X-Git-Url: http://andersk.mit.edu/gitweb/nss_nonlocal.git/blobdiff_plain/1e78305dcf5d03fbd569dcb8a28255c0a50dc21a..cf3383162f443111e02d16e95846c82ad360b5df:/nonlocal-passwd.c

diff --git a/nonlocal-passwd.c b/nonlocal-passwd.c
index 05a06bf..ffd5375 100644
--- a/nonlocal-passwd.c
+++ b/nonlocal-passwd.c
@@ -43,7 +43,13 @@
 #include "nsswitch-internal.h"
 #include "nonlocal.h"
 
-#define MAGIC_LOCAL_PW_BUFLEN (sysconf(_SC_GETPW_R_SIZE_MAX) + 7)
+
+enum nss_status
+_nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
+			 char *buffer, size_t buflen, int *errnop);
+enum nss_status
+_nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
+			 char *buffer, size_t buflen, int *errnop);
 
 
 static service_user *
@@ -60,57 +66,126 @@ nss_passwd_nonlocal_database(void)
 enum nss_status
 check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
 {
-    enum nss_status status = NSS_STATUS_SUCCESS;
+    static const char *fct_name = "getpwuid_r";
+    static service_user *startp = NULL;
+    static void *fct_start = NULL;
+    enum nss_status status;
+    service_user *nip;
+    union {
+	enum nss_status (*l)(uid_t uid, struct passwd *pwd,
+			     char *buffer, size_t buflen, int *errnop);
+	void *ptr;
+    } fct;
     struct passwd pwbuf;
-    struct passwd *pwbufp = &pwbuf;
-    int ret;
     int old_errno = errno;
-    int buflen = MAGIC_LOCAL_PW_BUFLEN;
+
+    size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
     char *buf = malloc(buflen);
     if (buf == NULL) {
 	*errnop = ENOMEM;
 	errno = old_errno;
 	return NSS_STATUS_TRYAGAIN;
     }
-    errno = 0;
-    ret = getpwuid_r(uid, pwbufp, buf, buflen, &pwbufp);
-    if (ret != 0) {
-	*errnop = errno;
-	status = NSS_STATUS_TRYAGAIN;
-    } else if (pwbufp != NULL) {
+
+    if (fct_start == NULL &&
+	__nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
+	free(buf);
+	return NSS_STATUS_UNAVAIL;
+    }
+    nip = startp;
+    fct.ptr = fct_start;
+    do {
+    morebuf:
+	if (fct.l == _nss_nonlocal_getpwuid_r)
+	    status = NSS_STATUS_NOTFOUND;
+	else
+	    status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
+	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+	    free(buf);
+	    buflen *= 2;
+	    buf = malloc(buflen);
+	    if (buf == NULL) {
+		*errnop = ENOMEM;
+		errno = old_errno;
+		return NSS_STATUS_TRYAGAIN;
+	    }
+	    goto morebuf;
+	}
+    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+
+    if (status == NSS_STATUS_SUCCESS) {
 	syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
 	status = NSS_STATUS_NOTFOUND;
+    } else if (status != NSS_STATUS_TRYAGAIN) {
+	status = NSS_STATUS_SUCCESS;
     }
+
     free(buf);
-    errno = old_errno;
     return status;
 }
 
