3 * passwd database for nss_nonlocal proxy.
5 * Copyright © 2007–2010 Anders Kaseorg <andersk@mit.edu> and Tim
6 * Abbott <tabbott@mit.edu>
8 * This file is part of nss_nonlocal.
10 * nss_nonlocal is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU Lesser General Public License
12 * as published by the Free Software Foundation; either version 2.1 of
13 * the License, or (at your option) any later version.
15 * nss_nonlocal is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * Lesser General Public License for more details.
20 * You should have received a copy of the GNU Lesser General Public
21 * License along with nss_nonlocal; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
28 #include <sys/types.h>
40 #include "nsswitch-internal.h"
45 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
46 char *buffer, size_t buflen, int *errnop);
48 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
49 char *buffer, size_t buflen, int *errnop);
53 nss_passwd_nonlocal_database(void)
55 static service_user *nip = NULL;
57 __nss_database_lookup("passwd_nonlocal", NULL, "", &nip);
64 check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
66 static const char *fct_name = "getpwuid_r";
67 static service_user *startp = NULL;
68 static void *fct_start = NULL;
69 enum nss_status status;
72 enum nss_status (*l)(uid_t uid, struct passwd *pwd,
73 char *buffer, size_t buflen, int *errnop);
77 int old_errno = errno;
79 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
80 char *buf = malloc(buflen);
84 return NSS_STATUS_TRYAGAIN;
87 if (fct_start == NULL &&
88 __nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
90 return NSS_STATUS_UNAVAIL;
96 if (fct.l == _nss_nonlocal_getpwuid_r)
97 status = NSS_STATUS_NOTFOUND;
99 status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
100 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
103 buf = malloc(buflen);
107 return NSS_STATUS_TRYAGAIN;
111 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
113 if (status == NSS_STATUS_SUCCESS) {
114 syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
115 status = NSS_STATUS_NOTFOUND;
116 } else if (status != NSS_STATUS_TRYAGAIN) {
117 status = NSS_STATUS_SUCCESS;
125 check_nonlocal_passwd(const char *user, struct passwd *pwd, int *errnop)
127 enum nss_status status = NSS_STATUS_SUCCESS;
128 int old_errno = errno;
133 uid = strtoul(pwd->pw_name, &end, 10);
134 if (errno == 0 && *end == '\0' && (uid_t)uid == uid) {
136 status = check_nonlocal_uid(user, uid, errnop);
140 if (status != NSS_STATUS_SUCCESS)
143 return check_nonlocal_uid(user, pwd->pw_uid, errnop);
147 check_nonlocal_user(const char *user, int *errnop)
149 static const char *fct_name = "getpwnam_r";
150 static service_user *startp = NULL;
151 static void *fct_start = NULL;
152 enum nss_status status;
155 enum nss_status (*l)(const char *name, struct passwd *pwd,
156 char *buffer, size_t buflen, int *errnop);
160 int old_errno = errno;
162 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
163 char *buf = malloc(buflen);
167 return NSS_STATUS_TRYAGAIN;
170 if (fct_start == NULL &&
171 __nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
173 return NSS_STATUS_UNAVAIL;
179 if (fct.l == _nss_nonlocal_getpwnam_r)
180 status = NSS_STATUS_NOTFOUND;
182 status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
183 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
186 buf = malloc(buflen);
190 return NSS_STATUS_TRYAGAIN;
194 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
196 if (status == NSS_STATUS_SUCCESS)
197 status = NSS_STATUS_NOTFOUND;
198 else if (status != NSS_STATUS_TRYAGAIN)
199 status = NSS_STATUS_SUCCESS;
206 static service_user *pwent_nip = NULL;
207 static void *pwent_fct_start;
209 enum nss_status (*l)(struct passwd *pwd, char *buffer, size_t buflen,
213 static const char *pwent_fct_name = "getpwent_r";
216 _nss_nonlocal_setpwent(int stayopen)
218 static const char *fct_name = "setpwent";
219 static void *fct_start = NULL;
220 enum nss_status status;
223 enum nss_status (*l)(int stayopen);
227 nip = nss_passwd_nonlocal_database();
229 return NSS_STATUS_UNAVAIL;
230 if (fct_start == NULL)
231 fct_start = __nss_lookup_function(nip, fct_name);
