3 * passwd database for nss_nonlocal proxy.
5 * Copyright © 2007 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
8 * Permission is hereby granted, free of charge, to any person
9 * obtaining a copy of this software and associated documentation
10 * files (the "Software"), to deal in the Software without
11 * restriction, including without limitation the rights to use, copy,
12 * modify, merge, publish, distribute, sublicense, and/or sell copies
13 * of the Software, and to permit persons to whom the Software is
14 * furnished to do so, subject to the following conditions:
16 * The above copyright notice and this permission notice shall be
17 * included in all copies or substantial portions of the Software.
19 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
20 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
21 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
22 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
23 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
24 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
25 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
31 #include <sys/types.h>
43 #include "nsswitch-internal.h"
48 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
49 char *buffer, size_t buflen, int *errnop);
51 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
52 char *buffer, size_t buflen, int *errnop);
56 nss_passwd_nonlocal_database(void)
58 static service_user *nip = NULL;
60 __nss_database_lookup("passwd_nonlocal", NULL, "", &nip);
67 check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
69 static const char *fct_name = "getpwuid_r";
70 static service_user *startp = NULL;
71 static void *fct_start = NULL;
72 enum nss_status status;
75 enum nss_status (*l)(uid_t uid, struct passwd *pwd,
76 char *buffer, size_t buflen, int *errnop);
80 int old_errno = errno;
82 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
83 char *buf = malloc(buflen);
87 return NSS_STATUS_TRYAGAIN;
90 if (fct_start == NULL &&
91 __nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
93 return NSS_STATUS_UNAVAIL;
99 if (fct.l == _nss_nonlocal_getpwuid_r)
100 status = NSS_STATUS_NOTFOUND;
102 status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
103 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
106 buf = malloc(buflen);
110 return NSS_STATUS_TRYAGAIN;
114 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
116 if (status == NSS_STATUS_SUCCESS) {
117 syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
118 status = NSS_STATUS_NOTFOUND;
119 } else if (status != NSS_STATUS_TRYAGAIN) {
120 status = NSS_STATUS_SUCCESS;
128 check_nonlocal_passwd(const char *user, struct passwd *pwd, int *errnop)
130 return check_nonlocal_uid(user, pwd->pw_uid, errnop);
134 check_nonlocal_user(const char *user, int *errnop)
136 static const char *fct_name = "getpwnam_r";
137 static service_user *startp = NULL;
138 static void *fct_start = NULL;
139 enum nss_status status;
142 enum nss_status (*l)(const char *name, struct passwd *pwd,
143 char *buffer, size_t buflen, int *errnop);
147 int old_errno = errno;
149 size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
150 char *buf = malloc(buflen);
154 return NSS_STATUS_TRYAGAIN;
157 if (fct_start == NULL &&
158 __nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
160 return NSS_STATUS_UNAVAIL;
166 if (fct.l == _nss_nonlocal_getpwnam_r)
167 status = NSS_STATUS_NOTFOUND;
169 status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
170 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
173 buf = malloc(buflen);
177 return NSS_STATUS_TRYAGAIN;
181 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
183 if (status == NSS_STATUS_SUCCESS)
184 status = NSS_STATUS_NOTFOUND;
185 else if (status != NSS_STATUS_TRYAGAIN)
186 status = NSS_STATUS_SUCCESS;
193 static service_user *pwent_nip = NULL;
194 static void *pwent_fct_start;
196 enum nss_status (*l)(struct passwd *pwd, char *buffer, size_t buflen,
200 static const char *pwent_fct_name = "getpwent_r";
203 _nss_nonlocal_setpwent(int stayopen)
205 static const char *fct_name = "setpwent";
206 static void *fct_start = NULL;
207 enum nss_status status;
210 enum nss_status (*l)(int stayopen);
