3 * passwd database for nss_nonlocal proxy.
5 * Copyright © 2007–2010 Anders Kaseorg <andersk@mit.edu> and Tim
6 * Abbott <tabbott@mit.edu>
8 * This file is part of nss_nonlocal.
10 * nss_nonlocal is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU Lesser General Public License
12 * as published by the Free Software Foundation; either version 2.1 of
13 * the License, or (at your option) any later version.
15 * nss_nonlocal is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * Lesser General Public License for more details.
20 * You should have received a copy of the GNU Lesser General Public
21 * License along with nss_nonlocal; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
28 #include <sys/types.h>
40 #include "nsswitch-internal.h"
45 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
46 char *buffer, size_t buflen, int *errnop);
48 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
49 char *buffer, size_t buflen, int *errnop);
52 static service_user *__nss_passwd_nonlocal_database;
56 __nss_passwd_nonlocal_lookup(service_user **ni, const char *fct_name,
59 if (__nss_passwd_nonlocal_database == NULL
60 && __nss_database_lookup("passwd_nonlocal", NULL, NULL,
61 &__nss_passwd_nonlocal_database) < 0)
64 *ni = __nss_passwd_nonlocal_database;
66 *fctp = __nss_lookup_function(*ni, fct_name);
72 check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
74 enum nss_status status;
77 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
78 const struct walk_nss w = {
79 .lookup = &__nss_passwd_lookup, .fct_name = "getpwuid_r",
80 .status = &status, .errnop = errnop, .buf = &buf, .buflen = &buflen
82 const __typeof__(&_nss_nonlocal_getpwuid_r) self = &_nss_nonlocal_getpwuid_r;
83 #define args (uid, &pwbuf, buf, buflen, errnop)
87 if (status == NSS_STATUS_SUCCESS) {
88 syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
90 status = NSS_STATUS_NOTFOUND;
91 } else if (status != NSS_STATUS_TRYAGAIN) {
92 status = NSS_STATUS_SUCCESS;
99 check_nonlocal_passwd(const char *user, struct passwd *pwd, int *errnop)
101 enum nss_status status = NSS_STATUS_SUCCESS;
102 int old_errno = errno;
107 uid = strtoul(pwd->pw_name, &end, 10);
108 if (errno == 0 && *end == '\0' && (uid_t)uid == uid) {
110 status = check_nonlocal_uid(user, uid, errnop);
114 if (status != NSS_STATUS_SUCCESS)
117 return check_nonlocal_uid(user, pwd->pw_uid, errnop);
121 check_nonlocal_user(const char *user, int *errnop)
123 enum nss_status status;
126 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
127 const struct walk_nss w = {
128 .lookup = __nss_passwd_lookup, .fct_name = "getpwnam_r",
129 .status = &status, .errnop = errnop, .buf = &buf, .buflen = &buflen
131 const __typeof__(&_nss_nonlocal_getpwnam_r) self = &_nss_nonlocal_getpwnam_r;
132 #define args (user, &pwbuf, buf, buflen, errnop)
133 #include "walk_nss.h"
136 if (status == NSS_STATUS_SUCCESS) {
138 status = NSS_STATUS_NOTFOUND;
139 } else if (status != NSS_STATUS_TRYAGAIN) {
140 status = NSS_STATUS_SUCCESS;
147 get_nonlocal_passwd(const char *name, struct passwd *pwd, char **buffer,
150 enum nss_status status;
151 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
152 const struct walk_nss w = {
153 .lookup = __nss_passwd_nonlocal_lookup, .fct_name = "getpwnam_r",
154 .status = &status, .errnop = errnop, .buf = buffer, .buflen = &buflen
156 const __typeof__(&_nss_nonlocal_getpwnam_r) self = NULL;
157 #define args (name, pwd, *buffer, buflen, errnop)
158 #include "walk_nss.h"
164 static service_user *pwent_startp, *pwent_nip;
165 static void *pwent_fct_start;
167 enum nss_status (*l)(struct passwd *pwd, char *buffer, size_t buflen,