235 status = NSS_STATUS_UNAVAIL;
237 status = DL_CALL_FCT(fct.l, (stayopen));
238 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
239 if (status != NSS_STATUS_SUCCESS)
243 if (pwent_fct_start == NULL)
244 pwent_fct_start = __nss_lookup_function(nip, pwent_fct_name);
245 pwent_fct.ptr = pwent_fct_start;
246 return NSS_STATUS_SUCCESS;
250 _nss_nonlocal_endpwent(void)
252 static const char *fct_name = "endpwent";
253 static void *fct_start = NULL;
254 enum nss_status status;
257 enum nss_status (*l)(void);
263 nip = nss_passwd_nonlocal_database();
265 return NSS_STATUS_UNAVAIL;
266 if (fct_start == NULL)
267 fct_start = __nss_lookup_function(nip, fct_name);
271 status = NSS_STATUS_UNAVAIL;
273 status = DL_CALL_FCT(fct.l, ());
274 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
279 _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
282 enum nss_status status;
284 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
285 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
286 return NSS_STATUS_UNAVAIL;
288 if (pwent_nip == NULL) {
289 status = _nss_nonlocal_setpwent(0);
290 if (status != NSS_STATUS_SUCCESS)
294 if (pwent_fct.ptr == NULL)
295 status = NSS_STATUS_UNAVAIL;
299 status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
300 while (status == NSS_STATUS_SUCCESS &&
301 check_nonlocal_passwd(pwd->pw_name, pwd, &nonlocal_errno) != NSS_STATUS_SUCCESS);
303 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
306 if (status == NSS_STATUS_SUCCESS)
307 return NSS_STATUS_SUCCESS;
308 } while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0);
311 return NSS_STATUS_NOTFOUND;
316 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
317 char *buffer, size_t buflen, int *errnop)
319 static const char *fct_name = "getpwnam_r";
320 static void *fct_start = NULL;
321 enum nss_status status;
324 enum nss_status (*l)(const char *name, struct passwd *pwd,
325 char *buffer, size_t buflen, int *errnop);
330 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
331 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
332 return NSS_STATUS_UNAVAIL;
334 nip = nss_passwd_nonlocal_database();
336 return NSS_STATUS_UNAVAIL;
337 if (fct_start == NULL)
338 fct_start = __nss_lookup_function(nip, fct_name);
342 status = NSS_STATUS_UNAVAIL;
344 status = DL_CALL_FCT(fct.l, (name, pwd, buffer, buflen, errnop));
345 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
347 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
348 if (status != NSS_STATUS_SUCCESS)
351 if (strcmp(name, pwd->pw_name) != 0) {
352 syslog(LOG_ERR, "nss_nonlocal: discarding user %s from lookup for user %s\n", pwd->pw_name, name);
353 return NSS_STATUS_NOTFOUND;
356 status = check_nonlocal_passwd(name, pwd, errnop);
357 if (status != NSS_STATUS_SUCCESS)
360 if (check_nonlocal_gid(name, pwd->pw_gid, &group_errno) !=
362 pwd->pw_gid = 65534 /* nogroup */;
363 return NSS_STATUS_SUCCESS;
367 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
368 char *buffer, size_t buflen, int *errnop)
370 static const char *fct_name = "getpwuid_r";
371 static void *fct_start = NULL;
372 enum nss_status status;
375 enum nss_status (*l)(uid_t uid, struct passwd *pwd,
376 char *buffer, size_t buflen, int *errnop);
381 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
382 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
383 return NSS_STATUS_UNAVAIL;
385 nip = nss_passwd_nonlocal_database();
387 return NSS_STATUS_UNAVAIL;
388 if (fct_start == NULL)
389 fct_start = __nss_lookup_function(nip, fct_name);
393 status = NSS_STATUS_UNAVAIL;
395 status = DL_CALL_FCT(fct.l, (uid, pwd, buffer, buflen, errnop));
396 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
398 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
399 if (status != NSS_STATUS_SUCCESS)
402 if (uid != pwd->pw_uid) {
403 syslog(LOG_ERR, "nss_nonlocal: discarding uid %d from lookup for uid %d\n", pwd->pw_uid, uid);
404 return NSS_STATUS_NOTFOUND;
407 status = check_nonlocal_passwd(pwd->pw_name, pwd, errnop);
408 if (status != NSS_STATUS_SUCCESS)
411 if (check_nonlocal_gid(pwd->pw_name, pwd->pw_gid, &group_errno) !=
413 pwd->pw_gid = 65534 /* nogroup */;
414 return NSS_STATUS_SUCCESS;