コード例 #1
ファイル: ctfileutils.c プロジェクト: aleksey-novikov/pbis
/*
 * Copy pszSrcPath to pszDstPath and give the copy the owner, group and mode
 * that were read from the source.
 *
 * Returns ERROR_SUCCESS, or the first non-success code reported by one of
 * the three helper calls. BAIL_ON_CENTERIS_ERROR is expected to jump to the
 * `error` label on a non-success code (macro not visible here).
 *
 * NOTE(review): every step addresses the files by path, and the owner is
 * changed only after the copy step has been handed the source's mode. If
 * that mode carries setuid/setgid bits, or the destination directory is
 * writable by other users, the interval between the calls deserves a look.
 * The helpers are not shown, so confirm how they create the destination and
 * whether they follow symlinks.
 * NOTE(review): when the final ownership step fails, this function returns
 * the error without removing the already-written destination file.
 */
DWORD
CTCopyFileWithOriginalPerms(
    PCSTR pszSrcPath,
    PCSTR pszDstPath
    )
{
    uid_t srcOwner;
    gid_t srcGroup;
    mode_t srcMode;
    DWORD ceError;

    /* Step 1: capture ownership and mode of the source. */
    ceError = CTGetOwnerAndPermissions(pszSrcPath, &srcOwner, &srcGroup, &srcMode);
    BAIL_ON_CENTERIS_ERROR(ceError);

    /* Step 2: copy the contents, passing the source's mode along. */
    ceError = CTCopyFileWithPerms(pszSrcPath, pszDstPath, srcMode);
    BAIL_ON_CENTERIS_ERROR(ceError);

    /* Step 3: apply the captured owner, group and mode to the copy. */
    ceError = CTChangeOwnerAndPermissions(pszDstPath, srcOwner, srcGroup, srcMode);
    BAIL_ON_CENTERIS_ERROR(ceError);

error:

    return ceError;
}
コード例 #2
/*
 * Build the text shown to the operator describing what configuring (or
 * unconfiguring) nsswitch would involve.
 *
 * Returns a newly allocated string, or NULL when the nsswitch file is not
 * found or when one of the LW_* macros bails out early. The LW_CLEANUP_CTERR
 * and LW_TRY macros are not visible here; they presumably record the failure
 * in exc and jump to `cleanup`.
 *
 * NOTE(review): the SELinux message advises switching the host to permissive
 * mode, which relaxes enforcement for everything on the machine rather than
 * for nsswitch alone. Worth confirming that this is the intended guidance.
 * NOTE(review): the permission check below only verifies that the file is
 * readable by user, group and other. The owner and group are fetched but
 * never examined, and nothing flags a file that is writable by group or
 * other.
 * NOTE(review): strlen(compatDescription) assumes RemoveCompat always
 * leaves a non-NULL description when it returns something other than
 * FullyConfigured. Verify this against RemoveCompat.
 */
static PSTR GetNsswitchDescription(const JoinProcessOptions *options, LWException **exc)
{
    NsswitchConf conf;
    PSTR ret = NULL;
    PSTR compatDescription = NULL;
    PCSTR configureSteps;
    QueryResult compatResult = FullyConfigured;
    BOOLEAN hasBadSeLinux;
    DWORD ceError = ERROR_SUCCESS;

    /* Zero conf first so the cleanup path can always free its contents. */
    memset(&conf, 0, sizeof(conf));

    /* An unsupported SELinux policy short-circuits everything else. */
    LW_CLEANUP_CTERR(exc, UnsupportedSeLinuxEnabled(&hasBadSeLinux));
    if (hasBadSeLinux)
    {
        LW_CLEANUP_CTERR(exc, CTAllocateStringPrintf(&ret,
"Your machine is using an unsupported SeLinux policy. This must be disabled before nsswitch can be modified to allow active directory users. Please run '/usr/sbin/setenforce Permissive' and then re-run this program."));
        goto cleanup;
    }

    /* A missing nsswitch file is reported as a warning, not as an error. */
    ceError = ReadNsswitchConf(&conf, "", TRUE);
    if (ceError == ERROR_FILE_NOT_FOUND)
    {
        ceError = ERROR_SUCCESS;
        if (options->warningCallback != NULL)
        {
            options->warningCallback(options, "Could not find file", "Could not find nsswitch file");
        }
        goto cleanup;
    }
    LW_CLEANUP_CTERR(exc, ceError);

    /* The compat check is only run when joining. */
    if (options->joiningDomain)
    {
        LW_TRY(exc, compatResult = RemoveCompat(&conf, &compatDescription, &LW_EXC));
    }
    if (compatResult == FullyConfigured)
    {
        /* Nothing to report for compat: normalise to an empty string. */
        CT_SAFE_FREE_STRING(compatDescription);
        LW_CLEANUP_CTERR(exc, CTStrdup("", &compatDescription));
    }

    if (options->joiningDomain)
    {
        uid_t fileUid = 0;
        gid_t fileGid = 0;
        mode_t fileMode = 0;
        const mode_t readByAll = 0444;

        LW_CLEANUP_CTERR(exc, CTGetOwnerAndPermissions(
            conf.filename, &fileUid, &fileGid, &fileMode));

        /* Every one of the three read bits has to be set. */
        if ((fileMode & readByAll) != readByAll)
        {
            LW_CLEANUP_CTERR(exc, CTAllocateStringPrintf(&ret,
"The permissions of 0%03o on %s are invalid. All users must have at least read permission for the file. You can fix this by running 'chmod a+r %s'.", (int)(fileMode&0777), conf.filename, conf.filename));
            goto cleanup;
        }
    }

