3 * group database for nss_nonlocal proxy
5 * Copyright © 2007 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
8 * Permission is hereby granted, free of charge, to any person
9 * obtaining a copy of this software and associated documentation
10 * files (the "Software"), to deal in the Software without
11 * restriction, including without limitation the rights to use, copy,
12 * modify, merge, publish, distribute, sublicense, and/or sell copies
13 * of the Software, and to permit persons to whom the Software is
14 * furnished to do so, subject to the following conditions:
16 * The above copyright notice and this permission notice shall be
17 * included in all copies or substantial portions of the Software.
19 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
20 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
21 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
22 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
23 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
24 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
25 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
30 #include <sys/types.h>
41 #include "nsswitch-internal.h"
44 #define MAGIC_LOCAL_GR_BUFLEN (sysconf(_SC_GETGR_R_SIZE_MAX) + 7)
45 #define MAGIC_NONLOCAL_GROUPNAME "nss-nonlocal-users"
46 #define MAGIC_LOCAL_GROUPNAME "nss-local-users"
50 nss_group_nonlocal_database(void)
52 static service_user *nip = NULL;
54 __nss_database_lookup("group_nonlocal", NULL, "", &nip);
61 check_nonlocal_gid(const char *user, gid_t gid, int *errnop)
63 enum nss_status status = NSS_STATUS_SUCCESS;
65 struct group *gbufp = &gbuf;
67 int old_errno = errno;
68 int buflen = MAGIC_LOCAL_GR_BUFLEN;
69 char *buf = malloc(buflen);
73 return NSS_STATUS_TRYAGAIN;
76 ret = getgrgid_r(gid, gbufp, buf, buflen, &gbufp);
79 status = NSS_STATUS_TRYAGAIN;
80 } else if (gbufp != NULL) {
81 syslog(LOG_WARNING, "nss_nonlocal: removing local group %u (%s) from non-local user %s\n", gbuf.gr_gid, gbuf.gr_name, user);
82 status = NSS_STATUS_NOTFOUND;
90 get_local_group(const char *name, struct group *grp, char *buffer, size_t buflen, int *errnop)
92 enum nss_status status = NSS_STATUS_NOTFOUND;
94 struct group *gbufp = &gbuf;
96 int old_errno = errno;
97 int len = MAGIC_LOCAL_GR_BUFLEN;
98 char *buf = malloc(len);
102 return NSS_STATUS_TRYAGAIN;
105 ret = getgrnam_r(name, gbufp, buf, len, &gbufp);
108 status = NSS_STATUS_TRYAGAIN;
109 } else if (gbufp != NULL) {
110 status = NSS_STATUS_SUCCESS;
112 n = snprintf(buffer, buflen, "%s", gbufp->gr_name);
113 if (n < 0 || n >= buflen) {
115 status = NSS_STATUS_TRYAGAIN;
116 goto get_local_group_done;
118 grp->gr_name = buffer;
122 n = snprintf(buffer, buflen, "%s", gbufp->gr_passwd);
123 if (n < 0 || n >= buflen) {
125 status = NSS_STATUS_TRYAGAIN;
126 goto get_local_group_done;
128 grp->gr_passwd = buffer;
132 grp->gr_gid = gbufp->gr_gid;
134 if (buflen < sizeof(void *)) {
136 status = NSS_STATUS_TRYAGAIN;
137 goto get_local_group_done;
139 *(void **)buffer = NULL;
140 buffer += sizeof(void *);
141 buflen -= sizeof(void *);
143 get_local_group_done:
149 static service_user *grent_nip = NULL;
150 static void *grent_fct_start;
152 enum nss_status (*l)(struct group *grp, char *buffer, size_t buflen,
156 static const char *grent_fct_name = "getgrent_r";
159 _nss_nonlocal_setgrent(int stayopen)
161 static const char *fct_name = "setgrent";
