1 |
|
|
/* $OpenBSD: ldapd.c,v 1.23 2017/03/01 00:50:12 gsoares Exp $ */ |
2 |
|
|
|
3 |
|
|
/* |
4 |
|
|
* Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se> |
5 |
|
|
* |
6 |
|
|
* Permission to use, copy, modify, and distribute this software for any |
7 |
|
|
* purpose with or without fee is hereby granted, provided that the above |
8 |
|
|
* copyright notice and this permission notice appear in all copies. |
9 |
|
|
* |
10 |
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
11 |
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
12 |
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
13 |
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
14 |
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
15 |
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
16 |
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 |
|
|
*/ |
18 |
|
|
|
19 |
|
|
#include <sys/queue.h> |
20 |
|
|
#include <sys/stat.h> |
21 |
|
|
#include <sys/un.h> |
22 |
|
|
#include <sys/types.h> |
23 |
|
|
#include <sys/wait.h> |
24 |
|
|
|
25 |
|
|
#include <assert.h> |
26 |
|
|
#include <bsd_auth.h> |
27 |
|
|
#include <ctype.h> |
28 |
|
|
#include <err.h> |
29 |
|
|
#include <errno.h> |
30 |
|
|
#include <event.h> |
31 |
|
|
#include <fcntl.h> |
32 |
|
|
#include <login_cap.h> |
33 |
|
|
#include <signal.h> |
34 |
|
|
#include <stdio.h> |
35 |
|
|
#include <stdlib.h> |
36 |
|
|
#include <string.h> |
37 |
|
|
#include <time.h> |
38 |
|
|
#include <unistd.h> |
39 |
|
|
|
40 |
|
|
#include "ldapd.h" |
41 |
|
|
#include "log.h" |
42 |
|
|
|
43 |
|
|
void usage(void); |
44 |
|
|
void ldapd_sig_handler(int fd, short why, void *data); |
45 |
|
|
void ldapd_sigchld_handler(int sig, short why, void *data); |
46 |
|
|
static void ldapd_imsgev(struct imsgev *iev, int code, struct imsg *imsg); |
47 |
|
|
static void ldapd_needfd(struct imsgev *iev); |
48 |
|
|
static void ldapd_auth_request(struct imsgev *iev, struct imsg *imsg); |
49 |
|
|
static void ldapd_open_request(struct imsgev *iev, struct imsg *imsg); |
50 |
|
|
static void ldapd_log_verbose(struct imsg *imsg); |
51 |
|
|
static void ldapd_cleanup(char *); |
52 |
|
|
static pid_t start_child(enum ldapd_process, char *, int, int, int, |
53 |
|
|
char *, char *); |
54 |
|
|
|
55 |
|
|
struct ldapd_stats stats; |
56 |
|
|
pid_t ldape_pid; |
57 |
|
|
const char *datadir = DATADIR; |
58 |
|
|
|
59 |
|
|
void |
60 |
|
|
usage(void) |
61 |
|
|
{ |
62 |
|
|
extern char *__progname; |
63 |
|
|
|
64 |
|
|
fprintf(stderr, "usage: %s [-dnv] [-D macro=value] " |
65 |
|
|
