3 * passwd database for nss_nonlocal proxy.
5 * Copyright © 2007 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
8 * Permission is hereby granted, free of charge, to any person
9 * obtaining a copy of this software and associated documentation
10 * files (the "Software"), to deal in the Software without
11 * restriction, including without limitation the rights to use, copy,
12 * modify, merge, publish, distribute, sublicense, and/or sell copies
13 * of the Software, and to permit persons to whom the Software is
14 * furnished to do so, subject to the following conditions:
16 * The above copyright notice and this permission notice shall be
17 * included in all copies or substantial portions of the Software.
19 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
20 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
21 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
22 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
23 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
24 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
25 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
31 #include <sys/types.h>
43 #include "nsswitch-internal.h"
48 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
49 char *buffer, size_t buflen, int *errnop);
51 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
52 char *buffer, size_t buflen, int *errnop);
56 nss_passwd_nonlocal_database(void)
58 static service_user *nip = NULL;
60 __nss_database_lookup("passwd_nonlocal", NULL, "", &nip);
67 check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
69 static const char *fct_name = "getpwuid_r";
70 static service_user *startp = NULL;
71 static void *fct_start = NULL;
72 enum nss_status status;
75 enum nss_status (*l)(uid_t uid, struct passwd *pwd,
76 char *buffer, size_t buflen, int *errnop);
80 int old_errno = errno;
82 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
83 char *buf = malloc(buflen);
87 return NSS_STATUS_TRYAGAIN;
90 if (fct_start == NULL &&
91 __nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
93 return NSS_STATUS_UNAVAIL;
99 if (fct.l == _nss_nonlocal_getpwuid_r)
100 status = NSS_STATUS_NOTFOUND;
102 status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
103 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
106 buf = malloc(buflen);
110 return NSS_STATUS_TRYAGAIN;
114 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
116 if (status == NSS_STATUS_SUCCESS) {
117 syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
118 status = NSS_STATUS_NOTFOUND;
119 } else if (status != NSS_STATUS_TRYAGAIN) {
120 status = NSS_STATUS_SUCCESS;
128 check_nonlocal_user(const char *user, int *errnop)
130 static const char *fct_name = "getpwnam_r";
131 static service_user *startp = NULL;
132 static void *fct_start = NULL;
133 enum nss_status status;
136 enum nss_status (*l)(const char *name, struct passwd *pwd,
137 char *buffer, size_t buflen, int *errnop);
141 int old_errno = errno;
143 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
144 char *buf = malloc(buflen);
148 return NSS_STATUS_TRYAGAIN;
151 if (fct_start == NULL &&
152 __nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
154 return NSS_STATUS_UNAVAIL;
160 if (fct.l == _nss_nonlocal_getpwnam_r)
161 status = NSS_STATUS_NOTFOUND;
163 status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
164 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
167 buf = malloc(buflen);
171 return NSS_STATUS_TRYAGAIN;
175 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
177 if (status == NSS_STATUS_SUCCESS)
178 status = NSS_STATUS_NOTFOUND;
179 else if (status != NSS_STATUS_TRYAGAIN)
180 status = NSS_STATUS_SUCCESS;
187 static service_user *pwent_nip = NULL;
188 static void *pwent_fct_start;
190 enum nss_status (*l)(struct passwd *pwd, char *buffer, size_t buflen,
194 static const char *pwent_fct_name = "getpwent_r";
197 _nss_nonlocal_setpwent(int stayopen)
199 static const char *fct_name = "setpwent";
200 static void *fct_start = NULL;
201 enum nss_status status;
204 enum nss_status (*l)(int stayopen);
