3 * passwd database for nss_nonlocal proxy.
5 * Copyright © 2007 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
8 * Permission is hereby granted, free of charge, to any person
9 * obtaining a copy of this software and associated documentation
10 * files (the "Software"), to deal in the Software without
11 * restriction, including without limitation the rights to use, copy,
12 * modify, merge, publish, distribute, sublicense, and/or sell copies
13 * of the Software, and to permit persons to whom the Software is
14 * furnished to do so, subject to the following conditions:
16 * The above copyright notice and this permission notice shall be
17 * included in all copies or substantial portions of the Software.
19 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
20 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
21 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
22 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
23 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
24 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
25 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
31 #include <sys/types.h>
43 #include "nsswitch-internal.h"
46 #define MAGIC_LOCAL_PW_BUFLEN (sysconf(_SC_GETPW_R_SIZE_MAX) + 7)
50 nss_passwd_nonlocal_database(void)
52 static service_user *nip = NULL;
54 __nss_database_lookup("passwd_nonlocal", NULL, "", &nip);
61 check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
63 static const char *fct_name = "getpwuid_r";
64 static service_user *startp = NULL;
65 static void *fct_start = NULL;
66 enum nss_status status;
69 enum nss_status (*l)(uid_t uid, struct passwd *pwd,
70 char *buffer, size_t buflen, int *errnop);
74 int old_errno = errno;
75 int buflen = MAGIC_LOCAL_PW_BUFLEN;
76 char *buf = malloc(buflen);
80 return NSS_STATUS_TRYAGAIN;
83 if (fct_start == NULL &&
84 __nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
86 return NSS_STATUS_UNAVAIL;
91 status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
92 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
94 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
96 if (status == NSS_STATUS_SUCCESS) {
97 syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
98 status = NSS_STATUS_NOTFOUND;
99 } else if (status != NSS_STATUS_TRYAGAIN) {
100 status = NSS_STATUS_SUCCESS;
108 check_nonlocal_user(const char *user, int *errnop)
110 static const char *fct_name = "getpwnam_r";
111 static service_user *startp = NULL;
112 static void *fct_start = NULL;
113 enum nss_status status;
116 enum nss_status (*l)(const char *name, struct passwd *pwd,
117 char *buffer, size_t buflen, int *errnop);
121 int old_errno = errno;
122 int buflen = MAGIC_LOCAL_PW_BUFLEN;
123 char *buf = malloc(buflen);
127 return NSS_STATUS_TRYAGAIN;
130 if (fct_start == NULL &&
131 __nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
133 return NSS_STATUS_UNAVAIL;
138 status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
139 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
141 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
143 if (status == NSS_STATUS_SUCCESS)
144 status = NSS_STATUS_NOTFOUND;
145 else if (status != NSS_STATUS_TRYAGAIN)
146 status = NSS_STATUS_SUCCESS;
153 static service_user *pwent_nip = NULL;
154 static void *pwent_fct_start;
156 enum nss_status (*l)(struct passwd *pwd, char *buffer, size_t buflen,
160 static const char *pwent_fct_name = "getpwent_r";
163 _nss_nonlocal_setpwent(int stayopen)
165 static const char *fct_name = "setpwent";
166 static void *fct_start = NULL;
167 enum nss_status status;
170 enum nss_status (*l)(int stayopen);
174 nip = nss_passwd_nonlocal_database();
176 return NSS_STATUS_UNAVAIL;
177 if (fct_start == NULL)
178 fct_start = __nss_lookup_function(nip, fct_name);
182 status = NSS_STATUS_UNAVAIL;
184 status = DL_CALL_FCT(fct.l, (stayopen));
185 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
