[nss_nonlocal.git] / nonlocal-passwd.c

/*
 * nonlocal-passwd.c
 * passwd database for nss_nonlocal proxy.
 *
 * Copyright © 2007 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
 * <tabbott@mit.edu>
 *
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use, copy,
 * modify, merge, publish, distribute, sublicense, and/or sell copies
 * of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */


#define _GNU_SOURCE
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <dlfcn.h>
#include <stdio.h>
#include <syslog.h>
#include <errno.h>
#include <pwd.h>
#include <grp.h>
#include <nss.h>
#include "nsswitch-internal.h"
#include "nonlocal.h"


enum nss_status
_nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
			 char *buffer, size_t buflen, int *errnop);
enum nss_status
_nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
			 char *buffer, size_t buflen, int *errnop);


static service_user *
nss_passwd_nonlocal_database(void)
{
    static service_user *nip = NULL;
    if (nip == NULL)
	__nss_database_lookup("passwd_nonlocal", NULL, "", &nip);

    return nip;
}


enum nss_status
check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
{
    static const char *fct_name = "getpwuid_r";
    static service_user *startp = NULL;
    static void *fct_start = NULL;
    enum nss_status status;
    service_user *nip;
    union {
	enum nss_status (*l)(uid_t uid, struct passwd *pwd,
			     char *buffer, size_t buflen, int *errnop);
	void *ptr;
    } fct;
    struct passwd pwbuf;
    int old_errno = errno;

    size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
    char *buf = malloc(buflen);
    if (buf == NULL) {
	*errnop = ENOMEM;
	errno = old_errno;
	return NSS_STATUS_TRYAGAIN;
    }

    if (fct_start == NULL &&
	__nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
	free(buf);
	return NSS_STATUS_UNAVAIL;
    }
    nip = startp;
    fct.ptr = fct_start;
    do {
    morebuf:
	if (fct.l == _nss_nonlocal_getpwuid_r)
	    status = NSS_STATUS_NOTFOUND;
	else
	    status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
	    free(buf);
	    buflen *= 2;
	    buf = malloc(buflen);
	    if (buf == NULL) {
		*errnop = ENOMEM;
		errno = old_errno;
		return NSS_STATUS_TRYAGAIN;
	    }
	    goto morebuf;
	}
    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);

    if (status == NSS_STATUS_SUCCESS) {
	syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
	status = NSS_STATUS_NOTFOUND;
    } else if (status != NSS_STATUS_TRYAGAIN) {
	status = NSS_STATUS_SUCCESS;
    }

    free(buf);
    return status;
}

enum nss_status
check_nonlocal_passwd(const char *user, struct passwd *pwd, int *errnop)
{
    enum nss_status status = NSS_STATUS_SUCCESS;
    int old_errno = errno;
    char *end;
    unsigned long uid;

    errno = 0;
    uid = strtoul(pwd->pw_name, &end, 10);
    if (errno == 0 && *end == '\0' && (uid_t)uid == uid)
	status = check_nonlocal_uid(user, uid, errnop);
    errno = old_errno;
    if (status != NSS_STATUS_SUCCESS)
	return status;

    return check_nonlocal_uid(user, pwd->pw_uid, errnop);
}

enum nss_status
check_nonlocal_user(const char *user, int *errnop)
{
    static const char *fct_name = "getpwnam_r";
    static service_user *startp = NULL;
    static void *fct_start = NULL;
    enum nss_status status;
    service_user *nip;
    union {
	enum nss_status (*l)(const char *name, struct passwd *pwd,
			     char *buffer, size_t buflen, int *errnop);
	void *ptr;
    } fct;
    struct passwd pwbuf;
    int old_errno = errno;

    size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
    char *buf = malloc(buflen);
    if (buf == NULL) {
	*errnop = ENOMEM;
	errno = old_errno;
	return NSS_STATUS_TRYAGAIN;
    }

    if (fct_start == NULL &&
	__nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
	free(buf);
	return NSS_STATUS_UNAVAIL;
    }
    nip = startp;
    fct.ptr = fct_start;
    do {
    morebuf:
	if (fct.l == _nss_nonlocal_getpwnam_r)
	    status = NSS_STATUS_NOTFOUND;
	else
	    status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
	    free(buf);
	    buflen *= 2;
	    buf = malloc(buflen);
	    if (buf == NULL) {
		*errnop = ENOMEM;
		errno = old_errno;
		return NSS_STATUS_TRYAGAIN;
	    }
	    goto morebuf;
	}
    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);

