1 /* $OpenBSD: ypldap.c,v 1.31 2024/11/21 13:38:15 claudio Exp $ */
2
3 /*
4 * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <sys/types.h>
20 #include <sys/queue.h>
21 #include <sys/socket.h>
22 #include <sys/signal.h>
23 #include <sys/tree.h>
24 #include <sys/wait.h>
25
26 #include <netinet/in.h>
27 #include <arpa/inet.h>
28
29 #include <err.h>
30 #include <errno.h>
31 #include <event.h>
32 #include <unistd.h>
33 #include <pwd.h>
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <string.h>
37 #include <limits.h>
38
39 #include "ypldap.h"
40 #include "log.h"
41
42 __dead void usage(void);
43 int check_child(pid_t, const char *);
44 void main_sig_handler(int, short, void *);
45 void main_shutdown(void);
46 void main_dispatch_client(int, short, void *);
47 void main_configure_client(struct env *);
48 void main_init_timer(int, short, void *);
49 void main_start_update(struct env *);
50 void main_trash_update(struct env *);
51 void main_end_update(struct env *);
52 int main_create_user_groups(struct env *);
53 void purge_config(struct env *);
54
55 int pipe_main2client[2];
56
57 pid_t client_pid = 0;
58 char *conffile = YPLDAP_CONF_FILE;
59 int opts = 0;
60
61 enum privsep_procid ypldap_process;
62
63 void
usage(void)64 usage(void)
65 {
66 extern const char *__progname;
67
68 fprintf(stderr, "usage: %s [-dnv] [-D macro=value] [-f file]\n",
69 __progname);
70 exit(1);
71 }
72
73 int
check_child(pid_t pid,const char * pname)74 check_child(pid_t pid, const char *pname)
75 {
76 int status;
77
78 if (waitpid(pid, &status, WNOHANG) > 0) {
79 if (WIFEXITED(status)) {
80 log_warnx("check_child: lost child %s exited", pname);
81 return (1);
82 }
83 if (WIFSIGNALED(status)) {
84 log_warnx("check_child: lost child %s terminated; "
85 "signal %d", pname, WTERMSIG(status));
86 return (1);
87 }
88 }
89 return (0);
90 }
91
92 /* ARGUSED */
93 void
main_sig_handler(int sig,short event,void * p)94 main_sig_handler(int sig, short event, void *p)
95 {
96 int die = 0;
97
98 switch (sig) {
99 case SIGTERM:
100 case SIGINT:
101 die = 1;
102 /* FALLTHROUGH */
103 case SIGCHLD:
104 if (check_child(client_pid, "ldap client")) {
105 client_pid = 0;
106 die = 1;
107 }
108 if (die)
109 main_shutdown();
110 break;
111 case SIGHUP:
112 /* reconfigure */
113 break;
114 default:
115 fatalx("unexpected signal");
116 }
117 }
118
119 void
main_shutdown(void)120 main_shutdown(void)
121 {
122 _exit(0);
123 }
124
125 void
main_start_update(struct env * env)126 main_start_update(struct env *env)
127 {
128 env->update_trashed = 0;
129
130 log_debug("starting directory update");
131 env->sc_user_line_len = 0;
132 env->sc_group_line_len = 0;
133 if ((env->sc_user_names_t = calloc(1,
134 sizeof(*env->sc_user_names_t))) == NULL ||
135 (env->sc_group_names_t = calloc(1,
136 sizeof(*env->sc_group_names_t))) == NULL)
137 fatal(NULL);
138 RB_INIT(env->sc_user_names_t);
139 RB_INIT(env->sc_group_names_t);
140 }
141
142 /*
143 * XXX: Currently this function should only be called when updating is
144 * finished. A notification should be send to ldapclient that it should stop
145 * sending new pwd/grp entries before it can be called from different places.