"[-f file] [-r directory] [-s file]\n", __progname); |
66 |
|
|
exit(1); |
67 |
|
|
} |
68 |
|
|
|
69 |
|
|
void |
70 |
|
|
ldapd_sig_handler(int sig, short why, void *data) |
71 |
|
|
{ |
72 |
|
32 |
log_info("ldapd: got signal %d", sig); |
73 |
✓✗ |
16 |
if (sig == SIGINT || sig == SIGTERM) |
74 |
|
16 |
event_loopexit(NULL); |
75 |
|
16 |
} |
76 |
|
|
|
77 |
|
|
void |
78 |
|
|
ldapd_sigchld_handler(int sig, short why, void *data) |
79 |
|
|
{ |
80 |
|
|
pid_t pid; |
81 |
|
|
int status; |
82 |
|
|
|
83 |
|
|
while ((pid = waitpid(WAIT_ANY, &status, WNOHANG)) != 0) { |
84 |
|
|
if (pid == -1) { |
85 |
|
|
if (errno == EINTR) |
86 |
|
|
continue; |
87 |
|
|
if (errno != ECHILD) |
88 |
|
|
log_warn("waitpid"); |
89 |
|
|
break; |
90 |
|
|
} |
91 |
|
|
|
92 |
|
|
if (WIFEXITED(status)) |
93 |
|
|
log_debug("child %d exited with status %d", |
94 |
|
|
pid, WEXITSTATUS(status)); |
95 |
|
|
else if (WIFSIGNALED(status)) |
96 |
|
|
log_debug("child %d exited due to signal %d", |
97 |
|
|
pid, WTERMSIG(status)); |
98 |
|
|
else |
99 |
|
|
log_debug("child %d terminated abnormally", pid); |
100 |
|
|
|
101 |
|
|
if (pid == ldape_pid) { |
102 |
|
|
log_info("ldapd: lost ldap server"); |
103 |
|
|
event_loopexit(NULL); |
104 |
|
|
break; |
105 |
|
|
} |
106 |
|
|
} |
107 |
|
|
} |
108 |
|
|
|
109 |
|
|
int |
110 |
|
|
main(int argc, char *argv[]) |
111 |
|
|
{ |
112 |
|
|
int c; |
113 |
|
|
int debug = 0, verbose = 0, eflag = 0; |
114 |
|
|
int configtest = 0; |
115 |
|
64 |
int pipe_parent2ldap[2]; |
116 |
|
|
char *conffile = CONFFILE; |
117 |
|
|
char *csockpath = LDAPD_SOCKET; |
118 |
|
|
char *saved_argv0; |
119 |
|
|
struct imsgev *iev_ldape; |
120 |
|
32 |
struct event ev_sigint; |
121 |
|
32 |
struct event ev_sigterm; |
122 |
|
32 |
struct event ev_sigchld; |
123 |
|
32 |
struct event ev_sighup; |
124 |
|
32 |
struct stat sb; |
125 |
|
|
|
126 |
|
32 |
log_init(1); /* log to stderr until daemonized */ |
127 |
|
|
|
128 |
|
32 |
saved_argv0 = argv[0]; |
129 |
|
32 |
if (saved_argv0 == NULL) |
130 |
|
|
saved_argv0 = "ldapd"; |
131 |
|
|
|
132 |
✓✓ |
320 |
while ((c = getopt(argc, argv, "dhvD:f:nr:s:E")) != -1) { |
133 |
|
|
|
134 |
✓✗✓✗ ✓✓✗✓ ✗✗ |
128 |
switch (c) { |
135 |
|
|
case 'd': |
136 |
|
|
debug = 1; |
137 |
|
16 |
break; |
138 |
|
|
case 'D': |
139 |
|
|
if (cmdline_symset(optarg) < 0) { |
140 |
|
|
warnx("could not parse macro definition %s", |
141 |
|
|
optarg); |
142 |
|
|
} |
143 |
|
|
break; |
144 |
|
|
case 'f': |
145 |
|
32 |
conffile = optarg; |
146 |
|
32 |
break; |
147 |
|
|
case 'h': |
148 |
|
|
usage(); |