    if (status == NSS_STATUS_SUCCESS)
	status = NSS_STATUS_NOTFOUND;
    else if (status != NSS_STATUS_TRYAGAIN)
	status = NSS_STATUS_SUCCESS;

    free(buf);
    return status;
}


static service_user *pwent_nip = NULL;
static void *pwent_fct_start;
static union {
    enum nss_status (*l)(struct passwd *pwd, char *buffer, size_t buflen,
			 int *errnop);
    void *ptr;
} pwent_fct;
static const char *pwent_fct_name = "getpwent_r";

enum nss_status
_nss_nonlocal_setpwent(int stayopen)
{
    static const char *fct_name = "setpwent";
    static void *fct_start = NULL;
    enum nss_status status;
    service_user *nip;
    union {
	enum nss_status (*l)(int stayopen);
	void *ptr;
    } fct;

    nip = nss_passwd_nonlocal_database();
    if (nip == NULL)
	return NSS_STATUS_UNAVAIL;
    if (fct_start == NULL)
	fct_start = __nss_lookup_function(nip, fct_name);
    fct.ptr = fct_start;
    do {
	if (fct.ptr == NULL)
	    status = NSS_STATUS_UNAVAIL;
	else
	    status = DL_CALL_FCT(fct.l, (stayopen));
    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
    if (status != NSS_STATUS_SUCCESS)
	return status;

    pwent_nip = nip;
    if (pwent_fct_start == NULL)
	pwent_fct_start = __nss_lookup_function(nip, pwent_fct_name);
    pwent_fct.ptr = pwent_fct_start;
    return NSS_STATUS_SUCCESS;
}

enum nss_status
_nss_nonlocal_endpwent(void)
{
    static const char *fct_name = "endpwent";
    static void *fct_start = NULL;
    enum nss_status status;
    service_user *nip;
    union {
	enum nss_status (*l)(void);
	void *ptr;
    } fct;

    pwent_nip = NULL;

    nip = nss_passwd_nonlocal_database();
    if (nip == NULL)
	return NSS_STATUS_UNAVAIL;
    if (fct_start == NULL)
	fct_start = __nss_lookup_function(nip, fct_name);
    fct.ptr = fct_start;
    do {
	if (fct.ptr == NULL)
	    status = NSS_STATUS_UNAVAIL;
	else
	    status = DL_CALL_FCT(fct.l, ());
    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
    return status;
}

enum nss_status
_nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
			 int *errnop)
{
    enum nss_status status;

    char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
    if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
	return NSS_STATUS_UNAVAIL;

    if (pwent_nip == NULL) {
	status = _nss_nonlocal_setpwent(0);
	if (status != NSS_STATUS_SUCCESS)
	    return status;
    }
    do {
	if (pwent_fct.ptr == NULL)
	    status = NSS_STATUS_UNAVAIL;
	else {
	    int nonlocal_errno;
	    do
		status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
	    while (status == NSS_STATUS_SUCCESS &&
		   check_nonlocal_passwd(pwd->pw_name, pwd, &nonlocal_errno) != NSS_STATUS_SUCCESS);
	}
	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
	    return status;

	if (status == NSS_STATUS_SUCCESS)
	    return NSS_STATUS_SUCCESS;
    } while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0);

    pwent_nip = NULL;
    return NSS_STATUS_NOTFOUND;
}


enum nss_status
_nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
			 char *buffer, size_t buflen, int *errnop)
{
    static const char *fct_name = "getpwnam_r";
    static void *fct_start = NULL;
    enum nss_status status;
    service_user *nip;
    union {
	enum nss_status (*l)(const char *name, struct passwd *pwd,
			     char *buffer, size_t buflen, int *errnop);
	void *ptr;
    } fct;
    int group_errno;

    char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
    if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
	return NSS_STATUS_UNAVAIL;

    nip = nss_passwd_nonlocal_database();
    if (nip == NULL)
	return NSS_STATUS_UNAVAIL;
    if (fct_start == NULL)
	fct_start = __nss_lookup_function(nip, fct_name);
    fct.ptr = fct_start;
    do {
	if (fct.ptr == NULL)
	    status = NSS_STATUS_UNAVAIL;
	else
	    status = DL_CALL_FCT(fct.l, (name, pwd, buffer, buflen, errnop));
	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
	    break;
    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
    if (status != NSS_STATUS_SUCCESS)
	return status;

