Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15:Update
glibc.13450
nss-compat.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File nss-compat.patch of Package glibc.13450
2017-10-04 Andreas Schwab <schwab@suse.de> * nis/Makefile (services): Remove compat. (libnss_compat-routines, libnss_compat-inhibit-o): Don't define. ($(objpfx)libnss_compat.so): Remove rule. * nis/Versions (libnss_compat): Remove. * nss/Makefile (services): Add compat. (libnss_compat-routines, libnss_compat-inhibit-o): Define. * nss/Versions (libnss_compat): Define. * nss/nss_compat/compat-grp.c: Moved here from nis/nss_compat. Don't include <rpc/types.h>. Replace bool_t by bool. * nss/nss_compat/compat-initgroups.c: Likewise. * nss/nss_compat/compat-pwd.c: Likewise. Include "nisdomain.h" instead of <rpcsrv/ypclnt.h>. (getpwent_next_nss_netgr): Use __nss_get_default_domain instead of yp_get_default_domain. * nss/nss_compat/compat-pwd.c: Likewise. (getspent_next_nss_netgr): Use __nss_get_default_domain instead of yp_get_default_domain. * nss/nss_compat/nisdomain.c: New file. * nss/nss_compat/nisdomain.h: Likewise. Index: glibc-2.26/nis/Makefile =================================================================== --- glibc-2.26.orig/nis/Makefile +++ glibc-2.26/nis/Makefile @@ -33,7 +33,7 @@ databases = proto service hosts network spwd netgrp alias publickey # Specify rules for the nss_* modules. -services := nis nisplus compat +services := nis nisplus endif extra-libs = libnsl @@ -63,9 +63,6 @@ libnsl-routines = yp_xdr ypclnt ypupdate nis_clone_res nss-default ifeq ($(build-obsolete-nsl),yes) -libnss_compat-routines := $(addprefix compat-,grp pwd spwd initgroups) -libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) - libnss_nis-routines := $(addprefix nis-,$(databases)) nis-initgroups \ nss-nis libnss_nis-inhibit-o = $(filter-out .os,$(object-suffixes)) @@ -79,7 +76,6 @@ include ../Rules ifeq ($(build-obsolete-nsl),yes) -$(objpfx)libnss_compat.so: $(objpfx)libnsl.so$(libnsl.so-version) $(objpfx)libnss_nis.so: $(objpfx)libnsl.so$(libnsl.so-version) \ $(common-objpfx)nss/libnss_files.so $(objpfx)libnss_nisplus.so: $(objpfx)libnsl.so$(libnsl.so-version) Index: glibc-2.26/nis/Versions =================================================================== --- glibc-2.26.orig/nis/Versions +++ glibc-2.26/nis/Versions @@ -63,17 +63,6 @@ libnsl { } } -libnss_compat { - GLIBC_PRIVATE { - _nss_compat_endgrent; _nss_compat_endpwent; _nss_compat_endspent; - _nss_compat_getgrent_r; _nss_compat_getgrgid_r; _nss_compat_getgrnam_r; - _nss_compat_getpwent_r; _nss_compat_getpwnam_r; _nss_compat_getpwuid_r; - _nss_compat_getspent_r; _nss_compat_getspnam_r; - _nss_compat_setgrent; _nss_compat_setpwent; _nss_compat_setspent; - _nss_compat_initgroups_dyn; - } -} - libnss_nis { GLIBC_PRIVATE { _nss_nis_endaliasent; _nss_nis_endetherent; _nss_nis_endgrent; Index: glibc-2.26/nis/nss_compat/compat-grp.c =================================================================== --- glibc-2.26.orig/nis/nss_compat/compat-grp.c +++ /dev/null @@ -1,683 +0,0 @@ -/* Copyright (C) 1996-2017 Free Software Foundation, Inc. - This file is part of the GNU C Library. - Contributed by Thorsten Kukuk <kukuk@suse.de>, 1996. - - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - The GNU C Library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - <http://www.gnu.org/licenses/>. */ - -#include <ctype.h> -#include <errno.h> -#include <fcntl.h> -#include <grp.h> -#include <nss.h> -#include <nsswitch.h> -#include <stdio_ext.h> -#include <string.h> -#include <rpc/types.h> -#include <libc-lock.h> -#include <kernel-features.h> - -static service_user *ni; -static enum nss_status (*nss_setgrent) (int stayopen); -static enum nss_status (*nss_getgrnam_r) (const char *name, - struct group * grp, char *buffer, - size_t buflen, int *errnop); -static enum nss_status (*nss_getgrgid_r) (gid_t gid, struct group * grp, - char *buffer, size_t buflen, - int *errnop); -static enum nss_status (*nss_getgrent_r) (struct group * grp, char *buffer, - size_t buflen, int *errnop); -static enum nss_status (*nss_endgrent) (void); - -/* Get the declaration of the parser function. */ -#define ENTNAME grent -#define STRUCTURE group -#define EXTERN_PARSER -#include <nss/nss_files/files-parse.c> - -/* Structure for remembering -group members ... */ -#define BLACKLIST_INITIAL_SIZE 512 -#define BLACKLIST_INCREMENT 256 -struct blacklist_t -{ - char *data; - int current; - int size; -}; - -struct ent_t -{ - bool_t files; - enum nss_status setent_status; - FILE *stream; - struct blacklist_t blacklist; -}; -typedef struct ent_t ent_t; - -static ent_t ext_ent = { TRUE, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0 }}; - -/* Protect global state against multiple changers. */ -__libc_lock_define_initialized (static, lock) - -/* Prototypes for local functions. */ -static void blacklist_store_name (const char *, ent_t *); -static int in_blacklist (const char *, int, ent_t *); - -/* Initialize the NSS interface/functions. The calling function must - hold the lock. */ -static void -init_nss_interface (void) -{ - if (__nss_database_lookup ("group_compat", NULL, "nis", &ni) >= 0) - { - nss_setgrent = __nss_lookup_function (ni, "setgrent"); - nss_getgrnam_r = __nss_lookup_function (ni, "getgrnam_r"); - nss_getgrgid_r = __nss_lookup_function (ni, "getgrgid_r"); - nss_getgrent_r = __nss_lookup_function (ni, "getgrent_r"); - nss_endgrent = __nss_lookup_function (ni, "endgrent"); - } -} - -static enum nss_status -internal_setgrent (ent_t *ent, int stayopen, int needent) -{ - enum nss_status status = NSS_STATUS_SUCCESS; - - ent->files = TRUE; - - if (ent->blacklist.data != NULL) - { - ent->blacklist.current = 1; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - } - else - ent->blacklist.current = 0; - - if (ent->stream == NULL) - { - ent->stream = fopen ("/etc/group", "rme"); - - if (ent->stream == NULL) - status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL; - else - /* We take care of locking ourself. */ - __fsetlocking (ent->stream, FSETLOCKING_BYCALLER); - } - else - rewind (ent->stream); - - if (needent && status == NSS_STATUS_SUCCESS && nss_setgrent) - ent->setent_status = nss_setgrent (stayopen); - - return status; -} - - -enum nss_status -_nss_compat_setgrent (int stayopen) -{ - enum nss_status result; - - __libc_lock_lock (lock); - - if (ni == NULL) - init_nss_interface (); - - result = internal_setgrent (&ext_ent, stayopen, 1); - - __libc_lock_unlock (lock); - - return result; -} - - -static enum nss_status -internal_endgrent (ent_t *ent) -{ - if (ent->stream != NULL) - { - fclose (ent->stream); - ent->stream = NULL; - } - - if (ent->blacklist.data != NULL) - { - ent->blacklist.current = 1; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - } - else - ent->blacklist.current = 0; - - return NSS_STATUS_SUCCESS; -} - -enum nss_status -_nss_compat_endgrent (void) -{ - enum nss_status result; - - __libc_lock_lock (lock); - - if (nss_endgrent) - nss_endgrent (); - - result = internal_endgrent (&ext_ent); - - __libc_lock_unlock (lock); - - return result; -} - -/* get the next group from NSS (+ entry) */ -static enum nss_status -getgrent_next_nss (struct group *result, ent_t *ent, char *buffer, - size_t buflen, int *errnop) -{ - if (!nss_getgrent_r) - return NSS_STATUS_UNAVAIL; - - /* If the setgrent call failed, say so. */ - if (ent->setent_status != NSS_STATUS_SUCCESS) - return ent->setent_status; - - do - { - enum nss_status status; - - if ((status = nss_getgrent_r (result, buffer, buflen, errnop)) != - NSS_STATUS_SUCCESS) - return status; - } - while (in_blacklist (result->gr_name, strlen (result->gr_name), ent)); - - return NSS_STATUS_SUCCESS; -} - -/* This function handle the +group entrys in /etc/group */ -static enum nss_status -getgrnam_plusgroup (const char *name, struct group *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - if (!nss_getgrnam_r) - return NSS_STATUS_UNAVAIL; - - enum nss_status status = nss_getgrnam_r (name, result, buffer, buflen, - errnop); - if (status != NSS_STATUS_SUCCESS) - return status; - - if (in_blacklist (result->gr_name, strlen (result->gr_name), ent)) - return NSS_STATUS_NOTFOUND; - - /* We found the entry. */ - return NSS_STATUS_SUCCESS; -} - -static enum nss_status -getgrent_next_file (struct group *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - struct parser_data *data = (void *) buffer; - while (1) - { - fpos_t pos; - int parse_res = 0; - char *p; - - do - { - /* We need at least 3 characters for one line. */ - if (__glibc_unlikely (buflen < 3)) - { - erange: - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - - fgetpos (ent->stream, &pos); - buffer[buflen - 1] = '\xff'; - p = fgets_unlocked (buffer, buflen, ent->stream); - if (p == NULL && feof_unlocked (ent->stream)) - return NSS_STATUS_NOTFOUND; - - if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) - { - erange_reset: - fsetpos (ent->stream, &pos); - goto erange; - } - - /* Terminate the line for any case. */ - buffer[buflen - 1] = '\0'; - - /* Skip leading blanks. */ - while (isspace (*p)) - ++p; - } - while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ - /* Parse the line. If it is invalid, loop to - get the next line of the file to parse. */ - !