1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * Database related utility routines 30 */ 31 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 #include <errno.h> 36 #include <sys/types.h> 37 #include <sys/stat.h> 38 #include <rpc/rpc.h> 39 #include <sys/sid.h> 40 #include <time.h> 41 #include <pwd.h> 42 #include <grp.h> 43 #include <pthread.h> 44 #include <assert.h> 45 46 #include "idmapd.h" 47 #include "adutils.h" 48 #include "string.h" 49 #include "idmap_priv.h" 50 51 52 static idmap_retcode sql_compile_n_step_once(sqlite *, char *, 53 sqlite_vm **, int *, int, const char ***); 54 static idmap_retcode lookup_wksids_name2sid(const char *, char **, 55 idmap_rid_t *, int *); 56 57 #define EMPTY_NAME(name) (*name == 0 || strcmp(name, "\"\"") == 0) 58 59 #define DO_NOT_ALLOC_NEW_ID_MAPPING(req)\ 60 (req->flag & IDMAP_REQ_FLG_NO_NEW_ID_ALLOC) 61 62 #define AVOID_NAMESERVICE(req)\ 63 (req->flag & IDMAP_REQ_FLG_NO_NAMESERVICE) 64 65 #define IS_EPHEMERAL(pid) (pid > INT32_MAX) 66 67 #define LOCALRID_MIN 1000 68 69 70 71 typedef enum init_db_option { 72 FAIL_IF_CORRUPT = 0, 73 REMOVE_IF_CORRUPT = 1 74 } init_db_option_t; 75 76 /* 77 * Thread specfic data to hold the database handles so that the 78 * databaes are not opened and closed for every request. It also 79 * contains the sqlite busy handler structure. 80 */ 81 82 struct idmap_busy { 83 const char *name; 84 const int *delays; 85 int delay_size; 86 int total; 87 int sec; 88 }; 89 90 91 typedef struct idmap_tsd { 92 sqlite *db_db; 93 sqlite *cache_db; 94 struct idmap_busy cache_busy; 95 struct idmap_busy db_busy; 96 } idmap_tsd_t; 97 98 99 100 static const int cache_delay_table[] = 101 { 1, 2, 5, 10, 15, 20, 25, 30, 35, 40, 102 50, 50, 60, 70, 80, 90, 100}; 103 104 static const int db_delay_table[] = 105 { 5, 10, 15, 20, 30, 40, 55, 70, 100}; 106 107 108 static pthread_key_t idmap_tsd_key; 109 110 void 111 idmap_tsd_destroy(void *key) 112 { 113 114 idmap_tsd_t *tsd = (idmap_tsd_t *)key; 115 if (tsd) { 116 if (tsd->db_db) 117 (void) sqlite_close(tsd->db_db); 118 if (tsd->cache_db) 119 (void) sqlite_close(tsd->cache_db); 120 free(tsd); 121 } 122 } 123 124 int 125 idmap_init_tsd_key(void) { 126 127 return (pthread_key_create(&idmap_tsd_key, idmap_tsd_destroy)); 128 } 129 130 131 132 idmap_tsd_t * 133 idmap_get_tsd(void) 134 { 135 idmap_tsd_t *tsd; 136 137 if ((tsd = pthread_getspecific(idmap_tsd_key)) == NULL) { 138 /* No thread specific data so create it */ 139 if ((tsd = malloc(sizeof (*tsd))) != NULL) { 140 /* Initialize thread specific data */ 141 (void) memset(tsd, 0, sizeof (*tsd)); 142 /* save the trhread specific data */ 143 if (pthread_setspecific(idmap_tsd_key, tsd) != 0) { 144 /* Can't store key */ 145 free(tsd); 146 tsd = NULL; 147 } 148 } else { 149 tsd = NULL; 150 } 151 } 152 153 return (tsd); 154 } 155 156 157 158 /* 159 * Initialize 'dbname' using 'sql' 160 */ 161 static int 162 init_db_instance(const char *dbname, const char *sql, init_db_option_t opt, 163 int *new_db_created) 164 { 165 int rc = 0; 166 int tries = 0; 167 sqlite *db = NULL; 168 char *str = NULL; 169 170 if (new_db_created != NULL) 171 *new_db_created = 0; 172 173 db = sqlite_open(dbname, 0600, &str); 174 while (db == NULL) { 175 idmapdlog(LOG_ERR, 176 "Error creating database %s (%s)", 177 dbname, CHECK_NULL(str)); 178 sqlite_freemem(str); 179 if (opt == FAIL_IF_CORRUPT || opt != REMOVE_IF_CORRUPT || 180 tries > 0) 181 return (-1); 182 183 tries++; 184 (void) unlink(dbname); 185 db = sqlite_open(dbname, 0600, &str); 186 } 187 188 sqlite_busy_timeout(db, 3000); 189 rc = sqlite_exec(db, "BEGIN TRANSACTION;", NULL, NULL, &str); 190 if (SQLITE_OK != rc) { 191 idmapdlog(LOG_ERR, "Cannot begin database transaction (%s)", 192 str); 193 sqlite_freemem(str); 194 sqlite_close(db); 195 return (1); 196 } 197 198 switch (sqlite_exec(db, sql, NULL, NULL, &str)) { 199 case SQLITE_ERROR: 200 /* 201 * This is the normal situation: CREATE probably failed because tables 202 * already exist. It may indicate an error in SQL as well, but we cannot 203 * tell. 204 */ 205 sqlite_freemem(str); 206 rc = sqlite_exec(db, "ROLLBACK TRANSACTION", 207 NULL, NULL, &str); 208 break; 209 case SQLITE_OK: 210 rc = sqlite_exec(db, "COMMIT TRANSACTION", 211 NULL, NULL, &str); 212 idmapdlog(LOG_INFO, 213 "Database created at %s", dbname); 214 215 if (new_db_created != NULL) 216 *new_db_created = 1; 217 break; 218 default: 219 idmapdlog(LOG_ERR, 220 "Error initializing database %s (%s)", 221 dbname, str); 222 sqlite_freemem(str); 223 rc = sqlite_exec(db, "ROLLBACK TRANSACTION", 224 NULL, NULL, &str); 225 break; 226 } 227 228 if (SQLITE_OK != rc) { 229 /* this is bad - database may be left in a locked state */ 230 idmapdlog(LOG_ERR, 231 "Error closing transaction (%s)", str); 232 sqlite_freemem(str); 233 } 234 235 (void) sqlite_close(db); 236 return (rc); 237 } 238 239 240 /* 241 * This is the SQLite database busy handler that retries the SQL 242 * operation until it is successful. 243 */ 244 int 245 /* LINTED E_FUNC_ARG_UNUSED */ 246 idmap_sqlite_busy_handler(void *arg, const char *table_name, int count) 247 { 248 struct idmap_busy *busy = arg; 249 int delay; 250 struct timespec rqtp; 251 252 if (count == 1) { 253 busy->total = 0; 254 busy->sec = 2; 255 } 256 if (busy->total > 1000 * busy->sec) { 257 idmapdlog(LOG_ERR, 258 "Thread %d waited %d sec for the %s database", 259 pthread_self(), busy->sec, busy->name); 260 busy->sec++; 261 } 262 263 if (count <= busy->delay_size) { 264 delay = busy->delays[count-1]; 265 } else { 266 delay = busy->delays[busy->delay_size - 1]; 267 } 268 busy->total += delay; 269 rqtp.tv_sec = 0; 270 rqtp.tv_nsec = delay * (NANOSEC / MILLISEC); 271 (void) nanosleep(&rqtp, NULL); 272 return (1); 273 } 274 275 276 /* 277 * Get the database handle 278 */ 279 idmap_retcode 280 get_db_handle(sqlite **db) { 281 char *errmsg; 282 idmap_tsd_t *tsd; 283 284 /* 285 * Retrieve the db handle from thread-specific storage 286 * If none exists, open and store in thread-specific storage. 287 */ 288 if ((tsd = idmap_get_tsd()) == NULL) { 289 idmapdlog(LOG_ERR, 290 "Error getting thread specific data for %s", 291 IDMAP_DBNAME); 292 return (IDMAP_ERR_MEMORY); 293 } 294 295 if (tsd->db_db == NULL) { 296 tsd->db_db = sqlite_open(IDMAP_DBNAME, 0, &errmsg); 297 if (tsd->db_db == NULL) { 298 idmapdlog(LOG_ERR, 299 "Error opening database %s (%s)", 300 IDMAP_DBNAME, CHECK_NULL(errmsg)); 301 sqlite_freemem(errmsg); 302 return (IDMAP_ERR_INTERNAL); 303 } 304 tsd->db_busy.name = IDMAP_DBNAME; 305 tsd->db_busy.delays = db_delay_table; 306 tsd->db_busy.delay_size = sizeof (db_delay_table) / 307 sizeof (int); 308 sqlite_busy_handler(tsd->db_db, idmap_sqlite_busy_handler, 309 &tsd->db_busy); 310 } 311 *db = tsd->db_db; 312 return (IDMAP_SUCCESS); 313 } 314 315 /* 316 * Get the cache handle 317 */ 318 idmap_retcode 319 get_cache_handle(sqlite **cache) { 320 char *errmsg; 321 idmap_tsd_t *tsd; 322 323 /* 324 * Retrieve the db handle from thread-specific storage 325 * If none exists, open and store in thread-specific storage. 326 */ 327 if ((tsd = idmap_get_tsd()) == NULL) { 328 idmapdlog(LOG_ERR, 329 "Error getting thread specific data for %s", 330 IDMAP_DBNAME); 331 return (IDMAP_ERR_MEMORY); 332 } 333 334 if (tsd->cache_db == NULL) { 335 tsd->cache_db = sqlite_open(IDMAP_CACHENAME, 0, &errmsg); 336 if (tsd->cache_db == NULL) { 337 idmapdlog(LOG_ERR, 338 "Error opening database %s (%s)", 339 IDMAP_CACHENAME, CHECK_NULL(errmsg)); 340 sqlite_freemem(errmsg); 341 return (IDMAP_ERR_INTERNAL); 342 } 343 tsd->cache_busy.name = IDMAP_CACHENAME; 344 tsd->cache_busy.delays = cache_delay_table; 345 tsd->cache_busy.delay_size = sizeof (cache_delay_table) / 346 sizeof (int); 347 sqlite_busy_handler(tsd->cache_db, idmap_sqlite_busy_handler, 348 &tsd->cache_busy); 349 } 350 *cache = tsd->cache_db; 351 return (IDMAP_SUCCESS); 352 } 353 354 #define CACHE_SQL\ 355 "CREATE TABLE idmap_cache ("\ 356 " sidprefix TEXT,"\ 357 " rid INTEGER,"\ 358 " windomain TEXT,"\ 359 " winname TEXT,"\ 360 " pid INTEGER,"\ 361 " unixname TEXT,"\ 362 " is_user INTEGER,"\ 363 " w2u INTEGER,"\ 364 " u2w INTEGER,"\ 365 " expiration INTEGER"\ 366 ");"\ 367 "CREATE UNIQUE INDEX idmap_cache_sid_w2u ON idmap_cache"\ 368 " (sidprefix, rid, w2u);"\ 369 "CREATE UNIQUE INDEX idmap_cache_pid_u2w ON idmap_cache"\ 370 " (pid, is_user, u2w);"\ 371 "CREATE TABLE name_cache ("\ 372 " sidprefix TEXT,"\ 373 " rid INTEGER,"\ 374 " name TEXT,"\ 375 " domain TEXT,"\ 376 " type INTEGER,"\ 377 " expiration INTEGER"\ 378 ");"\ 379 "CREATE UNIQUE INDEX name_cache_sid ON name_cache"\ 380 " (sidprefix, rid);" 381 382 #define DB_SQL\ 383 "CREATE TABLE namerules ("\ 384 " is_user INTEGER NOT NULL,"\ 385 " windomain TEXT,"\ 386 " winname TEXT NOT NULL,"\ 387 " is_nt4 INTEGER NOT NULL,"\ 388 " unixname NOT NULL,"\ 389 " w2u_order INTEGER,"\ 390 " u2w_order INTEGER"\ 391 ");"\ 392 "CREATE UNIQUE INDEX namerules_w2u ON namerules"\ 393 " (winname, windomain, is_user, w2u_order);"\ 394 "CREATE UNIQUE INDEX namerules_u2w ON namerules"\ 395 " (unixname, is_user, u2w_order);" 396 397 /* 398 * Initialize cache and db 399 */ 400 int 401 init_dbs() { 402 /* name-based mappings; probably OK to blow away in a pinch(?) */ 403 if (init_db_instance(IDMAP_DBNAME, DB_SQL, FAIL_IF_CORRUPT, NULL) < 0) 404 return (-1); 405 406 /* mappings, name/SID lookup cache + ephemeral IDs; OK to blow away */ 407 if (init_db_instance(IDMAP_CACHENAME, CACHE_SQL, REMOVE_IF_CORRUPT, 408 &_idmapdstate.new_eph_db) < 0) 409 return (-1); 410 411 return (0); 412 } 413 414 /* 415 * Finalize databases 416 */ 417 void 418 fini_dbs() { 419 } 420 421 /* 422 * This table is a listing of status codes that will returned to the 423 * client when a SQL command fails with the corresponding error message. 