3 * passwd database for nss_nonlocal proxy.
5 * Copyright © 2007 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
8 * Permission is hereby granted, free of charge, to any person
9 * obtaining a copy of this software and associated documentation
10 * files (the "Software"), to deal in the Software without
11 * restriction, including without limitation the rights to use, copy,
12 * modify, merge, publish, distribute, sublicense, and/or sell copies
13 * of the Software, and to permit persons to whom the Software is
14 * furnished to do so, subject to the following conditions:
16 * The above copyright notice and this permission notice shall be
17 * included in all copies or substantial portions of the Software.
19 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
20 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
21 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
22 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
23 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
24 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
25 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
31 #include <sys/types.h>
43 #include "nsswitch-internal.h"
46 #define MAGIC_LOCAL_PW_BUFLEN (sysconf(_SC_GETPW_R_SIZE_MAX) + 7)
50 nss_passwd_nonlocal_database(void)
52 static service_user *nip = NULL;
54 __nss_database_lookup("passwd_nonlocal", NULL, "", &nip);
61 check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
63 enum nss_status status = NSS_STATUS_SUCCESS;
65 struct passwd *pwbufp = &pwbuf;
67 int old_errno = errno;
68 int buflen = MAGIC_LOCAL_PW_BUFLEN;
69 char *buf = malloc(buflen);
73 return NSS_STATUS_TRYAGAIN;
75 ret = getpwuid_r(uid, pwbufp, buf, buflen, &pwbufp);
78 status = NSS_STATUS_TRYAGAIN;
79 } else if (pwbufp != NULL) {
80 syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
81 status = NSS_STATUS_NOTFOUND;
89 check_nonlocal_user(const char *user, int *errnop)
91 enum nss_status status = NSS_STATUS_SUCCESS;
93 struct passwd *pwbufp = &pwbuf;
95 int old_errno = errno;
96 int buflen = MAGIC_LOCAL_PW_BUFLEN;
97 char *buf = malloc(buflen);
101 return NSS_STATUS_TRYAGAIN;
103 ret = getpwnam_r(user, pwbufp, buf, buflen, &pwbufp);
106 status = NSS_STATUS_TRYAGAIN;
107 } else if (pwbufp != NULL) {
108 status = NSS_STATUS_NOTFOUND;
116 static service_user *pwent_nip = NULL;
117 static void *pwent_fct_start;
119 enum nss_status (*l)(struct passwd *pwd, char *buffer, size_t buflen,
123 static const char *pwent_fct_name = "getpwent_r";
126 _nss_nonlocal_setpwent(int stayopen)
128 static const char *fct_name = "setpwent";
129 static void *fct_start = NULL;
130 enum nss_status status;
133 enum nss_status (*l)(int stayopen);
137 nip = nss_passwd_nonlocal_database();
139 return NSS_STATUS_UNAVAIL;
140 if (fct_start == NULL)
141 fct_start = __nss_lookup_function(nip, fct_name);
145 status = NSS_STATUS_UNAVAIL;
147 status = DL_CALL_FCT(fct.l, (stayopen));
148 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
149 if (status != NSS_STATUS_SUCCESS)
153 if (pwent_fct_start == NULL)
154 pwent_fct_start = __nss_lookup_function(nip, pwent_fct_name);
155 pwent_fct.ptr = pwent_fct_start;
156 return NSS_STATUS_SUCCESS;
160 _nss_nonlocal_endpwent(void)
162 static const char *fct_name = "endpwent";
163 static void *fct_start = NULL;
164 enum nss_status status;
167 enum nss_status (*l)(void);
173 nip = nss_passwd_nonlocal_database();
175 return NSS_STATUS_UNAVAIL;
176 if (fct_start == NULL)
177 fct_start = __nss_lookup_function(nip, fct_name);
181 status = NSS_STATUS_UNAVAIL;
183 status = DL_CALL_FCT(fct.l, ());
184 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
189 _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
192 enum nss_status status;
194 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
195 if (buflen == MAGIC_LOCAL_PW_BUFLEN ||
196 (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0'))
197 return NSS_STATUS_UNAVAIL;
199 if (pwent_nip == NULL) {
200 status = _nss_nonlocal_setpwent(0);
201 if (status != NSS_STATUS_SUCCESS)
205 if (pwent_fct.ptr == NULL)
206 status = NSS_STATUS_UNAVAIL;
210 status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
211 while (status == NSS_STATUS_SUCCESS &&
212 check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, &nonlocal_errno) != NSS_STATUS_SUCCESS);
214 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
217 if (status == NSS_STATUS_SUCCESS)
218 return NSS_STATUS_SUCCESS;
219 } while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0);
222 return NSS_STATUS_NOTFOUND;
227 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
228 char *buffer, size_t buflen, int *errnop)
230 static const char *fct_name = "getpwnam_r";
231 static void *fct_start = NULL;
232 enum nss_status status;
235 enum nss_status (*l)(const char *name, struct passwd *pwd,
236 char *buffer, size_t buflen, int *errnop);
241 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
242 if (buflen == MAGIC_LOCAL_PW_BUFLEN ||
243 (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0'))
244 return NSS_STATUS_UNAVAIL;
246 nip = nss_passwd_nonlocal_database();
248 return NSS_STATUS_UNAVAIL;
249 if (fct_start == NULL)
250 fct_start = __nss_lookup_function(nip, fct_name);
254 status = NSS_STATUS_UNAVAIL;
256 status = DL_CALL_FCT(fct.l, (name, pwd, buffer, buflen, errnop));
257 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
259 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
260 if (status != NSS_STATUS_SUCCESS)
263 status = check_nonlocal_uid(name, pwd->pw_uid, errnop);
264 if (status != NSS_STATUS_SUCCESS)
267 if (check_nonlocal_gid(name, pwd->pw_gid, &group_errno) !=
269 pwd->pw_gid = 65534 /* nogroup */;
270 return NSS_STATUS_SUCCESS;
274 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
275 char *buffer, size_t buflen, int *errnop)
277 static const char *fct_name = "getpwuid_r";
278 static void *fct_start = NULL;
279 enum nss_status status;
282 enum nss_status (*l)(uid_t uid, struct passwd *pwd,
283 char *buffer, size_t buflen, int *errnop);
288 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
289 if (buflen == MAGIC_LOCAL_PW_BUFLEN ||
290 (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0'))
291 return NSS_STATUS_UNAVAIL;
293 nip = nss_passwd_nonlocal_database();
295 return NSS_STATUS_UNAVAIL;
296 if (fct_start == NULL)
297 fct_start = __nss_lookup_function(nip, fct_name);
301 status = NSS_STATUS_UNAVAIL;
303 status = DL_CALL_FCT(fct.l, (uid, pwd, buffer, buflen, errnop));
304 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
306 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
307 if (status != NSS_STATUS_SUCCESS)
310 status = check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, errnop);
311 if (status != NSS_STATUS_SUCCESS)
314 if (check_nonlocal_gid(pwd->pw_name, pwd->pw_gid, &group_errno) !=
316 pwd->pw_gid = 65534 /* nogroup */;
317 return NSS_STATUS_SUCCESS;