(parse_res = _nss_files_parse_grent (p, result, data, buflen, - errnop))); - - if (__glibc_unlikely (parse_res == -1)) - /* The parser ran out of space. */ - goto erange_reset; - - if (result->gr_name[0] != '+' && result->gr_name[0] != '-') - /* This is a real entry. */ - break; - - /* -group */ - if (result->gr_name[0] == '-' && result->gr_name[1] != '\0' - && result->gr_name[1] != '@') - { - blacklist_store_name (&result->gr_name[1], ent); - continue; - } - - /* +group */ - if (result->gr_name[0] == '+' && result->gr_name[1] != '\0' - && result->gr_name[1] != '@') - { - size_t len = strlen (result->gr_name); - char buf[len]; - enum nss_status status; - - /* Store the group in the blacklist for the "+" at the end of - /etc/group */ - memcpy (buf, &result->gr_name[1], len); - status = getgrnam_plusgroup (&result->gr_name[1], result, ent, - buffer, buflen, errnop); - blacklist_store_name (buf, ent); - if (status == NSS_STATUS_SUCCESS) /* We found the entry. */ - break; - else if (status == NSS_STATUS_RETURN /* We couldn't parse the entry*/ - || status == NSS_STATUS_NOTFOUND) /* No group in NIS */ - continue; - else - { - if (status == NSS_STATUS_TRYAGAIN) - /* The parser ran out of space. */ - goto erange_reset; - - return status; - } - } - - /* +:... */ - if (result->gr_name[0] == '+' && result->gr_name[1] == '\0') - { - ent->files = FALSE; - - return getgrent_next_nss (result, ent, buffer, buflen, errnop); - } - } - - return NSS_STATUS_SUCCESS; -} - - -enum nss_status -_nss_compat_getgrent_r (struct group *grp, char *buffer, size_t buflen, - int *errnop) -{ - enum nss_status result = NSS_STATUS_SUCCESS; - - __libc_lock_lock (lock); - - /* Be prepared that the setgrent function was not called before. */ - if (ni == NULL) - init_nss_interface (); - - if (ext_ent.stream == NULL) - result = internal_setgrent (&ext_ent, 1, 1); - - if (result == NSS_STATUS_SUCCESS) - { - if (ext_ent.files) - result = getgrent_next_file (grp, &ext_ent, buffer, buflen, errnop); - else - result = getgrent_next_nss (grp, &ext_ent, buffer, buflen, errnop); - } - __libc_lock_unlock (lock); - - return result; -} - -/* Searches in /etc/group and the NIS/NIS+ map for a special group */ -static enum nss_status -internal_getgrnam_r (const char *name, struct group *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - struct parser_data *data = (void *) buffer; - while (1) - { - fpos_t pos; - int parse_res = 0; - char *p; - - do - { - /* We need at least 3 characters for one line. */ - if (__glibc_unlikely (buflen < 3)) - { - erange: - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - - fgetpos (ent->stream, &pos); - buffer[buflen - 1] = '\xff'; - p = fgets_unlocked (buffer, buflen, ent->stream); - if (p == NULL && feof_unlocked (ent->stream)) - return NSS_STATUS_NOTFOUND; - - if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) - { - erange_reset: - fsetpos (ent->stream, &pos); - goto erange; - } - - /* Terminate the line for any case. */ - buffer[buflen - 1] = '\0'; - - /* Skip leading blanks. */ - while (isspace (*p)) - ++p; - } - while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ - /* Parse the line. If it is invalid, loop to - get the next line of the file to parse. */ - !(parse_res = _nss_files_parse_grent (p, result, data, buflen, - errnop))); - - if (__glibc_unlikely (parse_res == -1)) - /* The parser ran out of space. */ - goto erange_reset; - - /* This is a real entry. */ - if (result->gr_name[0] != '+' && result->gr_name[0] != '-') - { - if (strcmp (result->gr_name, name) == 0) - return NSS_STATUS_SUCCESS; - else - continue; - } - - /* -group */ - if (result->gr_name[0] == '-' && result->gr_name[1] != '\0') - { - if (strcmp (&result->gr_name[1], name) == 0) - return NSS_STATUS_NOTFOUND; - else - continue; - } - - /* +group */ - if (result->gr_name[0] == '+' && result->gr_name[1] != '\0') - { - if (strcmp (name, &result->gr_name[1]) == 0) - { - enum nss_status status; - - status = getgrnam_plusgroup (name, result, ent, - buffer, buflen, errnop); - if (status == NSS_STATUS_RETURN) - /* We couldn't parse the entry */ - continue; - else - return status; - } - } - /* +:... */ - if (result->gr_name[0] == '+' && result->gr_name[1] == '\0') - { - enum nss_status status; - - status = getgrnam_plusgroup (name, result, ent, - buffer, buflen, errnop); - if (status == NSS_STATUS_RETURN) - /* We couldn't parse the entry */ - continue; - else - return status; - } - } - - return NSS_STATUS_SUCCESS; -} - -enum nss_status -_nss_compat_getgrnam_r (const char *name, struct group *grp, - char *buffer, size_t buflen, int *errnop) -{ - ent_t ent = { TRUE, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0 }}; - enum nss_status result; - - if (name[0] == '-' || name[0] == '+') - return NSS_STATUS_NOTFOUND; - - __libc_lock_lock (lock); - - if (ni == NULL) - init_nss_interface (); - - __libc_lock_unlock (lock); - - result = internal_setgrent (&ent, 0, 0); - - if (result == NSS_STATUS_SUCCESS) - result = internal_getgrnam_r (name, grp, &ent, buffer, buflen, errnop); - - internal_endgrent (&ent); - - return result; -} - -/* Searches in /etc/group and the NIS/NIS+ map for a special group id */ -static enum nss_status -internal_getgrgid_r (gid_t gid, struct group *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - struct parser_data *data = (void *) buffer; - while (1) - { - fpos_t pos; - int parse_res = 0; - char *p; - - do - { - /* We need at least 3 characters for one line. */ - if (__glibc_unlikely (buflen < 3)) - { - erange: - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - - fgetpos (ent->stream, &pos); - buffer[buflen - 1] = '\xff'; - p = fgets_unlocked (buffer, buflen, ent->stream); - if (p == NULL && feof_unlocked (ent->stream)) - return NSS_STATUS_NOTFOUND; - - if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) - { - erange_reset: - fsetpos (ent->stream, &pos); - goto erange; - } - - /* Terminate the line for any case. */ - buffer[buflen - 1] = '\0'; - - /* Skip leading blanks. */ - while (isspace (*p)) - ++p; - } - while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ - /* Parse the line. If it is invalid, loop to - get the next line of the file to parse. */ - !(parse_res = _nss_files_parse_grent (p, result, data, buflen, - errnop))); - - if (__glibc_unlikely (parse_res == -1)) - /* The parser ran out of space. */ - goto erange_reset; - - /* This is a real entry. */ - if (result->gr_name[0] != '+' && result->gr_name[0] != '-') - { - if (result->gr_gid == gid) - return NSS_STATUS_SUCCESS; - else - continue; - } - - /* -group */ - if (result->gr_name[0] == '-' && result->gr_name[1] != '\0') - { - blacklist_store_name (&result->gr_name[1], ent); - continue; - } - - /* +group */ - if (result->gr_name[0] == '+' && result->gr_name[1] != '\0') - { - /* Yes, no +1, see the memcpy call below. */ - size_t len = strlen (result->gr_name); - char buf[len]; - enum nss_status status; - - /* Store the group in the blacklist for the "+" at the end of - /etc/group */ - memcpy (buf, &result->gr_name[1], len); - status = getgrnam_plusgroup (&result->gr_name[1], result, ent, - buffer, buflen, errnop); - blacklist_store_name (buf, ent); - if (status == NSS_STATUS_SUCCESS && result->gr_gid == gid) - break; - else - continue; - } - /* +:... */ - if (result->gr_name[0] == '+' && result->gr_name[1] == '\0') - { - if (!nss_getgrgid_r) - return NSS_STATUS_UNAVAIL; - - enum nss_status status = nss_getgrgid_r (gid, result, buffer, buflen, - errnop); - if (status == NSS_STATUS_RETURN) /* We couldn't parse the entry */ - return NSS_STATUS_NOTFOUND; - else - return status; - } - } - - return NSS_STATUS_SUCCESS; -} - -enum nss_status -_nss_compat_getgrgid_r (gid_t gid, struct group *grp, - char *buffer, size_t buflen, int *errnop) -{ - ent_t ent = { TRUE, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0 }}; - enum nss_status result; - - __libc_lock_lock (lock); - - if (ni == NULL) - init_nss_interface (); - - __libc_lock_unlock (lock); - - result = internal_setgrent (&ent, 0, 0); - - if (result == NSS_STATUS_SUCCESS) - result = internal_getgrgid_r (gid, grp, &ent, buffer, buflen, errnop); - - internal_endgrent (&ent); - - return result; -} - - -/* Support routines for remembering -@netgroup and -user entries. - The names are stored in a single string with `|' as separator. */ -static void -blacklist_store_name (const char *name, ent_t *ent) -{ - int namelen = strlen (name); - char *tmp; - - /* first call, setup cache */ - if (ent->blacklist.size == 0) - { - ent->blacklist.size = MAX (BLACKLIST_INITIAL_SIZE, 2 * namelen); - ent->blacklist.data = malloc (ent->blacklist.size); - if (ent->blacklist.data == NULL) - return; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - ent->blacklist.current = 1; - } - else - { - if (in_blacklist (name, namelen, ent)) - return; /* no duplicates */ - - if (ent->blacklist.current + namelen + 1 >= ent->blacklist.size) - { - ent->blacklist.size += MAX (BLACKLIST_INCREMENT, 2 * namelen); - tmp = realloc (ent->blacklist.data, ent->blacklist.size); - if (tmp == NULL) - { - free (ent->blacklist.data); - ent->blacklist.size = 0; - return; - } - ent->blacklist.data = tmp; - } - } - - tmp = stpcpy (ent->blacklist.data + ent->blacklist.current, name); - *tmp++ = '|'; - *tmp = '\0'; - ent->blacklist.current += namelen + 1; - - return; -} - -/* returns TRUE if ent->blacklist contains name, else FALSE */ -static bool_t -in_blacklist (const char *name, int namelen, ent_t *ent) -{ - char buf[namelen + 3]; - char *cp; - - if (ent->blacklist.data == NULL) - return FALSE; - - buf[0] = '|'; - cp = stpcpy (&buf[1], name); - *cp++ = '|'; - *cp = '\0'; - return strstr (ent->blacklist.data, buf) != NULL; -} Index: glibc-2.26/nis/nss_compat/compat-initgroups.c =================================================================== --- glibc-2.26.orig/nis/nss_compat/compat-initgroups.c +++ /dev/null @@ -1,576 +0,0 @@ -/* Copyright (C) 1998-2017 Free Software Foundation, Inc. - This file is part of the GNU C Library. - Contributed by Thorsten Kukuk <kukuk@suse.de>, 1998. - - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - The GNU C Library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - <http://www.gnu.org/licenses/>. */ - -#include <ctype.h> -#include <errno.h> -#include <fcntl.h> -#include <grp.h> -#include <nss.h> -#include <stdio_ext.h> -#include <string.h> -#include <unistd.h> -#include <rpc/types.h> -#include <sys/param.h> -#include <nsswitch.h> -#include <libc-lock.h> -#include <kernel-features.h> -#include <scratch_buffer.h> - -static service_user *ni; -/* Type of the lookup function. */ -static enum nss_status (*nss_initgroups_dyn) (const char *, gid_t, - long int *, long int *, - gid_t **, long int, int *); -static enum nss_status (*nss_getgrnam_r) (const char *name, - struct group * grp, char *buffer, - size_t buflen, int *errnop); -static enum nss_status (*nss_getgrgid_r) (gid_t gid, struct group * grp, - char *buffer, size_t buflen, - int *errnop); -static enum nss_status (*nss_setgrent) (int stayopen); -static enum nss_status (*nss_getgrent_r) (struct group * grp, char *buffer, - size_t buflen, int *errnop); -static enum nss_status (*nss_endgrent) (void); - -/* Protect global state against multiple changers. */ -__libc_lock_define_initialized (static, lock) - - -/* Get the declaration of the parser function. */ -#define ENTNAME grent -#define STRUCTURE group -#define EXTERN_PARSER -#include <nss/nss_files/files-parse.c> - -/* Structure for remembering -group members ... */ -#define BLACKLIST_INITIAL_SIZE 512 -#define BLACKLIST_INCREMENT 256 -struct blacklist_t -{ - char *data; - int current; - int size; -}; - -struct ent_t -{ - bool files; - bool need_endgrent; - bool skip_initgroups_dyn; - FILE *stream; - struct blacklist_t blacklist; -}; -typedef struct ent_t ent_t; - -/* Prototypes for local functions. */ -static void blacklist_store_name (const char *, ent_t *); -static int in_blacklist (const char *, int, ent_t *); - -/* Initialize the NSS