    if (strcmp(name, pwd->pw_name) != 0) {
	syslog(LOG_ERR, "nss_nonlocal: discarding user %s from lookup for user %s\n", pwd->pw_name, name);
	return NSS_STATUS_NOTFOUND;
    }

    status = check_nonlocal_passwd(name, pwd, errnop);
    if (status != NSS_STATUS_SUCCESS)
	return status;

    if (check_nonlocal_gid(name, pwd->pw_gid, &group_errno) !=
	NSS_STATUS_SUCCESS)
	pwd->pw_gid = 65534 /* nogroup */;
    return NSS_STATUS_SUCCESS;
}

enum nss_status
_nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
			 char *buffer, size_t buflen, int *errnop)
{
    static const char *fct_name = "getpwuid_r";
    static void *fct_start = NULL;
    enum nss_status status;
    service_user *nip;
    union {
	enum nss_status (*l)(uid_t uid, struct passwd *pwd,
			     char *buffer, size_t buflen, int *errnop);
	void *ptr;
    } fct;
    int group_errno;

    char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
    if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
	return NSS_STATUS_UNAVAIL;

    nip = nss_passwd_nonlocal_database();
    if (nip == NULL)
	return NSS_STATUS_UNAVAIL;
    if (fct_start == NULL)
	fct_start = __nss_lookup_function(nip, fct_name);
    fct.ptr = fct_start;
    do {
	if (fct.ptr == NULL)
	    status = NSS_STATUS_UNAVAIL;
	else
	    status = DL_CALL_FCT(fct.l, (uid, pwd, buffer, buflen, errnop));
	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
	    break;
    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
    if (status != NSS_STATUS_SUCCESS)
	return status;

    status = check_nonlocal_passwd(pwd->pw_name, pwd, errnop);
    if (status != NSS_STATUS_SUCCESS)
	return status;