208 nip = nss_passwd_nonlocal_database();
210 return NSS_STATUS_UNAVAIL;
211 if (fct_start == NULL)
212 fct_start = __nss_lookup_function(nip, fct_name);
216 status = NSS_STATUS_UNAVAIL;
218 status = DL_CALL_FCT(fct.l, (stayopen));
219 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
220 if (status != NSS_STATUS_SUCCESS)
224 if (pwent_fct_start == NULL)
225 pwent_fct_start = __nss_lookup_function(nip, pwent_fct_name);
226 pwent_fct.ptr = pwent_fct_start;
227 return NSS_STATUS_SUCCESS;
231 _nss_nonlocal_endpwent(void)
233 static const char *fct_name = "endpwent";
234 static void *fct_start = NULL;
235 enum nss_status status;
238 enum nss_status (*l)(void);
244 nip = nss_passwd_nonlocal_database();
246 return NSS_STATUS_UNAVAIL;
247 if (fct_start == NULL)
248 fct_start = __nss_lookup_function(nip, fct_name);
252 status = NSS_STATUS_UNAVAIL;
254 status = DL_CALL_FCT(fct.l, ());
255 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
260 _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
263 enum nss_status status;
265 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
266 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
267 return NSS_STATUS_UNAVAIL;
269 if (pwent_nip == NULL) {
270 status = _nss_nonlocal_setpwent(0);
271 if (status != NSS_STATUS_SUCCESS)
275 if (pwent_fct.ptr == NULL)
276 status = NSS_STATUS_UNAVAIL;
280 status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
281 while (status == NSS_STATUS_SUCCESS &&
282 check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, &nonlocal_errno) != NSS_STATUS_SUCCESS);
284 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
287 if (status == NSS_STATUS_SUCCESS)
288 return NSS_STATUS_SUCCESS;
289 } while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0);
292 return NSS_STATUS_NOTFOUND;
297 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
298 char *buffer, size_t buflen, int *errnop)
300 static const char *fct_name = "getpwnam_r";
301 static void *fct_start = NULL;
302 enum nss_status status;
305 enum nss_status (*l)(const char *name, struct passwd *pwd,
306 char *buffer, size_t buflen, int *errnop);
311 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
312 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
313 return NSS_STATUS_UNAVAIL;
315 nip = nss_passwd_nonlocal_database();
317 return NSS_STATUS_UNAVAIL;
318 if (fct_start == NULL)
319 fct_start = __nss_lookup_function(nip, fct_name);
323 status = NSS_STATUS_UNAVAIL;
325 status = DL_CALL_FCT(fct.l, (name, pwd, buffer, buflen, errnop));
326 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
328 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
329 if (status != NSS_STATUS_SUCCESS)
332 status = check_nonlocal_uid(name, pwd->pw_uid, errnop);
333 if (status != NSS_STATUS_SUCCESS)
336 if (check_nonlocal_gid(name, pwd->pw_gid, &group_errno) !=
338 pwd->pw_gid = 65534 /* nogroup */;
339 return NSS_STATUS_SUCCESS;
343 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
344 char *buffer, size_t buflen, int *errnop)
346 static const char *fct_name = "getpwuid_r";
347 static void *fct_start = NULL;
348 enum nss_status status;
351 enum nss_status (*l)(uid_t uid, struct passwd *pwd,
352 char *buffer, size_t buflen, int *errnop);
357 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
358 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
359 return NSS_STATUS_UNAVAIL;
361 nip = nss_passwd_nonlocal_database();
363 return NSS_STATUS_UNAVAIL;
364 if (fct_start == NULL)
365 fct_start = __nss_lookup_function(nip, fct_name);
369 status = NSS_STATUS_UNAVAIL;
371 status = DL_CALL_FCT(fct.l, (uid, pwd, buffer, buflen, errnop));
372 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
374 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
375 if (status != NSS_STATUS_SUCCESS)
378 status = check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, errnop);
379 if (status != NSS_STATUS_SUCCESS)
382 if (check_nonlocal_gid(pwd->pw_name, pwd->pw_gid, &group_errno) !=
384 pwd->pw_gid = 65534 /* nogroup */;
385 return NSS_STATUS_SUCCESS;