/src/samba/source3/lib/idmap_cache.c
Line | Count | Source |
1 | | /* |
2 | | Unix SMB/CIFS implementation. |
3 | | ID Mapping Cache |
4 | | |
5 | | Copyright (C) Volker Lendecke 2008 |
6 | | |
7 | | This program is free software; you can redistribute it and/or modify |
8 | | it under the terms of the GNU General Public License as published by |
9 | | the Free Software Foundation; either version 3 of the License, or |
10 | | (at your option) any later version. |
11 | | |
12 | | This program is distributed in the hope that it will be useful, |
13 | | but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | GNU General Public License for more details. |
16 | | |
17 | | You should have received a copy of the GNU General Public License |
18 | | along with this program. If not, see <http://www.gnu.org/licenses/>.*/ |
19 | | |
20 | | #include "includes.h" |
21 | | #include "idmap_cache.h" |
22 | | #include "../libcli/security/security.h" |
23 | | #include "../librpc/gen_ndr/idmap.h" |
24 | | #include "lib/gencache.h" |
25 | | #include "lib/util/string_wrappers.h" |
26 | | |
27 | | /** |
28 | | * Find a sid2xid mapping |
29 | | * @param[in] sid the sid to map |
30 | | * @param[out] id where to put the result |
31 | | * @param[out] expired is the cache entry expired? |
32 | | * @retval Was anything in the cache at all? |
33 | | * |
34 | | * If id->id == -1 this was a negative mapping. |
35 | | */ |
36 | | |
37 | | bool idmap_cache_find_sid2unixid(const struct dom_sid *sid, struct unixid *id, |
38 | | bool *expired) |
39 | 0 | { |
40 | 0 | struct dom_sid_buf sidstr; |
41 | 0 | char *key; |
42 | 0 | char *value = NULL; |
43 | 0 | char *endptr; |
44 | 0 | time_t timeout; |
45 | 0 | bool ret; |
46 | 0 | struct unixid tmp_id; |
47 | |
|
48 | 0 | key = talloc_asprintf(talloc_tos(), "IDMAP/SID2XID/%s", |
49 | 0 | dom_sid_str_buf(sid, &sidstr)); |
50 | 0 | if (key == NULL) { |
51 | 0 | return false; |
52 | 0 | } |
53 | 0 | ret = gencache_get(key, talloc_tos(), &value, &timeout); |
54 | 0 | if (!ret) { |
55 | 0 | goto done; |
56 | 0 | } |
57 | | |
58 | 0 | DEBUG(10, ("Parsing value for key [%s]: value=[%s]\n", key, value)); |
59 | |
|
60 | 0 | if (value[0] == '\0') { |
61 | 0 | DEBUG(0, ("Failed to parse value for key [%s]: " |
62 | 0 | "value is empty\n", key)); |
63 | 0 | ret = false; |
64 | 0 | goto done; |
65 | 0 | } |
66 | | |
67 | 0 | tmp_id.id = strtol(value, &endptr, 10); |
68 | |
|
69 | 0 | if ((value == endptr) && (tmp_id.id == 0)) { |
70 | 0 | DEBUG(0, ("Failed to parse value for key [%s]: value[%s] does " |
71 | 0 | "not start with a number\n", key, value)); |
72 | 0 | ret = false; |
73 | 0 | goto done; |
74 | 0 | } |
75 | | |
76 | 0 | DEBUG(10, ("Parsing value for key [%s]: id=[%llu], endptr=[%s]\n", |
77 | 0 | key, (unsigned long long)tmp_id.id, endptr)); |
78 | |
|
79 | 0 | ret = (*endptr == ':'); |
80 | 0 | if (ret) { |
81 | 0 | switch (endptr[1]) { |