    if (check_nonlocal_gid(pwd->pw_name, pwd->pw_gid, &group_errno) !=
	NSS_STATUS_SUCCESS)
	pwd->pw_gid = 65534 /* nogroup */;
    return NSS_STATUS_SUCCESS;
}
Commit	Line	Data
f6903667 AK	1	/*
	2	* nonlocal-passwd.c
	3	* passwd database for nss_nonlocal proxy.
	4	*
48479fc7 TA	5	* Copyright © 2007 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
48479fc7 TA	6	* <tabbott@mit.edu>
f6903667 AK	7	*
	8	* Permission is hereby granted, free of charge, to any person
	9	* obtaining a copy of this software and associated documentation
	10	* files (the "Software"), to deal in the Software without
	11	* restriction, including without limitation the rights to use, copy,
	12	* modify, merge, publish, distribute, sublicense, and/or sell copies
	13	* of the Software, and to permit persons to whom the Software is
	14	* furnished to do so, subject to the following conditions:
	15	*
	16	* The above copyright notice and this permission notice shall be
	17	* included in all copies or substantial portions of the Software.
	18	*
	19	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
	20	* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
	21	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
	22	* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
	23	* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
	24	* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
	25	* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	26	* SOFTWARE.
	27	*/
	28
	29
	30	#define _GNU_SOURCE
	31	#include <sys/types.h>
	32	#include <unistd.h>
	33	#include <stdlib.h>
	34	#include <stdint.h>
	35	#include <string.h>
	36	#include <dlfcn.h>
	37	#include <stdio.h>
	38	#include <syslog.h>
	39	#include <errno.h>
	40	#include <pwd.h>
	41	#include <grp.h>
	42	#include <nss.h>
	43	#include "nsswitch-internal.h"
	44	#include "nonlocal.h"
	45
c1812233 AK	46
	47	enum nss_status
	48	_nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
	49	char buffer, size_t buflen, int errnop);
	50	enum nss_status
	51	_nss_nonlocal_getpwnam_r(const char name, struct passwd pwd,
	52	char buffer, size_t buflen, int errnop);
f7293a54	53
f6903667 AK	54
	55	static service_user *
	56	nss_passwd_nonlocal_database(void)
	57	{
	58	static service_user *nip = NULL;
	59	if (nip == NULL)
	60	__nss_database_lookup("passwd_nonlocal", NULL, "", &nip);
	61
	62	return nip;
	63	}
	64
	65
f6903667 AK	66	enum nss_status
	67	check_nonlocal_uid(const char user, uid_t uid, int errnop)
	68	{
30fb3957 AK	69	static const char *fct_name = "getpwuid_r";
	70	static service_user *startp = NULL;
	71	static void *fct_start = NULL;
	72	enum nss_status status;
	73	service_user *nip;
	74	union {
	75	enum nss_status (l)(uid_t uid, struct passwd pwd,
	76	char buffer, size_t buflen, int errnop);
	77	void *ptr;
	78	} fct;
f7293a54	79	struct passwd pwbuf;
f7293a54	80	int old_errno = errno;
c1812233	81
8870ee9c	82	size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
f7293a54 AK	83	char *buf = malloc(buflen);
f7293a54 AK	84	if (buf == NULL) {
f6903667	85	*errnop = ENOMEM;
f7293a54	86	errno = old_errno;
f6903667 AK	87	return NSS_STATUS_TRYAGAIN;
f6903667 AK	88	}
30fb3957 AK	89
	90	if (fct_start == NULL &&
	91	__nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
	92	free(buf);
	93	return NSS_STATUS_UNAVAIL;
	94	}
	95	nip = startp;
	96	fct.ptr = fct_start;
	97	do {
d905b369	98	morebuf:
c1812233 AK	99	if (fct.l == _nss_nonlocal_getpwuid_r)
	100	status = NSS_STATUS_NOTFOUND;
	101	else
	102	status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
d905b369 AK	103	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
	104	free(buf);
	105	buflen *= 2;
	106	buf = malloc(buflen);
	107	if (buf == NULL) {
	108	*errnop = ENOMEM;
	109	errno = old_errno;
	110	return NSS_STATUS_TRYAGAIN;
	111	}
	112	goto morebuf;
	113	}
30fb3957 AK	114	} while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
	115
	116	if (status == NSS_STATUS_SUCCESS) {
f7293a54	117	syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
f6903667	118	status = NSS_STATUS_NOTFOUND;
30fb3957 AK	119	} else if (status != NSS_STATUS_TRYAGAIN) {
30fb3957 AK	120	status = NSS_STATUS_SUCCESS;
f6903667	121	}
30fb3957	122
f7293a54	123	free(buf);
f6903667 AK	124	return status;
	125	}
	126
cf338316 AK	127	enum nss_status
	128	check_nonlocal_passwd(const char user, struct passwd pwd, int *errnop)