149 |
|
|
/* NOTREACHED */ |
150 |
|
|
case 'n': |
151 |
|
|
configtest = 1; |
152 |
|
16 |
break; |
153 |
|
|
case 'r': |
154 |
|
32 |
datadir = optarg; |
155 |
|
32 |
break; |
156 |
|
|
case 's': |
157 |
|
|
csockpath = optarg; |
158 |
|
|
break; |
159 |
|
|
case 'v': |
160 |
|
32 |
verbose++; |
161 |
|
32 |
break; |
162 |
|
|
case 'E': |
163 |
|
|
eflag = 1; |
164 |
|
|
break; |
165 |
|
|
default: |
166 |
|
|
usage(); |
167 |
|
|
/* NOTREACHED */ |
168 |
|
|
} |
169 |
|
|
} |
170 |
|
|
|
171 |
|
32 |
argc -= optind; |
172 |
✗✓ |
32 |
if (argc > 0) |
173 |
|
|
usage(); |
174 |
|
|
|
175 |
|
|
/* check for root privileges */ |
176 |
✗✓ |
32 |
if (geteuid()) |
177 |
|
|
errx(1, "need root privileges"); |
178 |
|
|
|
179 |
|
|
/* check for ldapd user */ |
180 |
✗✓ |
32 |
if (getpwnam(LDAPD_USER) == NULL) |
181 |
|
|
errx(1, "unknown user %s", LDAPD_USER); |
182 |
|
|
|
183 |
|
32 |
log_verbose(verbose); |
184 |
|
32 |
stats.started_at = time(0); |
185 |
|
32 |
tls_init(); |
186 |
|
|
|
187 |
✗✓ |
32 |
if (parse_config(conffile) != 0) |
188 |
|
|
exit(2); |
189 |
|
|
|
190 |
✓✓ |
32 |
if (configtest) { |
191 |
|
|
fprintf(stderr, "configuration ok\n"); |
192 |
|
|
exit(0); |
193 |
|
|
} |
194 |
|
|
|
195 |
✗✓ |
16 |
if (eflag) |
196 |
|
|
ldape(debug, verbose, csockpath); |
197 |
|
|
|
198 |
✗✓ |
16 |
if (stat(datadir, &sb) == -1) |
199 |
|
|
err(1, "%s", datadir); |
200 |
✗✓ |
16 |
if (!S_ISDIR(sb.st_mode)) |
201 |
|
|
errx(1, "%s is not a directory", datadir); |
202 |
|
|
|
203 |
✗✓ |
16 |
if (!debug) { |
204 |
|
|
if (daemon(1, 0) == -1) |
205 |
|
|
err(1, "failed to daemonize"); |
206 |
|
|
} |
207 |
|
|
|
208 |
|
16 |
log_init(debug); |
209 |
|
16 |
log_info("startup"); |
210 |
|
|
|
211 |
✗✓ |
32 |
if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK, |
212 |
|
32 |
PF_UNSPEC, pipe_parent2ldap) != 0) |
213 |
|
|
fatal("socketpair"); |
214 |
|
|
|
215 |
|
16 |
ldape_pid = start_child(PROC_LDAP_SERVER, saved_argv0, |
216 |
|
16 |
pipe_parent2ldap[1], debug, verbose, csockpath, conffile); |
217 |
|
|
|
218 |
|
16 |
setproctitle("auth"); |
219 |
|
16 |
event_init(); |
220 |
|
|
|
221 |
|
16 |
signal_set(&ev_sigint, SIGINT, ldapd_sig_handler, NULL); |
222 |
|
16 |
signal_set(&ev_sigterm, SIGTERM, ldapd_sig_handler, NULL); |
223 |
|
16 |
signal_set(&ev_sigchld, SIGCHLD, ldapd_sigchld_handler, NULL); |
224 |
|
16 |
signal_set(&ev_sighup, SIGHUP, ldapd_sig_handler, NULL); |
225 |
|
16 |
signal_add(&ev_sigint, NULL); |
226 |
|
16 |
signal_add(&ev_sigterm, NULL); |
227 |
|
16 |
signal_add(&ev_sigchld, NULL); |
228 |