214 nip = nss_passwd_nonlocal_database();
216 return NSS_STATUS_UNAVAIL;
217 if (fct_start == NULL)
218 fct_start = __nss_lookup_function(nip, fct_name);
222 status = NSS_STATUS_UNAVAIL;
224 status = DL_CALL_FCT(fct.l, (stayopen));
225 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
226 if (status != NSS_STATUS_SUCCESS)
230 if (pwent_fct_start == NULL)
231 pwent_fct_start = __nss_lookup_function(nip, pwent_fct_name);
232 pwent_fct.ptr = pwent_fct_start;
233 return NSS_STATUS_SUCCESS;
237 _nss_nonlocal_endpwent(void)
239 static const char *fct_name = "endpwent";
240 static void *fct_start = NULL;
241 enum nss_status status;
244 enum nss_status (*l)(void);
250 nip = nss_passwd_nonlocal_database();
252 return NSS_STATUS_UNAVAIL;
253 if (fct_start == NULL)
254 fct_start = __nss_lookup_function(nip, fct_name);
258 status = NSS_STATUS_UNAVAIL;
260 status = DL_CALL_FCT(fct.l, ());
261 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
266 _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
269 enum nss_status status;
271 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
272 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
273 return NSS_STATUS_UNAVAIL;
275 if (pwent_nip == NULL) {
276 status = _nss_nonlocal_setpwent(0);
277 if (status != NSS_STATUS_SUCCESS)
281 if (pwent_fct.ptr == NULL)
282 status = NSS_STATUS_UNAVAIL;
286 status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
287 while (status == NSS_STATUS_SUCCESS &&
288 check_nonlocal_passwd(pwd->pw_name, pwd, &nonlocal_errno) != NSS_STATUS_SUCCESS);
290 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
293 if (status == NSS_STATUS_SUCCESS)
294 return NSS_STATUS_SUCCESS;
295 } while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0);
298 return NSS_STATUS_NOTFOUND;
303 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
304 char *buffer, size_t buflen, int *errnop)
306 static const char *fct_name = "getpwnam_r";
307 static void *fct_start = NULL;
308 enum nss_status status;
311 enum nss_status (*l)(const char *name, struct passwd *pwd,
312 char *buffer, size_t buflen, int *errnop);
317 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
318 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
319 return NSS_STATUS_UNAVAIL;
321 nip = nss_passwd_nonlocal_database();
323 return NSS_STATUS_UNAVAIL;
324 if (fct_start == NULL)
325 fct_start = __nss_lookup_function(nip, fct_name);
329 status = NSS_STATUS_UNAVAIL;
331 status = DL_CALL_FCT(fct.l, (name, pwd, buffer, buflen, errnop));
332 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
334 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
335 if (status != NSS_STATUS_SUCCESS)
338 if (strcmp(name, pwd->pw_name) != 0) {
339 syslog(LOG_ERR, "nss_nonlocal: discarding user %s from lookup for user %s\n", pwd->pw_name, name);
340 return NSS_STATUS_NOTFOUND;
343 status = check_nonlocal_passwd(name, pwd, errnop);
344 if (status != NSS_STATUS_SUCCESS)
347 if (check_nonlocal_gid(name, pwd->pw_gid, &group_errno) !=
349 pwd->pw_gid = 65534 /* nogroup */;
350 return NSS_STATUS_SUCCESS;
354 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
355 char *buffer, size_t buflen, int *errnop)
357 static const char *fct_name = "getpwuid_r";
358 static void *fct_start = NULL;
359 enum nss_status status;
362 enum nss_status (*l)(uid_t uid, struct passwd *pwd,
363 char *buffer, size_t buflen, int *errnop);
368 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
369 if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
370 return NSS_STATUS_UNAVAIL;
372 nip = nss_passwd_nonlocal_database();
374 return NSS_STATUS_UNAVAIL;
375 if (fct_start == NULL)
376 fct_start = __nss_lookup_function(nip, fct_name);
380 status = NSS_STATUS_UNAVAIL;
382 status = DL_CALL_FCT(fct.l, (uid, pwd, buffer, buflen, errnop));
383 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
385 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
386 if (status != NSS_STATUS_SUCCESS)
389 status = check_nonlocal_passwd(pwd->pw_name, pwd, errnop);
390 if (status != NSS_STATUS_SUCCESS)
393 if (check_nonlocal_gid(pwd->pw_name, pwd->pw_gid, &group_errno) !=
395 pwd->pw_gid = 65534 /* nogroup */;
396 return NSS_STATUS_SUCCESS;