3 * passwd database for nss_nonlocal proxy.
5 * Copyright © 2007 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
8 * Permission is hereby granted, free of charge, to any person
9 * obtaining a copy of this software and associated documentation
10 * files (the "Software"), to deal in the Software without
11 * restriction, including without limitation the rights to use, copy,
12 * modify, merge, publish, distribute, sublicense, and/or sell copies
13 * of the Software, and to permit persons to whom the Software is
14 * furnished to do so, subject to the following conditions:
16 * The above copyright notice and this permission notice shall be
17 * included in all copies or substantial portions of the Software.
19 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
20 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
21 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
22 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
23 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
24 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
25 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
31 #include <sys/types.h>
43 #include "nsswitch-internal.h"
46 #define MAGIC_LOCAL_PW_BUFLEN (sysconf(_SC_GETPW_R_SIZE_MAX) + 7)
50 nss_passwd_nonlocal_database(void)
52 static service_user *nip = NULL;
54 __nss_database_lookup("passwd_nonlocal", NULL, "", &nip);
61 check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
63 enum nss_status status = NSS_STATUS_SUCCESS;
65 struct passwd *pwbufp = &pwbuf;
67 int old_errno = errno;
68 int buflen = MAGIC_LOCAL_PW_BUFLEN;
69 char *buf = malloc(buflen);
73 return NSS_STATUS_TRYAGAIN;
76 ret = getpwuid_r(uid, pwbufp, buf, buflen, &pwbufp);
79 status = NSS_STATUS_TRYAGAIN;
80 } else if (pwbufp != NULL) {
81 syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
82 status = NSS_STATUS_NOTFOUND;
90 check_nonlocal_user(const char *user, int *errnop)
92 enum nss_status status = NSS_STATUS_SUCCESS;
94 struct passwd *pwbufp = &pwbuf;
96 int old_errno = errno;
97 int buflen = MAGIC_LOCAL_PW_BUFLEN;
98 char *buf = malloc(buflen);
102 return NSS_STATUS_TRYAGAIN;
105 ret = getpwnam_r(user, pwbufp, buf, buflen, &pwbufp);
108 status = NSS_STATUS_TRYAGAIN;
109 } else if (pwbufp != NULL) {
110 status = NSS_STATUS_NOTFOUND;
118 static service_user *pwent_nip = NULL;
119 static void *pwent_fct_start;
121 enum nss_status (*l)(struct passwd *pwd, char *buffer, size_t buflen,
125 static const char *pwent_fct_name = "getpwent_r";
128 _nss_nonlocal_setpwent(int stayopen)
130 static const char *fct_name = "setpwent";
131 static void *fct_start = NULL;
132 enum nss_status status;
135 enum nss_status (*l)(int stayopen);
139 nip = nss_passwd_nonlocal_database();
141 return NSS_STATUS_UNAVAIL;
142 if (fct_start == NULL)
143 fct_start = __nss_lookup_function(nip, fct_name);
147 status = NSS_STATUS_UNAVAIL;
149 status = DL_CALL_FCT(fct.l, (stayopen));
150 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
151 if (status != NSS_STATUS_SUCCESS)
155 if (pwent_fct_start == NULL)
156 pwent_fct_start = __nss_lookup_function(nip, pwent_fct_name);
157 pwent_fct.ptr = pwent_fct_start;
158 return NSS_STATUS_SUCCESS;
162 _nss_nonlocal_endpwent(void)
164 static const char *fct_name = "endpwent";
165 static void *fct_start = NULL;
166 enum nss_status status;
169 enum nss_status (*l)(void);
175 nip = nss_passwd_nonlocal_database();
177 return NSS_STATUS_UNAVAIL;
178 if (fct_start == NULL)
179 fct_start = __nss_lookup_function(nip, fct_name);
183 status = NSS_STATUS_UNAVAIL;
185 status = DL_CALL_FCT(fct.l, ());
186 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
191 _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
194 enum nss_status status;
196 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
197 if (buflen == MAGIC_LOCAL_PW_BUFLEN ||
198 (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0'))
199 return NSS_STATUS_UNAVAIL;
201 if (pwent_nip == NULL) {
202 status = _nss_nonlocal_setpwent(0);
203 if (status != NSS_STATUS_SUCCESS)
207 if (pwent_fct.ptr == NULL)
208 status = NSS_STATUS_UNAVAIL;
212 status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
213 while (status == NSS_STATUS_SUCCESS &&
214 check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, &nonlocal_errno) != NSS_STATUS_SUCCESS);
216 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
219 if (status == NSS_STATUS_SUCCESS)
220 return NSS_STATUS_SUCCESS;
221 } while (__nss_next(&pwent_nip, pwent_fct_name, &pwent_fct.ptr, status, 0) == 0);
224 return NSS_STATUS_NOTFOUND;
229 _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
230 char *buffer, size_t buflen, int *errnop)
232 static const char *fct_name = "getpwnam_r";
233 static void *fct_start = NULL;
234 enum nss_status status;
237 enum nss_status (*l)(const char *name, struct passwd *pwd,
238 char *buffer, size_t buflen, int *errnop);
243 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
244 if (buflen == MAGIC_LOCAL_PW_BUFLEN ||
245 (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0'))
246 return NSS_STATUS_UNAVAIL;
248 nip = nss_passwd_nonlocal_database();
250 return NSS_STATUS_UNAVAIL;
251 if (fct_start == NULL)
252 fct_start = __nss_lookup_function(nip, fct_name);
256 status = NSS_STATUS_UNAVAIL;
258 status = DL_CALL_FCT(fct.l, (name, pwd, buffer, buflen, errnop));
259 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
261 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
262 if (status != NSS_STATUS_SUCCESS)
265 status = check_nonlocal_uid(name, pwd->pw_uid, errnop);
266 if (status != NSS_STATUS_SUCCESS)
269 if (check_nonlocal_gid(name, pwd->pw_gid, &group_errno) !=
271 pwd->pw_gid = 65534 /* nogroup */;
272 return NSS_STATUS_SUCCESS;
276 _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
277 char *buffer, size_t buflen, int *errnop)
279 static const char *fct_name = "getpwuid_r";
280 static void *fct_start = NULL;
281 enum nss_status status;
284 enum nss_status (*l)(uid_t uid, struct passwd *pwd,
285 char *buffer, size_t buflen, int *errnop);
290 char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
291 if (buflen == MAGIC_LOCAL_PW_BUFLEN ||
292 (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0'))
293 return NSS_STATUS_UNAVAIL;
295 nip = nss_passwd_nonlocal_database();
297 return NSS_STATUS_UNAVAIL;
298 if (fct_start == NULL)
299 fct_start = __nss_lookup_function(nip, fct_name);
303 status = NSS_STATUS_UNAVAIL;
305 status = DL_CALL_FCT(fct.l, (uid, pwd, buffer, buflen, errnop));
306 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
308 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
309 if (status != NSS_STATUS_SUCCESS)
312 status = check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, errnop);
313 if (status != NSS_STATUS_SUCCESS)
316 if (check_nonlocal_gid(pwd->pw_name, pwd->pw_gid, &group_errno) !=
318 pwd->pw_gid = 65534 /* nogroup */;
319 return NSS_STATUS_SUCCESS;