424 */ 425 static msg_table_t sqlmsgtable[] = { 426 {IDMAP_ERR_U2W_NAMERULE_CONFLICT, 427 "columns unixname, is_user, u2w_order are not unique"}, 428 {IDMAP_ERR_W2U_NAMERULE_CONFLICT, 429 "columns winname, windomain, is_user, w2u_order are not unique"}, 430 {-1, NULL} 431 }; 432 433 /* 434 * idmapd's version of string2stat to map SQLite messages to 435 * status codes 436 */ 437 idmap_retcode 438 idmapd_string2stat(const char *msg) { 439 int i; 440 for (i = 0; sqlmsgtable[i].msg; i++) { 441 if (strcasecmp(sqlmsgtable[i].msg, msg) == 0) 442 return (sqlmsgtable[i].retcode); 443 } 444 return (IDMAP_ERR_OTHER); 445 } 446 447 /* 448 * Execute the given SQL statment without using any callbacks 449 */ 450 idmap_retcode 451 sql_exec_no_cb(sqlite *db, char *sql) { 452 char *errmsg = NULL; 453 int r; 454 idmap_retcode retcode; 455 456 r = sqlite_exec(db, sql, NULL, NULL, &errmsg); 457 assert(r != SQLITE_LOCKED && r != SQLITE_BUSY); 458 459 if (r != SQLITE_OK) { 460 idmapdlog(LOG_ERR, "Database error during %s (%s)", 461 sql, CHECK_NULL(errmsg)); 462 retcode = idmapd_string2stat(errmsg); 463 if (errmsg != NULL) 464 sqlite_freemem(errmsg); 465 return (retcode); 466 } 467 468 return (IDMAP_SUCCESS); 469 } 470 471 /* 472 * Generate expression that can be used in WHERE statements. 473 * Examples: 474 * <prefix> <col> <op> <value> <suffix> 475 * "" "unixuser" "=" "foo" "AND" 476 */ 477 idmap_retcode 478 gen_sql_expr_from_utf8str(const char *prefix, const char *col, 479 const char *op, char *value, 480 const char *suffix, char **out) { 481 if (out == NULL) 482 return (IDMAP_ERR_ARG); 483 484 if (value == NULL) 485 return (IDMAP_SUCCESS); 486 487 if (prefix == NULL) 488 prefix = ""; 489 if (suffix == NULL) 490 suffix = ""; 491 492 *out = sqlite_mprintf("%s %s %s %Q %s", 493 prefix, col, op, value, suffix); 494 if (*out == NULL) 495 return (IDMAP_ERR_MEMORY); 496 return (IDMAP_SUCCESS); 497 } 498 499 /* 500 * Generate and execute SQL statement for LIST RPC calls 501 */ 502 idmap_retcode 503 process_list_svc_sql(sqlite *db, char *sql, uint64_t limit, 504 list_svc_cb cb, void *result) { 505 list_cb_data_t cb_data; 506 char *errmsg = NULL; 507 int r; 508 idmap_retcode retcode = IDMAP_ERR_INTERNAL; 509 510 (void) memset(&cb_data, 0, sizeof (cb_data)); 511 cb_data.result = result; 512 cb_data.limit = limit; 513 514 515 r = sqlite_exec(db, sql, cb, &cb_data, &errmsg); 516 assert(r != SQLITE_LOCKED && r != SQLITE_BUSY); 517 switch (r) { 518 case SQLITE_OK: 519 retcode = IDMAP_SUCCESS; 520 break; 521 522 default: 523 retcode = IDMAP_ERR_INTERNAL; 524 idmapdlog(LOG_ERR, 525 "Database error during %s (%s)", 526 sql, CHECK_NULL(errmsg)); 527 break; 528 } 529 if (errmsg != NULL) 530 sqlite_freemem(errmsg); 531 return (retcode); 532 } 533 534 /* 535 * This routine is called by callbacks that process the results of 536 * LIST RPC calls to validate data and to allocate memory for 537 * the result array. 538 */ 539 idmap_retcode 540 validate_list_cb_data(list_cb_data_t *cb_data, int argc, char **argv, 541 int ncol, uchar_t **list, size_t valsize) { 542 size_t nsize; 543 void *tmplist; 544 545 if (cb_data->limit > 0 && cb_data->next == cb_data->limit) 546 return (IDMAP_NEXT); 547 548 if (argc < ncol || argv == NULL) { 549 idmapdlog(LOG_ERR, "Invalid data"); 550 return (IDMAP_ERR_INTERNAL); 551 } 552 553 /* alloc in bulk to reduce number of reallocs */ 554 if (cb_data->next >= cb_data->len) { 555 nsize = (cb_data->len + SIZE_INCR) * valsize; 556 tmplist = realloc(*list, nsize); 557 if (tmplist == NULL) { 558 idmapdlog(LOG_ERR, "Out of memory"); 559 return (IDMAP_ERR_MEMORY); 560 } 561 *list = tmplist; 562 (void) memset(*list + (cb_data->len * valsize), 0, 563 SIZE_INCR * valsize); 564 cb_data->len += SIZE_INCR; 565 } 566 return (IDMAP_SUCCESS); 567 } 568 569 static idmap_retcode 570 get_namerule_order(char *winname, char *windomain, char *unixname, 571 int direction, int *w2u_order, int *u2w_order) { 572 573 *w2u_order = 0; 574 *u2w_order = 0; 575 576 /* 577 * Windows to UNIX lookup order: 578 * 1. winname@domain (or winname) to "" 579 * 2. winname@domain (or winname) to unixname 580 * 3. winname@* to "" 581 * 4. winname@* to unixname 582 * 5. *@domain (or *) to * 583 * 6. *@domain (or *) to "" 584 * 7. *@domain (or *) to unixname 585 * 8. *@* to * 586 * 9. *@* to "" 587 * 10. *@* to unixname 588 * 589 * winname is a special case of winname@domain when domain is the 590 * default domain. Similarly * is a special case of *@domain when 591 * domain is the default domain. 592 * 593 * Note that "" has priority over specific names because "" inhibits 594 * mappings and traditionally deny rules always had higher priority. 595 */ 596 if (direction != IDMAP_DIRECTION_U2W) { 597 /* bi-directional or from windows to unix */ 598 if (winname == NULL) 599 return (IDMAP_ERR_W2U_NAMERULE); 600 else if (unixname == NULL) 601 return (IDMAP_ERR_W2U_NAMERULE); 602 else if (EMPTY_NAME(winname)) 603 return (IDMAP_ERR_W2U_NAMERULE); 604 else if (*winname == '*' && windomain && *windomain == '*') { 605 if (*unixname == '*') 606 *w2u_order = 8; 607 else if (EMPTY_NAME(unixname)) 608 *w2u_order = 9; 609 else /* unixname == name */ 610 *w2u_order = 10; 611 } else if (*winname == '*') { 612 if (*unixname == '*') 613 *w2u_order = 5; 614 else if (EMPTY_NAME(unixname)) 615 *w2u_order = 6; 616 else /* name */ 617 *w2u_order = 7; 618 } else if (windomain != NULL && *windomain == '*') { 619 /* winname == name */ 620 if (*unixname == '*') 621 return (IDMAP_ERR_W2U_NAMERULE); 622 else if (EMPTY_NAME(unixname)) 623 *w2u_order = 3; 624 else /* name */ 625 *w2u_order = 4; 626 } else { 627 /* winname == name && windomain == null or name */ 628 if (*unixname == '*') 629 return (IDMAP_ERR_W2U_NAMERULE); 630 else if (EMPTY_NAME(unixname)) 631 *w2u_order = 1; 632 else /* name */ 633 *w2u_order = 2; 634 } 635 } 636 637 /* 638 * 1. unixname to "" 639 * 2. unixname to winname@domain (or winname) 640 * 3. * to *@domain (or *) 641 * 4. * to "" 642 * 5. * to winname@domain (or winname) 643 */ 644 if (direction != IDMAP_DIRECTION_W2U) { 645 /* bi-directional or from unix to windows */ 646 if (unixname == NULL || EMPTY_NAME(unixname)) 647 return (IDMAP_ERR_U2W_NAMERULE); 648 else if (winname == NULL) 649 return (IDMAP_ERR_U2W_NAMERULE); 650 else if (windomain != NULL && *windomain == '*') 651 return (IDMAP_ERR_U2W_NAMERULE); 652 else if (*unixname == '*') { 653 if (*winname == '*') 654 *u2w_order = 3; 655 else if (EMPTY_NAME(winname)) 656 *u2w_order = 4; 657 else 658 *u2w_order = 5; 659 } else { 660 if (*winname == '*') 661 return (IDMAP_ERR_U2W_NAMERULE); 662 else if (EMPTY_NAME(winname)) 663 *u2w_order = 1; 664 else 665 *u2w_order = 2; 666 } 667 } 668 return (IDMAP_SUCCESS); 669 } 670 671 /* 672 * Generate and execute SQL statement to add name-based mapping rule 673 */ 674 idmap_retcode 675 add_namerule(sqlite *db, idmap_namerule *rule) { 676 char *sql = NULL; 677 idmap_stat retcode; 678 char *dom = NULL; 679 int w2u_order, u2w_order; 680 char w2ubuf[11], u2wbuf[11]; 681 682 retcode = get_namerule_order(rule->winname, rule->windomain, 683 rule->unixname, rule->direction, &w2u_order, &u2w_order); 684 if (retcode != IDMAP_SUCCESS) 685 goto out; 686 687 if (w2u_order) 688 (void) snprintf(w2ubuf, sizeof (w2ubuf), "%d", w2u_order); 689 if (u2w_order) 690 (void) snprintf(u2wbuf, sizeof (u2wbuf), "%d", u2w_order); 691 692 /* 693 * For the triggers on namerules table to work correctly: 694 * 1) Use NULL instead of 0 for w2u_order and u2w_order 695 * 2) Use "" instead of NULL for "no domain" 696 */ 697 698 if (rule->windomain != NULL) 699 dom = rule->windomain; 700 else if (lookup_wksids_name2sid(rule->winname, NULL, NULL, NULL) 701 == IDMAP_SUCCESS) { 702 /* well-known SIDs don't need domain */ 703 dom = ""; 704 } 705 706 RDLOCK_CONFIG(); 707 if (dom == NULL) { 708 if (_idmapdstate.cfg->pgcfg.mapping_domain) 709 dom = _idmapdstate.cfg->pgcfg.mapping_domain; 710 else 711 dom = ""; 712 } 713 sql = sqlite_mprintf("INSERT into namerules " 714 "(is_user, windomain, winname, is_nt4, " 715 "unixname, w2u_order, u2w_order) " 716 "VALUES(%d, %Q, %Q, %d, %Q, %q, %q);", 717 rule->is_user?1:0, 718 dom, 719 rule->winname, rule->is_nt4?1:0, 720 rule->unixname, 721 w2u_order?w2ubuf:NULL, 722 u2w_order?u2wbuf:NULL); 723 UNLOCK_CONFIG(); 724 725 if (sql == NULL) { 726 retcode = IDMAP_ERR_INTERNAL; 727 idmapdlog(LOG_ERR, "Out of memory"); 728 goto out; 729 } 730 731 retcode = sql_exec_no_cb(db, sql); 732 733 if (retcode == IDMAP_ERR_OTHER) 734 retcode = IDMAP_ERR_CFG; 735 736 out: 737 if (sql != NULL) 738 sqlite_freemem(sql); 739 return (retcode); 740 } 741 742 /* 743 * Flush name-based mapping rules 744 */ 745 idmap_retcode 746 flush_namerules(sqlite *db, bool_t is_user) { 747 char *sql = NULL; 748 idmap_stat retcode; 749 750 sql = sqlite_mprintf("DELETE FROM namerules WHERE " 751 "is_user = %d;", is_user?1:0); 752 753 if (sql == NULL) { 754 idmapdlog(LOG_ERR, "Out of memory"); 755 return (IDMAP_ERR_MEMORY); 756 } 757 758 retcode = sql_exec_no_cb(db, sql); 759 760 sqlite_freemem(sql); 761 return (retcode); 762 } 763 764 /* 765 * Generate and execute SQL statement to remove a name-based mapping rule 766 */ 767 idmap_retcode 768 rm_namerule(sqlite *db, idmap_namerule *rule) { 769 char *sql = NULL; 770 idmap_stat retcode; 771 char *s_windomain = NULL, *s_winname = NULL; 772 char *s_unixname = NULL; 773 char buf[80]; 774 775 if (rule->direction < 0 && EMPTY_STRING(rule->windomain) && 776 EMPTY_STRING(rule->winname) && EMPTY_STRING(rule->unixname)) 777 return (IDMAP_SUCCESS); 778 779 if (rule->direction < 0) { 780 buf[0] = 0; 781 } else if (rule->direction == IDMAP_DIRECTION_BI) { 782 (void) snprintf(buf, sizeof (buf), "AND w2u_order > 0" 783 " AND u2w_order > 0"); 784 } else if (rule->direction == IDMAP_DIRECTION_W2U) { 785 (void) snprintf(buf, sizeof (buf), "AND w2u_order > 0" 786 " AND (u2w_order = 0 OR u2w_order ISNULL)"); 787 } else if (rule->direction == IDMAP_DIRECTION_U2W) { 788 (void) snprintf(buf, sizeof (buf), "AND u2w_order > 0" 789 " AND (w2u_order = 0 OR w2u_order ISNULL)"); 790 } 791 792 retcode = IDMAP_ERR_INTERNAL; 793 if (!EMPTY_STRING(rule->windomain)) { 794 if (gen_sql_expr_from_utf8str("AND", "windomain", "=", 795 rule->windomain, "", &s_windomain) != IDMAP_SUCCESS) 796 goto out; 797 } 798 799 if (!EMPTY_STRING(rule->winname)) { 800 if (gen_sql_expr_from_utf8str("AND", "winname", "=", 