162 static void *fct_start = NULL;
163 enum nss_status status;
166 enum nss_status (*l)(int stayopen);
170 nip = nss_group_nonlocal_database();
172 return NSS_STATUS_UNAVAIL;
173 if (fct_start == NULL)
174 fct_start = __nss_lookup_function(nip, fct_name);
178 status = NSS_STATUS_UNAVAIL;
180 status = DL_CALL_FCT(fct.l, (stayopen));
181 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
182 if (status != NSS_STATUS_SUCCESS)
186 if (grent_fct_start == NULL)
187 grent_fct_start = __nss_lookup_function(nip, grent_fct_name);
188 grent_fct.ptr = grent_fct_start;
189 return NSS_STATUS_SUCCESS;
193 _nss_nonlocal_endgrent(void)
195 static const char *fct_name = "endgrent";
196 static void *fct_start = NULL;
197 enum nss_status status;
200 enum nss_status (*l)(void);
206 nip = nss_group_nonlocal_database();
208 return NSS_STATUS_UNAVAIL;
209 if (fct_start == NULL)
210 fct_start = __nss_lookup_function(nip, fct_name);
214 status = NSS_STATUS_UNAVAIL;
216 status = DL_CALL_FCT(fct.l, ());
217 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
222 _nss_nonlocal_getgrent_r(struct group *grp, char *buffer, size_t buflen,
225 enum nss_status status;
226 if (grent_nip == NULL) {
227 status = _nss_nonlocal_setgrent(0);
228 if (status != NSS_STATUS_SUCCESS)
232 if (grent_fct.ptr == NULL)
233 status = NSS_STATUS_UNAVAIL;
237 status = DL_CALL_FCT(grent_fct.l, (grp, buffer, buflen, errnop));
238 while (status == NSS_STATUS_SUCCESS &&
239 check_nonlocal_gid("(unknown)", grp->gr_gid, &nonlocal_errno) != NSS_STATUS_SUCCESS);
241 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
244 if (status == NSS_STATUS_SUCCESS)
245 return NSS_STATUS_SUCCESS;
246 } while (__nss_next(&grent_nip, grent_fct_name, &grent_fct.ptr, status, 0) == 0);
249 return NSS_STATUS_NOTFOUND;
254 _nss_nonlocal_getgrnam_r(const char *name, struct group *grp,
255 char *buffer, size_t buflen, int *errnop)
257 static const char *fct_name = "getgrnam_r";
258 static void *fct_start = NULL;
259 enum nss_status status;
262 enum nss_status (*l)(const char *name, struct group *grp,
263 char *buffer, size_t buflen, int *errnop);
267 if (buflen == MAGIC_LOCAL_GR_BUFLEN)
268 return NSS_STATUS_UNAVAIL;
270 nip = nss_group_nonlocal_database();
272 return NSS_STATUS_UNAVAIL;
273 if (fct_start == NULL)
274 fct_start = __nss_lookup_function(nip, fct_name);
278 status = NSS_STATUS_UNAVAIL;
280 status = DL_CALL_FCT(fct.l, (name, grp, buffer, buflen, errnop));
281 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
283 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
284 if (status != NSS_STATUS_SUCCESS)
287 return check_nonlocal_gid(name, grp->gr_gid, errnop);
291 _nss_nonlocal_getgrgid_r(gid_t gid, struct group *grp,
292 char *buffer, size_t buflen, int *errnop)
294 static const char *fct_name = "getgrgid_r";
295 static void *fct_start = NULL;
296 enum nss_status status;
299 enum nss_status (*l)(gid_t gid, struct group *grp,
300 char *buffer, size_t buflen, int *errnop);
304 if (buflen == MAGIC_LOCAL_GR_BUFLEN)
305 return NSS_STATUS_UNAVAIL;
307 nip = nss_group_nonlocal_database();
309 return NSS_STATUS_UNAVAIL;
310 if (fct_start == NULL)
311 fct_start = __nss_lookup_function(nip, fct_name);
315 status = NSS_STATUS_UNAVAIL;
317 status = DL_CALL_FCT(fct.l, (gid, grp, buffer, buflen, errnop));
318 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
