3 * passwd database for nss_nonlocal proxy.
5 * Copyright © 2007–2010 Anders Kaseorg <andersk@mit.edu> and Tim
6 * Abbott <tabbott@mit.edu>
8 * This file is part of nss_nonlocal.
10 * nss_nonlocal is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU Lesser General Public License
12 * as published by the Free Software Foundation; either version 2.1 of
13 * the License, or (at your option) any later version.
15 * nss_nonlocal is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * Lesser General Public License for more details.
20 * You should have received a copy of the GNU Lesser General Public
21 * License along with nss_nonlocal; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
29 #include <sys/types.h>
41 #include "nsswitch-internal.h"
46 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
47 char *buffer, size_t buflen, int *errnop);
49 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
50 char *buffer, size_t buflen, int *errnop);
53 static service_user *__nss_passwd_nonlocal_database;
57 __nss_passwd_nonlocal_lookup(service_user **ni, const char *fct_name,
60 if (__nss_passwd_nonlocal_database == NULL
61 && __nss_database_lookup("passwd_nonlocal", NULL, NULL,
62 &__nss_passwd_nonlocal_database) < 0)
65 *ni = __nss_passwd_nonlocal_database;
67 *fctp = __nss_lookup_function(*ni, fct_name);
73 check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
75 enum nss_status status;
78 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
79 const struct walk_nss w = {
80 .lookup = &__nss_passwd_lookup, .fct_name = "getpwuid_r",
81 .status = &status, .errnop = errnop, .buf = &buf, .buflen = &buflen
83 const __typeof__(&_nss_nonlocal_getpwuid_r) self = &_nss_nonlocal_getpwuid_r;
84 #define args (uid, &pwbuf, buf, buflen, errnop)
88 if (status == NSS_STATUS_SUCCESS) {
89 syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
91 status = NSS_STATUS_NOTFOUND;
92 } else if (status != NSS_STATUS_TRYAGAIN) {
93 status = NSS_STATUS_SUCCESS;
100 check_nonlocal_passwd(const char *user, struct passwd *pwd, int *errnop)
102 enum nss_status status = NSS_STATUS_SUCCESS;
103 int old_errno = errno;
108 uid = strtoul(pwd->pw_name, &end, 10);
109 if (errno == 0 && *end == '\0' && (uid_t)uid == uid) {
111 status = check_nonlocal_uid(user, uid, errnop);
115 if (status != NSS_STATUS_SUCCESS)
118 return check_nonlocal_uid(user, pwd->pw_uid, errnop);
122 check_nonlocal_user(const char *user, int *errnop)
124 enum nss_status status;
127 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
128 const struct walk_nss w = {
129 .lookup = __nss_passwd_lookup, .fct_name = "getpwnam_r",
130 .status = &status, .errnop = errnop, .buf = &buf, .buflen = &buflen
132 const __typeof__(&_nss_nonlocal_getpwnam_r) self = &_nss_nonlocal_getpwnam_r;
133 #define args (user, &pwbuf, buf, buflen, errnop)
134 #include "walk_nss.h"
137 if (status == NSS_STATUS_SUCCESS) {
139 status = NSS_STATUS_NOTFOUND;
140 } else if (status != NSS_STATUS_TRYAGAIN) {
141 status = NSS_STATUS_SUCCESS;
148 get_nonlocal_passwd(const char *name, struct passwd *pwd, char **buffer,
151 enum nss_status status;
152 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
153 const struct walk_nss w = {
154 .lookup = __nss_passwd_nonlocal_lookup, .fct_name = "getpwnam_r",
155 .status = &status, .errnop = errnop, .buf = buffer, .buflen = &buflen
157 const __typeof__(&_nss_nonlocal_getpwnam_r) self = NULL;
158 #define args (name, pwd, *buffer, buflen, errnop)
159 #include "walk_nss.h"
165 static bool pwent_initialized = false;
166 static service_user *pwent_startp, *pwent_nip;
167 static void *pwent_fct_start;
169 enum nss_status (*l)(struct passwd *pwd, char *buffer, size_t buflen,