interface/functions. The calling function must - hold the lock. */ -static void -init_nss_interface (void) -{ - __libc_lock_lock (lock); - - /* Retest. */ - if (ni == NULL - && __nss_database_lookup ("group_compat", NULL, "nis", &ni) >= 0) - { - nss_initgroups_dyn = __nss_lookup_function (ni, "initgroups_dyn"); - nss_getgrnam_r = __nss_lookup_function (ni, "getgrnam_r"); - nss_getgrgid_r = __nss_lookup_function (ni, "getgrgid_r"); - nss_setgrent = __nss_lookup_function (ni, "setgrent"); - nss_getgrent_r = __nss_lookup_function (ni, "getgrent_r"); - nss_endgrent = __nss_lookup_function (ni, "endgrent"); - } - - __libc_lock_unlock (lock); -} - -static enum nss_status -internal_setgrent (ent_t *ent) -{ - enum nss_status status = NSS_STATUS_SUCCESS; - - ent->files = true; - - if (ni == NULL) - init_nss_interface (); - - if (ent->blacklist.data != NULL) - { - ent->blacklist.current = 1; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - } - else - ent->blacklist.current = 0; - - ent->stream = fopen ("/etc/group", "rme"); - - if (ent->stream == NULL) - status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL; - else - /* We take care of locking ourself. */ - __fsetlocking (ent->stream, FSETLOCKING_BYCALLER); - - return status; -} - - -static enum nss_status -internal_endgrent (ent_t *ent) -{ - if (ent->stream != NULL) - { - fclose (ent->stream); - ent->stream = NULL; - } - - if (ent->blacklist.data != NULL) - { - ent->blacklist.current = 1; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - } - else - ent->blacklist.current = 0; - - if (ent->need_endgrent && nss_endgrent != NULL) - nss_endgrent (); - - return NSS_STATUS_SUCCESS; -} - -/* Add new group record. */ -static void -add_group (long int *start, long int *size, gid_t **groupsp, long int limit, - gid_t gid) -{ - gid_t *groups = *groupsp; - - /* Matches user. Insert this group. */ - if (__glibc_unlikely (*start == *size)) - { - /* Need a bigger buffer. */ - gid_t *newgroups; - long int newsize; - - if (limit > 0 && *size == limit) - /* We reached the maximum. */ - return; - - if (limit <= 0) - newsize = 2 * *size; - else - newsize = MIN (limit, 2 * *size); - - newgroups = realloc (groups, newsize * sizeof (*groups)); - if (newgroups == NULL) - return; - *groupsp = groups = newgroups; - *size = newsize; - } - - groups[*start] = gid; - *start += 1; -} - -/* This function checks, if the user is a member of this group and if - yes, add the group id to the list. Return nonzero is we couldn't - handle the group because the user is not in the member list. */ -static int -check_and_add_group (const char *user, gid_t group, long int *start, - long int *size, gid_t **groupsp, long int limit, - struct group *grp) -{ - char **member; - - /* Don't add main group to list of groups. */ - if (grp->gr_gid == group) - return 0; - - for (member = grp->gr_mem; *member != NULL; ++member) - if (strcmp (*member, user) == 0) - { - add_group (start, size, groupsp, limit, grp->gr_gid); - return 0; - } - - return 1; -} - -/* Get the next group from NSS (+ entry). If the NSS module supports - initgroups_dyn, get all entries at once. */ -static enum nss_status -getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user, - gid_t group, long int *start, long int *size, - gid_t **groupsp, long int limit, int *errnop) -{ - enum nss_status status; - struct group grpbuf; - - /* Try nss_initgroups_dyn if supported. We also need getgrgid_r. - If this function is not supported, step through the whole group - database with getgrent_r. */ - if (! ent->skip_initgroups_dyn) - { - long int mystart = 0; - long int mysize = limit <= 0 ? *size : limit; - gid_t *mygroups = malloc (mysize * sizeof (gid_t)); - - if (mygroups == NULL) - return NSS_STATUS_TRYAGAIN; - - /* For every gid in the list we get from the NSS module, - get the whole group entry. We need to do this, since we - need the group name to check if it is in the blacklist. - In worst case, this is as twice as slow as stepping with - getgrent_r through the whole group database. But for large - group databases this is faster, since the user can only be - in a limited number of groups. */ - if (nss_initgroups_dyn (user, group, &mystart, &mysize, &mygroups, - limit, errnop) == NSS_STATUS_SUCCESS) - { - status = NSS_STATUS_NOTFOUND; - - /* If there is no blacklist we can trust the underlying - initgroups implementation. */ - if (ent->blacklist.current <= 1) - for (int i = 0; i < mystart; i++) - add_group (start, size, groupsp, limit, mygroups[i]); - else - { - /* A temporary buffer. We use the normal buffer, until we find - an entry, for which this buffer is to small. In this case, we - overwrite the pointer with one to a bigger buffer. */ - char *tmpbuf = buffer; - size_t tmplen = buflen; - bool use_malloc = false; - - for (int i = 0; i < mystart; i++) - { - while ((status = nss_getgrgid_r (mygroups[i], &grpbuf, - tmpbuf, tmplen, errnop)) - == NSS_STATUS_TRYAGAIN - && *errnop == ERANGE) - { - if (__libc_use_alloca (tmplen * 2)) - { - if (tmpbuf == buffer) - { - tmplen *= 2; - tmpbuf = __alloca (tmplen); - } - else - tmpbuf = extend_alloca (tmpbuf, tmplen, tmplen * 2); - } - else - { - tmplen *= 2; - char *newbuf = realloc (use_malloc ? tmpbuf : NULL, tmplen); - - if (newbuf == NULL) - { - status = NSS_STATUS_TRYAGAIN; - goto done; - } - use_malloc = true; - tmpbuf = newbuf; - } - } - - if (__builtin_expect (status != NSS_STATUS_NOTFOUND, 1)) - { - if (__builtin_expect (status != NSS_STATUS_SUCCESS, 0)) - goto done; - - if (!in_blacklist (grpbuf.gr_name, - strlen (grpbuf.gr_name), ent) - && check_and_add_group (user, group, start, size, - groupsp, limit, &grpbuf)) - { - if (nss_setgrent != NULL) - { - nss_setgrent (1); - ent->need_endgrent = true; - } - ent->skip_initgroups_dyn = true; - - goto iter; - } - } - } - - status = NSS_STATUS_NOTFOUND; - - done: - if (use_malloc) - free (tmpbuf); - } - - free (mygroups); - - return status; - } - - free (mygroups); - } - - /* If we come here, the NSS module does not support initgroups_dyn - or we were confronted with a split group. In these cases we have - to step through the whole list ourself. */ - iter: - do - { - if ((status = nss_getgrent_r (&grpbuf, buffer, buflen, errnop)) != - NSS_STATUS_SUCCESS) - break; - } - while (in_blacklist (grpbuf.gr_name, strlen (grpbuf.gr_name), ent)); - - if (status == NSS_STATUS_SUCCESS) - check_and_add_group (user, group, start, size, groupsp, limit, &grpbuf); - - return status; -} - -static enum nss_status -internal_getgrent_r (ent_t *ent, char *buffer, size_t buflen, const char *user, - gid_t group, long int *start, long int *size, - gid_t **groupsp, long int limit, int *errnop) -{ - struct parser_data *data = (void *) buffer; - struct group grpbuf; - - if (!ent->files) - return getgrent_next_nss (ent, buffer, buflen, user, group, - start, size, groupsp, limit, errnop); - - while (1) - { - fpos_t pos; - int parse_res = 0; - char *p; - - do - { - /* We need at least 3 characters for one line. */ - if (__glibc_unlikely (buflen < 3)) - { - erange: - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - - fgetpos (ent->stream, &pos); - buffer[buflen - 1] = '\xff'; - p = fgets_unlocked (buffer, buflen, ent->stream); - if (p == NULL && feof_unlocked (ent->stream)) - return NSS_STATUS_NOTFOUND; - - if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) - { - erange_reset: - fsetpos (ent->stream, &pos); - goto erange; - } - - /* Terminate the line for any case. */ - buffer[buflen - 1] = '\0'; - - /* Skip leading blanks. */ - while (isspace (*p)) - ++p; - } - while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ - /* Parse the line. If it is invalid, loop to - get the next line of the file to parse. */ - !(parse_res = _nss_files_parse_grent (p, &grpbuf, data, buflen, - errnop))); - - if (__glibc_unlikely (parse_res == -1)) - /* The parser ran out of space. */ - goto erange_reset; - - if (grpbuf.gr_name[0] != '+' && grpbuf.gr_name[0] != '-') - /* This is a real entry. */ - break; - - /* -group */ - if (grpbuf.gr_name[0] == '-' && grpbuf.gr_name[1] != '\0' - && grpbuf.gr_name[1] != '@') - { - blacklist_store_name (&grpbuf.gr_name[1], ent); - continue; - } - - /* +group */ - if (grpbuf.gr_name[0] == '+' && grpbuf.gr_name[1] != '\0' - && grpbuf.gr_name[1] != '@') - { - if (in_blacklist (&grpbuf.gr_name[1], - strlen (&grpbuf.gr_name[1]), ent)) - continue; - /* Store the group in the blacklist for the "+" at the end of - /etc/group */ - blacklist_store_name (&grpbuf.gr_name[1], ent); - if (nss_getgrnam_r == NULL) - return NSS_STATUS_UNAVAIL; - else if (nss_getgrnam_r (&grpbuf.gr_name[1], &grpbuf, buffer, - buflen, errnop) != NSS_STATUS_SUCCESS) - continue; - - check_and_add_group (user, group, start, size, groupsp, - limit, &grpbuf); - - return NSS_STATUS_SUCCESS; - } - - /* +:... */ - if (grpbuf.gr_name[0] == '+' && grpbuf.gr_name[1] == '\0') - { - /* If the selected module does not support getgrent_r or - initgroups_dyn, abort. We cannot find the needed group - entries. */ - if (nss_initgroups_dyn == NULL || nss_getgrgid_r == NULL) - { - if (nss_setgrent != NULL) - { - nss_setgrent (1); - ent->need_endgrent = true; - } - ent->skip_initgroups_dyn = true; - - if (nss_getgrent_r == NULL) - return NSS_STATUS_UNAVAIL; - } - - ent->files = false; - - return getgrent_next_nss (ent, buffer, buflen, user, group, - start, size, groupsp, limit, errnop); - } - } - - check_and_add_group (user, group, start, size, groupsp, limit, &grpbuf); - - return NSS_STATUS_SUCCESS; -} - - -enum nss_status -_nss_compat_initgroups_dyn (const char *user, gid_t group, long int *start, - long int *size, gid_t **groupsp, long int limit, - int *errnop) -{ - enum nss_status status; - ent_t intern = { true, false, false, NULL, {NULL, 0, 0} }; - - status = internal_setgrent (&intern); - if (status != NSS_STATUS_SUCCESS) - return status; - - struct scratch_buffer tmpbuf; - scratch_buffer_init (&tmpbuf); - - do - { - while ((status = internal_getgrent_r (&intern, tmpbuf.data, tmpbuf.length, - user, group, start, size, - groupsp, limit, errnop)) - == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) - if (!scratch_buffer_grow (&tmpbuf)) - goto done; - } - while (status == NSS_STATUS_SUCCESS); - - status = NSS_STATUS_SUCCESS; - - done: - scratch_buffer_free (&tmpbuf); - - internal_endgrent (&intern); - - return status; -} - - -/* Support routines for remembering -@netgroup and -user entries. - The names are stored in a single string with `|' as separator. */ -static void -blacklist_store_name (const char *name, ent_t *ent) -{ - int namelen = strlen (name); - char *tmp; - - /* First call, setup cache. */ - if (ent->blacklist.size == 0) - { - ent->blacklist.size = MAX (BLACKLIST_INITIAL_SIZE, 2 * namelen); - ent->blacklist.data = malloc (ent->blacklist.size); - if (ent->blacklist.data == NULL) - return; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - ent->blacklist.current = 1; - } - else - { - if (in_blacklist (name, namelen, ent)) - return; /* no duplicates */ - - if (ent->blacklist.current + namelen + 1 >= ent->blacklist.size) - { - ent->blacklist.size += MAX (BLACKLIST_INCREMENT, 2 * namelen); - tmp = realloc (ent->blacklist.data, ent->blacklist.size); - if (tmp == NULL) - { - free (ent->blacklist.data); - ent->blacklist.size = 0; - return; - } - ent->blacklist.data = tmp; - } - } - - tmp = stpcpy (ent->blacklist.data + ent->blacklist.current, name); - *tmp++ = '|'; - *tmp = '\0'; - ent->blacklist.current += namelen + 1; - - return; -} - -/* returns TRUE if ent->blacklist contains name, else FALSE */ -static bool_t -in_blacklist (const char *name, int namelen, ent_t *ent) -{ - char buf[namelen + 3]; - char *cp; - - if (ent->blacklist.data == NULL) - return FALSE; - - buf[0] = '|'; - cp = stpcpy (&buf[1], name); - *cp++ = '|'; - *cp = '\0'; - return strstr (ent->blacklist.data, buf) != NULL; -} Index: glibc-2.26/nis/nss_compat/compat-pwd.c =================================================================== --- glibc-2.26.orig/nis/nss_compat/compat-pwd.c +++ /dev/null @@ -1,1132 +0,0 @@ -/* Copyright (C) 1996-2017 Free Software Foundation, Inc. - This file is part of the GNU C Library. - Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996. - - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - The GNU C Library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - <http://www.gnu.org/licenses/>. */ - -#include <ctype.h> -#include <errno.h> -#include <fcntl.h> -#include <netdb.h> -#include <nss.h> -#include <nsswitch.h> -#include <pwd.h> -#include <stdio_ext.h> -#include <string.h> -#include <rpc/types.h> -#include <rpcsvc/ypclnt.h> -#include <libc-lock.h> -#include <kernel-features.h> - -#include "netgroup.h" - -static service_user *ni; -static enum nss_status (*nss_setpwent) (int stayopen); -static enum nss_status (*nss_getpwnam_r) (const char *name, - struct passwd * pwd, char *buffer, - size_t buflen, int *errnop); -static enum nss_status (*nss_getpwuid_r) (uid_t uid, struct passwd * pwd, - char *buffer, size_t buflen, - int *errnop); -static enum nss_status (*nss_getpwent_r) (struct passwd * pwd, char *buffer, - size_t buflen, int *errnop); -static enum nss_status (*nss_endpwent) (void); - -/* Get the declaration of the parser function. */ -#define ENTNAME pwent -#define STRUCTURE passwd -#define EXTERN_PARSER -#include <nss/nss_files/files-parse.c> - -/* Structure for remembering -@netgroup and -user members ... */ -#define BLACKLIST_INITIAL_SIZE 512 -#define BLACKLIST_INCREMENT 256 -struct blacklist_t -{ - char *data; - int current; - int size; -}; - -struct ent_t -{ - bool netgroup; - bool first; - bool files; - enum nss_status setent_status; - FILE *stream; - struct blacklist_t blacklist; - struct passwd pwd; - struct __netgrent netgrdata; -}; -typedef struct ent_t ent_t; - -static ent_t ext_ent = { false, false, true, NSS_STATUS_SUCCESS, NULL, - { NULL, 0, 0 }, - { NULL, NULL, 0, 0, NULL, NULL, NULL }}; - -/* Protect global state against multiple changers. */ -__libc_lock_define_initialized (static, lock) - -/* Prototypes for local functions. */ -static void blacklist_store_name (const char *, ent_t *); -static int in_blacklist (const char *, int, ent_t *); - -/* Initialize the NSS interface/functions. The calling function must - hold the lock. */ -static void -init_nss_interface (void) -{ - if (__nss_database_lookup ("passwd_compat", NULL, "nis", &ni) >= 0) - { - nss_setpwent = __nss_lookup_function (ni, "setpwent"); - nss_getpwnam_r = __nss_lookup_function (ni, "getpwnam_r"); - nss_getpwuid_r = __nss_lookup_function (ni, "getpwuid_r"); - nss_getpwent_r = __nss_lookup_function (ni, "getpwent_r"); - nss_endpwent = __nss_lookup_function (ni, "endpwent"); - } -} - -static void -give_pwd_free (struct passwd *pwd) -{ - free (pwd->pw_name); - free (pwd->pw_passwd); - free (pwd->pw_gecos); - free (pwd->pw_dir); - free (pwd->pw_shell); - - memset (pwd, '\0', sizeof (struct passwd)); -} - -static size_t -pwd_need_buflen (struct passwd *pwd) -{ - size_t len = 0; - - if (pwd->pw_passwd != NULL) - len += strlen (pwd->pw_passwd) + 1; - - if (pwd->pw_gecos != NULL) - len += strlen (pwd->pw_gecos) + 1; - - if (pwd->pw_dir != NULL) - len += strlen (pwd->pw_dir) + 1; - - if (pwd->pw_shell != NULL) - len += strlen (pwd->pw_shell) + 1; - - return len; -} - -static void -copy_pwd_changes (struct passwd *dest, struct passwd *src, - char *buffer, size_t buflen) -{ - if (src->pw_passwd != NULL && strlen (src->pw_passwd)) - { - if (buffer == NULL) - dest->pw_passwd = strdup (src->pw_passwd); - else if (dest->pw_passwd && - strlen (dest->pw_passwd) >= strlen (src->pw_passwd)) - strcpy (dest->pw_passwd, src->pw_passwd); - else - { - dest->pw_passwd = buffer; - strcpy (dest->pw_passwd, src->pw_passwd); - buffer += strlen (dest->pw_passwd) + 1; - buflen = buflen - (strlen (dest->pw_passwd) + 1); - } - } - - if (src->pw_gecos != NULL && strlen (src->pw_gecos)) - { - if (buffer == NULL) - dest->pw_gecos = strdup (src->pw_gecos); - else if (dest->pw_gecos && - strlen (dest->pw_gecos) >= strlen (src->pw_gecos)) - strcpy (dest->pw_gecos, src->pw_gecos); - else - { - dest->pw_gecos = buffer; - strcpy (dest->pw_gecos, src->pw_gecos); - buffer += strlen (dest->pw_gecos) + 1; - buflen = buflen - (strlen (dest->pw_gecos) + 1); - } - } - if (src->pw_dir != NULL && strlen (src->pw_dir)) - { - if (buffer == NULL) - dest->pw_dir = strdup (src->pw_dir); - else if (dest->pw_dir && strlen (dest->pw_dir) >= strlen (src->pw_dir)) - strcpy (dest->pw_dir, src->pw_dir); - else - { - dest->pw_dir = buffer; - strcpy (dest->pw_dir, src->pw_dir); - buffer += strlen (dest->pw_dir) + 1; - buflen = buflen - (strlen (dest->pw_dir) + 1); - } - } - - if (src->pw_shell != NULL && strlen (src->pw_shell)) - { - if (buffer == NULL) - dest->pw_shell = strdup (src->pw_shell); - else if (dest->pw_shell && - strlen (dest->pw_shell) >= strlen (src->pw_shell)) - strcpy (dest->pw_shell, src->pw_shell); - else - { - dest->pw_shell = buffer; - strcpy (dest->pw_shell, src->pw_shell); - buffer += strlen (dest->pw_shell) + 1; - buflen = buflen - (strlen (dest->pw_shell) + 1); - } - } -} - -static enum nss_status -internal_setpwent (ent_t *ent, int stayopen, int needent) -{ - enum nss_status status = NSS_STATUS_SUCCESS; - - ent->first = ent->netgroup = false; - ent->files = true; - ent->setent_status = NSS_STATUS_SUCCESS; - - /* If something was left over free it. */ - if (ent->netgroup) - __internal_endnetgrent (&ent->netgrdata); - - if (ent->blacklist.data != NULL) - { - ent->blacklist.current = 1; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - } - else - ent->blacklist.current = 0; - - if (ent->stream == NULL) - { - ent->stream = fopen ("/etc/passwd", "rme"); - - if (ent->stream == NULL) - status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL; - else - /* We take care of locking ourself. */ - __fsetlocking (ent->stream, FSETLOCKING_BYCALLER); - } - else - rewind (ent->stream); - - give_pwd_free (&ent->pwd); - - if (needent && status == NSS_STATUS_SUCCESS && nss_setpwent) - ent->setent_status = nss_setpwent (stayopen); - - return status; -} - - -enum nss_status -_nss_compat_setpwent (int stayopen) -{ - enum nss_status result; - - __libc_lock_lock (lock); - - if (ni == NULL) - init_nss_interface (); - - result = internal_setpwent (&ext_ent, stayopen, 1); - - __libc_lock_unlock (lock); - - return result; -} - - -static enum nss_status -internal_endpwent (ent_t *ent) -{ - if (ent->stream != NULL) - { - fclose (ent->stream); - ent->stream = NULL; - } - - if (ent->netgroup) - __internal_endnetgrent (&ent->netgrdata); - - ent->first = ent->netgroup = false; - - if (ent->blacklist.data != NULL) - { - ent->blacklist.current = 1; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - } - else - ent->blacklist.current = 0; - - give_pwd_free (&ent->pwd); - - return NSS_STATUS_SUCCESS; -} - -enum nss_status -_nss_compat_endpwent (void) -{ - enum nss_status result; - - __libc_lock_lock (lock); - - if (nss_endpwent) - nss_endpwent (); - - result = internal_endpwent (&ext_ent); - - __libc_lock_unlock (lock); - - return result; -} - - -static enum nss_status -getpwent_next_nss_netgr (const char *name, struct passwd *result, ent_t *ent, - char *group, char *buffer, size_t buflen, - int *errnop) -{ - char *curdomain = NULL, *host, *user, *domain, *p2; - int status; - size_t p2len; - - /* Leave function if NSS module does not support getpwnam_r, - we need this function here. */ - if (!nss_getpwnam_r) - return NSS_STATUS_UNAVAIL; - - if (ent->first) - { - memset (&ent->netgrdata, 0, sizeof (struct __netgrent)); - __internal_setnetgrent (group, &ent->netgrdata); - ent->first = false; - } - - while (1) - { - status = __internal_getnetgrent_r (&host, &user, &domain, - &ent->netgrdata, buffer, buflen, - errnop); - if (status != 1) - { - __internal_endnetgrent (&ent->netgrdata); - ent->netgroup = 0; - give_pwd_free (&ent->pwd); - return NSS_STATUS_RETURN; - } - - if (user == NULL || user[0] == '-') - continue; - - if (domain != NULL) - { - if (curdomain == NULL - && yp_get_default_domain (&curdomain) != YPERR_SUCCESS) - { - __internal_endnetgrent (&ent->netgrdata); - ent->netgroup = false; - give_pwd_free (&ent->pwd); - return NSS_STATUS_UNAVAIL; - } - if (strcmp (curdomain, domain) != 0) - continue; - } - - /* If name != NULL, we are called from getpwnam. */ - if (name != NULL) - if (strcmp (user, name) != 0) - continue; - - p2len = pwd_need_buflen (&ent->pwd); - if (p2len > buflen) - { - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - p2 = buffer + (buflen - p2len); - buflen -= p2len; - - if (nss_getpwnam_r (user, result, buffer, buflen, errnop) != - NSS_STATUS_SUCCESS) - continue; - - if (!in_blacklist (result->pw_name, strlen (result->pw_name), ent)) - { - /* Store the User in the blacklist for possible the "+" at the - end of /etc/passwd */ - blacklist_store_name (result->pw_name, ent); - copy_pwd_changes (result, &ent->pwd, p2, p2len); - break; - } - } - - return NSS_STATUS_SUCCESS; -} - -/* get the next user from NSS (+ entry) */ -static enum nss_status -getpwent_next_nss (struct passwd *result, ent_t *ent, char *buffer, - size_t buflen, int *errnop) -{ - enum nss_status status; - char *p2; - size_t p2len; - - /* Return if NSS module does not support getpwent_r. */ - if (!nss_getpwent_r) - return NSS_STATUS_UNAVAIL; - - /* If the setpwent call failed, say so. */ - if (ent->setent_status != NSS_STATUS_SUCCESS) - return ent->setent_status; - - p2len = pwd_need_buflen (&ent->pwd); - if (p2len > buflen) - { - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - p2 = buffer + (buflen - p2len); - buflen -= p2len; - - if (ent->first) - ent->first = false; - - do - { - if ((status = nss_getpwent_r (result, buffer, buflen, errnop)) != - NSS_STATUS_SUCCESS) - return status; - } - while (in_blacklist (result->pw_name, strlen (result->pw_name), ent)); - - copy_pwd_changes (result, &ent->pwd, p2, p2len); - - return NSS_STATUS_SUCCESS; -} - -/* This function handle the +user entrys in /etc/passwd */ -static enum nss_status -getpwnam_plususer (const char *name, struct passwd *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - if (!nss_getpwnam_r) - return NSS_STATUS_UNAVAIL; - - struct passwd pwd; - memset (&pwd, '\0', sizeof (struct passwd)); - - copy_pwd_changes (&pwd, result, NULL, 0); - - size_t plen = pwd_need_buflen (&pwd); - if (plen > buflen) - { - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - char *p = buffer + (buflen - plen); - buflen -= plen; - - enum nss_status status = nss_getpwnam_r (name, result, buffer, buflen, - errnop); - if (status != NSS_STATUS_SUCCESS) - return status; - - if (in_blacklist (result->pw_name, strlen (result->pw_name), ent)) - return NSS_STATUS_NOTFOUND; - - copy_pwd_changes (result, &pwd, p, plen); - give_pwd_free (&pwd); - /* We found the entry. */ - return NSS_STATUS_SUCCESS; -} - -static enum nss_status -getpwent_next_file (struct passwd *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - struct parser_data *data = (void *) buffer; - while (1) - { - fpos_t pos; - char *p; - int parse_res; - - do - { - /* We need at least 3 characters for one line. */ - if (__glibc_unlikely (buflen < 3)) - { - erange: - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - - fgetpos (ent->stream, &pos); - buffer[buflen - 1] = '\xff'; - p = fgets_unlocked (buffer, buflen, ent->stream); - if (p == NULL && feof_unlocked (ent->stream)) - return NSS_STATUS_NOTFOUND; - - if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) - { - erange_reset: - fsetpos (ent->stream, &pos); - goto erange; - } - - /* Terminate the line for any case. */ - buffer[buflen - 1] = '\0'; - - /* Skip leading blanks. */ - while (isspace (*p)) - ++p; - } - while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ - /* Parse the line. If it is invalid, loop to - get the next line of the file to parse. */ - !(parse_res = _nss_files_parse_pwent (p, result, data, buflen, - errnop))); - - if (__glibc_unlikely (parse_res == -1)) - /* The parser ran out of space. */ - goto erange_reset; - - if (result->pw_name[0] != '+' && result->pw_name[0] != '-') - /* This is a real entry. */ - break; - - /* -@netgroup */ - if (result->pw_name[0] == '-' && result->pw_name[1] == '@' - && result->pw_name[2] != '\0') - { - /* XXX Do not use fixed length buffer. */ - char buf2[1024]; - char *user, *host, *domain; - struct __netgrent netgrdata; - - memset (&netgrdata, 0, sizeof (struct __netgrent)); - __internal_setnetgrent (&result->pw_name[2], &netgrdata); - while (__internal_getnetgrent_r (&host, &user, &domain, &netgrdata, - buf2, sizeof (buf2), errnop)) - { - if (user != NULL && user[0] != '-') - blacklist_store_name (user, ent); - } - __internal_endnetgrent (&netgrdata); - continue; - } - - /* +@netgroup */ - if (result->pw_name[0] == '+' && result->pw_name[1] == '@' - && result->pw_name[2] != '\0') - { - enum nss_status status; - - ent->netgroup = true; - ent->first = true; - copy_pwd_changes (&ent->pwd, result, NULL, 0); - - status = getpwent_next_nss_netgr (NULL, result, ent, - &result->pw_name[2], - buffer, buflen, errnop); - if (status == NSS_STATUS_RETURN) - continue; - else - return status; - } - - /* -user */ - if (result->pw_name[0] == '-' && result->pw_name[1] != '\0' - && result->pw_name[1] != '@') - { - blacklist_store_name (&result->pw_name[1], ent); - continue; - } - - /* +user */ - if (result->pw_name[0] == '+' && result->pw_name[1] != '\0' - && result->pw_name[1] != '@') - { - size_t len = strlen (result->pw_name); - char buf[len]; - enum nss_status status; - - /* Store the User in the blacklist for the "+" at the end of - /etc/passwd */ - memcpy (buf, &result->pw_name[1], len); - status = getpwnam_plususer (&result->pw_name[1], result, ent, - buffer, buflen, errnop); - blacklist_store_name (buf, ent); - - if (status == NSS_STATUS_SUCCESS) /* We found the entry. */ - break; - else if (status == NSS_STATUS_RETURN /* We couldn't parse the entry */ - || status == NSS_STATUS_NOTFOUND) /* entry doesn't exist */ - continue; - else - { - if (status == NSS_STATUS_TRYAGAIN) - { - /* The parser ran out of space */ - fsetpos (ent->stream, &pos); - *errnop = ERANGE; - } - return status; - } - } - - /* +:... */ - if (result->pw_name[0] == '+' && result->pw_name[1] == '\0') - { - ent->files = false; - ent->first = true; - copy_pwd_changes (&ent->pwd, result, NULL, 0); - - return getpwent_next_nss (result, ent, buffer, buflen, errnop); - } - } - - return NSS_STATUS_SUCCESS; -} - - -static enum nss_status -internal_getpwent_r (struct passwd *pw, ent_t *ent, char *buffer, - size_t buflen, int *errnop) -{ - if (ent->netgroup) - { - enum nss_status status; - - /* We are searching members in a netgroup */ - /* Since this is not the first call, we don't need the group name */ - status = getpwent_next_nss_netgr (NULL, pw, ent, NULL, buffer, buflen, - errnop); - if (status == NSS_STATUS_RETURN) - return getpwent_next_file (pw, ent, buffer, buflen, errnop); - else - return status; - } - else if (ent->files) - return getpwent_next_file (pw, ent, buffer, buflen, errnop); - else - return getpwent_next_nss (pw, ent, buffer, buflen, errnop); - -} - -enum nss_status -_nss_compat_getpwent_r (struct passwd *pwd, char *buffer, size_t buflen, - int *errnop) -{ - enum nss_status result = NSS_STATUS_SUCCESS; - - __libc_lock_lock (lock); - - /* Be prepared that the setpwent function was not called before. */ - if (ni == NULL) - init_nss_interface (); - - if (ext_ent.stream == NULL) - result = internal_setpwent (&ext_ent, 1, 1); - - if (result == NSS_STATUS_SUCCESS) - result = internal_getpwent_r (pwd, &ext_ent, buffer, buflen, errnop); - - __libc_lock_unlock (lock); - - return result; -} - -/* Searches in /etc/passwd and the NIS/NIS+ map for a special user */ -static enum nss_status -internal_getpwnam_r (const char *name, struct passwd *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - struct parser_data *data = (void *) buffer; - - while (1) - { - fpos_t pos; - char *p; - int parse_res; - - do - { - /* We need at least 3 characters for one line. */ - if (__glibc_unlikely (buflen < 3)) - { - erange: - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - - fgetpos (ent->stream, &pos); - buffer[buflen - 1] = '\xff'; - p = fgets_unlocked (buffer, buflen, ent->stream); - if (p == NULL && feof_unlocked (ent->stream)) - { - return NSS_STATUS_NOTFOUND; - } - if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) - { - erange_reset: - fsetpos (ent->stream, &pos); - goto erange; - } - - /* Terminate the line for any case. */ - buffer[buflen - 1] = '\0'; - - /* Skip leading blanks. */ - while (isspace (*p)) - ++p; - } - while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ - /* Parse the line. If it is invalid, loop to - get the next line of the file to parse. */ - !(parse_res = _nss_files_parse_pwent (p, result, data, buflen, - errnop))); - - if (__glibc_unlikely (parse_res == -1)) - /* The parser ran out of space. */ - goto erange_reset; - - /* This is a real entry. */ - if (result->pw_name[0] != '+' && result->pw_name[0] != '-') - { - if (strcmp (result->pw_name, name) == 0) - return NSS_STATUS_SUCCESS; - else - continue; - } - - /* -@netgroup */ - if (result->pw_name[0] == '-' && result->pw_name[1] == '@' - && result->pw_name[2] != '\0') - { - if (innetgr (&result->pw_name[2], NULL, name, NULL)) - return NSS_STATUS_NOTFOUND; - continue; - } - - /* +@netgroup */ - if (result->pw_name[0] == '+' && result->pw_name[1] == '@' - && result->pw_name[2] != '\0') - { - enum nss_status status; - - if (innetgr (&result->pw_name[2], NULL, name, NULL)) - { - status = getpwnam_plususer (name, result, ent, buffer, - buflen, errnop); - - if (status == NSS_STATUS_RETURN) - continue; - - return status; - } - continue; - } - - /* -user */ - if (result->pw_name[0] == '-' && result->pw_name[1] != '\0' - && result->pw_name[1] != '@') - { - if (strcmp (&result->pw_name[1], name) == 0) - return NSS_STATUS_NOTFOUND; - else - continue; - } - - /* +user */ - if (result->pw_name[0] == '+' && result->pw_name[1] != '\0' - && result->pw_name[1] != '@') - { - if (strcmp (name, &result->pw_name[1]) == 0) - { - enum nss_status status; - - status = getpwnam_plususer (name, result, ent, buffer, buflen, - errnop); - if (status == NSS_STATUS_RETURN) - /* We couldn't parse the entry */ - return NSS_STATUS_NOTFOUND; - else - return status; - } - } - - /* +:... */ - if (result->pw_name[0] == '+' && result->pw_name[1] == '\0') - { - enum nss_status status; - - status = getpwnam_plususer (name, result, ent, - buffer, buflen, errnop); - if (status == NSS_STATUS_SUCCESS) /* We found the entry. */ - break; - else if (status == NSS_STATUS_RETURN) /* We couldn't parse the entry */ - return NSS_STATUS_NOTFOUND; - else - return status; - } - } - return NSS_STATUS_SUCCESS; -} - -enum nss_status -_nss_compat_getpwnam_r (const char *name, struct passwd *pwd, - char *buffer, size_t buflen, int *errnop) -{ - enum nss_status result; - ent_t ent = { false, false, true, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0 }, - { NULL, NULL, 0, 0, NULL, NULL, NULL }}; - - if (name[0] == '-' || name[0] == '+') - return NSS_STATUS_NOTFOUND; - - __libc_lock_lock (lock); - - if (ni == NULL) - init_nss_interface (); - - __libc_lock_unlock (lock); - - result = internal_setpwent (&ent, 0, 0); - - if (result == NSS_STATUS_SUCCESS) - result = internal_getpwnam_r (name, pwd, &ent, buffer, buflen, errnop); - - internal_endpwent (&ent); - - return result; -} - -/* This function handle the + entry in /etc/passwd for getpwuid */ -static enum nss_status -getpwuid_plususer (uid_t uid, struct passwd *result, char *buffer, - size_t buflen, int *errnop) -{ - struct passwd pwd; - char *p; - size_t plen; - - if (!nss_getpwuid_r) - return NSS_STATUS_UNAVAIL; - - memset (&pwd, '\0', sizeof (struct passwd)); - - copy_pwd_changes (&pwd, result, NULL, 0); - - plen = pwd_need_buflen (&pwd); - if (plen > buflen) - { - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - p = buffer + (buflen - plen); - buflen -= plen; - - if (nss_getpwuid_r (uid, result, buffer, buflen, errnop) == - NSS_STATUS_SUCCESS) - { - copy_pwd_changes (result, &pwd, p, plen); - give_pwd_free (&pwd); - /* We found the entry. */ - return NSS_STATUS_SUCCESS; - } - else - { - /* Give buffer the old len back */ - buflen += plen; - give_pwd_free (&pwd); - } - return NSS_STATUS_RETURN; -} - -/* Searches in /etc/passwd and the NSS subsystem for a special user id */ -static enum nss_status -internal_getpwuid_r (uid_t uid, struct passwd *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - struct parser_data *data = (void *) buffer; - - while (1) - { - fpos_t pos; - char *p; - int parse_res; - - do - { - /* We need at least 3 characters for one line. */ - if (__glibc_unlikely (buflen < 3)) - { - erange: - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - - fgetpos (ent->stream, &pos); - buffer[buflen - 1] = '\xff'; - p = fgets_unlocked (buffer, buflen, ent->stream); - if (p == NULL && feof_unlocked (ent->stream)) - return NSS_STATUS_NOTFOUND; - - if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) - { - erange_reset: - fsetpos (ent->stream, &pos); - goto erange; - } - - /* Terminate the line for any case. */ - buffer[buflen - 1] = '\0'; - - /* Skip leading blanks. */ - while (isspace (*p)) - ++p; - } - while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ - /* Parse the line. If it is invalid, loop to - get the next line of the file to parse. */ - !