+enum nss_status
+check_nonlocal_passwd(const char *user, struct passwd *pwd, int *errnop)
+{
+    return check_nonlocal_uid(user, pwd->pw_uid, errnop);
+}
+
 enum nss_status
 check_nonlocal_user(const char *user, int *errnop)
 {
-    enum nss_status status = NSS_STATUS_SUCCESS;
+    static const char *fct_name = "getpwnam_r";
+    static service_user *startp = NULL;
+    static void *fct_start = NULL;
+    enum nss_status status;
+    service_user *nip;
+    union {
+	enum nss_status (*l)(const char *name, struct passwd *pwd,
+			     char *buffer, size_t buflen, int *errnop);
+	void *ptr;
+    } fct;
     struct passwd pwbuf;
-    struct passwd *pwbufp = &pwbuf;
-    int ret;
     int old_errno = errno;
-    int buflen = MAGIC_LOCAL_PW_BUFLEN;
+
+    size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
     char *buf = malloc(buflen);
     if (buf == NULL) {
 	*errnop = ENOMEM;
 	errno = old_errno;
 	return NSS_STATUS_TRYAGAIN;
     }
-    errno = 0;
-    ret = getpwnam_r(user, pwbufp, buf, buflen, &pwbufp);
-    if (ret != 0) {
-	*errnop = errno;
-	status = NSS_STATUS_TRYAGAIN;
-    } else if (pwbufp != NULL) {
-	status = NSS_STATUS_NOTFOUND;
+
+    if (fct_start == NULL &&
+	__nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
+	free(buf);
+	return NSS_STATUS_UNAVAIL;
     }
+    nip = startp;
+    fct.ptr = fct_start;
+    do {
+    morebuf:
+	if (fct.l == _nss_nonlocal_getpwnam_r)
+	    status = NSS_STATUS_NOTFOUND;
+	else
+	    status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
+	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+	    free(buf);
+	    buflen *= 2;
+	    buf = malloc(buflen);
+	    if (buf == NULL) {
+		*errnop = ENOMEM;
+		errno = old_errno;
+		return NSS_STATUS_TRYAGAIN;
+	    }
+	    goto morebuf;
+	}
+    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+
+    if (status == NSS_STATUS_SUCCESS)
+	status = NSS_STATUS_NOTFOUND;
+    else if (status != NSS_STATUS_TRYAGAIN)
+	status = NSS_STATUS_SUCCESS;
+
     free(buf);
-    errno = old_errno;
     return status;
 }
 
@@ -192,6 +267,11 @@ _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
 			 int *errnop)
 {
     enum nss_status status;
+
+    char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
+    if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
+	return NSS_STATUS_UNAVAIL;
+
     if (pwent_nip == NULL) {
 	status = _nss_nonlocal_setpwent(0);
 	if (status != NSS_STATUS_SUCCESS)
@@ -203,9 +283,9 @@ _nss_nonlocal_getpwent_r(struct passwd *pwd, char *buffer, size_t buflen,
 	else {
 	    int nonlocal_errno;
 	    do
-		status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));	
+		status = DL_CALL_FCT(pwent_fct.l, (pwd, buffer, buflen, errnop));
 	    while (status == NSS_STATUS_SUCCESS &&
-		   check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, &nonlocal_errno) != NSS_STATUS_SUCCESS);
+		   check_nonlocal_passwd(pwd->pw_name, pwd, &nonlocal_errno) != NSS_STATUS_SUCCESS);
 	}
 	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
 	    return status;
@@ -234,7 +314,8 @@ _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
     } fct;
     int group_errno;
 
-    if (buflen == MAGIC_LOCAL_PW_BUFLEN)
+    char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
+    if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
 	return NSS_STATUS_UNAVAIL;
 
     nip = nss_passwd_nonlocal_database();
@@ -254,7 +335,12 @@ _nss_nonlocal_getpwnam_r(const char *name, struct passwd *pwd,
     if (status != NSS_STATUS_SUCCESS)
 	return status;
 
-    status = check_nonlocal_uid(name, pwd->pw_uid, errnop);
+    if (strcmp(name, pwd->pw_name) != 0) {
+	syslog(LOG_ERR, "nss_nonlocal: discarding user %s from lookup for user %s\n", pwd->pw_name, name);
+	return NSS_STATUS_NOTFOUND;
+    }
+
+    status = check_nonlocal_passwd(name, pwd, errnop);
     if (status != NSS_STATUS_SUCCESS)
 	return status;
 
@@ -279,7 +365,8 @@ _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
     } fct;
     int group_errno;
 
-    if (buflen == MAGIC_LOCAL_PW_BUFLEN)
+    char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
+    if (nonlocal_ignore != NULL && nonlocal_ignore[0] != '\0')
 	return NSS_STATUS_UNAVAIL;
 
     nip = nss_passwd_nonlocal_database();
@@ -299,7 +386,7 @@ _nss_nonlocal_getpwuid_r(uid_t uid, struct passwd *pwd,
     if (status != NSS_STATUS_SUCCESS)
 	return status;
 
-    status = check_nonlocal_uid(pwd->pw_name, pwd->pw_uid, errnop);
+    status = check_nonlocal_passwd(pwd->pw_name, pwd, errnop);
     if (status != NSS_STATUS_SUCCESS)
 	return status;