From: Shirish Pargaonkar <[email protected]> Handle cifs_acl type of key. Extract a SID string from the description and map it to either an uid or gid using winbind APIs and return that id. If an SID can't be mapped, id stays 0 i.e. that of the root.
An entry such as this create cifs.cifs_acl * * /usr/sbin/cifs.upcall %k is needed in the file /etc/request-key.conf. Signed-off-by: Shirish Pargaonkar <[email protected]> --- cifs.upcall.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 72 insertions(+), 0 deletions(-) diff --git a/cifs.upcall.c b/cifs.upcall.c index 9b1436e..17ef57e 100644 --- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -45,6 +45,13 @@ #include <time.h> #include <netdb.h> #include <arpa/inet.h> +#include <stdint.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <errno.h> +#include <limits.h> +#include <wbclient.h> #include "util.h" #include "replace.h" @@ -544,6 +551,66 @@ static int cifs_resolver(const key_serial_t key, const char *key_descr) return 0; } +static int +cifs_sid_resolver(const key_serial_t key, const char *key_descr) +{ + int i; + uid_t uid = 0; + gid_t gid = 0;; + wbcErr rc; + const char *keyend = key_descr; + struct wbcDomainSid sid; + + /* skip next 4 ';' delimiters to get to description */ + for (i = 1; i <= 4; ++i) { + keyend = index(keyend + 1, ';'); + if (!keyend) { + syslog(LOG_ERR, "invalid key description: %s", + key_descr); + return 1; + } + } + keyend++; + + if (strncmp(keyend, "os", 2) == 0) { + keyend = index(keyend + 1, ':'); + keyend++; + rc = wbcStringToSid(keyend, &sid); + if (!rc) { + rc = wbcSidToUid(&sid, &uid); + if (!rc) { + rc = keyctl_instantiate(key, &uid, + sizeof(uid_t), 0); + if (rc) + syslog(LOG_ERR, "%s: key inst: %s", + __func__, strerror(errno)); + } else + syslog(LOG_DEBUG, "OwnerSID to uid: %s, rc: %d", + keyend, rc); + } else + syslog(LOG_DEBUG, "O strtosid: %s, rc: %d", keyend, rc); + } else if (strncmp(keyend, "gs", 2) == 0) { + keyend = index(keyend + 1, ':'); + keyend++; + rc = wbcStringToSid(keyend, &sid); + if (!rc) { + rc = wbcSidToGid(&sid, &gid); + if (!rc) { + rc = keyctl_instantiate(key, &gid, + sizeof(gid_t), 0); + if (rc) + syslog(LOG_ERR, "%s: key inst: %s", + __func__, strerror(errno)); + } else + syslog(LOG_DEBUG, "GroupSID to gid: %s, rc: %d", + keyend, rc); + } else + syslog(LOG_DEBUG, "O strtosid: %s, rc: %d", keyend, rc); + } else + syslog(LOG_DEBUG, "Invalid SID"); + return 0; +} + /* * Older kernels sent IPv6 addresses without colons. Well, at least * they're fixed-length strings. Convert these addresses to have colon @@ -679,6 +746,11 @@ int main(const int argc, char *const argv[]) goto out; } + if ((strncmp(buf, "cifs.cifs_acl", sizeof("cifs.cifs_acl") - 1) == 0)) { + rc = cifs_sid_resolver(key, buf); + goto out; + } + memset(&arg, 0, sizeof(arg)); have = decode_key_description(buf, &arg); -- 1.6.0.2 -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
