#include "nsswitch-internal.h"
#include "nonlocal.h"
-#define MAGIC_LOCAL_PW_BUFLEN (sysconf(_SC_GETPW_R_SIZE_MAX) + 7)
+
+enum nss_status
+_nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
+ char *buffer, size_t buflen, int *errnop);
+enum nss_status
+_nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
+ char *buffer, size_t buflen, int *errnop);
static service_user *
enum nss_status
check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
{
- enum nss_status status = NSS_STATUS_SUCCESS;
+ static const char *fct_name = "getpwuid_r";
+ static service_user *startp = NULL;
+ static void *fct_start = NULL;
+ enum nss_status status;
+ service_user *nip;
+ union {
+ enum nss_status (*l)(uid_t uid, struct passwd *pwd,
+ char *buffer, size_t buflen, int *errnop);
+ void *ptr;
+ } fct;
struct passwd pwbuf;
- struct passwd *pwbufp = &pwbuf;
- int ret;
int old_errno = errno;
- int buflen = MAGIC_LOCAL_PW_BUFLEN;
+
+ int buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
char *buf = malloc(buflen);
if (buf == NULL) {
*errnop = ENOMEM;
errno = old_errno;
return NSS_STATUS_TRYAGAIN;
}
- errno = 0;
- ret = getpwuid_r(uid, pwbufp, buf, buflen, &pwbufp);
- if (ret != 0) {
- *errnop = errno;
- status = NSS_STATUS_TRYAGAIN;
- } else if (pwbufp != NULL) {
+
+ if (fct_start == NULL &&
+ __nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
+ free(buf);
+ return NSS_STATUS_UNAVAIL;
+ }
+ nip = startp;
+ fct.ptr = fct_start;
+ do {
+ morebuf:
+ if (fct.l == _nss_nonlocal_getpwuid_r)
+ status = NSS_STATUS_NOTFOUND;
+ else
+ status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
+ if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+ free(buf);
+ buflen *= 2;
+ buf = malloc(buflen);
+ if (buf == NULL) {
+ *errnop = ENOMEM;
+ errno = old_errno;
+ return NSS_STATUS_TRYAGAIN;
+ }
+ goto morebuf;
+ }
+ } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+
+ if (status == NSS_STATUS_SUCCESS) {
syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
status = NSS_STATUS_NOTFOUND;
+ } else if (status != NSS_STATUS_TRYAGAIN) {
+ status = NSS_STATUS_SUCCESS;
}
+
free(buf);
- errno = old_errno;
return status;
}
enum nss_status
check_nonlocal_user(const char *user, int *errnop)
{
- enum nss_status status = NSS_STATUS_SUCCESS;
+ static const char *fct_name = "getpwnam_r";
+ static service_user *startp = NULL;
+ static void *fct_start = NULL;
+ enum nss_status status;
+ service_user *nip;
+ union {
+ enum nss_status (*l)(const char *name, struct passwd *pwd,
+ char *buffer, size_t buflen, int *errnop);
+ void *ptr;
+ } fct;
struct passwd pwbuf;
- struct passwd *pwbufp = &pwbuf;
- int ret;
int old_errno = errno;
- int buflen = MAGIC_LOCAL_PW_BUFLEN;
+
+ int buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
char *buf = malloc(buflen);
if (buf == NULL) {
*errnop = ENOMEM;
errno = old_errno;
return NSS_STATUS_TRYAGAIN;
}
- errno = 0;
- ret = getpwnam_r(user, pwbufp, buf, buflen, &pwbufp);
- if (ret != 0) {
- *errnop = errno;
- status = NSS_STATUS_TRYAGAIN;
- } else if (pwbufp != NULL) {
- status = NSS_STATUS_NOTFOUND;
+
+ if (fct_start == NULL &&
+ __nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
+ free(buf);
+ return NSS_STATUS_UNAVAIL;
}
+ nip = startp;
+ fct.ptr = fct_start;
+ do {
+ morebuf:
+ if (fct.l == _nss_nonlocal_getpwnam_r)
+ status = NSS_STATUS_NOTFOUND;
+ else
+ status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
+ if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+ free(buf);
+ buflen *= 2;
+ buf = malloc(buflen);
+ if (buf == NULL) {
+ *errnop = ENOMEM;
+ errno = old_errno;
+ return NSS_STATUS_TRYAGAIN;
+ }
+ goto morebuf;
+ }
+ } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+
+ if (status == NSS_STATUS_SUCCESS)
+ status = NSS_STATUS_NOTFOUND;
+ else if (status != NSS_STATUS_TRYAGAIN)
+ status = NSS_STATUS_SUCCESS;
+
free(buf);
- errno = old_errno;
return status;
}
int *errnop)
{
enum nss_status status;
+
+ char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
+ if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
+ return NSS_STATUS_UNAVAIL;
+
if (pwent_nip == NULL) {
status = _nss_nonlocal_setpwent(0);
if (status != NSS_STATUS_SUCCESS)
else {
int nonlocal_errno;
do
- status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
+ status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
while (status == NSS_STATUS_SUCCESS &&
check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, &nonlocal_errno) != NSS_STATUS_SUCCESS);
}
} fct;
int group_errno;
- if (buflen == MAGIC_LOCAL_PW_BUFLEN)
+ char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
+ if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
return NSS_STATUS_UNAVAIL;
nip = nss_passwd_nonlocal_database();
} fct;
int group_errno;
- if (buflen == MAGIC_LOCAL_PW_BUFLEN)
+ char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
+ if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
return NSS_STATUS_UNAVAIL;
nip = nss_passwd_nonlocal_database();