    /* Apply the update to conf, then see whether it changed anything. */
    conf.modified = FALSE;
    LW_CLEANUP_CTERR(exc, UpdateNsswitchConf(&conf, options->joiningDomain));

    if (!conf.modified)
    {
        configureSteps = "";
    }
    else if (options->joiningDomain)
    {
        configureSteps =
"The following steps are required and can be performed automatically:\n"
"\t* Edit nsswitch apparmor profile to allow libraries in the " PREFIXDIR "/lib  and " PREFIXDIR "/lib64 directories\n"
"\t* List lwidentity module in /usr/lib/security/methods.cfg (AIX only)\n"
"\t* Add lwidentity to passwd and group/groups line /etc/nsswitch.conf or /etc/netsvc.conf\n";
    }
    else
    {
        configureSteps =
"The following steps are required and can be performed automatically:\n"
"\t* Remove lwidentity module from /usr/lib/security/methods.cfg (AIX only)\n"
"\t* Remove lwidentity from passwd and group/groups line /etc/nsswitch.conf or /etc/netsvc.conf\n"
"The following step is optional:\n"
"\t* Remove apparmor exception for likewise nsswitch libraries\n";
    }

    if (!strlen(compatDescription) && !strlen(configureSteps))
    {
        LW_CLEANUP_CTERR(exc, CTStrdup("Fully Configured", &ret));
    }
    else
    {
        LW_CLEANUP_CTERR(exc, CTAllocateStringPrintf(&ret,
"%s%sIf any changes are performed, then the following services must be restarted:\n"
"\t* GDM\n"
"\t* XDM\n"
"\t* Cron\n"
"\t* Dbus\n"
"\t* Nscd", compatDescription, configureSteps));
    }

cleanup:
    CT_SAFE_FREE_STRING(compatDescription);
    FreeNsswitchConfContents(&conf);
    return ret;
}
コード例 #3
/*
 * Report whether the nsswitch-related configuration already matches what the
 * requested join or leave needs.
 *
 * Returns NotApplicable when multiple joins are enabled. Otherwise returns
 * FullyConfigured, NotConfigured or CannotConfigure as determined below.
 * LW_CLEANUP_CTERR and LW_TRY are not visible here; they presumably record
 * the failure in exc and jump to `cleanup`, in which case the returned value
 * is whatever `result` held at that point. Callers should check exc.
 *
 * NOTE(review): a missing nsswitch file only logs a warning and leaves
 * `result` at its initial FullyConfigured value.
 * NOTE(review): the permission check only requires read access for user,
 * group and other. The owner and group are fetched but never examined, and
 * nothing flags a file that is writable by group or other.
 */
static QueryResult QueryNsswitch(const JoinProcessOptions *options, LWException **exc)
{
    NsswitchConf conf;
    QueryResult result = FullyConfigured;
    DWORD ceError = ERROR_SUCCESS;
    BOOLEAN hasBadSeLinux;
    BOOLEAN methodsCfgPresent;
    BOOLEAN isConfigured;
    uid_t fileUid = 0;
    gid_t fileGid = 0;
    mode_t fileMode = 0;
    const mode_t readByAll = 0444;

    /* Zero conf first so the cleanup path can always free its contents. */
    memset(&conf, 0, sizeof(conf));

    if (options->enableMultipleJoins)
    {
        result = NotApplicable;
        goto cleanup;
    }

    if (!options->joiningDomain)
    {
        /* Leaving: only a still-configured methods.cfg counts as pending work. */
        LW_CLEANUP_CTERR(exc, DJHasMethodsCfg(&methodsCfgPresent));

        if (methodsCfgPresent)
        {
            LW_CLEANUP_CTERR(exc, DJIsMethodsCfgConfigured(&isConfigured));

            if (isConfigured)
            {
                result = NotConfigured;
            }
        }
        goto cleanup;
    }

    /* Joining from here on. */
    ceError = ReadNsswitchConf(&conf, NULL, FALSE);
    if (ceError == ERROR_FILE_NOT_FOUND)
    {
        ceError = ERROR_SUCCESS;
        DJ_LOG_WARNING("Warning: Could not find nsswitch file");
        goto cleanup;
    }
    LW_CLEANUP_CTERR(exc, ceError);

    LW_TRY(exc, result = RemoveCompat(&conf, NULL, &LW_EXC));
    if (result == CannotConfigure || result == NotConfigured)
    {
        goto cleanup;
    }

    LW_CLEANUP_CTERR(exc, CTGetOwnerAndPermissions(
        conf.filename, &fileUid, &fileGid, &fileMode));

    if ((fileMode & readByAll) != readByAll)
    {
        /* Not readable by everyone: the user has to fix the permissions. */
        result = CannotConfigure;
        goto cleanup;
    }

    /* If the update changes conf, the file on disk is not yet configured. */
    LW_CLEANUP_CTERR(exc, UpdateNsswitchConf(&conf, TRUE));
    if (conf.modified)
    {
        /* SELinux is consulted only when a change would be needed. */
        LW_CLEANUP_CTERR(exc, UnsupportedSeLinuxEnabled(&hasBadSeLinux));
        result = hasBadSeLinux ? CannotConfigure : NotConfigured;
        goto cleanup;
    }

    LW_CLEANUP_CTERR(exc, DJHasMethodsCfg(&methodsCfgPresent));

    if (methodsCfgPresent)
    {
        LW_CLEANUP_CTERR(exc, DJIsMethodsCfgConfigured(&isConfigured));

        if (!isConfigured)
        {
            result = NotConfigured;
            goto cleanup;
        }
    }

    /* Last check: the apparmor profile. */
    LW_CLEANUP_CTERR(exc, IsApparmorConfigured(&isConfigured));

    if (!isConfigured)
    {
        result = NotConfigured;
    }

cleanup:

    FreeNsswitchConfContents(&conf);

    return result;
}