801 rule->winname, "", &s_winname) != IDMAP_SUCCESS) 802 goto out; 803 } 804 805 if (!EMPTY_STRING(rule->unixname)) { 806 if (gen_sql_expr_from_utf8str("AND", "unixname", "=", 807 rule->unixname, "", &s_unixname) != IDMAP_SUCCESS) 808 goto out; 809 } 810 811 sql = sqlite_mprintf("DELETE FROM namerules WHERE " 812 "is_user = %d %s %s %s %s;", 813 rule->is_user?1:0, 814 s_windomain?s_windomain:"", 815 s_winname?s_winname:"", 816 s_unixname?s_unixname:"", 817 buf); 818 819 if (sql == NULL) { 820 retcode = IDMAP_ERR_INTERNAL; 821 idmapdlog(LOG_ERR, "Out of memory"); 822 goto out; 823 } 824 825 retcode = sql_exec_no_cb(db, sql); 826 827 out: 828 if (s_windomain != NULL) 829 sqlite_freemem(s_windomain); 830 if (s_winname != NULL) 831 sqlite_freemem(s_winname); 832 if (s_unixname != NULL) 833 sqlite_freemem(s_unixname); 834 if (sql != NULL) 835 sqlite_freemem(sql); 836 return (retcode); 837 } 838 839 /* 840 * Compile the given SQL query and step just once. 841 * 842 * Input: 843 * db - db handle 844 * sql - SQL statement 845 * 846 * Output: 847 * vm - virtual SQL machine 848 * ncol - number of columns in the result 849 * values - column values 850 * 851 * Return values: 852 * IDMAP_SUCCESS 853 * IDMAP_ERR_NOTFOUND 854 * IDMAP_ERR_INTERNAL 855 */ 856 857 static idmap_retcode 858 sql_compile_n_step_once(sqlite *db, char *sql, sqlite_vm **vm, int *ncol, 859 int reqcol, const char ***values) { 860 char *errmsg = NULL; 861 int r; 862 863 if ((r = sqlite_compile(db, sql, NULL, vm, &errmsg)) != SQLITE_OK) { 864 idmapdlog(LOG_ERR, 865 "Database error during %s (%s)", 866 sql, CHECK_NULL(errmsg)); 867 sqlite_freemem(errmsg); 868 return (IDMAP_ERR_INTERNAL); 869 } 870 871 r = sqlite_step(*vm, ncol, values, NULL); 872 assert(r != SQLITE_LOCKED && r != SQLITE_BUSY); 873 874 if (r == SQLITE_ROW) { 875 if (ncol != NULL && *ncol < reqcol) { 876 (void) sqlite_finalize(*vm, NULL); 877 *vm = NULL; 878 return (IDMAP_ERR_INTERNAL); 879 } 880 /* Caller will call finalize after using the results */ 881 return (IDMAP_SUCCESS); 882 } else if (r == SQLITE_DONE) { 883 (void) sqlite_finalize(*vm, NULL); 884 *vm = NULL; 885 return (IDMAP_ERR_NOTFOUND); 886 } 887 888 (void) sqlite_finalize(*vm, &errmsg); 889 *vm = NULL; 890 idmapdlog(LOG_ERR, "Database error during %s (%s)", 891 sql, CHECK_NULL(errmsg)); 892 sqlite_freemem(errmsg); 893 return (IDMAP_ERR_INTERNAL); 894 } 895 896 /* 897 * Table for well-known SIDs. 898 * 899 * Background: 900 * 901 * These well-known principals are stored (as of Windows Server 2003) under: 902 * cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> 903 * They belong to objectClass "foreignSecurityPrincipal". They don't have 904 * "samAccountName" nor "userPrincipalName" attributes. Their names are 905 * available in "cn" and "name" attributes. Some of these principals have a 906 * second entry under CN=ForeignSecurityPrincipals,dc=<forestRootDomain> and 907 * these duplicate entries have the stringified SID in the "name" and "cn" 908 * attributes instead of the actual name. 909 * 910 * These principals remain constant across all operating systems. Using 911 * a hard-coded table here improves performance and avoids additional 912 * complexity in the AD lookup code in adutils.c 913 * 914 * Currently we don't support localization of well-known SID names, 915 * unlike Windows. 916 * 917 * Note that other well-known SIDs (i.e. S-1-5-<domain>-<w-k RID> and 918 * S-1-5-32-<w-k RID>) are not stored here because AD does have normal 919 * user/group objects for these objects and can be looked up using the 920 * existing AD lookup code. 921 */ 922 static wksids_table_t wksids[] = { 923 {"S-1-1", 0, "Everyone", 0, SENTINEL_PID, -1}, 924 {"S-1-3", 0, "Creator Owner", 1, IDMAP_WK_CREATOR_OWNER_UID, 0}, 925 {"S-1-3", 1, "Creator Group", 0, IDMAP_WK_CREATOR_GROUP_GID, 0}, 926 {"S-1-3", 2, "Creator Owner Server", 1, SENTINEL_PID, -1}, 927 {"S-1-3", 3, "Creator Group Server", 0, SENTINEL_PID, -1}, 928 {"S-1-5", 1, "Dialup", 0, SENTINEL_PID, -1}, 929 {"S-1-5", 2, "Network", 0, SENTINEL_PID, -1}, 930 {"S-1-5", 3, "Batch", 0, SENTINEL_PID, -1}, 931 {"S-1-5", 4, "Interactive", 0, SENTINEL_PID, -1}, 932 {"S-1-5", 6, "Service", 0, SENTINEL_PID, -1}, 933 {"S-1-5", 7, "Anonymous Logon", 0, GID_NOBODY, 0}, 934 {"S-1-5", 8, "Proxy", 0, SENTINEL_PID, -1}, 935 {"S-1-5", 9, "Enterprise Domain Controllers", 0, SENTINEL_PID, -1}, 936 {"S-1-5", 10, "Self", 0, SENTINEL_PID, -1}, 937 {"S-1-5", 11, "Authenticated Users", 0, SENTINEL_PID, -1}, 938 {"S-1-5", 12, "Restricted Code", 0, SENTINEL_PID, -1}, 939 {"S-1-5", 13, "Terminal Server User", 0, SENTINEL_PID, -1}, 940 {"S-1-5", 14, "Remote Interactive Logon", 0, SENTINEL_PID, -1}, 941 {"S-1-5", 15, "This Organization", 0, SENTINEL_PID, -1}, 942 {"S-1-5", 18, "Local System", 0, IDMAP_WK_LOCAL_SYSTEM_GID, 0}, 943 {"S-1-5", 19, "Local Service", 0, SENTINEL_PID, -1}, 944 {"S-1-5", 20, "Network Service", 0, SENTINEL_PID, -1}, 945 {"S-1-5", 1000, "Other Organization", 0, SENTINEL_PID, -1}, 946 {"S-1-5-64", 21, "Digest Authentication", 0, SENTINEL_PID, -1}, 947 {"S-1-5-64", 10, "NTLM Authentication", 0, SENTINEL_PID, -1}, 948 {"S-1-5-64", 14, "SChannel Authentication", 0, SENTINEL_PID, -1}, 949 {NULL, UINT32_MAX, NULL, -1, SENTINEL_PID, -1} 950 }; 951 952 static idmap_retcode 953 lookup_wksids_sid2pid(idmap_mapping *req, idmap_id_res *res) { 954 int i; 955 for (i = 0; wksids[i].sidprefix != NULL; i++) { 956 if (wksids[i].rid == req->id1.idmap_id_u.sid.rid && 957 (strcasecmp(wksids[i].sidprefix, 958 req->id1.idmap_id_u.sid.prefix) == 0)) { 959 960 if (wksids[i].pid == SENTINEL_PID) 961 /* Not mapped, break */ 962 break; 963 else if (wksids[i].direction == IDMAP_DIRECTION_U2W) 964 continue; 965 966 switch (req->id2.idtype) { 967 case IDMAP_UID: 968 if (wksids[i].is_user == 0) 969 continue; 970 res->id.idmap_id_u.uid = wksids[i].pid; 971 res->direction = wksids[i].direction; 972 return (IDMAP_SUCCESS); 973 case IDMAP_GID: 974 if (wksids[i].is_user == 1) 975 continue; 976 res->id.idmap_id_u.gid = wksids[i].pid; 977 res->direction = wksids[i].direction; 978 return (IDMAP_SUCCESS); 979 case IDMAP_POSIXID: 980 res->id.idmap_id_u.uid = wksids[i].pid; 981 res->id.idtype = (!wksids[i].is_user)? 982 IDMAP_GID:IDMAP_UID; 983 res->direction = wksids[i].direction; 984 return (IDMAP_SUCCESS); 985 default: 986 return (IDMAP_ERR_NOTSUPPORTED); 987 } 988 } 989 } 990 return (IDMAP_ERR_NOTFOUND); 991 } 992 993 static idmap_retcode 994 lookup_wksids_pid2sid(idmap_mapping *req, idmap_id_res *res, int is_user) { 995 int i; 996 if (req->id2.idtype != IDMAP_SID) 997 return (IDMAP_ERR_NOTSUPPORTED); 998 for (i = 0; wksids[i].sidprefix != NULL; i++) { 999 if (wksids[i].pid == req->id1.idmap_id_u.uid && 1000 wksids[i].is_user == is_user && 1001 wksids[i].direction != IDMAP_DIRECTION_W2U) { 1002 res->id.idmap_id_u.sid.rid = wksids[i].rid; 1003 res->id.idmap_id_u.sid.prefix = 1004 strdup(wksids[i].sidprefix); 1005 if (res->id.idmap_id_u.sid.prefix == NULL) { 1006 idmapdlog(LOG_ERR, "Out of memory"); 1007 return (IDMAP_ERR_MEMORY); 1008 } 1009 res->direction = wksids[i].direction; 1010 return (IDMAP_SUCCESS); 1011 } 1012 } 1013 return (IDMAP_ERR_NOTFOUND); 1014 } 1015 1016 static idmap_retcode 1017 lookup_wksids_sid2name(const char *sidprefix, idmap_rid_t rid, char **name, 1018 int *type) { 1019 int i; 1020 for (i = 0; wksids[i].sidprefix != NULL; i++) { 1021 if ((strcasecmp(wksids[i].sidprefix, sidprefix) == 0) && 1022 wksids[i].rid == rid) { 1023 if ((*name = strdup(wksids[i].winname)) == NULL) { 1024 idmapdlog(LOG_ERR, "Out of memory"); 1025 return (IDMAP_ERR_MEMORY); 1026 } 1027 *type = (wksids[i].is_user)? 1028 _IDMAP_T_USER:_IDMAP_T_GROUP; 1029 return (IDMAP_SUCCESS); 1030 } 1031 } 1032 return (IDMAP_ERR_NOTFOUND); 1033 } 1034 1035 static idmap_retcode 1036 lookup_wksids_name2sid(const char *name, char **sidprefix, idmap_rid_t *rid, 1037 int *type) { 1038 int i; 1039 for (i = 0; wksids[i].sidprefix != NULL; i++) { 1040 if (strcasecmp(wksids[i].winname, name) == 0) { 1041 if (sidprefix != NULL && (*sidprefix = 1042 strdup(wksids[i].sidprefix)) == NULL) { 1043 idmapdlog(LOG_ERR, "Out of memory"); 1044 return (IDMAP_ERR_MEMORY); 1045 } 1046 if (type != NULL) 1047 *type = (wksids[i].is_user)? 1048 _IDMAP_T_USER:_IDMAP_T_GROUP; 1049 if (rid != NULL) 1050 *rid = wksids[i].rid; 1051 return (IDMAP_SUCCESS); 1052 } 1053 } 1054 return (IDMAP_ERR_NOTFOUND); 1055 } 1056 1057 static idmap_retcode 1058 lookup_cache_sid2pid(sqlite *cache, idmap_mapping *req, idmap_id_res *res) { 1059 char *end; 1060 char *sql = NULL; 1061 const char **values; 1062 sqlite_vm *vm = NULL; 1063 int ncol, is_user; 1064 uid_t pid; 1065 time_t curtime, exp; 1066 idmap_retcode retcode; 1067 1068 /* Current time */ 1069 errno = 0; 1070 if ((curtime = time(NULL)) == (time_t)-1) { 1071 idmapdlog(LOG_ERR, 1072 "Failed to get current time (%s)", 1073 strerror(errno)); 1074 retcode = IDMAP_ERR_INTERNAL; 1075 goto out; 1076 } 1077 1078 /* SQL to lookup the cache */ 1079 sql = sqlite_mprintf("SELECT pid, is_user, expiration, unixname, u2w " 1080 "FROM idmap_cache WHERE " 1081 "sidprefix = %Q AND rid = %u AND w2u = 1 AND " 1082 "(pid >= 2147483648 OR " 1083 "(expiration = 0 OR expiration ISNULL OR " 1084 "expiration > %d));", 1085 req->id1.idmap_id_u.sid.prefix, 1086 req->id1.idmap_id_u.sid.rid, 1087 curtime); 1088 if (sql == NULL) { 1089 idmapdlog(LOG_ERR, "Out of memory"); 1090 retcode = IDMAP_ERR_MEMORY; 1091 goto out; 1092 } 1093 retcode = sql_compile_n_step_once(cache, sql, &vm, &ncol, 5, &values); 1094 sqlite_freemem(sql); 1095 1096 if (retcode == IDMAP_ERR_NOTFOUND) { 1097 goto out; 1098 } else if (retcode == IDMAP_SUCCESS) { 1099 /* sanity checks */ 1100 if (values[0] == NULL || values[1] == NULL) { 1101 retcode = IDMAP_ERR_CACHE; 1102 goto out; 1103 } 1104 1105 pid = strtoul(values[0], &end, 10); 1106 is_user = strncmp(values[1], "0", 2)?1:0; 1107 1108 /* 1109 * We may have an expired ephemeral mapping. Consider 1110 * the expired entry as valid if we are not going to 1111 * perform name-based mapping. But do not renew the 1112 * expiration. 