82 | 0 | case 'U': |
83 | 0 | tmp_id.type = ID_TYPE_UID; |
84 | 0 | break; |
85 | | |
86 | 0 | case 'G': |
87 | 0 | tmp_id.type = ID_TYPE_GID; |
88 | 0 | break; |
89 | | |
90 | 0 | case 'B': |
91 | 0 | tmp_id.type = ID_TYPE_BOTH; |
92 | 0 | break; |
93 | | |
94 | 0 | case 'N': |
95 | 0 | tmp_id.type = ID_TYPE_NOT_SPECIFIED; |
96 | 0 | break; |
97 | | |
98 | 0 | case '\0': |
99 | 0 | DEBUG(0, ("FAILED to parse value for key [%s] " |
100 | 0 | "(id=[%llu], endptr=[%s]): " |
101 | 0 | "no type character after colon\n", |
102 | 0 | key, (unsigned long long)tmp_id.id, endptr)); |
103 | 0 | ret = false; |
104 | 0 | goto done; |
105 | 0 | default: |
106 | 0 | DEBUG(0, ("FAILED to parse value for key [%s] " |
107 | 0 | "(id=[%llu], endptr=[%s]): " |
108 | 0 | "illegal type character '%c'\n", |
109 | 0 | key, (unsigned long long)tmp_id.id, endptr, |
110 | 0 | endptr[1])); |
111 | 0 | ret = false; |
112 | 0 | goto done; |
113 | 0 | } |
114 | 0 | if (endptr[2] != '\0') { |
115 | 0 | DEBUG(0, ("FAILED to parse value for key [%s] " |
116 | 0 | "(id=[%llu], endptr=[%s]): " |
117 | 0 | "more than 1 type character after colon\n", |
118 | 0 | key, (unsigned long long)tmp_id.id, endptr)); |
119 | 0 | ret = false; |
120 | 0 | goto done; |
121 | 0 | } |
122 | | |
123 | 0 | *id = tmp_id; |
124 | 0 | *expired = (timeout <= time(NULL)); |
125 | 0 | } else { |
126 | 0 | DEBUG(0, ("FAILED to parse value for key [%s] (value=[%s]): " |
127 | 0 | "colon missing after id=[%llu]\n", |
128 | 0 | key, value, (unsigned long long)tmp_id.id)); |
129 | 0 | } |
130 | | |
131 | 0 | done: |
132 | 0 | TALLOC_FREE(key); |
133 | 0 | TALLOC_FREE(value); |
134 | 0 | return ret; |
135 | 0 | } |
136 | | |
137 | | /** |
138 | | * Find a sid2uid mapping |
139 | | * @param[in] sid the sid to map |
140 | | * @param[out] puid where to put the result |
141 | | * @param[out] expired is the cache entry expired? |
142 | | * @retval Was anything in the cache at all? |
143 | | * |
144 | | * If *puid == -1 this was a negative mapping. |
145 | | */ |
146 | | |
147 | | bool idmap_cache_find_sid2uid(const struct dom_sid *sid, uid_t *puid, |
148 | | bool *expired) |
149 | 0 | { |
150 | 0 | bool ret; |
151 | 0 | struct unixid id; |
152 | 0 | ret = idmap_cache_find_sid2unixid(sid, &id, expired); |
153 | 0 | if (!ret) { |
154 | 0 | return false; |
155 | 0 | } |
156 | | |
157 | 0 | if (id.type == ID_TYPE_BOTH || id.type == ID_TYPE_UID) { |
158 | 0 | *puid = id.id; |
159 | 0 | } else { |
160 | 0 | *puid = -1; |
161 | 0 | } |
162 | 0 | return true; |
163 | 0 | } |
164 | | |
165 | | /** |
166 | | * Find a sid2gid mapping |
167 | | * @param[in] sid the sid to map |
168 | | * @param[out] pgid where to put the result |
169 | | * @param[out] expired is the cache entry expired? |
170 | | * @retval Was anything in the cache at all? |
171 | | * |
172 | | * If *pgid == -1 this was a negative mapping. |
173 | | */ |
174 | | |