|
16 |
signal_add(&ev_sighup, NULL); |
229 |
|
16 |
signal(SIGPIPE, SIG_IGN); |
230 |
|
|
|
231 |
✗✓ |
16 |
if ((iev_ldape = calloc(1, sizeof(struct imsgev))) == NULL) |
232 |
|
|
fatal("calloc"); |
233 |
|
16 |
imsgev_init(iev_ldape, pipe_parent2ldap[0], NULL, ldapd_imsgev, |
234 |
|
|
ldapd_needfd); |
235 |
|
|
|
236 |
✗✓ |
32 |
if (pledge("stdio rpath wpath cpath getpw sendfd proc exec flock rpath cpath wpath", |
237 |
|
16 |
NULL) == -1) |
238 |
|
|
err(1, "pledge"); |
239 |
|
|
|
240 |
|
16 |
event_dispatch(); |
241 |
|
|
|
242 |
|
16 |
ldapd_cleanup(csockpath); |
243 |
|
16 |
log_debug("ldapd: exiting"); |
244 |
|
|
|
245 |
|
16 |
return 0; |
246 |
|
16 |
} |
247 |
|
|
|
248 |
|
|
static void |
249 |
|
|
ldapd_cleanup(char * csockpath) |
250 |
|
|
{ |
251 |
|
|
struct listener *l; |
252 |
|
|
struct sockaddr_un *sun = NULL; |
253 |
|
|
|
254 |
|
|
/* Remove control socket. */ |
255 |
|
32 |
(void)unlink(csockpath); |
256 |
|
|
|
257 |
|
|
/* Remove unix listening sockets. */ |
258 |
✓✓ |
256 |
TAILQ_FOREACH(l, &conf->listeners, entry) { |
259 |
✓✓ |
112 |
if (l->ss.ss_family == AF_UNIX) { |
260 |
|
16 |
sun = (struct sockaddr_un *)&l->ss; |
261 |
|
16 |
log_info("ldapd: removing unix socket %s", sun->sun_path); |
262 |
|
16 |
(void)unlink(sun->sun_path); |
263 |
|
16 |
} |
264 |
|
|
} |
265 |
|
16 |
} |
266 |
|
|
|
267 |
|
|
static void |
268 |
|
|
ldapd_imsgev(struct imsgev *iev, int code, struct imsg *imsg) |
269 |
|
|
{ |
270 |
|
|
switch (code) { |
271 |
|
|
case IMSGEV_IMSG: |
272 |
|
|
log_debug("%s: got imsg %d on fd %d", |
273 |
|
|
__func__, imsg->hdr.type, iev->ibuf.fd); |
274 |
|
|
switch (imsg->hdr.type) { |
275 |
|
|
case IMSG_LDAPD_AUTH: |
276 |
|
|
ldapd_auth_request(iev, imsg); |
277 |
|
|
break; |
278 |
|
|
case IMSG_CTL_LOG_VERBOSE: |
279 |
|
|
ldapd_log_verbose(imsg); |
280 |
|
|
break; |
281 |
|
|
case IMSG_LDAPD_OPEN: |
282 |
|
|
ldapd_open_request(iev, imsg); |
283 |
|
|
break; |
284 |
|
|
default: |
285 |
|
|
log_debug("%s: unexpected imsg %d", |
286 |
|
|
__func__, imsg->hdr.type); |
287 |
|
|
break; |
288 |
|
|
} |
289 |
|
|
break; |
290 |
|
|
case IMSGEV_EREAD: |
291 |
|
|
case IMSGEV_EWRITE: |
292 |
|
|
case IMSGEV_EIMSG: |
293 |
|
|
fatal("imsgev read/write error"); |
294 |
|
|
break; |
295 |
|
|
case IMSGEV_DONE: |
296 |
|
|
event_loopexit(NULL); |
297 |
|
|
break; |
298 |
|
|
} |
299 |
|
|
} |
300 |
|
|
|
301 |
|
|
static void |
302 |
|
|
ldapd_needfd(struct imsgev *iev) |
303 |
|
|
{ |
304 |
|
|
fatal("should never need an fd for parent messages"); |
305 |
|
|
} |
306 |
|
|
|