(parse_res = _nss_files_parse_pwent (p, result, data, buflen, - errnop))); - - if (__glibc_unlikely (parse_res == -1)) - /* The parser ran out of space. */ - goto erange_reset; - - /* This is a real entry. */ - if (result->pw_name[0] != '+' && result->pw_name[0] != '-') - { - if (result->pw_uid == uid) - return NSS_STATUS_SUCCESS; - else - continue; - } - - /* -@netgroup */ - if (result->pw_name[0] == '-' && result->pw_name[1] == '@' - && result->pw_name[2] != '\0') - { - /* -1, because we remove first two character of pw_name. */ - size_t len = strlen (result->pw_name) - 1; - char buf[len]; - enum nss_status status; - - memcpy (buf, &result->pw_name[2], len); - - status = getpwuid_plususer (uid, result, buffer, buflen, errnop); - if (status == NSS_STATUS_SUCCESS && - innetgr (buf, NULL, result->pw_name, NULL)) - return NSS_STATUS_NOTFOUND; - - continue; - } - - /* +@netgroup */ - if (result->pw_name[0] == '+' && result->pw_name[1] == '@' - && result->pw_name[2] != '\0') - { - /* -1, because we remove first two characters of pw_name. */ - size_t len = strlen (result->pw_name) - 1; - char buf[len]; - enum nss_status status; - - memcpy (buf, &result->pw_name[2], len); - - status = getpwuid_plususer (uid, result, buffer, buflen, errnop); - - if (status == NSS_STATUS_RETURN) - continue; - - if (status == NSS_STATUS_SUCCESS) - { - if (innetgr (buf, NULL, result->pw_name, NULL)) - return NSS_STATUS_SUCCESS; - } - else if (status == NSS_STATUS_RETURN) /* We couldn't parse the entry */ - return NSS_STATUS_NOTFOUND; - else - return status; - - continue; - } - - /* -user */ - if (result->pw_name[0] == '-' && result->pw_name[1] != '\0' - && result->pw_name[1] != '@') - { - size_t len = strlen (result->pw_name); - char buf[len]; - enum nss_status status; - - memcpy (buf, &result->pw_name[1], len); - - status = getpwuid_plususer (uid, result, buffer, buflen, errnop); - if (status == NSS_STATUS_SUCCESS && - innetgr (buf, NULL, result->pw_name, NULL)) - return NSS_STATUS_NOTFOUND; - continue; - } - - /* +user */ - if (result->pw_name[0] == '+' && result->pw_name[1] != '\0' - && result->pw_name[1] != '@') - { - size_t len = strlen (result->pw_name); - char buf[len]; - enum nss_status status; - - memcpy (buf, &result->pw_name[1], len); - - status = getpwuid_plususer (uid, result, buffer, buflen, errnop); - - if (status == NSS_STATUS_RETURN) - continue; - - if (status == NSS_STATUS_SUCCESS) - { - if (strcmp (buf, result->pw_name) == 0) - return NSS_STATUS_SUCCESS; - } - else if (status == NSS_STATUS_RETURN) /* We couldn't parse the entry */ - return NSS_STATUS_NOTFOUND; - else - return status; - - continue; - } - - /* +:... */ - if (result->pw_name[0] == '+' && result->pw_name[1] == '\0') - { - enum nss_status status; - - status = getpwuid_plususer (uid, result, buffer, buflen, errnop); - if (status == NSS_STATUS_SUCCESS) /* We found the entry. */ - break; - else if (status == NSS_STATUS_RETURN) /* We couldn't parse the entry */ - return NSS_STATUS_NOTFOUND; - else - return status; - } - } - return NSS_STATUS_SUCCESS; -} - -enum nss_status -_nss_compat_getpwuid_r (uid_t uid, struct passwd *pwd, - char *buffer, size_t buflen, int *errnop) -{ - enum nss_status result; - ent_t ent = { false, false, true, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0 }, - { NULL, NULL, 0, 0, NULL, NULL, NULL }}; - - __libc_lock_lock (lock); - - if (ni == NULL) - init_nss_interface (); - - __libc_lock_unlock (lock); - - result = internal_setpwent (&ent, 0, 0); - - if (result == NSS_STATUS_SUCCESS) - result = internal_getpwuid_r (uid, pwd, &ent, buffer, buflen, errnop); - - internal_endpwent (&ent); - - return result; -} - - -/* Support routines for remembering -@netgroup and -user entries. - The names are stored in a single string with `|' as separator. */ -static void -blacklist_store_name (const char *name, ent_t *ent) -{ - int namelen = strlen (name); - char *tmp; - - /* first call, setup cache */ - if (ent->blacklist.size == 0) - { - ent->blacklist.size = MAX (BLACKLIST_INITIAL_SIZE, 2 * namelen); - ent->blacklist.data = malloc (ent->blacklist.size); - if (ent->blacklist.data == NULL) - return; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - ent->blacklist.current = 1; - } - else - { - if (in_blacklist (name, namelen, ent)) - return; /* no duplicates */ - - if (ent->blacklist.current + namelen + 1 >= ent->blacklist.size) - { - ent->blacklist.size += MAX (BLACKLIST_INCREMENT, 2 * namelen); - tmp = realloc (ent->blacklist.data, ent->blacklist.size); - if (tmp == NULL) - { - free (ent->blacklist.data); - ent->blacklist.size = 0; - return; - } - ent->blacklist.data = tmp; - } - } - - tmp = stpcpy (ent->blacklist.data + ent->blacklist.current, name); - *tmp++ = '|'; - *tmp = '\0'; - ent->blacklist.current += namelen + 1; - - return; -} - -/* Returns TRUE if ent->blacklist contains name, else FALSE. */ -static bool_t -in_blacklist (const char *name, int namelen, ent_t *ent) -{ - char buf[namelen + 3]; - char *cp; - - if (ent->blacklist.data == NULL) - return FALSE; - - buf[0] = '|'; - cp = stpcpy (&buf[1], name); - *cp++ = '|'; - *cp = '\0'; - return strstr (ent->blacklist.data, buf) != NULL; -} Index: glibc-2.26/nis/nss_compat/compat-spwd.c =================================================================== --- glibc-2.26.orig/nis/nss_compat/compat-spwd.c +++ /dev/null @@ -1,858 +0,0 @@ -/* Copyright (C) 1996-2017 Free Software Foundation, Inc. - This file is part of the GNU C Library. - Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996. - - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - The GNU C Library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - <http://www.gnu.org/licenses/>. */ - -#include <ctype.h> -#include <errno.h> -#include <fcntl.h> -#include <netdb.h> -#include <nss.h> -#include <nsswitch.h> -#include <shadow.h> -#include <stdio_ext.h> -#include <string.h> -#include <rpc/types.h> -#include <rpcsvc/ypclnt.h> -#include <libc-lock.h> -#include <kernel-features.h> - -#include "netgroup.h" - -static service_user *ni; -static enum nss_status (*nss_setspent) (int stayopen); -static enum nss_status (*nss_getspnam_r) (const char *name, struct spwd * sp, - char *buffer, size_t buflen, - int *errnop); -static enum nss_status (*nss_getspent_r) (struct spwd * sp, char *buffer, - size_t buflen, int *errnop); -static enum nss_status (*nss_endspent) (void); - -/* Get the declaration of the parser function. */ -#define ENTNAME spent -#define STRUCTURE spwd -#define EXTERN_PARSER -#include <nss/nss_files/files-parse.c> - -/* Structure for remembering -@netgroup and -user members ... */ -#define BLACKLIST_INITIAL_SIZE 512 -#define BLACKLIST_INCREMENT 256 -struct blacklist_t -{ - char *data; - int current; - int size; -}; - -struct ent_t -{ - bool netgroup; - bool files; - bool first; - enum nss_status setent_status; - FILE *stream; - struct blacklist_t blacklist; - struct spwd pwd; - struct __netgrent netgrdata; -}; -typedef struct ent_t ent_t; - -static ent_t ext_ent = { false, true, false, NSS_STATUS_SUCCESS, NULL, - { NULL, 0, 0}, - { NULL, NULL, 0, 0, 0, 0, 0, 0, 0}}; - -/* Protect global state against multiple changers. */ -__libc_lock_define_initialized (static, lock) - -/* Prototypes for local functions. */ -static void blacklist_store_name (const char *, ent_t *); -static int in_blacklist (const char *, int, ent_t *); - -/* Initialize the NSS interface/functions. The calling function must - hold the lock. */ -static void -init_nss_interface (void) -{ - if (__nss_database_lookup ("shadow_compat", "passwd_compat", - "nis", &ni) >= 0) - { - nss_setspent = __nss_lookup_function (ni, "setspent"); - nss_getspnam_r = __nss_lookup_function (ni, "getspnam_r"); - nss_getspent_r = __nss_lookup_function (ni, "getspent_r"); - nss_endspent = __nss_lookup_function (ni, "endspent"); - } -} - -static void -give_spwd_free (struct spwd *pwd) -{ - free (pwd->sp_namp); - free (pwd->sp_pwdp); - - memset (pwd, '\0', sizeof (struct spwd)); - pwd->sp_warn = -1; - pwd->sp_inact = -1; - pwd->sp_expire = -1; - pwd->sp_flag = ~0ul; -} - -static int -spwd_need_buflen (struct spwd *pwd) -{ - int len = 0; - - if (pwd->sp_pwdp != NULL) - len += strlen (pwd->sp_pwdp) + 1; - - return len; -} - -static void -copy_spwd_changes (struct spwd *dest, struct spwd *src, - char *buffer, size_t buflen) -{ - if (src->sp_pwdp != NULL && strlen (src->sp_pwdp)) - { - if (buffer == NULL) - dest->sp_pwdp = strdup (src->sp_pwdp); - else if (dest->sp_pwdp && - strlen (dest->sp_pwdp) >= strlen (src->sp_pwdp)) - strcpy (dest->sp_pwdp, src->sp_pwdp); - else - { - dest->sp_pwdp = buffer; - strcpy (dest->sp_pwdp, src->sp_pwdp); - buffer += strlen (dest->sp_pwdp) + 1; - buflen = buflen - (strlen (dest->sp_pwdp) + 1); - } - } - if (src->sp_lstchg != 0) - dest->sp_lstchg = src->sp_lstchg; - if (src->sp_min != 0) - dest->sp_min = src->sp_min; - if (src->sp_max != 0) - dest->sp_max = src->sp_max; - if (src->sp_warn != -1) - dest->sp_warn = src->sp_warn; - if (src->sp_inact != -1) - dest->sp_inact = src->sp_inact; - if (src->sp_expire != -1) - dest->sp_expire = src->sp_expire; - if (src->sp_flag != ~0ul) - dest->sp_flag = src->sp_flag; -} - -static enum nss_status -internal_setspent (ent_t *ent, int stayopen, int needent) -{ - enum nss_status status = NSS_STATUS_SUCCESS; - - ent->first = ent->netgroup = 0; - ent->files = true; - - /* If something was left over free it. */ - if (ent->netgroup) - __internal_endnetgrent (&ent->netgrdata); - - if (ent->blacklist.data != NULL) - { - ent->blacklist.current = 1; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - } - else - ent->blacklist.current = 0; - - if (ent->stream == NULL) - { - ent->stream = fopen ("/etc/shadow", "rme"); - - if (ent->stream == NULL) - status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL; - else - /* We take care of locking ourself. */ - __fsetlocking (ent->stream, FSETLOCKING_BYCALLER); - } - else - rewind (ent->stream); - - give_spwd_free (&ent->pwd); - - if (needent && status == NSS_STATUS_SUCCESS && nss_setspent) - ent->setent_status = nss_setspent (stayopen); - - return status; -} - - -enum nss_status -_nss_compat_setspent (int stayopen) -{ - enum nss_status result; - - __libc_lock_lock (lock); - - if (ni == NULL) - init_nss_interface (); - - result = internal_setspent (&ext_ent, stayopen, 1); - - __libc_lock_unlock (lock); - - return result; -} - - -static enum nss_status -internal_endspent (ent_t *ent) -{ - if (ent->stream != NULL) - { - fclose (ent->stream); - ent->stream = NULL; - } - - if (ent->netgroup) - __internal_endnetgrent (&ent->netgrdata); - - ent->first = ent->netgroup = false; - ent->files = true; - - if (ent->blacklist.data != NULL) - { - ent->blacklist.current = 1; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - } - else - ent->blacklist.current = 0; - - give_spwd_free (&ent->pwd); - - return NSS_STATUS_SUCCESS; -} - -enum nss_status -_nss_compat_endspent (void) -{ - enum nss_status result; - - __libc_lock_lock (lock); - - if (nss_endspent) - nss_endspent (); - - result = internal_endspent (&ext_ent); - - __libc_lock_unlock (lock); - - return result; -} - - -static enum nss_status -getspent_next_nss_netgr (const char *name, struct spwd *result, ent_t *ent, - char *group, char *buffer, size_t buflen, - int *errnop) -{ - char *curdomain = NULL, *host, *user, *domain, *p2; - size_t p2len; - - if (!nss_getspnam_r) - return NSS_STATUS_UNAVAIL; - - /* If the setpwent call failed, say so. */ - if (ent->setent_status != NSS_STATUS_SUCCESS) - return ent->setent_status; - - if (ent->first) - { - memset (&ent->netgrdata, 0, sizeof (struct __netgrent)); - __internal_setnetgrent (group, &ent->netgrdata); - ent->first = false; - } - - while (1) - { - enum nss_status status; - - status = __internal_getnetgrent_r (&host, &user, &domain, - &ent->netgrdata, buffer, buflen, - errnop); - if (status != 1) - { - __internal_endnetgrent (&ent->netgrdata); - ent->netgroup = false; - give_spwd_free (&ent->pwd); - return NSS_STATUS_RETURN; - } - - if (user == NULL || user[0] == '-') - continue; - - if (domain != NULL) - { - if (curdomain == NULL - && yp_get_default_domain (&curdomain) != YPERR_SUCCESS) - { - __internal_endnetgrent (&ent->netgrdata); - ent->netgroup = false; - give_spwd_free (&ent->pwd); - return NSS_STATUS_UNAVAIL; - } - if (strcmp (curdomain, domain) != 0) - continue; - } - - /* If name != NULL, we are called from getpwnam */ - if (name != NULL) - if (strcmp (user, name) != 0) - continue; - - p2len = spwd_need_buflen (&ent->pwd); - if (p2len > buflen) - { - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - p2 = buffer + (buflen - p2len); - buflen -= p2len; - - if (nss_getspnam_r (user, result, buffer, buflen, errnop) != - NSS_STATUS_SUCCESS) - continue; - - if (!in_blacklist (result->sp_namp, strlen (result->sp_namp), ent)) - { - /* Store the User in the blacklist for possible the "+" at the - end of /etc/passwd */ - blacklist_store_name (result->sp_namp, ent); - copy_spwd_changes (result, &ent->pwd, p2, p2len); - break; - } - } - - return NSS_STATUS_SUCCESS; -} - - -static enum nss_status -getspent_next_nss (struct spwd *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - enum nss_status status; - char *p2; - size_t p2len; - - if (!nss_getspent_r) - return NSS_STATUS_UNAVAIL; - - p2len = spwd_need_buflen (&ent->pwd); - if (p2len > buflen) - { - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - p2 = buffer + (buflen - p2len); - buflen -= p2len; - do - { - if ((status = nss_getspent_r (result, buffer, buflen, errnop)) != - NSS_STATUS_SUCCESS) - return status; - } - while (in_blacklist (result->sp_namp, strlen (result->sp_namp), ent)); - - copy_spwd_changes (result, &ent->pwd, p2, p2len); - - return NSS_STATUS_SUCCESS; -} - - -/* This function handle the +user entrys in /etc/shadow */ -static enum nss_status -getspnam_plususer (const char *name, struct spwd *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - if (!nss_getspnam_r) - return NSS_STATUS_UNAVAIL; - - struct spwd pwd; - memset (&pwd, '\0', sizeof (struct spwd)); - pwd.sp_warn = -1; - pwd.sp_inact = -1; - pwd.sp_expire = -1; - pwd.sp_flag = ~0ul; - - copy_spwd_changes (&pwd, result, NULL, 0); - - size_t plen = spwd_need_buflen (&pwd); - if (plen > buflen) - { - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - char *p = buffer + (buflen - plen); - buflen -= plen; - - enum nss_status status = nss_getspnam_r (name, result, buffer, buflen, - errnop); - if (status != NSS_STATUS_SUCCESS) - return status; - - if (in_blacklist (result->sp_namp, strlen (result->sp_namp), ent)) - return NSS_STATUS_NOTFOUND; - - copy_spwd_changes (result, &pwd, p, plen); - give_spwd_free (&pwd); - /* We found the entry. */ - return NSS_STATUS_SUCCESS; -} - - -static enum nss_status -getspent_next_file (struct spwd *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - struct parser_data *data = (void *) buffer; - while (1) - { - fpos_t pos; - int parse_res = 0; - char *p; - - do - { - /* We need at least 3 characters for one line. */ - if (__glibc_unlikely (buflen < 3)) - { - erange: - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - - fgetpos (ent->stream, &pos); - buffer[buflen - 1] = '\xff'; - p = fgets_unlocked (buffer, buflen, ent->stream); - if (p == NULL && feof_unlocked (ent->stream)) - return NSS_STATUS_NOTFOUND; - - if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) - { - erange_reset: - fsetpos (ent->stream, &pos); - goto erange; - } - - /* Skip leading blanks. */ - while (isspace (*p)) - ++p; - } - while (*p == '\0' || *p == '#' /* Ignore empty and comment lines. */ - /* Parse the line. If it is invalid, loop to - get the next line of the file to parse. */ - || !(parse_res = _nss_files_parse_spent (p, result, data, - buflen, errnop))); - - if (__glibc_unlikely (parse_res == -1)) - /* The parser ran out of space. */ - goto erange_reset; - - if (result->sp_namp[0] != '+' && result->sp_namp[0] != '-') - /* This is a real entry. */ - break; - - /* -@netgroup */ - if (result->sp_namp[0] == '-' && result->sp_namp[1] == '@' - && result->sp_namp[2] != '\0') - { - /* XXX Do not use fixed length buffers. */ - char buf2[1024]; - char *user, *host, *domain; - struct __netgrent netgrdata; - - memset (&netgrdata, 0, sizeof (struct __netgrent)); - __internal_setnetgrent (&result->sp_namp[2], &netgrdata); - while (__internal_getnetgrent_r (&host, &user, &domain, - &netgrdata, buf2, sizeof (buf2), - errnop)) - { - if (user != NULL && user[0] != '-') - blacklist_store_name (user, ent); - } - __internal_endnetgrent (&netgrdata); - continue; - } - - /* +@netgroup */ - if (result->sp_namp[0] == '+' && result->sp_namp[1] == '@' - && result->sp_namp[2] != '\0') - { - int status; - - ent->netgroup = true; - ent->first = true; - copy_spwd_changes (&ent->pwd, result, NULL, 0); - - status = getspent_next_nss_netgr (NULL, result, ent, - &result->sp_namp[2], - buffer, buflen, errnop); - if (status == NSS_STATUS_RETURN) - continue; - else - return status; - } - - /* -user */ - if (result->sp_namp[0] == '-' && result->sp_namp[1] != '\0' - && result->sp_namp[1] != '@') - { - blacklist_store_name (&result->sp_namp[1], ent); - continue; - } - - /* +user */ - if (result->sp_namp[0] == '+' && result->sp_namp[1] != '\0' - && result->sp_namp[1] != '@') - { - size_t len = strlen (result->sp_namp); - char buf[len]; - enum nss_status status; - - /* Store the User in the blacklist for the "+" at the end of - /etc/passwd */ - memcpy (buf, &result->sp_namp[1], len); - status = getspnam_plususer (&result->sp_namp[1], result, ent, - buffer, buflen, errnop); - blacklist_store_name (buf, ent); - - if (status == NSS_STATUS_SUCCESS) /* We found the entry. */ - break; - /* We couldn't parse the entry */ - else if (status == NSS_STATUS_RETURN - /* entry doesn't exist */ - || status == NSS_STATUS_NOTFOUND) - continue; - else - { - if (status == NSS_STATUS_TRYAGAIN) - { - fsetpos (ent->stream, &pos); - *errnop = ERANGE; - } - return status; - } - } - - /* +:... */ - if (result->sp_namp[0] == '+' && result->sp_namp[1] == '\0') - { - ent->files = false; - ent->first = true; - copy_spwd_changes (&ent->pwd, result, NULL, 0); - - return getspent_next_nss (result, ent, buffer, buflen, errnop); - } - } - - return NSS_STATUS_SUCCESS; -} - - -static enum nss_status -internal_getspent_r (struct spwd *pw, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - if (ent->netgroup) - { - enum nss_status status; - - /* We are searching members in a netgroup */ - /* Since this is not the first call, we don't need the group name */ - status = getspent_next_nss_netgr (NULL, pw, ent, NULL, buffer, - buflen, errnop); - - if (status == NSS_STATUS_RETURN) - return getspent_next_file (pw, ent, buffer, buflen, errnop); - else - return status; - } - else if (ent->files) - return getspent_next_file (pw, ent, buffer, buflen, errnop); - else - return getspent_next_nss (pw, ent, buffer, buflen, errnop); -} - - -enum nss_status -_nss_compat_getspent_r (struct spwd *pwd, char *buffer, size_t buflen, - int *errnop) -{ - enum nss_status result = NSS_STATUS_SUCCESS; - - __libc_lock_lock (lock); - - /* Be prepared that the setpwent function was not called before. */ - if (ni == NULL) - init_nss_interface (); - - if (ext_ent.stream == NULL) - result = internal_setspent (&ext_ent, 1, 1); - - if (result == NSS_STATUS_SUCCESS) - result = internal_getspent_r (pwd, &ext_ent, buffer, buflen, errnop); - - __libc_lock_unlock (lock); - - return result; -} - - -/* Searches in /etc/passwd and the NIS/NIS+ map for a special user */ -static enum nss_status -internal_getspnam_r (const char *name, struct spwd *result, ent_t *ent, - char *buffer, size_t buflen, int *errnop) -{ - struct parser_data *data = (void *) buffer; - - while (1) - { - fpos_t pos; - char *p; - int parse_res; - - do - { - /* We need at least 3 characters for one line. */ - if (__glibc_unlikely (buflen < 3)) - { - erange: - *errnop = ERANGE; - return NSS_STATUS_TRYAGAIN; - } - - fgetpos (ent->stream, &pos); - buffer[buflen - 1] = '\xff'; - p = fgets_unlocked (buffer, buflen, ent->stream); - if (p == NULL && feof_unlocked (ent->stream)) - return NSS_STATUS_NOTFOUND; - - if (p == NULL || buffer[buflen - 1] != '\xff') - { - erange_reset: - fsetpos (ent->stream, &pos); - goto erange; - } - - /* Terminate the line for any case. */ - buffer[buflen - 1] = '\0'; - - /* Skip leading blanks. */ - while (isspace (*p)) - ++p; - } - while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ - /* Parse the line. If it is invalid, loop to - get the next line of the file to parse. */ - !