146 */
147 void
main_trash_update(struct env * env)148 main_trash_update(struct env *env)
149 {
150 struct userent *ue;
151 struct groupent *ge;
152
153 env->update_trashed = 1;
154
155 while ((ue = RB_ROOT(env->sc_user_names_t)) != NULL) {
156 RB_REMOVE(user_name_tree,
157 env->sc_user_names_t, ue);
158 free(ue->ue_line);
159 free(ue->ue_netid_line);
160 free(ue);
161 }
162 free(env->sc_user_names_t);
163 env->sc_user_names_t = NULL;
164 while ((ge = RB_ROOT(env->sc_group_names_t))
165 != NULL) {
166 RB_REMOVE(group_name_tree,
167 env->sc_group_names_t, ge);
168 free(ge->ge_line);
169 free(ge);
170 }
171 free(env->sc_group_names_t);
172 env->sc_group_names_t = NULL;
173 }
174
175 int
main_create_user_groups(struct env * env)176 main_create_user_groups(struct env *env)
177 {
178 struct userent *ue;
179 struct userent ukey;
180 struct groupent *ge;
181 gid_t pw_gid;
182 char *bp, *cp;
183 char *p;
184 const char *errstr = NULL;
185 size_t len;
186
187 RB_FOREACH(ue, user_name_tree, env->sc_user_names_t) {
188 bp = cp = ue->ue_line;
189
190 /* name */
191 bp += strlen(bp) + 1;
192
193 /* password */
194 bp += strcspn(bp, ":") + 1;
195
196 /* uid */
197 bp += strcspn(bp, ":") + 1;
198
199 /* gid */
200 bp[strcspn(bp, ":")] = '\0';
201
202 pw_gid = (gid_t)strtonum(bp, 0, GID_MAX, &errstr);
203 if (errstr) {
204 log_warnx("main: failed to parse gid for uid: %d",
205 ue->ue_uid);
206 return (-1);
207 }
208
209 /* bring gid column back to its proper state */
210 bp[strlen(bp)] = ':';
211
212 if ((ue->ue_netid_line = calloc(1, LINE_WIDTH)) == NULL) {
213 return (-1);
214 }
215
216 if (snprintf(ue->ue_netid_line, LINE_WIDTH-1, "%d:%d", ue->ue_uid, pw_gid) >= LINE_WIDTH) {
217
218 return (-1);
219 }
220
221 ue->ue_gid = pw_gid;
222 }
223
224 RB_FOREACH(ge, group_name_tree, env->sc_group_names_t) {
225 bp = cp = ge->ge_line;
226
227 /* name */
228 bp += strlen(bp) + 1;
229
230 /* password */
231 bp += strcspn(bp, ":") + 1;
232
233 /* gid */
234 bp += strcspn(bp, ":") + 1;
235
236 cp = bp;
237 if (*bp == '\0')
238 continue;
239 bp = cp;
240 for (;;) {
241 if (!(cp = strsep(&bp, ",")))
242 break;
243 ukey.ue_line = cp;
244 if ((ue = RB_FIND(user_name_tree, env->sc_user_names_t,
245 &ukey)) == NULL) {
246 /* User not found */
247 log_warnx("main: unknown user %s in group %s",
248 ukey.ue_line, ge->ge_line);
249 if (bp != NULL)
250 *(bp-1) = ',';
251 continue;
252 }
253 if (bp != NULL)
254 *(bp-1) = ',';
255
256 /* Make sure the new group doesn't equal to the main gid */
257 if (ge->ge_gid == ue->ue_gid)
258 continue;
259
260 len = strlen(ue->ue_netid_line);
261 p = ue->ue_netid_line + len;
262
263 if ((snprintf(p, LINE_WIDTH-len-1, ",%d",
264 ge->ge_gid)) >= (int)(LINE_WIDTH-len)) {
265 return (-1);
266 }
267 }
268 }
269
270 return (0);
271 }
272
273 void
main_end_update(struct env * env)274 main_end_update(struct env *env)
275 {
276 struct userent *ue;
277 struct groupent *ge;
278
279 if (env->update_trashed)
280 return;
281
282 log_debug("updates are over, cleaning up trees now");
283
284 if (main_create_user_groups(env) == -1) {
285 main_trash_update(env);
286 return;
287 }
288
289 if (env->sc_user_names == NULL) {
290 env->sc_user_names = env->sc_user_names_t;
291 env->sc_user_lines = NULL;
292 env->sc_user_names_t = NULL;
293
294 env->sc_group_names = env->sc_group_names_t;
295 env->sc_group_lines = NULL;
296 env->sc_group_names_t = NULL;
297
298 flatten_entries(env);
299 goto make_uids;
300 }
301
302 /*
303 * clean previous tree.