1113 * If we will be doing name-based mapping then store the 1114 * ephemeral pid in the result so that we can use it 1115 * if we end up doing dynamic mapping again. 1116 */ 1117 if (!DO_NOT_ALLOC_NEW_ID_MAPPING(req) && 1118 !AVOID_NAMESERVICE(req)) { 1119 if (IS_EPHEMERAL(pid) && values[2] != NULL) { 1120 exp = strtoll(values[2], &end, 10); 1121 if (exp && exp <= curtime) { 1122 /* Store the ephemeral pid */ 1123 res->id.idmap_id_u.uid = pid; 1124 res->id.idtype = is_user? 1125 IDMAP_UID:IDMAP_GID; 1126 res->direction = IDMAP_DIRECTION_BI; 1127 req->direction |= is_user? 1128 _IDMAP_F_EXP_EPH_UID: 1129 _IDMAP_F_EXP_EPH_GID; 1130 retcode = IDMAP_ERR_NOTFOUND; 1131 goto out; 1132 } 1133 } 1134 } 1135 1136 switch (req->id2.idtype) { 1137 case IDMAP_UID: 1138 if (!is_user) 1139 retcode = IDMAP_ERR_NOTUSER; 1140 else 1141 res->id.idmap_id_u.uid = pid; 1142 break; 1143 case IDMAP_GID: 1144 if (is_user) 1145 retcode = IDMAP_ERR_NOTGROUP; 1146 else 1147 res->id.idmap_id_u.gid = pid; 1148 break; 1149 case IDMAP_POSIXID: 1150 res->id.idmap_id_u.uid = pid; 1151 res->id.idtype = (is_user)?IDMAP_UID:IDMAP_GID; 1152 break; 1153 default: 1154 retcode = IDMAP_ERR_NOTSUPPORTED; 1155 break; 1156 } 1157 } 1158 1159 out: 1160 if (retcode == IDMAP_SUCCESS) { 1161 if (values[4] != NULL) 1162 res->direction = 1163 (strtol(values[4], &end, 10) == 0)? 1164 IDMAP_DIRECTION_W2U:IDMAP_DIRECTION_BI; 1165 else 1166 res->direction = IDMAP_DIRECTION_W2U; 1167 1168 if (values[3] != NULL) { 1169 req->id2name = strdup(values[3]); 1170 if (req->id2name == NULL) { 1171 idmapdlog(LOG_ERR, "Out of memory"); 1172 retcode = IDMAP_ERR_MEMORY; 1173 } 1174 } 1175 } 1176 if (vm != NULL) 1177 (void) sqlite_finalize(vm, NULL); 1178 return (retcode); 1179 } 1180 1181 static idmap_retcode 1182 lookup_cache_sid2name(sqlite *cache, const char *sidprefix, idmap_rid_t rid, 1183 char **name, char **domain, int *type) { 1184 char *end; 1185 char *sql = NULL; 1186 const char **values; 1187 sqlite_vm *vm = NULL; 1188 int ncol; 1189 time_t curtime; 1190 idmap_retcode retcode = IDMAP_SUCCESS; 1191 1192 /* Get current time */ 1193 errno = 0; 1194 if ((curtime = time(NULL)) == (time_t)-1) { 1195 idmapdlog(LOG_ERR, 1196 "Failed to get current time (%s)", 1197 strerror(errno)); 1198 retcode = IDMAP_ERR_INTERNAL; 1199 goto out; 1200 } 1201 1202 /* SQL to lookup the cache */ 1203 sql = sqlite_mprintf("SELECT name, domain, type FROM name_cache WHERE " 1204 "sidprefix = %Q AND rid = %u AND " 1205 "(expiration = 0 OR expiration ISNULL OR " 1206 "expiration > %d);", 1207 sidprefix, rid, curtime); 1208 if (sql == NULL) { 1209 idmapdlog(LOG_ERR, "Out of memory"); 1210 retcode = IDMAP_ERR_MEMORY; 1211 goto out; 1212 } 1213 retcode = sql_compile_n_step_once(cache, sql, &vm, &ncol, 3, &values); 1214 sqlite_freemem(sql); 1215 1216 if (retcode == IDMAP_SUCCESS) { 1217 if (type != NULL) { 1218 if (values[2] == NULL) { 1219 retcode = IDMAP_ERR_CACHE; 1220 goto out; 1221 } 1222 *type = strtol(values[2], &end, 10); 1223 } 1224 1225 if (name != NULL && values[0] != NULL) { 1226 if ((*name = strdup(values[0])) == NULL) { 1227 idmapdlog(LOG_ERR, "Out of memory"); 1228 retcode = IDMAP_ERR_MEMORY; 1229 goto out; 1230 } 1231 } 1232 1233 if (domain != NULL && values[1] != NULL) { 1234 if ((*domain = strdup(values[1])) == NULL) { 1235 if (name != NULL && *name) { 1236 free(*name); 1237 *name = NULL; 1238 } 1239 idmapdlog(LOG_ERR, "Out of memory"); 1240 retcode = IDMAP_ERR_MEMORY; 1241 goto out; 1242 } 1243 } 1244 } 1245 1246 out: 1247 if (vm != NULL) 1248 (void) sqlite_finalize(vm, NULL); 1249 return (retcode); 1250 } 1251 1252 static idmap_retcode 1253 verify_type(idmap_id_type idtype, int type, idmap_id_res *res) { 1254 switch (idtype) { 1255 case IDMAP_UID: 1256 if (type != _IDMAP_T_USER) 1257 return (IDMAP_ERR_NOTUSER); 1258 res->id.idtype = IDMAP_UID; 1259 break; 1260 case IDMAP_GID: 1261 if (type != _IDMAP_T_GROUP) 1262 return (IDMAP_ERR_NOTGROUP); 1263 res->id.idtype = IDMAP_GID; 1264 break; 1265 case IDMAP_POSIXID: 1266 if (type == _IDMAP_T_USER) 1267 res->id.idtype = IDMAP_UID; 1268 else if (type == _IDMAP_T_GROUP) 1269 res->id.idtype = IDMAP_GID; 1270 else 1271 return (IDMAP_ERR_SID); 1272 break; 1273 default: 1274 return (IDMAP_ERR_NOTSUPPORTED); 1275 } 1276 return (IDMAP_SUCCESS); 1277 } 1278 1279 /* 1280 * Lookup sid to name locally 1281 */ 1282 static idmap_retcode 1283 lookup_local_sid2name(sqlite *cache, idmap_mapping *req, idmap_id_res *res) { 1284 int type = -1; 1285 idmap_retcode retcode; 1286 char *sidprefix; 1287 idmap_rid_t rid; 1288 char *name = NULL, *domain = NULL; 1289 1290 sidprefix = req->id1.idmap_id_u.sid.prefix; 1291 rid = req->id1.idmap_id_u.sid.rid; 1292 1293 /* Lookup sids to name in well-known sids table */ 1294 retcode = lookup_wksids_sid2name(sidprefix, rid, &name, &type); 1295 if (retcode != IDMAP_ERR_NOTFOUND) 1296 goto out; 1297 1298 /* Lookup sid to name in cache */ 1299 retcode = lookup_cache_sid2name(cache, sidprefix, rid, &name, 1300 &domain, &type); 1301 if (retcode != IDMAP_SUCCESS) 1302 goto out; 1303 1304 out: 1305 if (retcode == IDMAP_SUCCESS) { 1306 /* Verify that the sid type matches the request */ 1307 retcode = verify_type(req->id2.idtype, type, res); 1308 1309 /* update state in 'req' */ 1310 if (name != NULL) 1311 req->id1name = name; 1312 if (domain != NULL) 1313 req->id1domain = domain; 1314 } else { 1315 if (name != NULL) 1316 free(name); 1317 if (domain != NULL) 1318 free(domain); 1319 } 1320 return (retcode); 1321 } 1322 1323 idmap_retcode 1324 lookup_win_batch_sid2name(lookup_state_t *state, idmap_mapping_batch *batch, 1325 idmap_ids_res *result) { 1326 idmap_retcode retcode; 1327 int ret, i; 1328 int retries = 0; 1329 idmap_mapping *req; 1330 idmap_id_res *res; 1331 1332 if (state->ad_nqueries == 0) 1333 return (IDMAP_SUCCESS); 1334 1335 retry: 1336 ret = idmap_lookup_batch_start(_idmapdstate.ad, state->ad_nqueries, 1337 &state->ad_lookup); 1338 if (ret != 0) { 1339 idmapdlog(LOG_ERR, 1340 "Failed to create sid2name batch for AD lookup"); 1341 return (IDMAP_ERR_INTERNAL); 1342 } 1343 1344 for (i = 0; i < batch->idmap_mapping_batch_len; i++) { 1345 req = &batch->idmap_mapping_batch_val[i]; 1346 res = &result->ids.ids_val[i]; 1347 1348 if (req->id1.idtype == IDMAP_SID && 1349 req->direction & _IDMAP_F_S2N_AD) { 1350 if (retries == 0) 1351 res->retcode = IDMAP_ERR_RETRIABLE_NET_ERR; 1352 else if (res->retcode != IDMAP_ERR_RETRIABLE_NET_ERR) 1353 continue; 1354 retcode = idmap_sid2name_batch_add1( 1355 state->ad_lookup, 1356 req->id1.idmap_id_u.sid.prefix, 1357 &req->id1.idmap_id_u.sid.rid, 1358 &req->id1name, 1359 &req->id1domain, 1360 (int *)&res->id.idtype, 1361 &res->retcode); 1362 1363 if (retcode == IDMAP_ERR_RETRIABLE_NET_ERR) 1364 break; 1365 if (retcode != IDMAP_SUCCESS) 1366 goto out; 1367 } 1368 } 1369 1370 if (retcode == IDMAP_ERR_RETRIABLE_NET_ERR) 1371 idmap_lookup_release_batch(&state->ad_lookup); 1372 else 1373 retcode = idmap_lookup_batch_end(&state->ad_lookup, NULL); 1374 1375 if (retcode == IDMAP_ERR_RETRIABLE_NET_ERR && retries++ < 2) 1376 goto retry; 1377 1378 return (retcode); 1379 1380 out: 1381 idmapdlog(LOG_NOTICE, "Windows SID to user/group name lookup failed"); 1382 idmap_lookup_release_batch(&state->ad_lookup); 1383 return (retcode); 1384 } 1385 1386 idmap_retcode 1387 sid2pid_first_pass(lookup_state_t *state, sqlite *cache, idmap_mapping *req, 1388 idmap_id_res *res) { 1389 idmap_retcode retcode; 1390 1391 /* 1392 * The req->direction field is used to maintain state of the 1393 * sid2pid request. 1394 */ 1395 req->direction = _IDMAP_F_DONE; 1396 1397 if (EMPTY_STRING(req->id1.idmap_id_u.sid.prefix)) { 1398 retcode = IDMAP_ERR_SID; 1399 goto out; 1400 } 1401 res->id.idtype = req->id2.idtype; 1402 res->id.idmap_id_u.uid = UID_NOBODY; 1403 1404 /* Lookup well-known sid to pid mapping */ 1405 retcode = lookup_wksids_sid2pid(req, res); 1406 if (retcode != IDMAP_ERR_NOTFOUND) 1407 goto out; 1408 1409 /* Lookup sid to pid in cache */ 1410 retcode = lookup_cache_sid2pid(cache, req, res); 1411 if (retcode != IDMAP_ERR_NOTFOUND) 1412 goto out; 1413 1414 if (DO_NOT_ALLOC_NEW_ID_MAPPING(req) || AVOID_NAMESERVICE(req)) { 1415 res->id.idmap_id_u.uid = SENTINEL_PID; 1416 goto out; 1417 } 1418 1419 /* 1420 * Failed to find non-expired entry in cache. Tell the caller 1421 * that we are not done yet. 1422 */ 1423 state->sid2pid_done = FALSE; 1424 1425 /* 1426 * Our next step is name-based mapping. To lookup name-based 1427 * mapping rules, we need the windows name and domain-name 1428 * associated with the SID. 1429 */ 1430 1431 /* 1432 * Check if we already have the name (i.e name2pid lookups) 1433 */ 1434 if (!EMPTY_STRING(req->id1name) && 1435 !EMPTY_STRING(req->id1domain)) { 1436 retcode = IDMAP_SUCCESS; 1437 req->direction |= _IDMAP_F_S2N_CACHE; 1438 goto out; 1439 } 1440 1441 /* Lookup sid to winname@domain locally first */ 1442 retcode = lookup_local_sid2name(cache, req, res); 1443 if (retcode == IDMAP_SUCCESS) { 1444 req->direction |= _IDMAP_F_S2N_CACHE; 1445 } else if (retcode == IDMAP_ERR_NOTFOUND) { 1446 /* Batch sid to name AD lookup request */ 1447 retcode = IDMAP_SUCCESS; 1448 req->direction |= _IDMAP_F_S2N_AD; 1449 state->ad_nqueries++; 1450 goto out; 1451 } 1452 1453 1454 out: 1455 res->retcode = idmap_stat4prot(retcode); 1456 return (retcode); 1457 } 1458 1459 /* 1460 * Generate SID using the following convention 1461 * <machine-sid-prefix>-<1000 + uid> 1462 * <machine-sid-prefix>-<2^31 + gid> 1463 */ 1464 static idmap_retcode 1465 generate_localsid(idmap_mapping *req, idmap_id_res *res, int is_user) { 1466 1467 if (_idmapdstate.cfg->pgcfg.machine_sid != NULL) { 1468 /* Skip 1000 UIDs */ 1469 if (is_user && req->id1.idmap_id_u.uid > 1470 (INT32_MAX - LOCALRID_MIN)) 1471 return (IDMAP_ERR_NOMAPPING); 1472 1473 RDLOCK_CONFIG(); 1474 res->id.idmap_id_u.sid.prefix = 1475 strdup(_idmapdstate.cfg->pgcfg.machine_sid); 1476 if (res->id.idmap_id_u.sid.prefix == NULL) { 1477 UNLOCK_CONFIG(); 1478 idmapdlog(LOG_ERR, "Out of memory"); 1479 return (IDMAP_ERR_MEMORY); 1480 } 1481 UNLOCK_CONFIG(); 1482 res->id.idmap_id_u.sid.rid = 1483 (is_user)?req->id1.idmap_id_u.uid + LOCALRID_MIN: 1484 req->id1.idmap_id_u.gid + INT32_MAX + 1; 1485 res->direction = IDMAP_DIRECTION_BI; 1486 1487 /* 1488 * Don't update name_cache because local sids don't have 1489 * valid windows names. 