173 static const char *pwent_fct_name = "getpwent_r";
176 _nss_nonlocal_setpwent(int stayopen)
178 enum nss_status status;
179 const struct walk_nss w = {
180 .lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "setpwent",
183 const __typeof__(&_nss_nonlocal_setpwent) self = NULL;
184 #define args (stayopen)
185 #include "walk_nss.h"
187 if (status != NSS_STATUS_SUCCESS)
190 if (!pwent_initialized) {
191 __nss_passwd_nonlocal_lookup(&pwent_startp, pwent_fct_name,
193 __sync_synchronize();
194 pwent_initialized = true;
196 pwent_nip = pwent_startp;
197 pwent_fct.ptr = pwent_fct_start;
198 return NSS_STATUS_SUCCESS;
202 _nss_nonlocal_endpwent(void)
204 enum nss_status status;
205 const struct walk_nss w = {
206 .lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "endpwent",
209 const __typeof__(&_nss_nonlocal_endpwent) self = NULL;
214 #include "walk_nss.h"
220 _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
223 enum nss_status status;
225 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
226 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
227 return NSS_STATUS_UNAVAIL;
229 if (pwent_nip == NULL) {
230 status = _nss_nonlocal_setpwent(0);
231 if (status != NSS_STATUS_SUCCESS)
235 if (pwent_fct.ptr == NULL)
236 status = NSS_STATUS_UNAVAIL;
240 status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
241 while (status == NSS_STATUS_SUCCESS &&
242 check_nonlocal_passwd(pwd->pw_name, pwd, &nonlocal_errno) != NSS_STATUS_SUCCESS);
244 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
247 if (status == NSS_STATUS_SUCCESS)
248 return NSS_STATUS_SUCCESS;
249 } while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0);
252 return NSS_STATUS_NOTFOUND;
257 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
258 char *buffer, size_t buflen, int *errnop)
260 enum nss_status status;
262 const struct walk_nss w = {
263 .lookup = __nss_passwd_nonlocal_lookup, .fct_name = "getpwnam_r",
264 .status = &status, .errnop = errnop
266 const __typeof__(&_nss_nonlocal_getpwnam_r) self = NULL;
268 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
269 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
270 return NSS_STATUS_UNAVAIL;
272 #define args (name, pwd, buffer, buflen, errnop)
273 #include "walk_nss.h"
275 if (status != NSS_STATUS_SUCCESS)
278 if (strcmp(name, pwd->pw_name) != 0) {
279 syslog(LOG_ERR, "nss_nonlocal: discarding user %s from lookup for user %s\n", pwd->pw_name, name);
280 return NSS_STATUS_NOTFOUND;
283 status = check_nonlocal_passwd(name, pwd, errnop);
284 if (status != NSS_STATUS_SUCCESS)
287 if (check_nonlocal_gid(name, NULL, pwd->pw_gid, &group_errno) !=
289 pwd->pw_gid = 65534 /* nogroup */;
290 return NSS_STATUS_SUCCESS;
294 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
295 char *buffer, size_t buflen, int *errnop)
297 enum nss_status status;
299 const struct walk_nss w = {
300 .lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "getpwuid_r",
301 .status = &status, .errnop = errnop
303 const __typeof__(&_nss_nonlocal_getpwuid_r) self = NULL;
305 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
306 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
307 return NSS_STATUS_UNAVAIL;
309 #define args (uid, pwd, buffer, buflen, errnop)
310 #include "walk_nss.h"
312 if (status != NSS_STATUS_SUCCESS)
315 if (uid != pwd->pw_uid) {
316 syslog(LOG_ERR, "nss_nonlocal: discarding uid %d from lookup for uid %d\n", pwd->pw_uid, uid);
317 return NSS_STATUS_NOTFOUND;
320 status = check_nonlocal_passwd(pwd->pw_name, pwd, errnop);
321 if (status != NSS_STATUS_SUCCESS)
324 if (check_nonlocal_gid(pwd->pw_name, NULL, pwd->pw_gid, &group_errno) !=
326 pwd->pw_gid = 65534 /* nogroup */;
327 return NSS_STATUS_SUCCESS;