	129	{
a07a7616 AK	130	enum nss_status status = NSS_STATUS_SUCCESS;
	131	int old_errno = errno;
	132	char *end;
	133	unsigned long uid;
	134
	135	errno = 0;
	136	uid = strtoul(pwd->pw_name, &end, 10);
	137	if (errno == 0 && *end == '\0' && (uid_t)uid == uid)
	138	status = check_nonlocal_uid(user, uid, errnop);
	139	errno = old_errno;
	140	if (status != NSS_STATUS_SUCCESS)
	141	return status;
	142
cf338316 AK	143	return check_nonlocal_uid(user, pwd->pw_uid, errnop);
	144	}
	145
48479fc7 TA	146	enum nss_status
	147	check_nonlocal_user(const char user, int errnop)
	148	{
30fb3957 AK	149	static const char *fct_name = "getpwnam_r";
	150	static service_user *startp = NULL;
	151	static void *fct_start = NULL;
	152	enum nss_status status;
	153	service_user *nip;
	154	union {
	155	enum nss_status (l)(const char name, struct passwd *pwd,
	156	char buffer, size_t buflen, int errnop);
	157	void *ptr;
	158	} fct;
48479fc7	159	struct passwd pwbuf;
48479fc7	160	int old_errno = errno;
c1812233	161
8870ee9c	162	size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
48479fc7 TA	163	char *buf = malloc(buflen);
	164	if (buf == NULL) {
	165	*errnop = ENOMEM;
	166	errno = old_errno;
	167	return NSS_STATUS_TRYAGAIN;
	168	}
30fb3957 AK	169
	170	if (fct_start == NULL &&
	171	__nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
	172	free(buf);
	173	return NSS_STATUS_UNAVAIL;
48479fc7	174	}
30fb3957 AK	175	nip = startp;
	176	fct.ptr = fct_start;
	177	do {
d905b369	178	morebuf:
c1812233 AK	179	if (fct.l == _nss_nonlocal_getpwnam_r)
	180	status = NSS_STATUS_NOTFOUND;
	181	else
	182	status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
d905b369 AK	183	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
	184	free(buf);
	185	buflen *= 2;
	186	buf = malloc(buflen);
	187	if (buf == NULL) {
	188	*errnop = ENOMEM;
	189	errno = old_errno;
	190	return NSS_STATUS_TRYAGAIN;
	191	}
	192	goto morebuf;
	193	}
30fb3957 AK	194	} while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
	195
	196	if (status == NSS_STATUS_SUCCESS)
	197	status = NSS_STATUS_NOTFOUND;
	198	else if (status != NSS_STATUS_TRYAGAIN)
	199	status = NSS_STATUS_SUCCESS;
	200
48479fc7	201	free(buf);
48479fc7 TA	202	return status;
48479fc7 TA	203	}
f6903667	204
1e78305d	205
f6903667 AK	206	static service_user *pwent_nip = NULL;
	207	static void *pwent_fct_start;
	208	static union {
	209	enum nss_status (l)(struct passwd pwd, char *buffer, size_t buflen,
	210	int *errnop);
	211	void *ptr;
	212	} pwent_fct;
	213	static const char *pwent_fct_name = "getpwent_r";
	214
	215	enum nss_status
	216	_nss_nonlocal_setpwent(int stayopen)
	217	{
	218	static const char *fct_name = "setpwent";
	219	static void *fct_start = NULL;
	220	enum nss_status status;
	221	service_user *nip;
	222	union {
	223	enum nss_status (*l)(int stayopen);
	224	void *ptr;
	225	} fct;
	226
	227	nip = nss_passwd_nonlocal_database();
	228	if (nip == NULL)
	229	return NSS_STATUS_UNAVAIL;
	230	if (fct_start == NULL)
	231	fct_start = __nss_lookup_function(nip, fct_name);
	232	fct.ptr = fct_start;
	233	do {
	234	if (fct.ptr == NULL)
	235	status = NSS_STATUS_UNAVAIL;
	236	else
	237	status = DL_CALL_FCT(fct.l, (stayopen));
	238	} while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
	239	if (status != NSS_STATUS_SUCCESS)
	240	return status;
	241
	242	pwent_nip = nip;
	243	if (pwent_fct_start == NULL)
	244	pwent_fct_start = __nss_lookup_function(nip, pwent_fct_name);
	245	pwent_fct.ptr = pwent_fct_start;
	246	return NSS_STATUS_SUCCESS;
	247	}
	248
	249	enum nss_status
	250	_nss_nonlocal_endpwent(void)
	251	{
	252	static const char *fct_name = "endpwent";
	253	static void *fct_start = NULL;
	254	enum nss_status status;
	255	service_user *nip;
	256	union {
	257	enum nss_status (*l)(void);
	258	void *ptr;
	259	} fct;
	260
	261	pwent_nip = NULL;
	262
	263	nip = nss_passwd_nonlocal_database();
	264	if (nip == NULL)
	265	return NSS_STATUS_UNAVAIL;
	266	if (fct_start == NULL)
	267	fct_start = __nss_lookup_function(nip, fct_name);
	268	fct.ptr = fct_start;
	269	do {
270	if (fct.ptr == NULL)
271	status = NSS_STATUS_UNAVAIL;
272	else
273	status = DL_CALL_FCT(fct.l, ());
274	} while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
275	return status;
276	}
277
278	enum nss_status
279	_nss_nonlocal_getpwent_r(struct passwd pwd, char buffer, size_t buflen,