307 |
|
|
static int |
308 |
|
|
ldapd_auth_classful(char *name, char *password) |
309 |
|
|
{ |
310 |
|
|
login_cap_t *lc = NULL; |
311 |
|
|
char *class = NULL, *style = NULL; |
312 |
|
|
auth_session_t *as; |
313 |
|
|
|
314 |
|
|
if ((class = strchr(name, '#')) == NULL) { |
315 |
|
|
log_debug("regular auth"); |
316 |
|
|
return auth_userokay(name, NULL, "auth-ldap", password); |
317 |
|
|
} |
318 |
|
|
*class++ = '\0'; |
319 |
|
|
|
320 |
|
|
if ((lc = login_getclass(class)) == NULL) { |
321 |
|
|
log_debug("login_getclass(%s) for [%s] failed", class, name); |
322 |
|
|
return 0; |
323 |
|
|
} |
324 |
|
|
if ((style = login_getstyle(lc, style, "auth-ldap")) == NULL) { |
325 |
|
|
log_debug("login_getstyle() for [%s] failed", name); |
326 |
|
|
login_close(lc); |
327 |
|
|
return 0; |
328 |
|
|
} |
329 |
|
|
if (password) { |
330 |
|
|
if ((as = auth_open()) == NULL) { |
331 |
|
|
login_close(lc); |
332 |
|
|
return 0; |
333 |
|
|
} |
334 |
|
|
auth_setitem(as, AUTHV_SERVICE, "response"); |
335 |
|
|
auth_setdata(as, "", 1); |
336 |
|
|
auth_setdata(as, password, strlen(password) + 1); |
337 |
|
|
explicit_bzero(password, strlen(password)); |
338 |
|
|
} else |
339 |
|
|
as = NULL; |
340 |
|
|
|
341 |
|
|
as = auth_verify(as, style, name, lc->lc_class, (char *)NULL); |
342 |
|
|
login_close(lc); |
343 |
|
|
return (as != NULL ? auth_close(as) : 0); |
344 |
|
|
} |
345 |
|
|
|
346 |
|
|
static void |
347 |
|
|
ldapd_auth_request(struct imsgev *iev, struct imsg *imsg) |
348 |
|
|
{ |
349 |
|
|
struct auth_req *areq = imsg->data; |
350 |
|
|
struct auth_res ares; |
351 |
|
|
|
352 |
|
|
if (imsg->hdr.len != sizeof(*areq) + IMSG_HEADER_SIZE) |
353 |
|
|
fatal("invalid size of auth request"); |
354 |
|
|
|
355 |
|
|
/* make sure name and password are null-terminated */ |
356 |
|
|
areq->name[sizeof(areq->name) - 1] = '\0'; |
357 |
|
|
areq->password[sizeof(areq->password) - 1] = '\0'; |
358 |
|
|
|
359 |
|
|
log_debug("authenticating [%s]", areq->name); |
360 |
|
|
ares.ok = ldapd_auth_classful(areq->name, areq->password); |
361 |
|
|
ares.fd = areq->fd; |
362 |
|
|
ares.msgid = areq->msgid; |
363 |
|
|
memset(areq, 0, sizeof(*areq)); |
364 |
|
|
imsgev_compose(iev, IMSG_LDAPD_AUTH_RESULT, 0, 0, -1, &ares, |
365 |
|
|
sizeof(ares)); |
366 |
|
|
} |
367 |
|
|
|
368 |
|
|
static void |
369 |
|
|
ldapd_log_verbose(struct imsg *imsg) |
370 |
|
|
{ |
371 |
|
|
int verbose; |
372 |
|
|
|
373 |
|
|
if (imsg->hdr.len != sizeof(verbose) + IMSG_HEADER_SIZE) |
374 |
|
|
fatal("invalid size of log verbose request"); |
375 |
|