304 */
305 while ((ue = RB_ROOT(env->sc_user_names)) != NULL) {
306 RB_REMOVE(user_name_tree, env->sc_user_names,
307 ue);
308 free(ue->ue_netid_line);
309 free(ue);
310 }
311 free(env->sc_user_names);
312 free(env->sc_user_lines);
313
314 env->sc_user_names = env->sc_user_names_t;
315 env->sc_user_lines = NULL;
316 env->sc_user_names_t = NULL;
317
318 while ((ge = RB_ROOT(env->sc_group_names)) != NULL) {
319 RB_REMOVE(group_name_tree,
320 env->sc_group_names, ge);
321 free(ge);
322 }
323 free(env->sc_group_names);
324 free(env->sc_group_lines);
325
326 env->sc_group_names = env->sc_group_names_t;
327 env->sc_group_lines = NULL;
328 env->sc_group_names_t = NULL;
329
330
331 flatten_entries(env);
332
333 /*
334 * trees are flat now. build up uid, gid and netid trees.
335 */
336
337 make_uids:
338 RB_INIT(&env->sc_user_uids);
339 RB_INIT(&env->sc_group_gids);
340 RB_FOREACH(ue, user_name_tree, env->sc_user_names)
341 RB_INSERT(user_uid_tree,
342 &env->sc_user_uids, ue);
343 RB_FOREACH(ge, group_name_tree, env->sc_group_names)
344 RB_INSERT(group_gid_tree,
345 &env->sc_group_gids, ge);
346
347 }
348
349 void
main_dispatch_client(int fd,short events,void * p)350 main_dispatch_client(int fd, short events, void *p)
351 {
352 int n;
353 int shut = 0;
354 struct env *env = p;
355 struct imsgev *iev = env->sc_iev;
356 struct imsgbuf *ibuf = &iev->ibuf;
357 struct idm_req ir;
358 struct imsg imsg;
359
360 if ((events & (EV_READ | EV_WRITE)) == 0)
361 fatalx("unknown event");
362
363 if (events & EV_READ) {
364 if ((n = imsgbuf_read(ibuf)) == -1)
365 fatal("imsgbuf_read error");
366 if (n == 0)
367 shut = 1;
368 }
369 if (events & EV_WRITE) {
370 if (imsgbuf_write(ibuf) == -1) {
371 if (errno == EPIPE) /* connection closed */
372 shut = 1;
373 else
374 fatal("imsgbuf_write");
375 }
376 }
377
378 for (;;) {
379 if ((n = imsg_get(ibuf, &imsg)) == -1)
380 fatal("main_dispatch_client: imsg_get error");
381 if (n == 0)
382 break;
383
384 switch (imsg.hdr.type) {
385 case IMSG_START_UPDATE:
386 main_start_update(env);
387 break;
388 case IMSG_PW_ENTRY: {
389 struct userent *ue;
390 size_t len;
391
392 if (env->update_trashed)
393 break;
394
395 (void)memcpy(&ir, imsg.data, n - IMSG_HEADER_SIZE);
396 if ((ue = calloc(1, sizeof(*ue))) == NULL ||
397 (ue->ue_line = strdup(ir.ir_line)) == NULL) {
398 /*
399 * should cancel tree update instead.