1490 * We mark the entry as being found in the namecache so that 1491 * the cache update routine doesn't update namecache. 1492 */ 1493 req->direction = _IDMAP_F_S2N_CACHE; 1494 return (IDMAP_SUCCESS); 1495 } 1496 1497 return (IDMAP_ERR_NOMAPPING); 1498 } 1499 1500 static idmap_retcode 1501 lookup_localsid2pid(idmap_mapping *req, idmap_id_res *res) { 1502 char *sidprefix; 1503 uint32_t rid; 1504 int s; 1505 1506 /* 1507 * If the sidprefix == localsid then UID = last RID - 1000 or 1508 * GID = last RID - 2^31. 1509 */ 1510 sidprefix = req->id1.idmap_id_u.sid.prefix; 1511 rid = req->id1.idmap_id_u.sid.rid; 1512 1513 RDLOCK_CONFIG(); 1514 s = (_idmapdstate.cfg->pgcfg.machine_sid)? 1515 strcasecmp(sidprefix, 1516 _idmapdstate.cfg->pgcfg.machine_sid):1; 1517 UNLOCK_CONFIG(); 1518 1519 if (s == 0) { 1520 switch (req->id2.idtype) { 1521 case IDMAP_UID: 1522 if (rid > INT32_MAX) { 1523 return (IDMAP_ERR_NOTUSER); 1524 } else if (rid < LOCALRID_MIN) { 1525 return (IDMAP_ERR_NOTFOUND); 1526 } 1527 res->id.idmap_id_u.uid = rid - LOCALRID_MIN; 1528 res->id.idtype = IDMAP_UID; 1529 break; 1530 case IDMAP_GID: 1531 if (rid <= INT32_MAX) { 1532 return (IDMAP_ERR_NOTGROUP); 1533 } 1534 res->id.idmap_id_u.gid = rid - INT32_MAX - 1; 1535 res->id.idtype = IDMAP_GID; 1536 break; 1537 case IDMAP_POSIXID: 1538 if (rid > INT32_MAX) { 1539 res->id.idmap_id_u.gid = 1540 rid - INT32_MAX - 1; 1541 res->id.idtype = IDMAP_GID; 1542 } else if (rid < LOCALRID_MIN) { 1543 return (IDMAP_ERR_NOTFOUND); 1544 } else { 1545 res->id.idmap_id_u.uid = rid - LOCALRID_MIN; 1546 res->id.idtype = IDMAP_UID; 1547 } 1548 break; 1549 default: 1550 return (IDMAP_ERR_NOTSUPPORTED); 1551 } 1552 return (IDMAP_SUCCESS); 1553 } 1554 1555 return (IDMAP_ERR_NOTFOUND); 1556 } 1557 1558 static idmap_retcode 1559 ns_lookup_byname(int is_user, const char *name, idmap_id_res *res) { 1560 struct passwd pwd; 1561 struct group grp; 1562 char buf[1024]; 1563 int errnum; 1564 const char *me = "ns_lookup_byname"; 1565 1566 if (is_user) { 1567 if (getpwnam_r(name, &pwd, buf, sizeof (buf)) == NULL) { 1568 errnum = errno; 1569 idmapdlog(LOG_WARNING, 1570 "%s: getpwnam_r(%s) failed (%s).", 1571 me, name, 1572 errnum?strerror(errnum):"not found"); 1573 if (errnum == 0) 1574 return (IDMAP_ERR_NOTFOUND); 1575 else 1576 return (IDMAP_ERR_INTERNAL); 1577 } 1578 res->id.idmap_id_u.uid = pwd.pw_uid; 1579 res->id.idtype = IDMAP_UID; 1580 } else { 1581 if (getgrnam_r(name, &grp, buf, sizeof (buf)) == NULL) { 1582 errnum = errno; 1583 idmapdlog(LOG_WARNING, 1584 "%s: getgrnam_r(%s) failed (%s).", 1585 me, name, 1586 errnum?strerror(errnum):"not found"); 1587 if (errnum == 0) 1588 return (IDMAP_ERR_NOTFOUND); 1589 else 1590 return (IDMAP_ERR_INTERNAL); 1591 } 1592 res->id.idmap_id_u.gid = grp.gr_gid; 1593 res->id.idtype = IDMAP_GID; 1594 } 1595 return (IDMAP_SUCCESS); 1596 } 1597 1598 /* 1599 * Name-based mapping 1600 * 1601 * Case 1: If no rule matches do ephemeral 1602 * 1603 * Case 2: If rule matches and unixname is "" then return no mapping. 1604 * 1605 * Case 3: If rule matches and unixname is specified then lookup name 1606 * service using the unixname. If unixname not found then return no mapping. 1607 * 1608 * Case 4: If rule matches and unixname is * then lookup name service 1609 * using winname as the unixname. If unixname not found then process 1610 * other rules using the lookup order. If no other rule matches then do 1611 * ephemeral. Otherwise, based on the matched rule do Case 2 or 3 or 4. 1612 * This allows us to specify a fallback unixname per _domain_ or no mapping 1613 * instead of the default behaviour of doing ephemeral mapping. 1614 * 1615 * Example 1: 1616 * *@sfbay == * 1617 * If looking up windows users foo@sfbay and foo does not exists in 1618 * the name service then foo@sfbay will be mapped to an ephemeral id. 1619 * 1620 * Example 2: 1621 * *@sfbay == * 1622 * *@sfbay => guest 1623 * If looking up windows users foo@sfbay and foo does not exists in 1624 * the name service then foo@sfbay will be mapped to guest. 1625 * 1626 * Example 3: 1627 * *@sfbay == * 1628 * *@sfbay => "" 1629 * If looking up windows users foo@sfbay and foo does not exists in 1630 * the name service then we will return no mapping for foo@sfbay. 1631 * 1632 */ 1633 static idmap_retcode 1634 name_based_mapping_sid2pid(sqlite *db, idmap_mapping *req, idmap_id_res *res) { 1635 const char *unixname, *winname, *windomain; 1636 char *sql = NULL, *errmsg = NULL; 1637 idmap_retcode retcode; 1638 char *end; 1639 const char **values; 1640 sqlite_vm *vm = NULL; 1641 int ncol, r, i, is_user; 1642 const char *me = "name_based_mapping_sid2pid"; 1643 1644 winname = req->id1name; 1645 windomain = req->id1domain; 1646 is_user = (res->id.idtype == IDMAP_UID)?1:0; 1647 1648 i = 0; 1649 if (windomain == NULL) { 1650 windomain = ""; 1651 } else { 1652 RDLOCK_CONFIG(); 1653 if (_idmapdstate.cfg->pgcfg.mapping_domain != NULL) { 1654 if (strcasecmp(_idmapdstate.cfg->pgcfg.mapping_domain, 1655 windomain) == 0) 1656 i = 1; 1657 } 1658 UNLOCK_CONFIG(); 1659 } 1660 1661 sql = sqlite_mprintf( 1662 "SELECT unixname, u2w_order FROM namerules WHERE " 1663 "w2u_order > 0 AND is_user = %d AND " 1664 "(winname = %Q OR winname = '*') AND " 1665 "(windomain = %Q OR windomain = '*' %s) " 1666 "ORDER BY w2u_order ASC;", 1667 is_user, winname, 1668 windomain, 1669 i?"OR windomain ISNULL OR windomain = ''":""); 1670 if (sql == NULL) { 1671 idmapdlog(LOG_ERR, "Out of memory"); 1672 retcode = IDMAP_ERR_MEMORY; 1673 goto out; 1674 } 1675 1676 if (sqlite_compile(db, sql, NULL, &vm, &errmsg) != SQLITE_OK) { 1677 retcode = IDMAP_ERR_INTERNAL; 1678 idmapdlog(LOG_ERR, 1679 "%s: database error (%s)", 1680 me, CHECK_NULL(errmsg)); 1681 sqlite_freemem(errmsg); 1682 goto out; 1683 } 1684 1685 for (; ; ) { 1686 r = sqlite_step(vm, &ncol, &values, NULL); 1687 assert(r != SQLITE_LOCKED && r != SQLITE_BUSY); 1688 1689 if (r == SQLITE_ROW) { 1690 if (ncol < 2) { 1691 retcode = IDMAP_ERR_INTERNAL; 1692 goto out; 1693 } 1694 if (values[0] == NULL) { 1695 retcode = IDMAP_ERR_INTERNAL; 1696 goto out; 1697 } 1698 1699 if (EMPTY_NAME(values[0])) { 1700 retcode = IDMAP_ERR_NOMAPPING; 1701 goto out; 1702 } 1703 unixname = (values[0][0] == '*')?winname:values[0]; 1704 retcode = ns_lookup_byname(is_user, unixname, res); 1705 if (retcode == IDMAP_ERR_NOTFOUND) { 1706 if (unixname == winname) 1707 /* Case 4 */ 1708 continue; 1709 else 1710 /* Case 3 */ 1711 retcode = IDMAP_ERR_NOMAPPING; 1712 } 1713 goto out; 1714 } else if (r == SQLITE_DONE) { 1715 retcode = IDMAP_ERR_NOTFOUND; 1716 goto out; 1717 } else { 1718 (void) sqlite_finalize(vm, &errmsg); 1719 vm = NULL; 1720 idmapdlog(LOG_ERR, 1721 "%s: database error (%s)", 1722 me, CHECK_NULL(errmsg)); 1723 sqlite_freemem(errmsg); 1724 retcode = IDMAP_ERR_INTERNAL; 1725 goto out; 1726 } 1727 } 1728 1729 out: 1730 if (sql != NULL) 1731 sqlite_freemem(sql); 1732 if (retcode == IDMAP_SUCCESS) { 1733 if (values[1] != NULL) 1734 res->direction = 1735 (strtol(values[1], &end, 10) == 0)? 1736 IDMAP_DIRECTION_W2U:IDMAP_DIRECTION_BI; 1737 else 1738 res->direction = IDMAP_DIRECTION_W2U; 1739 req->id2name = strdup(unixname); 1740 } 1741 if (vm != NULL) 1742 (void) sqlite_finalize(vm, NULL); 1743 return (retcode); 1744 } 1745 1746 static 1747 int 1748 get_next_eph_uid(uid_t *next_uid) 1749 { 1750 uid_t uid; 1751 gid_t gid; 1752 int err; 1753 1754 *next_uid = (uid_t)-1; 1755 uid = _idmapdstate.next_uid++; 1756 if (uid >= _idmapdstate.limit_uid) { 1757 if ((err = allocids(0, 8192, &uid, 0, &gid)) != 0) 1758 return (err); 1759 1760 _idmapdstate.limit_uid = uid + 8192; 1761 _idmapdstate.next_uid = uid; 1762 } 1763 *next_uid = uid; 1764 1765 return (0); 1766 } 1767 1768 static 1769 int 1770 get_next_eph_gid(gid_t *next_gid) 1771 { 1772 uid_t uid; 1773 gid_t gid; 1774 int err; 1775 1776 *next_gid = (uid_t)-1; 1777 gid = _idmapdstate.next_gid++; 1778 if (gid >= _idmapdstate.limit_gid) { 1779 if ((err = allocids(0, 0, &uid, 8192, &gid)) != 0) 1780 return (err); 1781 1782 _idmapdstate.limit_gid = gid + 8192; 1783 _idmapdstate.next_gid = gid; 1784 } 1785 *next_gid = gid; 1786 1787 return (0); 1788 } 1789 1790 static 1791 int 1792 gethash(const char *str, uint32_t num, uint_t htsize) { 1793 uint_t hval, i, len; 1794 1795 if (str == NULL) 1796 return (0); 1797 for (len = strlen(str), hval = 0, i = 0; i < len; i++) { 1798 hval += str[i]; 1799 hval += (hval << 10); 1800 hval ^= (hval >> 6); 1801 } 1802 for (str = (const char *)&num, i = 0; i < sizeof (num); i++) { 1803 hval += str[i]; 1804 hval += (hval << 10); 1805 hval ^= (hval >> 6); 1806 } 1807 hval += (hval << 3); 1808 hval ^= (hval >> 11); 1809 hval += (hval << 15); 1810 return (hval % htsize); 1811 } 1812 1813 static 1814 int 1815 get_from_sid_history(lookup_state_t *state, const char *prefix, uint32_t rid, 1816 uid_t *pid) { 1817 uint_t next, key; 1818 uint_t htsize = state->sid_history_size; 1819 idmap_sid *sid; 1820 1821 next = gethash(prefix, rid, htsize); 1822 while (next != htsize) { 1823 key = state->sid_history[next].key; 1824 if (key == htsize) 1825 return (0); 1826 sid = &state->batch->idmap_mapping_batch_val[key].id1. 