175 | | bool idmap_cache_find_sid2gid(const struct dom_sid *sid, gid_t *pgid, |
176 | | bool *expired) |
177 | 0 | { |
178 | 0 | bool ret; |
179 | 0 | struct unixid id; |
180 | 0 | ret = idmap_cache_find_sid2unixid(sid, &id, expired); |
181 | 0 | if (!ret) { |
182 | 0 | return false; |
183 | 0 | } |
184 | | |
185 | 0 | if (id.type == ID_TYPE_BOTH || id.type == ID_TYPE_GID) { |
186 | 0 | *pgid = id.id; |
187 | 0 | } else { |
188 | 0 | *pgid = -1; |
189 | 0 | } |
190 | 0 | return true; |
191 | 0 | } |
192 | | |
193 | | struct idmap_cache_xid2sid_state { |
194 | | struct dom_sid *sid; |
195 | | bool *expired; |
196 | | bool ret; |
197 | | }; |
198 | | |
199 | | static void idmap_cache_xid2sid_parser(const struct gencache_timeout *timeout, |
200 | | DATA_BLOB blob, |
201 | | void *private_data) |
202 | 0 | { |
203 | 0 | struct idmap_cache_xid2sid_state *state = |
204 | 0 | (struct idmap_cache_xid2sid_state *)private_data; |
205 | 0 | char *value; |
206 | |
|
207 | 0 | if ((blob.length == 0) || (blob.data[blob.length-1] != 0)) { |
208 | | /* |
209 | | * Not a string, can't be a valid mapping |
210 | | */ |
211 | 0 | state->ret = false; |
212 | 0 | return; |
213 | 0 | } |
214 | | |
215 | 0 | value = (char *)blob.data; |
216 | |
|
217 | 0 | if ((value[0] == '-') && (value[1] == '\0')) { |
218 | | /* |
219 | | * Return NULL SID, see comment to uid2sid |
220 | | */ |
221 | 0 | *state->sid = (struct dom_sid) {0}; |
222 | 0 | state->ret = true; |
223 | 0 | } else { |
224 | 0 | state->ret = string_to_sid(state->sid, value); |
225 | 0 | } |
226 | 0 | if (state->ret) { |
227 | 0 | *state->expired = gencache_timeout_expired(timeout); |
228 | 0 | } |
229 | 0 | } |
230 | | |
231 | | /** |
232 | | * Find a xid2sid mapping |
233 | | * @param[in] id the unix id to map |
234 | | * @param[out] sid where to put the result |
235 | | * @param[out] expired is the cache entry expired? |
236 | | * @retval Was anything in the cache at all? |
237 | | * |
238 | | * If "is_null_sid(sid)", this was a negative mapping. |
239 | | */ |
240 | | bool idmap_cache_find_xid2sid( |
241 | | const struct unixid *id, struct dom_sid *sid, bool *expired) |
242 | 0 | { |
243 | 0 | struct idmap_cache_xid2sid_state state = { |
244 | 0 | .sid = sid, .expired = expired |
245 | 0 | }; |
246 | 0 | fstring key; |
247 | 0 | char c; |
248 | |
|
249 | 0 | switch (id->type) { |
250 | 0 | case ID_TYPE_UID: |
251 | 0 | c = 'U'; |
252 | 0 | break; |
253 | 0 | case ID_TYPE_GID: |
254 | 0 | c = 'G'; |
255 | 0 | break; |
256 | 0 | default: |
257 | 0 | return false; |
258 | 0 | } |
259 | | |
260 | 0 | fstr_sprintf(key, "IDMAP/%cID2SID/%d", c, (int)id->id); |
261 | |
|
262 | 0 | gencache_parse(key, idmap_cache_xid2sid_parser, &state); |
263 | 0 | return state.ret; |
264 | 0 | } |
265 | | |
266 | | |
267 | | /** |
268 | | * Store a mapping in the idmap cache |
269 | | * @param[in] sid the sid to map |
270 | | * @param[in] unix_id the unix_id to map |