400 */
401 fatal("out of memory");
402 }
403 ue->ue_uid = ir.ir_key.ik_uid;
404 len = strlen(ue->ue_line) + 1;
405 ue->ue_line[strcspn(ue->ue_line, ":")] = '\0';
406 if (RB_INSERT(user_name_tree, env->sc_user_names_t,
407 ue) != NULL) { /* dup */
408 free(ue->ue_line);
409 free(ue);
410 } else
411 env->sc_user_line_len += len;
412 break;
413 }
414 case IMSG_GRP_ENTRY: {
415 struct groupent *ge;
416 size_t len;
417
418 if (env->update_trashed)
419 break;
420
421 (void)memcpy(&ir, imsg.data, n - IMSG_HEADER_SIZE);
422 if ((ge = calloc(1, sizeof(*ge))) == NULL ||
423 (ge->ge_line = strdup(ir.ir_line)) == NULL) {
424 /*
425 * should cancel tree update instead.
426 */
427 fatal("out of memory");
428 }
429 ge->ge_gid = ir.ir_key.ik_gid;
430 len = strlen(ge->ge_line) + 1;
431 ge->ge_line[strcspn(ge->ge_line, ":")] = '\0';
432 if (RB_INSERT(group_name_tree, env->sc_group_names_t,
433 ge) != NULL) { /* dup */
434 free(ge->ge_line);
435 free(ge);
436 } else
437 env->sc_group_line_len += len;
438 break;
439 }
440 case IMSG_TRASH_UPDATE:
441 main_trash_update(env);
442 break;
443 case IMSG_END_UPDATE: {
444 main_end_update(env);
445 break;
446 }
447 default:
448 log_debug("main_dispatch_client: unexpected imsg %d",
449 imsg.hdr.type);
450 break;
451 }
452 imsg_free(&imsg);
453 }
454
455 if (!shut)
456 imsg_event_add(iev);
457 else {
458 log_debug("king bula sez: ran into dead pipe");
459 event_del(&iev->ev);
460 event_loopexit(NULL);
461 }
462 }
463
464 void
main_configure_client(struct env * env)465 main_configure_client(struct env *env)
466 {
467 struct idm *idm;
468 struct imsgev *iev = env->sc_iev;
469
470 imsg_compose_event(iev, IMSG_CONF_START, 0, 0, -1, env, sizeof(*env));
471 TAILQ_FOREACH(idm, &env->sc_idms, idm_entry) {
472 imsg_compose_event(iev, IMSG_CONF_IDM, 0, 0, -1,
473 idm, sizeof(*idm));
474 }
475 imsg_compose_event(iev, IMSG_CONF_END, 0, 0, -1, NULL, 0);
476 }
477
478 void
main_init_timer(int fd,short event,void * p)479 main_init_timer(int fd, short event, void *p)
480 {
481 struct env *env = p;
482
483 main_configure_client(env);
484 }
485
486 void
purge_config(struct env * env)487 purge_config(struct env *env)
488 {
489 struct idm *idm;
490
491 while ((idm = TAILQ_FIRST(&env->sc_idms)) != NULL) {
492 TAILQ_REMOVE(&env->sc_idms, idm, idm_entry);
493 free(idm);
494 }
495 }
496
497 int
main(int argc,char * argv[])498 main(int argc, char *argv[])
499 {
500 int c;
501 int debug;
502 struct passwd *pw;
503 struct env env;
504 struct event ev_sigint;
505 struct event ev_sigterm;
506 struct event ev_sigchld;
507 struct event ev_sighup;
508 struct event ev_timer;
509 struct timeval tv;
510
511 debug = 0;
512 ypldap_process = PROC_MAIN;
513 log_procname = log_procnames[ypldap_process];
514
515 log_init(1);
516
517 while ((c = getopt(argc, argv, "dD:nf:v")) != -1) {
518 switch (c) {
519 case 'd':
520 debug = 2;
521 log_verbose(debug);
522 break;
523 case 'D':
524 if (cmdline_symset(optarg) < 0)
525 log_warnx("could not parse macro definition %s",
526 optarg);
527 break;
528 case 'n':
529 debug = 2;
530 opts |= YPLDAP_OPT_NOACTION;
531 break;
532 case 'f':
533 conffile = optarg;
534 break;
535 case 'v':
536 opts |= YPLDAP_OPT_VERBOSE;