186 if (status != NSS_STATUS_SUCCESS)
190 if (pwent_fct_start == NULL)
191 pwent_fct_start = __nss_lookup_function(nip, pwent_fct_name);
192 pwent_fct.ptr = pwent_fct_start;
193 return NSS_STATUS_SUCCESS;
197 _nss_nonlocal_endpwent(void)
199 static const char *fct_name = "endpwent";
200 static void *fct_start = NULL;
201 enum nss_status status;
204 enum nss_status (*l)(void);
210 nip = nss_passwd_nonlocal_database();
212 return NSS_STATUS_UNAVAIL;
213 if (fct_start == NULL)
214 fct_start = __nss_lookup_function(nip, fct_name);
218 status = NSS_STATUS_UNAVAIL;
220 status = DL_CALL_FCT(fct.l, ());
221 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
226 _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
229 enum nss_status status;
231 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
232 if (buflen == MAGIC_LOCAL_PW_BUFLEN ||
233 (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0'))
234 return NSS_STATUS_UNAVAIL;
236 if (pwent_nip == NULL) {
237 status = _nss_nonlocal_setpwent(0);
238 if (status != NSS_STATUS_SUCCESS)
242 if (pwent_fct.ptr == NULL)
243 status = NSS_STATUS_UNAVAIL;
247 status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
248 while (status == NSS_STATUS_SUCCESS &&
249 check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, &nonlocal_errno) != NSS_STATUS_SUCCESS);
251 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
254 if (status == NSS_STATUS_SUCCESS)
255 return NSS_STATUS_SUCCESS;
256 } while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0);
259 return NSS_STATUS_NOTFOUND;
264 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
265 char *buffer, size_t buflen, int *errnop)
267 static const char *fct_name = "getpwnam_r";
268 static void *fct_start = NULL;
269 enum nss_status status;
272 enum nss_status (*l)(const char *name, struct passwd *pwd,
273 char *buffer, size_t buflen, int *errnop);
278 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
279 if (buflen == MAGIC_LOCAL_PW_BUFLEN ||
280 (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0'))
281 return NSS_STATUS_UNAVAIL;
283 nip = nss_passwd_nonlocal_database();
285 return NSS_STATUS_UNAVAIL;
286 if (fct_start == NULL)
287 fct_start = __nss_lookup_function(nip, fct_name);
291 status = NSS_STATUS_UNAVAIL;
293 status = DL_CALL_FCT(fct.l, (name, pwd, buffer, buflen, errnop));
294 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
296 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
297 if (status != NSS_STATUS_SUCCESS)
300 status = check_nonlocal_uid(name, pwd->pw_uid, errnop);
301 if (status != NSS_STATUS_SUCCESS)
304 if (check_nonlocal_gid(name, pwd->pw_gid, &group_errno) !=
306 pwd->pw_gid = 65534 /* nogroup */;
307 return NSS_STATUS_SUCCESS;
311 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
312 char *buffer, size_t buflen, int *errnop)
314 static const char *fct_name = "getpwuid_r";
315 static void *fct_start = NULL;
316 enum nss_status status;
319 enum nss_status (*l)(uid_t uid, struct passwd *pwd,
320 char *buffer, size_t buflen, int *errnop);
325 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
326 if (buflen == MAGIC_LOCAL_PW_BUFLEN ||
327 (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0'))
328 return NSS_STATUS_UNAVAIL;
330 nip = nss_passwd_nonlocal_database();
332 return NSS_STATUS_UNAVAIL;
333 if (fct_start == NULL)
334 fct_start = __nss_lookup_function(nip, fct_name);
338 status = NSS_STATUS_UNAVAIL;
340 status = DL_CALL_FCT(fct.l, (uid, pwd, buffer, buflen, errnop));
341 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
343 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
344 if (status != NSS_STATUS_SUCCESS)
347 status = check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, errnop);
348 if (status != NSS_STATUS_SUCCESS)
351 if (check_nonlocal_gid(pwd->pw_name, pwd->pw_gid, &group_errno) !=
353 pwd->pw_gid = 65534 /* nogroup */;
354 return NSS_STATUS_SUCCESS;