1827 idmap_id_u.sid; 1828 if (sid->rid == rid && strcmp(sid->prefix, prefix) == 0) { 1829 *pid = state->result->ids.ids_val[key].id. 1830 idmap_id_u.uid; 1831 return (1); 1832 } 1833 next = state->sid_history[next].next; 1834 } 1835 return (0); 1836 } 1837 1838 static 1839 void 1840 add_to_sid_history(lookup_state_t *state, const char *prefix, uint32_t rid) { 1841 uint_t hash, next; 1842 uint_t htsize = state->sid_history_size; 1843 1844 hash = next = gethash(prefix, rid, htsize); 1845 while (state->sid_history[next].key != htsize) { 1846 next++; 1847 next %= htsize; 1848 } 1849 state->sid_history[next].key = state->curpos; 1850 if (hash == next) 1851 return; 1852 state->sid_history[next].next = state->sid_history[hash].next; 1853 state->sid_history[hash].next = next; 1854 } 1855 1856 /* ARGSUSED */ 1857 static 1858 idmap_retcode 1859 dynamic_ephemeral_mapping(lookup_state_t *state, sqlite *cache, 1860 idmap_mapping *req, idmap_id_res *res) { 1861 1862 uid_t next_pid; 1863 1864 res->direction = IDMAP_DIRECTION_BI; 1865 1866 if (IS_EPHEMERAL(res->id.idmap_id_u.uid)) 1867 return (IDMAP_SUCCESS); 1868 1869 if (state->sid_history != NULL && 1870 get_from_sid_history(state, req->id1.idmap_id_u.sid.prefix, 1871 req->id1.idmap_id_u.sid.rid, &next_pid)) { 1872 res->id.idmap_id_u.uid = next_pid; 1873 return (IDMAP_SUCCESS); 1874 } 1875 1876 if (res->id.idtype == IDMAP_UID) { 1877 if (get_next_eph_uid(&next_pid) != 0) 1878 return (IDMAP_ERR_INTERNAL); 1879 res->id.idmap_id_u.uid = next_pid; 1880 } else { 1881 if (get_next_eph_gid(&next_pid) != 0) 1882 return (IDMAP_ERR_INTERNAL); 1883 res->id.idmap_id_u.gid = next_pid; 1884 } 1885 1886 if (state->sid_history != NULL) 1887 add_to_sid_history(state, req->id1.idmap_id_u.sid.prefix, 1888 req->id1.idmap_id_u.sid.rid); 1889 1890 return (IDMAP_SUCCESS); 1891 } 1892 1893 idmap_retcode 1894 sid2pid_second_pass(lookup_state_t *state, sqlite *cache, sqlite *db, 1895 idmap_mapping *req, idmap_id_res *res) { 1896 idmap_retcode retcode; 1897 1898 /* 1899 * The req->direction field is used to maintain state of the 1900 * sid2pid request. 1901 */ 1902 1903 /* Check if second pass is needed */ 1904 if (req->direction == _IDMAP_F_DONE) 1905 return (res->retcode); 1906 1907 /* Get status from previous pass */ 1908 retcode = (res->retcode == IDMAP_NEXT)?IDMAP_SUCCESS:res->retcode; 1909 1910 if (retcode != IDMAP_SUCCESS) { 1911 /* Reset return type */ 1912 res->id.idtype = req->id2.idtype; 1913 res->id.idmap_id_u.uid = UID_NOBODY; 1914 1915 /* Check if this is a localsid */ 1916 if (retcode == IDMAP_ERR_NOTFOUND && 1917 _idmapdstate.cfg->pgcfg.machine_sid) { 1918 retcode = lookup_localsid2pid(req, res); 1919 if (retcode == IDMAP_SUCCESS) { 1920 state->sid2pid_done = FALSE; 1921 req->direction = _IDMAP_F_S2N_CACHE; 1922 } 1923 } 1924 goto out; 1925 } 1926 1927 /* 1928 * Verify that the sid type matches the request if the 1929 * SID was validated by an AD lookup. 1930 */ 1931 if (req->direction & _IDMAP_F_S2N_AD) { 1932 retcode = verify_type(req->id2.idtype, 1933 (int)res->id.idtype, res); 1934 if (retcode != IDMAP_SUCCESS) { 1935 res->id.idtype = req->id2.idtype; 1936 res->id.idmap_id_u.uid = UID_NOBODY; 1937 goto out; 1938 } 1939 } 1940 1941 /* Name-based mapping */ 1942 retcode = name_based_mapping_sid2pid(db, req, res); 1943 if (retcode == IDMAP_ERR_NOTFOUND) 1944 /* If not found, do ephemeral mapping */ 1945 goto ephemeral; 1946 else if (retcode != IDMAP_SUCCESS) 1947 goto out; 1948 1949 state->sid2pid_done = FALSE; 1950 goto out; 1951 1952 1953 ephemeral: 1954 retcode = dynamic_ephemeral_mapping(state, cache, req, res); 1955 if (retcode == IDMAP_SUCCESS) 1956 state->sid2pid_done = FALSE; 1957 1958 out: 1959 res->retcode = idmap_stat4prot(retcode); 1960 return (retcode); 1961 } 1962 1963 idmap_retcode 1964 update_cache_pid2sid(lookup_state_t *state, sqlite *cache, 1965 idmap_mapping *req, idmap_id_res *res) { 1966 char *sql = NULL; 1967 idmap_retcode retcode; 1968 1969 /* Check if we need to cache anything */ 1970 if (req->direction == _IDMAP_F_DONE) 1971 return (IDMAP_SUCCESS); 1972 1973 /* We don't cache negative entries */ 1974 if (res->retcode != IDMAP_SUCCESS) 1975 return (IDMAP_SUCCESS); 1976 1977 /* 1978 * Using NULL for u2w instead of 0 so that our trigger allows 1979 * the same pid to be the destination in multiple entries 1980 */ 1981 sql = sqlite_mprintf("INSERT OR REPLACE into idmap_cache " 1982 "(sidprefix, rid, windomain, winname, pid, unixname, " 1983 "is_user, expiration, w2u, u2w) " 1984 "VALUES(%Q, %u, %Q, %Q, %u, %Q, %d, " 1985 "strftime('%%s','now') + 600, %q, 1); ", 1986 res->id.idmap_id_u.sid.prefix, 1987 res->id.idmap_id_u.sid.rid, 1988 req->id2domain, 1989 req->id2name, 1990 req->id1.idmap_id_u.uid, 1991 req->id1name, 1992 (req->id1.idtype == IDMAP_UID)?1:0, 1993 (res->direction == 0)?"1":NULL); 1994 1995 if (sql == NULL) { 1996 retcode = IDMAP_ERR_INTERNAL; 1997 idmapdlog(LOG_ERR, "Out of memory"); 1998 goto out; 1999 } 2000 2001 retcode = sql_exec_no_cb(cache, sql); 2002 if (retcode != IDMAP_SUCCESS) 2003 goto out; 2004 2005 state->pid2sid_done = FALSE; 2006 sqlite_freemem(sql); 2007 sql = NULL; 2008 2009 /* If sid2name was found in the cache, no need to update namecache */ 2010 if (req->direction & _IDMAP_F_S2N_CACHE) 2011 goto out; 2012 2013 if (req->id2name == NULL) 2014 goto out; 2015 2016 sql = sqlite_mprintf("INSERT OR REPLACE into name_cache " 2017 "(sidprefix, rid, name, domain, type, expiration) " 2018 "VALUES(%Q, %u, %Q, %Q, %d, strftime('%%s','now') + 3600); ", 2019 res->id.idmap_id_u.sid.prefix, 2020 res->id.idmap_id_u.sid.rid, 2021 req->id2name, 2022 req->id2domain, 2023 (req->id1.idtype == IDMAP_UID)?_IDMAP_T_USER:_IDMAP_T_GROUP); 2024 2025 if (sql == NULL) { 2026 retcode = IDMAP_ERR_INTERNAL; 2027 idmapdlog(LOG_ERR, "Out of memory"); 2028 goto out; 2029 } 2030 2031 retcode = sql_exec_no_cb(cache, sql); 2032 2033 out: 2034 if (sql != NULL) 2035 sqlite_freemem(sql); 2036 return (retcode); 2037 } 2038 2039 idmap_retcode 2040 update_cache_sid2pid(lookup_state_t *state, sqlite *cache, 2041 idmap_mapping *req, idmap_id_res *res) { 2042 char *sql = NULL; 2043 idmap_retcode retcode; 2044 int is_eph_user; 2045 2046 /* Check if we need to cache anything */ 2047 if (req->direction == _IDMAP_F_DONE) 2048 return (IDMAP_SUCCESS); 2049 2050 /* We don't cache negative entries */ 2051 if (res->retcode != IDMAP_SUCCESS) 2052 return (IDMAP_SUCCESS); 2053 2054 if (req->direction & _IDMAP_F_EXP_EPH_UID) 2055 is_eph_user = 1; 2056 else if (req->direction & _IDMAP_F_EXP_EPH_GID) 2057 is_eph_user = 0; 2058 else 2059 is_eph_user = -1; 2060 2061 if (is_eph_user >= 0 && !IS_EPHEMERAL(res->id.idmap_id_u.uid)) { 2062 sql = sqlite_mprintf("UPDATE idmap_cache " 2063 "SET w2u = 0 WHERE " 2064 "sidprefix = %Q AND rid = %u AND w2u = 1 AND " 2065 "pid >= 2147483648 AND is_user = %d;", 2066 req->id1.idmap_id_u.sid.prefix, 2067 req->id1.idmap_id_u.sid.rid, 2068 is_eph_user); 2069 if (sql == NULL) { 2070 retcode = IDMAP_ERR_INTERNAL; 2071 idmapdlog(LOG_ERR, "Out of memory"); 2072 goto out; 2073 } 2074 2075 retcode = sql_exec_no_cb(cache, sql); 2076 if (retcode != IDMAP_SUCCESS) 2077 goto out; 2078 2079 sqlite_freemem(sql); 2080 sql = NULL; 2081 } 2082 2083 sql = sqlite_mprintf("INSERT OR REPLACE into idmap_cache " 2084 "(sidprefix, rid, windomain, winname, pid, unixname, " 2085 "is_user, expiration, w2u, u2w) " 2086 "VALUES(%Q, %u, %Q, %Q, %u, %Q, %d, " 2087 "strftime('%%s','now') + 600, 1, %q); ", 2088 req->id1.idmap_id_u.sid.prefix, 2089 req->id1.idmap_id_u.sid.rid, 2090 req->id1domain, 2091 req->id1name, 2092 res->id.idmap_id_u.uid, 2093 req->id2name, 2094 (res->id.idtype == IDMAP_UID)?1:0, 2095 (res->direction == 0)?"1":NULL); 2096 2097 if (sql == NULL) { 2098 retcode = IDMAP_ERR_INTERNAL; 2099 idmapdlog(LOG_ERR, "Out of memory"); 2100 goto out; 2101 } 2102 2103 retcode = sql_exec_no_cb(cache, sql); 2104 if (retcode != IDMAP_SUCCESS) 2105 goto out; 2106 2107 state->sid2pid_done = FALSE; 2108 sqlite_freemem(sql); 2109 sql = NULL; 2110 2111 /* If name2sid was found in the cache, no need to update namecache */ 2112 if (req->direction & _IDMAP_F_S2N_CACHE) 2113 goto out; 2114 2115 if (EMPTY_STRING(req->id1name)) 2116 goto out; 2117 2118 sql = sqlite_mprintf("INSERT OR REPLACE into name_cache " 2119 "(sidprefix, rid, name, domain, type, expiration) " 2120 "VALUES(%Q, %u, %Q, %Q, %d, strftime('%%s','now') + 3600); ", 2121 req->id1.idmap_id_u.sid.prefix, 2122 req->id1.idmap_id_u.sid.rid, 2123 req->id1name, 2124 req->id1domain, 2125 (res->id.idtype == IDMAP_UID)?_IDMAP_T_USER:_IDMAP_T_GROUP); 2126 2127 if (sql == NULL) { 2128 retcode = IDMAP_ERR_INTERNAL; 2129 idmapdlog(LOG_ERR, "Out of memory"); 2130 goto out; 2131 } 2132 2133 retcode = sql_exec_no_cb(cache, sql); 2134 2135 out: 2136 if (sql != NULL) 2137 sqlite_freemem(sql); 2138 return (retcode); 2139 } 2140 2141 static idmap_retcode 2142 lookup_cache_pid2sid(sqlite *cache, idmap_mapping *req, idmap_id_res *res, 2143 int is_user, int getname) { 2144 char *end; 2145 char *sql = NULL; 2146 const char **values; 2147 sqlite_vm *vm = NULL; 2148 int ncol; 2149 idmap_retcode retcode = IDMAP_SUCCESS; 2150 time_t curtime; 2151 2152 /* Current time */ 2153 errno = 0; 2154 if ((curtime = time(NULL)) == (time_t)-1) { 2155 idmapdlog(LOG_ERR, 2156 "Failed to get current time (%s)", 2157 strerror(errno)); 2158 retcode = IDMAP_ERR_INTERNAL; 2159 goto out; 2160 } 2161 2162 /* SQL to lookup the cache */ 2163 sql = sqlite_mprintf("SELECT sidprefix, rid, winname, windomain, w2u " 2164 "FROM idmap_cache WHERE " 2165 "pid = %u AND u2w = 1 AND is_user = %d AND " 2166 "(pid >= 2147483648 OR " 2167 "(expiration = 0 OR expiration ISNULL OR " 2168 "expiration > %d));", 2169 req->id1.idmap_id_u.uid, is_user, curtime); 2170 if (sql == NULL) { 2171 idmapdlog(LOG_ERR, "Out of memory"); 2172 retcode = IDMAP_ERR_MEMORY; 2173 goto out; 2174 } 2175 retcode = sql_compile_n_step_once(cache, sql, &vm, &ncol, 5, &values); 2176 sqlite_freemem(sql); 2177 2178 if (retcode == IDMAP_ERR_NOTFOUND) 2179 goto out; 2180 else if (retcode == IDMAP_SUCCESS) { 2181 /* sanity checks */ 2182 if (values[0] == NULL || values[1] == NULL) { 2183 retcode = IDMAP_ERR_CACHE; 2184 goto out; 2185 } 2186 2187 switch (req->id2.idtype) { 2188 case IDMAP_SID: 2189 res->id.idmap_id_u.sid.rid = 2190 strtoul(values[1], &end, 10); 2191 res->id.idmap_id_u.sid.prefix = strdup(values[0]); 2192 if (res->id.idmap_id_u.sid.prefix == NULL) { 2193 idmapdlog(LOG_ERR, "Out of memory"); 2194 retcode = IDMAP_ERR_MEMORY; 2195 goto out; 2196 } 2197 2198 if (values[4] != NULL) 2199 res->direction = 2200 (strtol(values[4], &end, 10) == 0)? 