537 break;
538 default:
539 usage();
540 }
541 }
542
543 argc -= optind;
544 argv += optind;
545
546 if (argc)
547 usage();
548
549 RB_INIT(&env.sc_user_uids);
550 RB_INIT(&env.sc_group_gids);
551
552 if (parse_config(&env, conffile, opts))
553 exit(1);
554 if (opts & YPLDAP_OPT_NOACTION) {
555 fprintf(stderr, "configuration OK\n");
556 exit(0);
557 }
558
559 if (geteuid())
560 errx(1, "need root privileges");
561
562 log_init(debug);
563
564 if (!debug) {
565 if (daemon(1, 0) == -1)
566 err(1, "failed to daemonize");
567 }
568
569 log_info("startup%s", (debug > 1)?" [debug mode]":"");
570
571 if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, PF_UNSPEC,
572 pipe_main2client) == -1)
573 fatal("socketpair");
574
575 client_pid = ldapclient(pipe_main2client);
576
577 setproctitle("parent");
578 event_init();
579
580 signal_set(&ev_sigint, SIGINT, main_sig_handler, &env);
581 signal_set(&ev_sigterm, SIGTERM, main_sig_handler, &env);
582 signal_set(&ev_sighup, SIGHUP, main_sig_handler, &env);
583 signal_set(&ev_sigchld, SIGCHLD, main_sig_handler, &env);
584 signal_add(&ev_sigint, NULL);
585 signal_add(&ev_sigterm, NULL);
586 signal_add(&ev_sighup, NULL);
587 signal_add(&ev_sigchld, NULL);
588
589 close(pipe_main2client[1]);
590 if ((env.sc_iev = calloc(1, sizeof(*env.sc_iev))) == NULL)
591 fatal(NULL);
592 if (imsgbuf_init(&env.sc_iev->ibuf, pipe_main2client[0]) == -1)
593 fatal(NULL);
594 env.sc_iev->handler = main_dispatch_client;
595
596 env.sc_iev->events = EV_READ;
597 env.sc_iev->data = &env;
598 event_set(&env.sc_iev->ev, env.sc_iev->ibuf.fd, env.sc_iev->events,
599 env.sc_iev->handler, &env);
600 event_add(&env.sc_iev->ev, NULL);
601
602 yp_init(&env);
603
604 if ((pw = getpwnam(YPLDAP_USER)) == NULL)
605 fatal("getpwnam");
606
607 #ifndef DEBUG
608 if (setgroups(1, &pw->pw_gid) ||
609 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
610 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
611 fatal("cannot drop privileges");
612 #else
613 #warning disabling privilege revocation in debug mode
614 #endif
615
616 if (pledge("stdio inet", NULL) == -1)
617 fatal("pledge");
618
619 memset(&tv, 0, sizeof(tv));
620 evtimer_set(&ev_timer, main_init_timer, &env);
621 evtimer_add(&ev_timer, &tv);
622
623 yp_enable_events();
624 event_dispatch();
625 main_shutdown();
626
627 return (0);
628 }
629
630 void
imsg_event_add(struct imsgev * iev)631 imsg_event_add(struct imsgev *iev)
632 {
633 if (iev->handler == NULL) {
634 imsgbuf_flush(&iev->ibuf);
635 return;
636 }
637
638 iev->events = EV_READ;
639 if (imsgbuf_queuelen(&iev->ibuf) > 0)
640 iev->events |= EV_WRITE;
641
642 event_del(&iev->ev);
643 event_set(&iev->ev, iev->ibuf.fd, iev->events, iev->handler, iev->data);
644 event_add(&iev->ev, NULL);
645 }
646
647 int
imsg_compose_event(struct imsgev * iev,u_int16_t type,u_int32_t peerid,pid_t pid,int fd,void * data,u_int16_t datalen)648 imsg_compose_event(struct imsgev *iev, u_int16_t type, u_int32_t peerid,
649 pid_t pid, int fd, void *data, u_int16_t datalen)
650 {
651 int ret;
652
653 if ((ret = imsg_compose(&iev->ibuf, type, peerid,
654 pid, fd, data, datalen)) != -1)
655 imsg_event_add(iev);
656 return (ret);
657 }
658