171 static const char *pwent_fct_name = "getpwent_r";
174 _nss_nonlocal_setpwent(int stayopen)
176 enum nss_status status;
177 const struct walk_nss w = {
178 .lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "setpwent",
181 const __typeof__(&_nss_nonlocal_setpwent) self = NULL;
182 #define args (stayopen)
183 #include "walk_nss.h"
185 if (status != NSS_STATUS_SUCCESS)
188 if (pwent_fct_start == NULL)
189 __nss_passwd_nonlocal_lookup(&pwent_startp, pwent_fct_name,
191 pwent_nip = pwent_startp;
192 pwent_fct.ptr = pwent_fct_start;
193 return NSS_STATUS_SUCCESS;
197 _nss_nonlocal_endpwent(void)
199 enum nss_status status;
200 const struct walk_nss w = {
201 .lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "endpwent",
204 const __typeof__(&_nss_nonlocal_endpwent) self = NULL;
209 #include "walk_nss.h"
215 _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
218 enum nss_status status;
220 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
221 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
222 return NSS_STATUS_UNAVAIL;
224 if (pwent_nip == NULL) {
225 status = _nss_nonlocal_setpwent(0);
226 if (status != NSS_STATUS_SUCCESS)
230 if (pwent_fct.ptr == NULL)
231 status = NSS_STATUS_UNAVAIL;
235 status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
236 while (status == NSS_STATUS_SUCCESS &&
237 check_nonlocal_passwd(pwd->pw_name, pwd, &nonlocal_errno) != NSS_STATUS_SUCCESS);
239 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
242 if (status == NSS_STATUS_SUCCESS)
243 return NSS_STATUS_SUCCESS;
244 } while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0);
247 return NSS_STATUS_NOTFOUND;
252 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
253 char *buffer, size_t buflen, int *errnop)
255 enum nss_status status;
257 const struct walk_nss w = {
258 .lookup = __nss_passwd_nonlocal_lookup, .fct_name = "getpwnam_r",
259 .status = &status, .errnop = errnop
261 const __typeof__(&_nss_nonlocal_getpwnam_r) self = NULL;
263 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
264 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
265 return NSS_STATUS_UNAVAIL;
267 #define args (name, pwd, buffer, buflen, errnop)
268 #include "walk_nss.h"
270 if (status != NSS_STATUS_SUCCESS)
273 if (strcmp(name, pwd->pw_name) != 0) {
274 syslog(LOG_ERR, "nss_nonlocal: discarding user %s from lookup for user %s\n", pwd->pw_name, name);
275 return NSS_STATUS_NOTFOUND;
278 status = check_nonlocal_passwd(name, pwd, errnop);
279 if (status != NSS_STATUS_SUCCESS)
282 if (check_nonlocal_gid(name, NULL, pwd->pw_gid, &group_errno) !=
284 pwd->pw_gid = 65534 /* nogroup */;
285 return NSS_STATUS_SUCCESS;
289 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
290 char *buffer, size_t buflen, int *errnop)
292 enum nss_status status;
294 const struct walk_nss w = {
295 .lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "getpwuid_r",
296 .status = &status, .errnop = errnop
298 const __typeof__(&_nss_nonlocal_getpwuid_r) self = NULL;
300 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
301 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
302 return NSS_STATUS_UNAVAIL;
304 #define args (uid, pwd, buffer, buflen, errnop)
305 #include "walk_nss.h"
307 if (status != NSS_STATUS_SUCCESS)
310 if (uid != pwd->pw_uid) {
311 syslog(LOG_ERR, "nss_nonlocal: discarding uid %d from lookup for uid %d\n", pwd->pw_uid, uid);
312 return NSS_STATUS_NOTFOUND;
315 status = check_nonlocal_passwd(pwd->pw_name, pwd, errnop);
316 if (status != NSS_STATUS_SUCCESS)
319 if (check_nonlocal_gid(pwd->pw_name, NULL, pwd->pw_gid, &group_errno) !=
321 pwd->pw_gid = 65534 /* nogroup */;
322 return NSS_STATUS_SUCCESS;