271 | | * |
272 | | * If both parameters are valid values, then a positive mapping in both |
273 | | * directions is stored. If "is_null_sid(sid)" is true, then this will be a |
274 | | * negative mapping of xid, we want to cache that for this xid we could not |
275 | | * find anything. Likewise if "xid==-1", then we want to cache that we did not |
276 | | * find a mapping for the sid passed here. |
277 | | */ |
278 | | |
279 | | void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id) |
280 | 0 | { |
281 | 0 | time_t now = time(NULL); |
282 | 0 | time_t timeout; |
283 | 0 | fstring key, value; |
284 | |
|
285 | 0 | if (!is_null_sid(sid)) { |
286 | 0 | struct dom_sid_buf sidstr; |
287 | 0 | fstr_sprintf(key, "IDMAP/SID2XID/%s", |
288 | 0 | dom_sid_str_buf(sid, &sidstr)); |
289 | 0 | switch (unix_id->type) { |
290 | 0 | case ID_TYPE_UID: |
291 | 0 | fstr_sprintf(value, "%d:U", (int)unix_id->id); |
292 | 0 | break; |
293 | 0 | case ID_TYPE_GID: |
294 | 0 | fstr_sprintf(value, "%d:G", (int)unix_id->id); |
295 | 0 | break; |
296 | 0 | case ID_TYPE_BOTH: |
297 | 0 | fstr_sprintf(value, "%d:B", (int)unix_id->id); |
298 | 0 | break; |
299 | 0 | case ID_TYPE_NOT_SPECIFIED: |
300 | 0 | fstr_sprintf(value, "%d:N", (int)unix_id->id); |
301 | 0 | break; |
302 | 0 | default: |
303 | 0 | return; |
304 | 0 | } |
305 | 0 | timeout = (unix_id->id == -1) |
306 | 0 | ? lp_idmap_negative_cache_time() |
307 | 0 | : lp_idmap_cache_time(); |
308 | 0 | gencache_set(key, value, now + timeout); |
309 | 0 | } |
310 | 0 | if (unix_id->id != -1) { |
311 | 0 | if (is_null_sid(sid)) { |
312 | | /* negative xid mapping */ |
313 | 0 | fstrcpy(value, "-"); |
314 | 0 | timeout = lp_idmap_negative_cache_time(); |
315 | 0 | } |
316 | 0 | else { |
317 | 0 | sid_to_fstring(value, sid); |
318 | 0 | timeout = lp_idmap_cache_time(); |
319 | 0 | } |
320 | 0 | switch (unix_id->type) { |
321 | 0 | case ID_TYPE_BOTH: |
322 | 0 | fstr_sprintf(key, "IDMAP/UID2SID/%d", (int)unix_id->id); |
323 | 0 | gencache_set(key, value, now + timeout); |
324 | 0 | fstr_sprintf(key, "IDMAP/GID2SID/%d", (int)unix_id->id); |
325 | 0 | gencache_set(key, value, now + timeout); |
326 | 0 | return; |
327 | | |
328 | 0 | case ID_TYPE_UID: |
329 | 0 | fstr_sprintf(key, "IDMAP/UID2SID/%d", (int)unix_id->id); |
330 | 0 | break; |
331 | | |
332 | 0 | case ID_TYPE_GID: |
333 | 0 | fstr_sprintf(key, "IDMAP/GID2SID/%d", (int)unix_id->id); |
334 | 0 | break; |
335 | | |
336 | 0 | default: |
337 | 0 | return; |
338 | 0 | } |
339 | 0 | gencache_set(key, value, now + timeout); |
340 | 0 | } |
341 | 0 | } |
342 | | |
343 | 0 | static char* key_xid2sid_str(TALLOC_CTX* mem_ctx, char t, const char* id) { |
344 | 0 | return talloc_asprintf(mem_ctx, "IDMAP/%cID2SID/%s", t, id); |
345 | 0 | } |
346 | | |
347 | 0 | static char* key_xid2sid(TALLOC_CTX* mem_ctx, char t, int id) { |
348 | 0 | char str[32]; |