2201 IDMAP_DIRECTION_U2W:IDMAP_DIRECTION_BI; 2202 else 2203 res->direction = IDMAP_DIRECTION_U2W; 2204 2205 if (getname == 0 || values[2] == NULL) 2206 break; 2207 req->id2name = strdup(values[2]); 2208 if (req->id2name == NULL) { 2209 idmapdlog(LOG_ERR, "Out of memory"); 2210 retcode = IDMAP_ERR_MEMORY; 2211 goto out; 2212 } 2213 2214 if (values[3] == NULL) 2215 break; 2216 req->id2domain = strdup(values[3]); 2217 if (req->id2domain == NULL) { 2218 idmapdlog(LOG_ERR, "Out of memory"); 2219 retcode = IDMAP_ERR_MEMORY; 2220 goto out; 2221 } 2222 break; 2223 default: 2224 retcode = IDMAP_ERR_NOTSUPPORTED; 2225 break; 2226 } 2227 } 2228 2229 out: 2230 if (vm != NULL) 2231 (void) sqlite_finalize(vm, NULL); 2232 return (retcode); 2233 } 2234 2235 static idmap_retcode 2236 lookup_cache_name2sid(sqlite *cache, const char *name, const char *domain, 2237 char **sidprefix, idmap_rid_t *rid, int *type) { 2238 char *end; 2239 char *sql = NULL; 2240 const char **values; 2241 sqlite_vm *vm = NULL; 2242 int ncol; 2243 time_t curtime; 2244 idmap_retcode retcode = IDMAP_SUCCESS; 2245 2246 /* Get current time */ 2247 errno = 0; 2248 if ((curtime = time(NULL)) == (time_t)-1) { 2249 idmapdlog(LOG_ERR, 2250 "Failed to get current time (%s)", 2251 strerror(errno)); 2252 retcode = IDMAP_ERR_INTERNAL; 2253 goto out; 2254 } 2255 2256 /* SQL to lookup the cache */ 2257 sql = sqlite_mprintf("SELECT sidprefix, rid, type FROM name_cache " 2258 "WHERE name = %Q AND domain = %Q AND " 2259 "(expiration = 0 OR expiration ISNULL OR " 2260 "expiration > %d);", 2261 name, domain, curtime); 2262 if (sql == NULL) { 2263 idmapdlog(LOG_ERR, "Out of memory"); 2264 retcode = IDMAP_ERR_MEMORY; 2265 goto out; 2266 } 2267 retcode = sql_compile_n_step_once(cache, sql, &vm, &ncol, 3, &values); 2268 sqlite_freemem(sql); 2269 2270 if (retcode == IDMAP_SUCCESS) { 2271 if (type != NULL) { 2272 if (values[2] == NULL) { 2273 retcode = IDMAP_ERR_CACHE; 2274 goto out; 2275 } 2276 *type = strtol(values[2], &end, 10); 2277 } 2278 2279 if (values[0] == NULL || values[1] == NULL) { 2280 retcode = IDMAP_ERR_CACHE; 2281 goto out; 2282 } 2283 if ((*sidprefix = strdup(values[0])) == NULL) { 2284 idmapdlog(LOG_ERR, "Out of memory"); 2285 retcode = IDMAP_ERR_MEMORY; 2286 goto out; 2287 } 2288 *rid = strtoul(values[1], &end, 10); 2289 } 2290 2291 out: 2292 if (vm != NULL) 2293 (void) sqlite_finalize(vm, NULL); 2294 return (retcode); 2295 } 2296 2297 static idmap_retcode 2298 lookup_win_name2sid(const char *name, const char *domain, char **sidprefix, 2299 idmap_rid_t *rid, int *type) { 2300 int ret; 2301 int retries = 0; 2302 idmap_query_state_t *qs = NULL; 2303 idmap_retcode rc, retcode; 2304 2305 retcode = IDMAP_ERR_NOTFOUND; 2306 2307 retry: 2308 ret = idmap_lookup_batch_start(_idmapdstate.ad, 1, &qs); 2309 if (ret != 0) { 2310 idmapdlog(LOG_ERR, 2311 "Failed to create name2sid batch for AD lookup"); 2312 return (IDMAP_ERR_INTERNAL); 2313 } 2314 2315 retcode = idmap_name2sid_batch_add1(qs, name, domain, sidprefix, 2316 rid, type, &rc); 2317 if (retcode == IDMAP_ERR_RETRIABLE_NET_ERR) 2318 goto out; 2319 2320 if (retcode != IDMAP_SUCCESS) { 2321 idmapdlog(LOG_ERR, 2322 "Failed to batch name2sid for AD lookup"); 2323 idmap_lookup_release_batch(&qs); 2324 return (IDMAP_ERR_INTERNAL); 2325 } 2326 2327 out: 2328 if (retcode == IDMAP_ERR_RETRIABLE_NET_ERR) 2329 idmap_lookup_release_batch(&qs); 2330 else 2331 retcode = idmap_lookup_batch_end(&qs, NULL); 2332 2333 if (retcode == IDMAP_ERR_RETRIABLE_NET_ERR && retries++ < 2) 2334 goto retry; 2335 2336 if (retcode != IDMAP_SUCCESS) { 2337 idmapdlog(LOG_NOTICE, "Windows user/group name to SID lookup " 2338 "failed"); 2339 return (retcode); 2340 } else 2341 return (rc); 2342 /* NOTREACHED */ 2343 } 2344 2345 static idmap_retcode 2346 lookup_name2sid(sqlite *cache, const char *name, const char *domain, 2347 int *is_user, char **sidprefix, idmap_rid_t *rid, 2348 idmap_mapping *req) { 2349 int type; 2350 idmap_retcode retcode; 2351 2352 /* Lookup name@domain to sid in the well-known sids table */ 2353 retcode = lookup_wksids_name2sid(name, sidprefix, rid, &type); 2354 if (retcode == IDMAP_SUCCESS) { 2355 req->direction |= _IDMAP_F_S2N_CACHE; 2356 goto out; 2357 } else if (retcode != IDMAP_ERR_NOTFOUND) { 2358 return (retcode); 2359 } 2360 2361 /* Lookup name@domain to sid in cache */ 2362 retcode = lookup_cache_name2sid(cache, name, domain, sidprefix, 2363 rid, &type); 2364 if (retcode == IDMAP_ERR_NOTFOUND) { 2365 /* Lookup Windows NT/AD to map name@domain to sid */ 2366 retcode = lookup_win_name2sid(name, domain, sidprefix, rid, 2367 &type); 2368 if (retcode != IDMAP_SUCCESS) 2369 return (retcode); 2370 req->direction |= _IDMAP_F_S2N_AD; 2371 } else if (retcode != IDMAP_SUCCESS) { 2372 return (retcode); 2373 } else { 2374 /* Set flag */ 2375 req->direction |= _IDMAP_F_S2N_CACHE; 2376 } 2377 2378 out: 2379 /* 2380 * Entry found (cache or Windows lookup) 2381 * is_user is both input as well as output parameter 2382 */ 2383 if (*is_user == 1) { 2384 if (type != _IDMAP_T_USER) 2385 return (IDMAP_ERR_NOTUSER); 2386 } else if (*is_user == 0) { 2387 if (type != _IDMAP_T_GROUP) 2388 return (IDMAP_ERR_NOTGROUP); 2389 } else if (*is_user == -1) { 2390 /* Caller wants to know if its user or group */ 2391 if (type == _IDMAP_T_USER) 2392 *is_user = 1; 2393 else if (type == _IDMAP_T_GROUP) 2394 *is_user = 0; 2395 else 2396 return (IDMAP_ERR_SID); 2397 } 2398 2399 return (retcode); 2400 } 2401 2402 static idmap_retcode 2403 name_based_mapping_pid2sid(sqlite *db, sqlite *cache, const char *unixname, 2404 int is_user, idmap_mapping *req, idmap_id_res *res) { 2405 const char *winname, *windomain; 2406 char *mapping_domain = NULL; 2407 char *sql = NULL, *errmsg = NULL; 2408 idmap_retcode retcode; 2409 char *end; 2410 const char **values; 2411 sqlite_vm *vm = NULL; 2412 int ncol, r; 2413 const char *me = "name_based_mapping_pid2sid"; 2414 2415 RDLOCK_CONFIG(); 2416 if (_idmapdstate.cfg->pgcfg.mapping_domain != NULL) { 2417 mapping_domain = 2418 strdup(_idmapdstate.cfg->pgcfg.mapping_domain); 2419 if (mapping_domain == NULL) { 2420 UNLOCK_CONFIG(); 2421 idmapdlog(LOG_ERR, "Out of memory"); 2422 retcode = IDMAP_ERR_MEMORY; 2423 goto out; 2424 } 2425 } 2426 UNLOCK_CONFIG(); 2427 2428 sql = sqlite_mprintf( 2429 "SELECT winname, windomain, w2u_order FROM namerules WHERE " 2430 "u2w_order > 0 AND is_user = %d AND " 2431 "(unixname = %Q OR unixname = '*') " 2432 "ORDER BY u2w_order ASC;", 2433 is_user, unixname); 2434 if (sql == NULL) { 2435 idmapdlog(LOG_ERR, "Out of memory"); 2436 retcode = IDMAP_ERR_MEMORY; 2437 goto out; 2438 } 2439 2440 if (sqlite_compile(db, sql, NULL, &vm, &errmsg) != SQLITE_OK) { 2441 retcode = IDMAP_ERR_INTERNAL; 2442 idmapdlog(LOG_ERR, 2443 "%s: database error (%s)", 2444 me, CHECK_NULL(errmsg)); 2445 sqlite_freemem(errmsg); 2446 goto out; 2447 } 2448 2449 for (;;) { 2450 r = sqlite_step(vm, &ncol, &values, NULL); 2451 assert(r != SQLITE_LOCKED && r != SQLITE_BUSY); 2452 if (r == SQLITE_ROW) { 2453 if (ncol < 3) { 2454 retcode = IDMAP_ERR_INTERNAL; 2455 goto out; 2456 } 2457 if (values[0] == NULL) { 2458 /* values [1] and [2] can be null */ 2459 retcode = IDMAP_ERR_INTERNAL; 2460 goto out; 2461 } 2462 if (EMPTY_NAME(values[0])) { 2463 retcode = IDMAP_ERR_NOMAPPING; 2464 goto out; 2465 } 2466 winname = (values[0][0] == '*')?unixname:values[0]; 2467 if (values[1] != NULL) 2468 windomain = values[1]; 2469 else if (mapping_domain != NULL) 2470 windomain = mapping_domain; 2471 else { 2472 idmapdlog(LOG_ERR, 2473 "%s: no domain", me); 2474 retcode = IDMAP_ERR_DOMAIN_NOTFOUND; 2475 goto out; 2476 } 2477 /* Lookup winname@domain to sid */ 2478 retcode = lookup_name2sid(cache, winname, windomain, 2479 &is_user, &res->id.idmap_id_u.sid.prefix, 2480 &res->id.idmap_id_u.sid.rid, req); 2481 if (retcode == IDMAP_ERR_NOTFOUND) { 2482 if (winname == unixname) 2483 continue; 2484 else 2485 retcode = IDMAP_ERR_NOMAPPING; 2486 } 2487 goto out; 2488 } else if (r == SQLITE_DONE) { 2489 retcode = IDMAP_ERR_NOTFOUND; 2490 goto out; 2491 } else { 2492 (void) sqlite_finalize(vm, &errmsg); 2493 vm = NULL; 2494 idmapdlog(LOG_ERR, 2495 "%s: database error (%s)", 2496 me, CHECK_NULL(errmsg)); 2497 sqlite_freemem(errmsg); 2498 retcode = IDMAP_ERR_INTERNAL; 2499 goto out; 2500 } 2501 } 2502 2503 out: 2504 if (sql != NULL) 2505 sqlite_freemem(sql); 2506 if (retcode == IDMAP_SUCCESS) { 2507 if (values[2] != NULL) 2508 res->direction = 2509 (strtol(values[2], &end, 10) == 0)? 2510 IDMAP_DIRECTION_U2W:IDMAP_DIRECTION_BI; 2511 else 2512 res->direction = IDMAP_DIRECTION_U2W; 2513 2514 req->id2name = strdup(winname); 2515 if (req->id2name != NULL) { 2516 if (windomain == mapping_domain) { 2517 req->id2domain = (char *)windomain; 2518 mapping_domain = NULL; 2519 } else { 2520 req->id2domain = strdup(windomain); 2521 } 2522 } 2523 } 2524 if (vm != NULL) 2525 (void) sqlite_finalize(vm, NULL); 2526 if (mapping_domain != NULL) 2527 free(mapping_domain); 2528 return (retcode); 2529 } 2530 2531 idmap_retcode 2532 pid2sid_first_pass(lookup_state_t *state, sqlite *cache, sqlite *db, 2533 idmap_mapping *req, idmap_id_res *res, int is_user, 2534 int getname) { 2535 char *unixname = NULL; 2536 struct passwd pwd; 2537 struct group grp; 2538 char buf[1024]; 2539 int errnum; 2540 idmap_retcode retcode = IDMAP_SUCCESS; 2541 const char *me = "pid2sid"; 2542 2543 req->direction = _IDMAP_F_DONE; 2544 res->id.idtype = req->id2.idtype; 2545 2546 /* Lookup well-known SIDs */ 2547 retcode = lookup_wksids_pid2sid(req, res, is_user); 2548 if (retcode != IDMAP_ERR_NOTFOUND) 2549 goto out; 2550 2551 /* Lookup pid to sid in cache */ 2552 retcode = lookup_cache_pid2sid(cache, req, res, is_user, getname); 2553 if (retcode != IDMAP_ERR_NOTFOUND) 2554 goto out; 2555 2556 /* Ephemeral ids cannot be allocated during pid2sid */ 2557 if (IS_EPHEMERAL(req->id1.idmap_id_u.uid)) { 2558 retcode = IDMAP_ERR_NOMAPPING; 2559 goto out; 2560 } 2561 2562 if (DO_NOT_ALLOC_NEW_ID_MAPPING(req) || AVOID_NAMESERVICE(req)) { 2563 retcode = IDMAP_ERR_NOMAPPING; 2564 goto out; 2565 } 2566 2567 /* uid/gid to name */ 2568 if (!EMPTY_STRING(req->id1name)) { 2569 unixname = req->id1name; 2570 } else if (is_user) { 2571 errno = 0; 2572 if (getpwuid_r(req->id1.idmap_id_u.uid, &pwd, buf, 2573 sizeof (buf)) == NULL) { 2574 errnum = errno; 2575 idmapdlog(LOG_WARNING, 2576 "%s: getpwuid_r(%u) failed (%s).", 2577 me, req->id1.idmap_id_u.uid, 2578 errnum?strerror(errnum):"not found"); 2579 retcode = (errnum == 0)?IDMAP_ERR_NOTFOUND: 2580 IDMAP_ERR_INTERNAL; 2581 goto fallback_localsid; 2582 } 2583 unixname = pwd.pw_name; 2584 } else { 2585 errno = 0; 2586 if (getgrgid_r(req->id1.idmap_id_u.gid, &grp, buf, 2587 sizeof (buf)) == NULL) { 2588 errnum = errno; 2589 idmapdlog(LOG_WARNING, 2590 "%s: getgrgid_r(%u) failed (%s).", 2591 me, req->id1.idmap_id_u.gid, 2592 errnum?strerror(errnum):"not found"); 2593 retcode = (errnum == 0)?IDMAP_ERR_NOTFOUND: 2594 IDMAP_ERR_INTERNAL; 2595 goto fallback_localsid; 2596 } 2597 unixname = grp.gr_name; 2598 } 2599 2600 /* Name-based mapping */ 2601 retcode = name_based_mapping_pid2sid(db, cache, unixname, is_user, 2602 req, res); 2603 if (retcode == IDMAP_ERR_NOTFOUND) { 2604 retcode = generate_localsid(req, res, is_user); 2605 goto out; 2606 } else if (retcode == IDMAP_SUCCESS) 2607 goto out; 2608 2609 fallback_localsid: 2610 /* 2611 * Here we generate localsid as fallback id on errors. Our 2612 * return status is the error that's been previously assigned. 