320 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
321 if (status != NSS_STATUS_SUCCESS)
324 return check_nonlocal_gid(grp->gr_name, grp->gr_gid, errnop);
328 _nss_nonlocal_initgroups_dyn(const char *user, gid_t group, long int *start,
329 long int *size, gid_t **groupsp, long int limit,
332 static const char *fct_name = "initgroups_dyn";
333 static void *fct_start = NULL;
334 enum nss_status status;
337 enum nss_status (*l)(const char *user, gid_t group, long int *start,
338 long int *size, gid_t **groupsp, long int limit,
343 struct group local_users_group, nonlocal_users_group;
344 gid_t local_users_gid, gid;
349 /* Check that the user is a nonlocal user before adding any groups. */
350 status = check_nonlocal_user(user, errnop);
351 if (status == NSS_STATUS_NOTFOUND)
353 else if (status != NSS_STATUS_SUCCESS)
356 int old_errno = errno;
358 buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
359 buffer = malloc(buflen);
360 if (buffer == NULL) {
363 return NSS_STATUS_TRYAGAIN;
365 status = get_local_group(MAGIC_LOCAL_GROUPNAME,
366 &local_users_group, buffer, buflen, errnop);
367 if (status == NSS_STATUS_NOTFOUND) {
368 syslog(LOG_WARNING, "nss_nonlocal: Group %s does not exist locally!",
369 MAGIC_LOCAL_GROUPNAME);
370 local_users_gid = -1;
371 } else if (status != NSS_STATUS_SUCCESS) {
374 local_users_gid = local_users_group.gr_gid;
378 gid = local_users_gid;
380 buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
381 buffer = malloc(buflen);
382 if (buffer == NULL) {
385 return NSS_STATUS_TRYAGAIN;
387 status = get_local_group(MAGIC_NONLOCAL_GROUPNAME,
388 &nonlocal_users_group, buffer, buflen, errnop);
389 if (status == NSS_STATUS_NOTFOUND) {
390 syslog(LOG_WARNING, "nss_nonlocal: Group %s does not exist locally!",
391 MAGIC_NONLOCAL_GROUPNAME);
393 } else if (status != NSS_STATUS_SUCCESS) {
397 gid = nonlocal_users_group.gr_gid;
403 for (i = 0; i < *start; ++i)
404 if ((*groupsp)[i] == gid)
407 if (*start + 1 > *size) {
409 long int newsize = 2 * *size;
412 return NSS_STATUS_SUCCESS;
416 newgroups = realloc(*groupsp, *size * sizeof((*groupsp)[0]));
417 if (newgroups == NULL) {
420 return NSS_STATUS_TRYAGAIN;
422 *groupsp = newgroups;
425 (*groupsp)[(*start)++] = gid;
432 return NSS_STATUS_SUCCESS;
434 int in = *start, out = *start, i;
436 nip = nss_group_nonlocal_database();
438 return NSS_STATUS_UNAVAIL;
439 if (fct_start == NULL)
440 fct_start = __nss_lookup_function(nip, fct_name);
445 status = NSS_STATUS_UNAVAIL;
447 status = DL_CALL_FCT(fct.l, (user, group, start, size, groupsp, limit, errnop));
448 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
450 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
451 if (status != NSS_STATUS_SUCCESS)
454 for (; in < *start; ++in) {
455 int nonlocal_errno = *errnop;
457 for (i = 0; i < out; ++i)
458 if ((*groupsp)[i] == (*groupsp)[in])
463 /* Don't let users get into MAGIC_LOCAL_GROUPNAME from nonlocal reasons. */
464 if (local_users_gid == (*groupsp)[in]) {
465 syslog(LOG_WARNING, "nss_nonlocal: Nonlocal user %s removed from special local users group %s",
466 user, MAGIC_LOCAL_GROUPNAME);
470 status = check_nonlocal_gid(user, (*groupsp)[in], &nonlocal_errno);
471 if (status == NSS_STATUS_SUCCESS) {
472 (*groupsp)[out++] = (*groupsp)[in];
473 } else if (status != NSS_STATUS_NOTFOUND) {
475 *errnop = nonlocal_errno;
481 return NSS_STATUS_SUCCESS;