280	int *errnop)
281	{
282	enum nss_status status;
a360549e TA	283
a360549e TA	284	char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
c1812233	285	if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
a360549e TA	286	return NSS_STATUS_UNAVAIL;
a360549e TA	287
f6903667 AK	288	if (pwent_nip == NULL) {
	289	status = _nss_nonlocal_setpwent(0);
	290	if (status != NSS_STATUS_SUCCESS)
	291	return status;
	292	}
	293	do {
	294	if (pwent_fct.ptr == NULL)
	295	status = NSS_STATUS_UNAVAIL;
	296	else {
	297	int nonlocal_errno;
	298	do
a360549e	299	status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
f6903667	300	while (status == NSS_STATUS_SUCCESS &&
cf338316	301	check_nonlocal_passwd(pwd->pw_name, pwd, &nonlocal_errno) != NSS_STATUS_SUCCESS);
f6903667 AK	302	}
	303	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
	304	return status;
	305
	306	if (status == NSS_STATUS_SUCCESS)
	307	return NSS_STATUS_SUCCESS;
	308	} while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0);
	309
	310	pwent_nip = NULL;
	311	return NSS_STATUS_NOTFOUND;
	312	}
	313
	314
	315	enum nss_status
	316	_nss_nonlocal_getpwnam_r(const char name, struct passwd pwd,
	317	char buffer, size_t buflen, int errnop)
	318	{
	319	static const char *fct_name = "getpwnam_r";
	320	static void *fct_start = NULL;
	321	enum nss_status status;
	322	service_user *nip;
	323	union {
	324	enum nss_status (l)(const char name, struct passwd *pwd,
	325	char buffer, size_t buflen, int errnop);
	326	void *ptr;
	327	} fct;
	328	int group_errno;
	329
a360549e	330	char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
c1812233	331	if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
48479fc7 TA	332	return NSS_STATUS_UNAVAIL;
48479fc7 TA	333
f6903667 AK	334	nip = nss_passwd_nonlocal_database();
	335	if (nip == NULL)
	336	return NSS_STATUS_UNAVAIL;
	337	if (fct_start == NULL)
	338	fct_start = __nss_lookup_function(nip, fct_name);
	339	fct.ptr = fct_start;
	340	do {
	341	if (fct.ptr == NULL)
	342	status = NSS_STATUS_UNAVAIL;
	343	else
	344	status = DL_CALL_FCT(fct.l, (name, pwd, buffer, buflen, errnop));
	345	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
	346	break;
	347	} while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
	348	if (status != NSS_STATUS_SUCCESS)
	349	return status;
	350
22562df0 AK	351	if (strcmp(name, pwd->pw_name) != 0) {
	352	syslog(LOG_ERR, "nss_nonlocal: discarding user %s from lookup for user %s\n", pwd->pw_name, name);
	353	return NSS_STATUS_NOTFOUND;
	354	}
	355
cf338316	356	status = check_nonlocal_passwd(name, pwd, errnop);
f6903667 AK	357	if (status != NSS_STATUS_SUCCESS)
	358	return status;
	359
	360	if (check_nonlocal_gid(name, pwd->pw_gid, &group_errno) !=
	361	NSS_STATUS_SUCCESS)
	362	pwd->pw_gid = 65534 /* nogroup */;
	363	return NSS_STATUS_SUCCESS;
	364	}
	365
	366	enum nss_status
	367	_nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
	368	char buffer, size_t buflen, int errnop)
	369	{
	370	static const char *fct_name = "getpwuid_r";
	371	static void *fct_start = NULL;
	372	enum nss_status status;
	373	service_user *nip;
	374	union {
	375	enum nss_status (l)(uid_t uid, struct passwd pwd,
	376	char buffer, size_t buflen, int errnop);
	377	void *ptr;
	378	} fct;
	379	int group_errno;
	380
a360549e	381	char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
c1812233	382	if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
f6903667 AK	383	return NSS_STATUS_UNAVAIL;
	384
	385	nip = nss_passwd_nonlocal_database();
	386	if (nip == NULL)
	387	return NSS_STATUS_UNAVAIL;
	388	if (fct_start == NULL)
	389	fct_start = __nss_lookup_function(nip, fct_name);
	390	fct.ptr = fct_start;
	391	do {
	392	if (fct.ptr == NULL)
	393	status = NSS_STATUS_UNAVAIL;
	394	else
	395	status = DL_CALL_FCT(fct.l, (uid, pwd, buffer, buflen, errnop));
	396	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
	397	break;
	398	} while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
	399	if (status != NSS_STATUS_SUCCESS)
	400	return status;
	401
cf338316	402	status = check_nonlocal_passwd(pwd->pw_name, pwd, errnop);
f6903667 AK	403	if (status != NSS_STATUS_SUCCESS)
	404	return status;
	405
	406	if (check_nonlocal_gid(pwd->pw_name, pwd->pw_gid, &group_errno) !=
	407	NSS_STATUS_SUCCESS)
	408	pwd->pw_gid = 65534 /* nogroup */;
	409	return NSS_STATUS_SUCCESS;
	410	}