2613 */ 2614 (void) generate_localsid(req, res, is_user); 2615 2616 out: 2617 if (retcode == IDMAP_SUCCESS && EMPTY_STRING(req->id1name) && 2618 unixname != NULL) { 2619 if (req->id1name != NULL) 2620 free(req->id1name); 2621 req->id1name = strdup(unixname); 2622 if (req->id1name == NULL) 2623 retcode = IDMAP_ERR_MEMORY; 2624 } 2625 if (req->direction != _IDMAP_F_DONE) 2626 state->pid2sid_done = FALSE; 2627 res->retcode = idmap_stat4prot(retcode); 2628 return (retcode); 2629 } 2630 2631 static idmap_retcode 2632 lookup_win_sid2name(const char *sidprefix, idmap_rid_t rid, char **name, 2633 char **domain, int *type) { 2634 int ret; 2635 idmap_query_state_t *qs = NULL; 2636 idmap_retcode rc, retcode; 2637 2638 retcode = IDMAP_ERR_NOTFOUND; 2639 2640 ret = idmap_lookup_batch_start(_idmapdstate.ad, 1, &qs); 2641 if (ret != 0) { 2642 idmapdlog(LOG_ERR, 2643 "Failed to create sid2name batch for AD lookup"); 2644 retcode = IDMAP_ERR_INTERNAL; 2645 goto out; 2646 } 2647 2648 ret = idmap_sid2name_batch_add1( 2649 qs, sidprefix, &rid, name, domain, type, &rc); 2650 if (ret != 0) { 2651 idmapdlog(LOG_ERR, 2652 "Failed to batch sid2name for AD lookup"); 2653 retcode = IDMAP_ERR_INTERNAL; 2654 goto out; 2655 } 2656 2657 out: 2658 if (qs != NULL) { 2659 ret = idmap_lookup_batch_end(&qs, NULL); 2660 if (ret != 0) { 2661 idmapdlog(LOG_ERR, 2662 "Failed to execute sid2name AD lookup"); 2663 retcode = IDMAP_ERR_INTERNAL; 2664 } else 2665 retcode = rc; 2666 } 2667 2668 return (retcode); 2669 } 2670 2671 static int 2672 copy_mapping_request(idmap_mapping *mapping, idmap_mapping *request) 2673 { 2674 (void) memset(mapping, 0, sizeof (*mapping)); 2675 2676 mapping->flag = request->flag; 2677 mapping->direction = request->direction; 2678 mapping->id2.idtype = request->id2.idtype; 2679 2680 mapping->id1.idtype = request->id1.idtype; 2681 if (request->id1.idtype == IDMAP_SID) { 2682 mapping->id1.idmap_id_u.sid.rid = 2683 request->id1.idmap_id_u.sid.rid; 2684 if (!EMPTY_STRING(request->id1.idmap_id_u.sid.prefix)) { 2685 mapping->id1.idmap_id_u.sid.prefix = 2686 strdup(request->id1.idmap_id_u.sid.prefix); 2687 if (mapping->id1.idmap_id_u.sid.prefix == NULL) 2688 goto errout; 2689 } 2690 } else { 2691 mapping->id1.idmap_id_u.uid = request->id1.idmap_id_u.uid; 2692 } 2693 2694 mapping->id1domain = strdup(request->id1domain); 2695 if (mapping->id1domain == NULL) 2696 goto errout; 2697 2698 mapping->id1name = strdup(request->id1name); 2699 if (mapping->id1name == NULL) 2700 goto errout; 2701 2702 /* We don't need the rest of the request i.e request->id2 */ 2703 return (0); 2704 2705 errout: 2706 if (mapping->id1.idmap_id_u.sid.prefix != NULL) 2707 free(mapping->id1.idmap_id_u.sid.prefix); 2708 if (mapping->id1domain != NULL) 2709 free(mapping->id1domain); 2710 if (mapping->id1name != NULL) 2711 free(mapping->id1name); 2712 2713 (void) memset(mapping, 0, sizeof (*mapping)); 2714 return (-1); 2715 } 2716 2717 2718 idmap_retcode 2719 get_w2u_mapping(sqlite *cache, sqlite *db, idmap_mapping *request, 2720 idmap_mapping *mapping) { 2721 idmap_id_res idres; 2722 lookup_state_t state; 2723 char *cp; 2724 int is_user; 2725 idmap_retcode retcode; 2726 const char *winname, *windomain; 2727 2728 (void) memset(&idres, 0, sizeof (idres)); 2729 (void) memset(&state, 0, sizeof (state)); 2730 2731 if (request->id2.idtype == IDMAP_UID) 2732 is_user = 1; 2733 else if (request->id2.idtype == IDMAP_GID) 2734 is_user = 0; 2735 else if (request->id2.idtype == IDMAP_POSIXID) 2736 is_user = -1; 2737 else { 2738 retcode = IDMAP_ERR_IDTYPE; 2739 goto out; 2740 } 2741 2742 /* Copy data from request to result */ 2743 if (copy_mapping_request(mapping, request) < 0) { 2744 retcode = IDMAP_ERR_MEMORY; 2745 goto out; 2746 } 2747 2748 winname = mapping->id1name; 2749 windomain = mapping->id1domain; 2750 2751 if (EMPTY_STRING(winname) && !EMPTY_STRING(windomain)) { 2752 retcode = IDMAP_ERR_ARG; 2753 goto out; 2754 } 2755 2756 if (!EMPTY_STRING(winname) && EMPTY_STRING(windomain)) { 2757 retcode = IDMAP_SUCCESS; 2758 if ((cp = strchr(winname, '@')) != NULL) { 2759 /* 2760 * if winname is qualified with a domain, use it. 2761 */ 2762 *cp = '\0'; 2763 mapping->id1domain = strdup(cp + 1); 2764 if (mapping->id1domain == NULL) 2765 retcode = IDMAP_ERR_MEMORY; 2766 } else { 2767 RDLOCK_CONFIG(); 2768 if (_idmapdstate.cfg->pgcfg.mapping_domain != NULL) { 2769 /* 2770 * otherwise use the mapping domain 2771 */ 2772 mapping->id1domain = 2773 strdup(_idmapdstate.cfg-> 2774 pgcfg.mapping_domain); 2775 if (mapping->id1domain == NULL) 2776 retcode = IDMAP_ERR_MEMORY; 2777 } 2778 UNLOCK_CONFIG(); 2779 } 2780 2781 if (retcode != IDMAP_SUCCESS) { 2782 idmapdlog(LOG_ERR, "Out of memory"); 2783 goto out; 2784 } 2785 windomain = mapping->id1domain; 2786 } 2787 2788 if (!EMPTY_STRING(winname) && 2789 EMPTY_STRING(mapping->id1.idmap_id_u.sid.prefix)) { 2790 retcode = lookup_name2sid(cache, winname, windomain, 2791 &is_user, &mapping->id1.idmap_id_u.sid.prefix, 2792 &mapping->id1.idmap_id_u.sid.rid, mapping); 2793 if (retcode != IDMAP_SUCCESS) 2794 goto out; 2795 if (mapping->id2.idtype == IDMAP_POSIXID) 2796 mapping->id2.idtype = is_user?IDMAP_UID:IDMAP_GID; 2797 } 2798 2799 state.sid2pid_done = TRUE; 2800 retcode = sid2pid_first_pass(&state, cache, mapping, &idres); 2801 if (IDMAP_ERROR(retcode) || state.sid2pid_done == TRUE) 2802 goto out; 2803 2804 if (state.ad_nqueries) { 2805 /* sid2name AD lookup */ 2806 retcode = lookup_win_sid2name( 2807 mapping->id1.idmap_id_u.sid.prefix, 2808 mapping->id1.idmap_id_u.sid.rid, 2809 &mapping->id1name, 2810 &mapping->id1domain, 2811 (int *)&idres.id.idtype); 2812 2813 idres.retcode = retcode; 2814 } 2815 2816 state.sid2pid_done = TRUE; 2817 retcode = sid2pid_second_pass(&state, cache, db, mapping, &idres); 2818 if (IDMAP_ERROR(retcode) || state.sid2pid_done == TRUE) 2819 goto out; 2820 2821 /* Update cache */ 2822 (void) update_cache_sid2pid(&state, cache, mapping, &idres); 2823 2824 out: 2825 if (retcode == IDMAP_SUCCESS) { 2826 mapping->direction = idres.direction; 2827 mapping->id2 = idres.id; 2828 (void) memset(&idres, 0, sizeof (idres)); 2829 } else { 2830 mapping->id2.idmap_id_u.uid = UID_NOBODY; 2831 } 2832 xdr_free(xdr_idmap_id_res, (caddr_t)&idres); 2833 return (retcode); 2834 } 2835 2836 idmap_retcode 2837 get_u2w_mapping(sqlite *cache, sqlite *db, idmap_mapping *request, 2838 idmap_mapping *mapping, int is_user) { 2839 idmap_id_res idres; 2840 lookup_state_t state; 2841 struct passwd pwd; 2842 struct group grp; 2843 char buf[1024]; 2844 int errnum; 2845 idmap_retcode retcode; 2846 const char *unixname; 2847 const char *me = "get_u2w_mapping"; 2848 2849 /* 2850 * In order to re-use the pid2sid code, we convert 2851 * our input data into structs that are expected by 2852 * pid2sid_first_pass. 2853 */ 2854 2855 (void) memset(&idres, 0, sizeof (idres)); 2856 (void) memset(&state, 0, sizeof (state)); 2857 2858 /* Copy data from request to result */ 2859 if (copy_mapping_request(mapping, request) < 0) { 2860 retcode = IDMAP_ERR_MEMORY; 2861 goto out; 2862 } 2863 2864 unixname = mapping->id1name; 2865 2866 if (EMPTY_STRING(unixname) && 2867 mapping->id1.idmap_id_u.uid == SENTINEL_PID) { 2868 retcode = IDMAP_ERR_ARG; 2869 goto out; 2870 } 2871 2872 if (!EMPTY_STRING(unixname) && 2873 mapping->id1.idmap_id_u.uid == SENTINEL_PID) { 2874 /* Get uid/gid by name */ 2875 if (is_user) { 2876 errno = 0; 2877 if (getpwnam_r(unixname, &pwd, buf, 2878 sizeof (buf)) == NULL) { 2879 errnum = errno; 2880 idmapdlog(LOG_WARNING, 2881 "%s: getpwnam_r(%s) failed (%s).", 2882 me, unixname, 2883 errnum?strerror(errnum):"not found"); 2884 retcode = (errnum == 0)?IDMAP_ERR_NOTFOUND: 2885 IDMAP_ERR_INTERNAL; 2886 goto out; 2887 } 2888 mapping->id1.idmap_id_u.uid = pwd.pw_uid; 2889 } else { 2890 errno = 0; 2891 if (getgrnam_r(unixname, &grp, buf, 2892 sizeof (buf)) == NULL) { 2893 errnum = errno; 2894 idmapdlog(LOG_WARNING, 2895 "%s: getgrnam_r(%s) failed (%s).", 2896 me, unixname, 2897 errnum?strerror(errnum):"not found"); 2898 retcode = (errnum == 0)?IDMAP_ERR_NOTFOUND: 2899 IDMAP_ERR_INTERNAL; 2900 goto out; 2901 } 2902 mapping->id1.idmap_id_u.gid = grp.gr_gid; 2903 } 2904 } 2905 2906 state.pid2sid_done = TRUE; 2907 retcode = pid2sid_first_pass(&state, cache, db, mapping, &idres, 2908 is_user, 1); 2909 if (IDMAP_ERROR(retcode) || state.pid2sid_done == TRUE) 2910 goto out; 2911 2912 /* Update cache */ 2913 (void) update_cache_pid2sid(&state, cache, mapping, &idres); 2914 2915 out: 2916 mapping->direction = idres.direction; 2917 mapping->id2 = idres.id; 2918 (void) memset(&idres, 0, sizeof (idres)); 2919 xdr_free(xdr_idmap_id_res, (caddr_t)&idres); 2920 return (retcode); 2921 } 2922