349 | 0 | snprintf(str, sizeof(str), "%d", id); |
350 | 0 | return key_xid2sid_str(mem_ctx, t, str); |
351 | 0 | } |
352 | | |
353 | 0 | static char* key_sid2xid_str(TALLOC_CTX* mem_ctx, const char* id) { |
354 | 0 | return talloc_asprintf(mem_ctx, "IDMAP/SID2XID/%s", id); |
355 | 0 | } |
356 | | |
357 | | static bool idmap_cache_del_xid(char t, int xid) |
358 | 0 | { |
359 | 0 | TALLOC_CTX* mem_ctx = talloc_stackframe(); |
360 | 0 | const char* key = key_xid2sid(mem_ctx, t, xid); |
361 | 0 | char* sid_str = NULL; |
362 | 0 | time_t timeout; |
363 | 0 | bool ret = true; |
364 | |
|
365 | 0 | if (!gencache_get(key, mem_ctx, &sid_str, &timeout)) { |
366 | 0 | DEBUG(3, ("no entry: %s\n", key)); |
367 | 0 | ret = false; |
368 | 0 | goto done; |
369 | 0 | } |
370 | | |
371 | 0 | if (sid_str[0] != '-') { |
372 | 0 | const char* sid_key = key_sid2xid_str(mem_ctx, sid_str); |
373 | 0 | if (!gencache_del(sid_key)) { |
374 | 0 | DEBUG(2, ("failed to delete: %s\n", sid_key)); |
375 | 0 | ret = false; |
376 | 0 | } else { |
377 | 0 | DEBUG(5, ("delete: %s\n", sid_key)); |
378 | 0 | } |
379 | |
|
380 | 0 | } |
381 | |
|
382 | 0 | if (!gencache_del(key)) { |
383 | 0 | DEBUG(1, ("failed to delete: %s\n", key)); |
384 | 0 | ret = false; |
385 | 0 | } else { |
386 | 0 | DEBUG(5, ("delete: %s\n", key)); |
387 | 0 | } |
388 | |
|
389 | 0 | done: |
390 | 0 | talloc_free(mem_ctx); |
391 | 0 | return ret; |
392 | 0 | } |
393 | | |
394 | 0 | bool idmap_cache_del_uid(uid_t uid) { |
395 | 0 | return idmap_cache_del_xid('U', uid); |
396 | 0 | } |
397 | | |
398 | 0 | bool idmap_cache_del_gid(gid_t gid) { |
399 | 0 | return idmap_cache_del_xid('G', gid); |
400 | 0 | } |
401 | | |
402 | | bool idmap_cache_del_sid(const struct dom_sid *sid) |
403 | 0 | { |
404 | 0 | TALLOC_CTX* mem_ctx = talloc_stackframe(); |
405 | 0 | bool ret = true; |
406 | 0 | bool expired; |
407 | 0 | struct unixid id; |
408 | 0 | struct dom_sid_buf sidbuf; |
409 | 0 | const char *sid_key; |
410 | |
|
411 | 0 | if (!idmap_cache_find_sid2unixid(sid, &id, &expired)) { |
412 | 0 | ret = false; |
413 | 0 | goto done; |
414 | 0 | } |
415 | | |
416 | 0 | if (id.id != -1) { |
417 | 0 | switch (id.type) { |
418 | 0 | case ID_TYPE_BOTH: |
419 | 0 | idmap_cache_del_xid('U', id.id); |
420 | 0 | idmap_cache_del_xid('G', id.id); |
421 | 0 | break; |
422 | 0 | case ID_TYPE_UID: |
423 | 0 | idmap_cache_del_xid('U', id.id); |
424 | 0 | break; |
425 | 0 | case ID_TYPE_GID: |
426 | 0 | idmap_cache_del_xid('G', id.id); |
427 | 0 | break; |
428 | 0 | default: |
429 | 0 | break; |
430 | 0 | } |
431 | 0 | } |
432 | | |
433 | 0 | sid_key = key_sid2xid_str(mem_ctx, dom_sid_str_buf(sid, &sidbuf)); |
434 | 0 | if (sid_key == NULL) { |
435 | 0 | return false; |
436 | 0 | } |
437 | | /* If the mapping was symmetric, then this should fail */ |
438 | 0 | gencache_del(sid_key); |
439 | 0 | done: |
440 | | talloc_free(mem_ctx); |
441 | 0 | return ret; |
442 | 0 | } |