|
|
376 |
|
|
bcopy(imsg->data, &verbose, sizeof(verbose)); |
377 |
|
|
log_verbose(verbose); |
378 |
|
|
} |
379 |
|
|
|
380 |
|
|
static void |
381 |
|
|
ldapd_open_request(struct imsgev *iev, struct imsg *imsg) |
382 |
|
|
{ |
383 |
|
|
struct open_req *oreq = imsg->data; |
384 |
|
|
int oflags, fd; |
385 |
|
|
|
386 |
|
|
if (imsg->hdr.len != sizeof(*oreq) + IMSG_HEADER_SIZE) |
387 |
|
|
fatal("invalid size of open request"); |
388 |
|
|
|
389 |
|
|
/* make sure path is null-terminated */ |
390 |
|
|
oreq->path[PATH_MAX] = '\0'; |
391 |
|
|
|
392 |
|
|
if (strncmp(oreq->path, datadir, strlen(datadir)) != 0) { |
393 |
|
|
log_warnx("refusing to open file %s", oreq->path); |
394 |
|
|
fatal("ldape sent invalid open request"); |
395 |
|
|
} |
396 |
|
|
|
397 |
|
|
if (oreq->rdonly) |
398 |
|
|
oflags = O_RDONLY; |
399 |
|
|
else |
400 |
|
|
oflags = O_RDWR | O_CREAT | O_APPEND; |
401 |
|
|
|
402 |
|
|
log_debug("opening [%s]", oreq->path); |
403 |
|
|
fd = open(oreq->path, oflags | O_NOFOLLOW, 0600); |
404 |
|
|
if (fd == -1) |
405 |
|
|
log_warn("%s", oreq->path); |
406 |
|
|
|
407 |
|
|
imsgev_compose(iev, IMSG_LDAPD_OPEN_RESULT, 0, 0, fd, oreq, |
408 |
|
|
sizeof(*oreq)); |
409 |
|
|
} |
410 |
|
|
|
411 |
|
|
static pid_t |
412 |
|
|
start_child(enum ldapd_process p, char *argv0, int fd, int debug, |
413 |
|
|
int verbose, char *csockpath, char *conffile) |
414 |
|
|
{ |
415 |
|
32 |
char *argv[9]; |
416 |
|
|
int argc = 0; |
417 |
|
|
pid_t pid; |
418 |
|
|
|
419 |
✗✓✗ |
16 |
switch (pid = fork()) { |
420 |
|
|
case -1: |
421 |
|
|
fatal("cannot fork"); |
422 |
|
|
case 0: |
423 |
|
|
break; |
424 |
|
|
default: |
425 |
|
16 |
close(fd); |
426 |
|
16 |
return (pid); |
427 |
|
|
} |
428 |
|
|
|
429 |
|
|
if (dup2(fd, PROC_PARENT_SOCK_FILENO) == -1) |
430 |
|
|
fatal("cannot setup imsg fd"); |
431 |
|
|
|
432 |
|
|
argv[argc++] = argv0; |
433 |
|
|
switch (p) { |
434 |
|
|
case PROC_MAIN_AUTH: |
435 |
|
|
fatalx("Can not start main process"); |
436 |
|
|
case PROC_LDAP_SERVER: |
437 |
|
|
argv[argc++] = "-E"; |
438 |
|
|
break; |
439 |
|
|
} |
440 |
|
|
if (debug) |
441 |
|
|
argv[argc++] = "-d"; |
442 |
|
|
if (verbose) |
443 |
|
|
argv[argc++] = "-v"; |
444 |
|
|
if (csockpath) { |
445 |
|
|
argv[argc++] = "-s"; |
446 |
|
|
argv[argc++] = csockpath; |
447 |
|
|
} |
448 |
|
|
if (conffile) { |
449 |
|
|
argv[argc++] = "-f"; |
450 |
|
|
argv[argc++] = conffile; |
451 |
|
|
} |
452 |
|
|
|
453 |
|
|
argv[argc++] = NULL; |
454 |
|
|
|
455 |
|
|
execvp(argv0, argv); |
456 |
|
|
fatal("execvp"); |
457 |
|
16 |
} |