
Re: [Freeipa-devel] [PATCH] use fixed paths to sockets to make sure clients and server are (2nd try)



Simo Sorce schrieb:
> On Mon, 2009-03-09 at 10:26 -0400, Simo Sorce wrote:
>> On Mon, 2009-03-09 at 14:56 +0100, Sumit Bose wrote:
>>>
>>> Sumit Bose schrieb:
>>>> Hi,
>>>>
>>>> it makes little sense to have the responder socket names
>>> configurable
>>>> via confdb, because the pam and nss clients need to know them and
>>> will
>>>> not have access to confdb by design. This patch will move these
>>> paths
>>>> together with other protocol information to a common header file.
>>> accidentally I disabled pam in the default configuration. The new
>>> patch
>>> fixes this.
>> I think that the "/var/lib/sss" should be determined in config.h and
>> passed as an argument within make.
>> The default would probably be something like /usr/local/sss/lib
>>
>> I think we can ack this for now, because for all practical
>> uses /var/lib/sss is the right place for Fedora, but we should fix it
>> asap.
> 
> Looking at it more closely I think I am for a NACK.
> This is the SSS protocol, both the macro names and the place
> (under /server/responder) seem quite wrong.
> 
> If we need to move this stuff into a separate file at all, please do not
> change macros, and let's move it into /include/protocol.h
> 

Ok, find the new patch attached.

bye,
Sumit

>From b53c4420835b3e558b5060a170e86ad4b4970b1e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose redhat com>
Date: Mon, 9 Mar 2009 17:05:23 +0100
Subject: [PATCH] use fixed paths to sockets to make sure clients and server are
 using the same

---
 server/confdb/confdb.c                     |    4 +
 server/responder/common/responder_cmd.h    |    4 +-
 server/responder/common/responder_common.c |  118 +++++++++++++++-------------
 server/responder/common/responder_common.h |    1 +
 server/responder/nss/nsssrv.c              |    5 +
 server/responder/nss/nsssrv.h              |    2 +-
 server/responder/pam/pamsrv.c              |    5 +-
 7 files changed, 80 insertions(+), 59 deletions(-)

diff --git a/server/confdb/confdb.c b/server/confdb/confdb.c
index 462a0f2..e4b37e8 100644
--- a/server/confdb/confdb.c
+++ b/server/confdb/confdb.c
@@ -521,11 +521,13 @@ static int confdb_init_db(struct confdb_ctx *cdb)
     ret = confdb_add_param(cdb, false, "config/services/pam", "command", val);
     if (ret != EOK) goto done;
 
+#if 0 /* for future use */
     /* Set the sssd_pam socket path */
     val[0] = talloc_asprintf(tmp_ctx, "%s/pam", PIPE_PATH);
     CONFDB_ZERO_CHECK_OR_JUMP(val[0], ret, ENOMEM, done);
     ret = confdb_add_param(cdb, false, "config/services/pam", "unixSocket", val);
     if (ret != EOK) goto done;
+#endif /* for future use */
 
     /* Add PAM to the list of active services */
     val[0] = "pam";
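Review bot: The `#if 0 /* for future use */` guard keeps the `unixSocket` default as dead code instead of removing it; with the socket paths now fixed at compile time and the cover letter stating that clients cannot read confdb by design, the same pattern in the second hunk of this file and in `set_unix_socket` in responder_common.c and nsssrv.c would read better as plain deletions that git history already preserves. If the blocks are deliberately kept, a comment that says why they are off, e.g. `/* disabled: socket paths are fixed in sss_cli.h so clients and server agree */`, explains the guard better than "for future use". `confdb_init_db` continues outside this hunk.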
@@ -544,11 +546,13 @@ static int confdb_init_db(struct confdb_ctx *cdb)
     ret = confdb_add_param(cdb, false, "config/services/nss", "command", val);
     if (ret != EOK) goto done;
 
+#if 0 /* for future use */
     /* Set the sssd_nss socket path */
     val[0] = talloc_asprintf(tmp_ctx, "%s/sssd_nss", PIPE_PATH);
     CONFDB_ZERO_CHECK_OR_JUMP(val[0], ret, ENOMEM, done);
     ret = confdb_add_param(cdb, false, "config/services/nss", "unixSocket", val);
     if (ret != EOK) goto done;
+#endif /* for future use */
 
     /* Add NSS to the list of active services */
     val[0] = "nss";
diff --git a/server/responder/common/responder_cmd.h b/server/responder/common/responder_cmd.h
index e02d5f2..b70b297 100644
--- a/server/responder/common/responder_cmd.h
+++ b/server/responder/common/responder_cmd.h
@@ -48,8 +48,8 @@ struct nss_ctx {
     int priv_lfd;
     struct sysdb_ctx *sysdb;
     struct confdb_ctx *cdb;
-    char *sock_name;
-    char *priv_sock_name;
+    const char *sock_name;
+    const char *priv_sock_name;
     struct service_sbus_ctx *ss_ctx;
     struct service_sbus_ctx *dp_ctx;
     struct btreemap *domain_map;
diff --git a/server/responder/common/responder_common.c b/server/responder/common/responder_common.c
index 490f4e6..18d2f3d 100644
--- a/server/responder/common/responder_common.c
+++ b/server/responder/common/responder_common.c
@@ -329,6 +329,9 @@ static int sss_sbus_init(struct nss_ctx *nctx)
 static int set_unix_socket(struct nss_ctx *nctx)
 {
     struct sockaddr_un addr;
+
+/* for future use */
+#if 0
     char *default_pipe;
     int ret;
 
@@ -361,74 +364,79 @@ static int set_unix_socket(struct nss_ctx *nctx)
         return ret;
     }
     talloc_free(default_pipe);
+#endif
 
-    nctx->lfd = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (nctx->lfd == -1) {
-        return EIO;
-    }
+    if (nctx->sock_name != NULL ) {
+        nctx->lfd = socket(AF_UNIX, SOCK_STREAM, 0);
+        if (nctx->lfd == -1) {
+            return EIO;
+        }
 
-    nctx->priv_lfd = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (nctx->priv_lfd == -1) {
-        close(nctx->lfd);
-        return EIO;
-    }
+        /* Set the umask so that permissions are set right on the socket.
+         * It must be readable and writable by anybody on the system. */
+        umask(0111);
 
-    /* Set the umask so that permissions are set right on the socket.
-     * It must be readable and writable by anybody on the system. */
-    umask(0111);
+        set_nonblocking(nctx->lfd);
+        set_close_on_exec(nctx->lfd);
 
-    set_nonblocking(nctx->lfd);
-    set_close_on_exec(nctx->lfd);
+        memset(&addr, 0, sizeof(addr));
+        addr.sun_family = AF_UNIX;
+        strncpy(addr.sun_path, nctx->sock_name, sizeof(addr.sun_path));
 
-    memset(&addr, 0, sizeof(addr));
-    addr.sun_family = AF_UNIX;
-    strncpy(addr.sun_path, nctx->sock_name, sizeof(addr.sun_path));
+        /* make sure we have no old sockets around */
+        unlink(nctx->sock_name);
 
-    /* make sure we have no old sockets around */
-    unlink(nctx->sock_name);
+        if (bind(nctx->lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
+            DEBUG(0,("Unable to bind on socket '%s'\n", nctx->sock_name));
+            goto failed;
+        }
+        if (listen(nctx->lfd, 10) != 0) {
+            DEBUG(0,("Unable to listen on socket '%s'\n", nctx->sock_name));
+            goto failed;
+        }
 
-    if (bind(nctx->lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
-        DEBUG(0,("Unable to bind on socket '%s'\n", nctx->sock_name));
-        goto failed;
-    }
-    if (listen(nctx->lfd, 10) != 0) {
-        DEBUG(0,("Unable to listen on socket '%s'\n", nctx->sock_name));
-        goto failed;
+        nctx->lfde = tevent_add_fd(nctx->ev, nctx, nctx->lfd,
+                                   TEVENT_FD_READ, accept_fd_handler, nctx);
+        if (!nctx->lfde) {
+            DEBUG(0, ("Failed to queue handler on pipe\n"));
+            goto failed;
+        }
     }
 
-    /* create privileged pipe */
-    umask(0177);
+    if (nctx->priv_sock_name != NULL ) {
+        /* create privileged pipe */
+        nctx->priv_lfd = socket(AF_UNIX, SOCK_STREAM, 0);
+        if (nctx->priv_lfd == -1) {
+            close(nctx->lfd);
+            return EIO;
+        }
 
-    set_nonblocking(nctx->priv_lfd);
-    set_close_on_exec(nctx->priv_lfd);
+        umask(0177);
 
-    memset(&addr, 0, sizeof(addr));
-    addr.sun_family = AF_UNIX;
-    strncpy(addr.sun_path, nctx->priv_sock_name, sizeof(addr.sun_path));
+        set_nonblocking(nctx->priv_lfd);
+        set_close_on_exec(nctx->priv_lfd);
 
-    unlink(nctx->priv_sock_name);
+        memset(&addr, 0, sizeof(addr));
+        addr.sun_family = AF_UNIX;
+        strncpy(addr.sun_path, nctx->priv_sock_name, sizeof(addr.sun_path));
 
-    if (bind(nctx->priv_lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
-        DEBUG(0,("Unable to bind on socket '%s'\n", nctx->priv_sock_name));
-        goto failed;
-    }
-    if (listen(nctx->priv_lfd, 10) != 0) {
-        DEBUG(0,("Unable to listen on socket '%s'\n", nctx->priv_sock_name));
-        goto failed;
-    }
+        unlink(nctx->priv_sock_name);
 
-    nctx->lfde = tevent_add_fd(nctx->ev, nctx, nctx->lfd,
-                               TEVENT_FD_READ, accept_fd_handler, nctx);
-    if (!nctx->lfde) {
-        DEBUG(0, ("Failed to queue handler on pipe\n"));
-        goto failed;
-    }
+        if (bind(nctx->priv_lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
+            DEBUG(0,("Unable to bind on socket '%s'\n", nctx->priv_sock_name));
+            goto failed;
+        }
+        if (listen(nctx->priv_lfd, 10) != 0) {
+            DEBUG(0,("Unable to listen on socket '%s'\n", nctx->priv_sock_name));
+            goto failed;
+        }
 
-    nctx->priv_lfde = tevent_add_fd(nctx->ev, nctx, nctx->priv_lfd,
-                               TEVENT_FD_READ, accept_priv_fd_handler, nctx);
-    if (!nctx->priv_lfde) {
-        DEBUG(0, ("Failed to queue handler on privileged pipe\n"));
-        goto failed;
+        nctx->priv_lfde = tevent_add_fd(nctx->ev, nctx, nctx->priv_lfd,
+                                   TEVENT_FD_READ, accept_priv_fd_handler, nctx);
+        if (!nctx->priv_lfde) {
+            DEBUG(0, ("Failed to queue handler on privileged pipe\n"));
+            goto failed;
+        }
     }
 
     /* we want default permissions on created files to be very strict,
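Review bot: In the privileged-socket branch the error path `close(nctx->lfd);` after the failed `socket()` for `priv_lfd` runs even when `nctx->sock_name` was NULL and no public socket was created in this call, so it closes whatever value `lfd` happens to hold; guard it with `if (nctx->sock_name != NULL) close(nctx->lfd);`, or initialise `nctx->lfd = -1` before the first branch and close only when it is non-negative. The `strncpy(addr.sun_path, ..., sizeof(addr.sun_path))` copies in both branches leave `sun_path` unterminated when the name fills the buffer; a check such as `if (strlen(nctx->sock_name) >= sizeof(addr.sun_path)) return EINVAL;` before each copy makes a too-long fixed path fail loudly instead of binding a truncated one. When both names are NULL the function now creates nothing and falls through to the code after this hunk, which may be intended but deserves a comment. The `failed:` label and the tail of `set_unix_socket` are outside the hunk, so whether that path also closes an unopened `lfd` cannot be checked here.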
@@ -488,6 +496,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
                      struct sbus_method sss_sbus_methods[],
                      struct sss_cmd_table sss_cmds[],
                      const char *sss_pipe_name,
+                     const char *sss_priv_pipe_name,
                      const char *confdb_socket_path,
                      struct sbus_method dp_methods[])
 {
@@ -503,7 +512,8 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
     nctx->cdb = cdb;
     nctx->sss_sbus_methods = sss_sbus_methods;
     nctx->sss_cmds = sss_cmds;
-    nctx->sss_pipe_name = sss_pipe_name;
+    nctx->sock_name = sss_pipe_name;
+    nctx->priv_sock_name = sss_priv_pipe_name;
     nctx->confdb_socket_path = confdb_socket_path;
     nctx->dp_methods = dp_methods;
 
diff --git a/server/responder/common/responder_common.h b/server/responder/common/responder_common.h
index 3818070..0a5b627 100644
--- a/server/responder/common/responder_common.h
+++ b/server/responder/common/responder_common.h
@@ -15,6 +15,7 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
                      struct sbus_method sss_sbus_methods[],
                      struct sss_cmd_table sss_cmds[],
                      const char *sss_pipe_name,
+                     const char *sss_priv_pipe_name,
                      const char *confdb_socket_path,
                      struct sbus_method dp_methods[]);
 
diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c
index 248b8a1..a26f5ed 100644
--- a/server/responder/nss/nsssrv.c
+++ b/server/responder/nss/nsssrv.c
@@ -330,6 +330,9 @@ static int nss_sbus_init(struct nss_ctx *nctx)
 static int set_unix_socket(struct nss_ctx *nctx)
 {
     struct sockaddr_un addr;
+
+/* for future use */
+#if 0
     char *default_pipe;
     int ret;
 
@@ -346,6 +349,8 @@ static int set_unix_socket(struct nss_ctx *nctx)
         return ret;
     }
     talloc_free(default_pipe);
+#endif
+    nctx->sock_name = SSS_NSS_SOCKET_NAME;
 
     nctx->lfd = socket(AF_UNIX, SOCK_STREAM, 0);
     if (nctx->lfd == -1) {
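Review bot: `nctx->sock_name = SSS_NSS_SOCKET_NAME;` uses a macro that, judging by the pamsrv.c hunk, comes from `sss_client/sss_cli.h`, yet this file gets no new include in the patch; unless nsssrv.h already pulls that header in, the nss responder will not compile. The `int ret;` declaration is now inside the `#if 0` block opened in the previous hunk while the remainder of this `set_unix_socket` (outside the hunk) may still use `ret`; confirm the rest of the body builds without it. The function continues past the end of this hunk.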
diff --git a/server/responder/nss/nsssrv.h b/server/responder/nss/nsssrv.h
index b1f1ff7..949961a 100644
--- a/server/responder/nss/nsssrv.h
+++ b/server/responder/nss/nsssrv.h
@@ -57,7 +57,7 @@ struct nss_ctx {
     int lfd;
     struct sysdb_ctx *sysdb;
     struct confdb_ctx *cdb;
-    char *sock_name;
+    const char *sock_name;
     struct service_sbus_ctx *ss_ctx;
     struct service_sbus_ctx *dp_ctx;
     struct btreemap *domain_map;
diff --git a/server/responder/pam/pamsrv.c b/server/responder/pam/pamsrv.c
index b6593bc..de62e03 100644
--- a/server/responder/pam/pamsrv.c
+++ b/server/responder/pam/pamsrv.c
@@ -44,8 +44,8 @@
 #include "monitor/monitor_interfaces.h"
 #include "sbus/sbus_client.h"
 #include "responder/pam/pamsrv.h"
+#include "../sss_client/sss_cli.h"
 
-#define SSS_PAM_PIPE_NAME "pam"
 #define PAM_SBUS_SERVICE_VERSION 0x0001
 #define PAM_SBUS_SERVICE_NAME "pam"
 #define CONFDB_SOCKET_PATH "config/services/pam"
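Review bot: `#include "../sss_client/sss_cli.h"` uses a parent-relative path while the neighbouring includes (`monitor/...`, `sbus/...`, `responder/pam/pamsrv.h`) are resolved from the include root; presumably the same header is reachable as `#include "sss_client/sss_cli.h"` with the existing include flags, which keeps this file independent of where it sits in the tree. Removing the local `SSS_PAM_PIPE_NAME` in favour of `SSS_PAM_SOCKET_NAME`/`SSS_PAM_PRIV_SOCKET_NAME` from the shared header is the right direction, but any other file still referencing the old macro will fail to compile, which a tree-wide search should confirm before merging.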
@@ -158,7 +158,8 @@ int main(int argc, const char *argv[])
                            main_ctx->confdb_ctx,
                            sss_sbus_methods,
                            sss_cmds,
-                           SSS_PAM_PIPE_NAME,
+                           SSS_PAM_SOCKET_NAME,
+                           SSS_PAM_PRIV_SOCKET_NAME,
                            CONFDB_SOCKET_PATH,
                            pam_dp_methods);
     if (ret != EOK) return 3;
-- 
1.6.0.6

