +++++++++++++++++++++++++++++++++++++++++
lib/replace/replace.h | 6 ++
lib/replace/test/testsuite.c | 33 ++++++++++
lib/replace/wscript | 6 ++
source3/winbindd/winbindd_cm.c | 16 ++++-
6 files changed, 199 insertions(+), 2 deletions(-)
create mode 100644 lib/replace/closefrom.c
Changeset truncated at 500 lines:
diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c
index 9ccec9e..c14acf3 100644
--- a/lib/async_req/async_sock.c
+++ b/lib/async_req/async_sock.c
@@ -308,7 +308,7 @@ static void writev_handler(struct tevent_context *ev, struct tevent_fd *fde,
private_data, struct tevent_req);
struct writev_state *state =
tevent_req_data(req, struct writev_state);
- size_t written;
+ ssize_t written;
bool ok;
if ((state->flags & TEVENT_FD_READ) && (flags & TEVENT_FD_READ)) {
diff --git a/lib/replace/closefrom.c b/lib/replace/closefrom.c
new file mode 100644
index 0000000..a61a80f
--- /dev/null
+++ b/lib/replace/closefrom.c
@@ -0,0 +1,138 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Samba utility functions
+ * Copyright (C) Volker Lendecke 2016
+ *
+ * ** NOTE! The following LGPL license applies to the replace
+ * ** library. This does NOT imply that all of Samba is released
+ * ** under the LGPL
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "replace.h"
+#include <dirent.h>
+#include <unistd.h>
+#include <limits.h>
+
+static int closefrom_sysconf(int lower)
+{
+ long max_files, fd;
+
+ max_files = sysconf(_SC_OPEN_MAX);
+ if (max_files == -1) {
+ max_files = 65536;
+ }
+
+ for (fd=lower; fd<max_files; fd++) {
+ close(fd);
+ }
+
+ return 0;
+}
+
+static int closefrom_procfs(int lower)
+{
+ DIR *dirp;
+ int dir_fd;
+ struct dirent *dp;
+ int *fds = NULL;
+ size_t num_fds = 0;
+ size_t fd_array_size = 0;
+ size_t i;
+ int ret = ENOMEM;
+
+ dirp = opendir("/proc/self/fd");
+ if (dirp == 0) {
+ return errno;
+ }
+
+ dir_fd = dirfd(dirp);
+ if (dir_fd == -1) {
+ ret = errno;
+ goto fail;
+ }
+
+ while ((dp = readdir(dirp)) != NULL) {
+ char *endptr;
+ unsigned long long fd;
+
+ errno = 0;
+
+ fd = strtoull(dp->d_name, &endptr, 10);
+ if ((fd == 0) && (errno == EINVAL)) {
+ continue;
+ }
+ if ((fd == ULLONG_MAX) && (errno == ERANGE)) {
+ continue;
+ }
+ if (*endptr != '\0') {
+ continue;
+ }
+ if (fd == dir_fd) {
+ continue;
+ }
+ if (fd > INT_MAX) {
+ continue;
+ }
+ if (fd < lower) {
+ continue;
+ }
+
+ if (num_fds >= (fd_array_size / sizeof(int))) {
+ void *tmp;
+
+ if (fd_array_size == 0) {
+ fd_array_size = 16 * sizeof(int);
+ } else {
+ if (fd_array_size + fd_array_size <
+ fd_array_size) {
+ /* overflow */
+ goto fail;
+ }
+ fd_array_size = fd_array_size + fd_array_size;
+ }
+
+ tmp = realloc(fds, fd_array_size);
+ if (tmp == NULL) {
+ goto fail;
+ }
+ fds = tmp;
+ }
+
+ fds[num_fds++] = fd;
+ }
+
+ for (i=0; i<num_fds; i++) {
+ close(fds[i]);
+ }
+
+ ret = 0;
+fail:
+ closedir(dirp);
+ free(fds);
+ return ret;
+}
+
+int rep_closefrom(int lower)
+{
+ int ret;
+
+ ret = closefrom_procfs(lower);
+ if (ret == 0) {
+ return 0;
+ }
+
+ return closefrom_sysconf(lower);
+}
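Review bot: In closefrom_procfs a readdir() failure is indistinguishable from end-of-directory, because errno is cleared only before strtoull() and never inspected after the loop. The function then closes the descriptors collected so far and returns 0, so rep_closefrom skips the closefrom_sysconf fallback and descriptors at or above `lower` can stay open while the caller is told everything succeeded. Clearing errno before each readdir() and jumping to `fail` with the saved errno when it returns NULL with errno set keeps the fallback reachable. Separately, `fd < lower` compares an unsigned long long with an int, so a negative `lower` converts to a huge value and every entry is skipped while success is still reported; clamping `lower` to 0 at the top of rep_closefrom would make both paths agree.

```c
	for (;;) {
		char *endptr;
		unsigned long long fd;

		errno = 0;
		dp = readdir(dirp);
		if (dp == NULL) {
			if (errno != 0) {
				/* read error, not end of directory */
				ret = errno;
				goto fail;
			}
			break;
		}

		errno = 0;
		fd = strtoull(dp->d_name, &endptr, 10);
		/* … unchanged: entry filtering and fds[] growth … */
	}
	/* … unchanged: close loop and cleanup … */
```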
diff --git a/lib/replace/replace.h b/lib/replace/replace.h
index 7080373..c69a069 100644
--- a/lib/replace/replace.h
+++ b/lib/replace/replace.h
@@ -247,6 +247,12 @@ size_t rep_strlcpy(char *d, const char *s, size_t bufsize);
size_t rep_strlcat(char *d, const char *s, size_t bufsize);
#endif
+#ifndef HAVE_CLOSEFROM
+#define closefrom rep_closefrom
+int rep_closefrom(int lower);
+#endif
+
+
#if (defined(BROKEN_STRNDUP) || !defined(HAVE_STRNDUP))
#undef HAVE_STRNDUP
#define strndup rep_strndup
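Review bot: `int rep_closefrom(int lower);` gives the replacement an int return, while the native BSD and Solaris closefrom() is declared void, so a caller that checks the result compiles only on platforms where the replacement is in use. Either declare it `void rep_closefrom(int lower);` or add a comment such as `/* always returns 0; native closefrom() returns void, do not test the result */`. In closefrom.c as added by this commit both paths end in `return 0`, so nothing is lost by making it void.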
diff --git a/lib/replace/test/testsuite.c b/lib/replace/test/testsuite.c
index 961b77d..dba545e 100644
--- a/lib/replace/test/testsuite.c
+++ b/lib/replace/test/testsuite.c
@@ -1063,6 +1063,38 @@ static int test_memmem(void)
return true;
}
+static bool test_closefrom(void)
+{
+ int i, fd;
+
+ for (i=0; i<100; i++) {
+ fd = dup(0);
+ if (fd == -1) {
+ perror("dup failed");
+ return false;
+ }
+
+ /* 1000 is just an arbitrarily chosen upper bound */
+
+ if (fd >= 1000) {
+ printf("fd=%d\n", fd);
+ return false;
+ }
+ }
+
+ closefrom(3);
+
+ for (i=3; i<=fd; i++) {
+ off_t off;
+ off = lseek(i, 0, SEEK_CUR);
+ if ((off != (off_t)-1) || (errno != EBADF)) {
+ printf("fd %d not closed\n", i);
+ return false;
+ }
+ }
+
+ return true;
+}
bool torture_local_replace(struct torture_context *ctx)
{
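Review bot: `closefrom(3)` in test_closefrom closes every descriptor from 3 upward in the process running the test, not only the 100 duplicates created here, so anything the torture harness itself holds open (not visible in this hunk) would be closed as well. Remembering the first descriptor returned by dup() and using it as the bound, `closefrom(first_fd);` with the check loop as `for (i=first_fd; i<=fd; i++)`, keeps the test confined to descriptors it created. The early `return false` paths also leave the duplicates open.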
@@ -1113,6 +1145,7 @@ bool torture_local_replace(struct torture_context *ctx)
ret &= test_utime();
ret &= test_utimes();
ret &= test_memmem();
+ ret &= test_closefrom();
return ret;
}
diff --git a/lib/replace/wscript b/lib/replace/wscript
index 5efd86c..145300d 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -257,6 +257,9 @@ def configure(conf):
if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'):
conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h')
+ if not conf.CHECK_FUNCS('closefrom'):
+ conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')
+
conf.CHECK_CODE('''
struct ucred cred;
socklen_t cred_len;
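Review bot: The fallback probe `conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')` means that wherever libbsd is installed the build uses libbsd's closefrom instead of the new replacement, although the commit description says the libbsd version gets some array calculations slightly wrong. If that concern holds, either drop the libbsd probe or add a comment above it, for example `# libbsd's closefrom is preferred over lib/replace/closefrom.c because ...`, so the choice is deliberate. Whether callers get `bsd/unistd.h` included when the libbsd variant is picked is not visible in these hunks; configure() itself starts outside the hunk.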
@@ -683,6 +686,9 @@ def build(bld):
if not bld.CONFIG_SET('HAVE_GETXATTR') or bld.CONFIG_SET('XATTR_ADDITIONAL_OPTIONS'):
REPLACE_SOURCE += ' xattr.c'
+ if not bld.CONFIG_SET('HAVE_CLOSEFROM'):
+ REPLACE_SOURCE += ' closefrom.c'
+
bld.SAMBA_LIBRARY('replace',
source=REPLACE_SOURCE,
group='base_libraries',
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index ff0e081..1de731a 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
struct cli_credentials *creds;
NTSTATUS status;
bool force_machine_account = false;
+ bool ok;
/* If we are a DC and this is not our own domain */
@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
CRED_DONT_USE_KERBEROS);
}
- if (creds_domain != domain) {
+ /*
+ * When we contact our own domain and get a list of the trusted domain
+ * we have the information if we are able to contact the DC with
+ * with our machine account password.
+ */
+ ok = winbindd_can_contact_domain(domain);
+ if (!ok) {
/*
* We can only use schannel against a direct trust
*/
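Review bot: The comment added above `ok = winbindd_can_contact_domain(domain);` repeats "with" and does not say what the `!ok` branch decides, which is the security-relevant part, since that branch is the one annotated "We can only use schannel against a direct trust". A wording along the lines of `/* Only a domain we can contact with our machine account password may use schannel; all others take the branch below. */` would state the rule, but confirm it against the branch body, which continues outside this hunk. A name such as `can_contact` instead of `ok` would also read better at the `if`.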
@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
sec_chan_type = cli_credentials_get_secure_channel_type(creds);
if (sec_chan_type == SEC_CHAN_NULL) {
+ DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
+ domain->name);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
conn->netlogon_flags = netlogon_creds->negotiate_flags;
TALLOC_FREE(netlogon_creds);
+ /*
+ * FIXME: Document in which case we are not able to contact
+ * a DC without schannel. Which information do we try to get
+ * from this DC?
+ */
if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
result = NT_STATUS_DOWNGRADE_DETECTED;
--
Samba Shared Repository