(parse_res = _nss_files_parse_spent (p, result, data, buflen, - errnop))); - - if (__glibc_unlikely (parse_res == -1)) - /* The parser ran out of space. */ - goto erange_reset; - - /* This is a real entry. */ - if (result->sp_namp[0] != '+' && result->sp_namp[0] != '-') - { - if (strcmp (result->sp_namp, name) == 0) - return NSS_STATUS_SUCCESS; - else - continue; - } - - /* -@netgroup */ - /* If the loaded NSS module does not support this service, add - all users from a +@netgroup entry to the blacklist, too. */ - if (result->sp_namp[0] == '-' && result->sp_namp[1] == '@' - && result->sp_namp[2] != '\0') - { - if (innetgr (&result->sp_namp[2], NULL, name, NULL)) - return NSS_STATUS_NOTFOUND; - continue; - } - - /* +@netgroup */ - if (result->sp_namp[0] == '+' && result->sp_namp[1] == '@' - && result->sp_namp[2] != '\0') - { - enum nss_status status; - - if (innetgr (&result->sp_namp[2], NULL, name, NULL)) - { - status = getspnam_plususer (name, result, ent, buffer, - buflen, errnop); - - if (status == NSS_STATUS_RETURN) - continue; - - return status; - } - continue; - } - - /* -user */ - if (result->sp_namp[0] == '-' && result->sp_namp[1] != '\0' - && result->sp_namp[1] != '@') - { - if (strcmp (&result->sp_namp[1], name) == 0) - return NSS_STATUS_NOTFOUND; - else - continue; - } - - /* +user */ - if (result->sp_namp[0] == '+' && result->sp_namp[1] != '\0' - && result->sp_namp[1] != '@') - { - if (strcmp (name, &result->sp_namp[1]) == 0) - { - enum nss_status status; - - status = getspnam_plususer (name, result, ent, - buffer, buflen, errnop); - - if (status == NSS_STATUS_RETURN) - /* We couldn't parse the entry */ - return NSS_STATUS_NOTFOUND; - else - return status; - } - } - - /* +:... */ - if (result->sp_namp[0] == '+' && result->sp_namp[1] == '\0') - { - enum nss_status status; - - status = getspnam_plususer (name, result, ent, - buffer, buflen, errnop); - - if (status == NSS_STATUS_SUCCESS) - /* We found the entry. */ - break; - else if (status == NSS_STATUS_RETURN) - /* We couldn't parse the entry */ - return NSS_STATUS_NOTFOUND; - else - return status; - } - } - return NSS_STATUS_SUCCESS; -} - - -enum nss_status -_nss_compat_getspnam_r (const char *name, struct spwd *pwd, - char *buffer, size_t buflen, int *errnop) -{ - enum nss_status result; - ent_t ent = { false, true, false, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0}, - { NULL, NULL, 0, 0, 0, 0, 0, 0, 0}}; - - if (name[0] == '-' || name[0] == '+') - return NSS_STATUS_NOTFOUND; - - __libc_lock_lock (lock); - - if (ni == NULL) - init_nss_interface (); - - __libc_lock_unlock (lock); - - result = internal_setspent (&ent, 0, 0); - - if (result == NSS_STATUS_SUCCESS) - result = internal_getspnam_r (name, pwd, &ent, buffer, buflen, errnop); - - internal_endspent (&ent); - - return result; -} - - -/* Support routines for remembering -@netgroup and -user entries. - The names are stored in a single string with `|' as separator. */ -static void -blacklist_store_name (const char *name, ent_t *ent) -{ - int namelen = strlen (name); - char *tmp; - - /* first call, setup cache */ - if (ent->blacklist.size == 0) - { - ent->blacklist.size = MAX (BLACKLIST_INITIAL_SIZE, 2 * namelen); - ent->blacklist.data = malloc (ent->blacklist.size); - if (ent->blacklist.data == NULL) - return; - ent->blacklist.data[0] = '|'; - ent->blacklist.data[1] = '\0'; - ent->blacklist.current = 1; - } - else - { - if (in_blacklist (name, namelen, ent)) - return; /* no duplicates */ - - if (ent->blacklist.current + namelen + 1 >= ent->blacklist.size) - { - ent->blacklist.size += MAX (BLACKLIST_INCREMENT, 2 * namelen); - tmp = realloc (ent->blacklist.data, ent->blacklist.size); - if (tmp == NULL) - { - free (ent->blacklist.data); - ent->blacklist.size = 0; - return; - } - ent->blacklist.data = tmp; - } - } - - tmp = stpcpy (ent->blacklist.data + ent->blacklist.current, name); - *tmp++ = '|'; - *tmp = '\0'; - ent->blacklist.current += namelen + 1; - - return; -} - - -/* Returns TRUE if ent->blacklist contains name, else FALSE. */ -static bool_t -in_blacklist (const char *name, int namelen, ent_t *ent) -{ - char buf[namelen + 3]; - char *cp; - - if (ent->blacklist.data == NULL) - return false; - - buf[0] = '|'; - cp = stpcpy (&buf[1], name); - *cp++ = '|'; - *cp = '\0'; - return strstr (ent->blacklist.data, buf) != NULL; -} Index: glibc-2.26/nss/Makefile =================================================================== --- glibc-2.26.orig/nss/Makefile +++ glibc-2.26/nss/Makefile @@ -70,7 +70,7 @@ tests += tst-cancel-getpwuid_r endif # Specify rules for the nss_* modules. We have some services. -services := files db +services := files db compat extra-libs = $(services:%=libnss_%) # These libraries will be built in the `others' pass rather than @@ -93,11 +93,15 @@ libnss_db-routines := $(libnss_db-dbs) d generated += $(filter-out db-alias.c db-netgrp.c, \ $(addsuffix .c,$(libnss_db-dbs))) +libnss_compat-routines := $(addprefix compat-,grp pwd spwd initgroups) \ + nisdomain + install-others += $(inst_vardbdir)/Makefile # Build static module into libc if requested libnss_files-inhibit-o = $(filter-out .os,$(object-suffixes)) libnss_db-inhibit-o = $(filter-out .os,$(object-suffixes)) +libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) ifeq ($(build-static-nss),yes) routines += $(libnss_files-routines) static-only-routines += $(libnss_files-routines) Index: glibc-2.26/nss/Versions =================================================================== --- glibc-2.26.orig/nss/Versions +++ glibc-2.26/nss/Versions @@ -160,3 +160,14 @@ libnss_db { _nss_db_init; } } + +libnss_compat { + GLIBC_PRIVATE { + _nss_compat_endgrent; _nss_compat_endpwent; _nss_compat_endspent; + _nss_compat_getgrent_r; _nss_compat_getgrgid_r; _nss_compat_getgrnam_r; + _nss_compat_getpwent_r; _nss_compat_getpwnam_r; _nss_compat_getpwuid_r; + _nss_compat_getspent_r; _nss_compat_getspnam_r; + _nss_compat_setgrent; _nss_compat_setpwent; _nss_compat_setspent; + _nss_compat_initgroups_dyn; + } +} Index: glibc-2.26/nss/nss_compat/compat-grp.c =================================================================== --- /dev/null +++ glibc-2.26/nss/nss_compat/compat-grp.c @@ -0,0 +1,682 @@ +/* Copyright (C) 1996-2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + Contributed by Thorsten Kukuk <kukuk@suse.de>, 1996. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <ctype.h> +#include <errno.h> +#include <fcntl.h> +#include <grp.h> +#include <nss.h> +#include <nsswitch.h> +#include <stdio_ext.h> +#include <string.h> +#include <libc-lock.h> +#include <kernel-features.h> + +static service_user *ni; +static enum nss_status (*nss_setgrent) (int stayopen); +static enum nss_status (*nss_getgrnam_r) (const char *name, + struct group * grp, char *buffer, + size_t buflen, int *errnop); +static enum nss_status (*nss_getgrgid_r) (gid_t gid, struct group * grp, + char *buffer, size_t buflen, + int *errnop); +static enum nss_status (*nss_getgrent_r) (struct group * grp, char *buffer, + size_t buflen, int *errnop); +static enum nss_status (*nss_endgrent) (void); + +/* Get the declaration of the parser function. */ +#define ENTNAME grent +#define STRUCTURE group +#define EXTERN_PARSER +#include <nss/nss_files/files-parse.c> + +/* Structure for remembering -group members ... */ +#define BLACKLIST_INITIAL_SIZE 512 +#define BLACKLIST_INCREMENT 256 +struct blacklist_t +{ + char *data; + int current; + int size; +}; + +struct ent_t +{ + bool files; + enum nss_status setent_status; + FILE *stream; + struct blacklist_t blacklist; +}; +typedef struct ent_t ent_t; + +static ent_t ext_ent = { true, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0 }}; + +/* Protect global state against multiple changers. */ +__libc_lock_define_initialized (static, lock) + +/* Prototypes for local functions. */ +static void blacklist_store_name (const char *, ent_t *); +static bool in_blacklist (const char *, int, ent_t *); + +/* Initialize the NSS interface/functions. The calling function must + hold the lock. */ +static void +init_nss_interface (void) +{ + if (__nss_database_lookup ("group_compat", NULL, "nis", &ni) >= 0) + { + nss_setgrent = __nss_lookup_function (ni, "setgrent"); + nss_getgrnam_r = __nss_lookup_function (ni, "getgrnam_r"); + nss_getgrgid_r = __nss_lookup_function (ni, "getgrgid_r"); + nss_getgrent_r = __nss_lookup_function (ni, "getgrent_r"); + nss_endgrent = __nss_lookup_function (ni, "endgrent"); + } +} + +static enum nss_status +internal_setgrent (ent_t *ent, int stayopen, int needent) +{ + enum nss_status status = NSS_STATUS_SUCCESS; + + ent->files = true; + + if (ent->blacklist.data != NULL) + { + ent->blacklist.current = 1; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + } + else + ent->blacklist.current = 0; + + if (ent->stream == NULL) + { + ent->stream = fopen ("/etc/group", "rme"); + + if (ent->stream == NULL) + status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL; + else + /* We take care of locking ourself. */ + __fsetlocking (ent->stream, FSETLOCKING_BYCALLER); + } + else + rewind (ent->stream); + + if (needent && status == NSS_STATUS_SUCCESS && nss_setgrent) + ent->setent_status = nss_setgrent (stayopen); + + return status; +} + + +enum nss_status +_nss_compat_setgrent (int stayopen) +{ + enum nss_status result; + + __libc_lock_lock (lock); + + if (ni == NULL) + init_nss_interface (); + + result = internal_setgrent (&ext_ent, stayopen, 1); + + __libc_lock_unlock (lock); + + return result; +} + + +static enum nss_status +internal_endgrent (ent_t *ent) +{ + if (ent->stream != NULL) + { + fclose (ent->stream); + ent->stream = NULL; + } + + if (ent->blacklist.data != NULL) + { + ent->blacklist.current = 1; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + } + else + ent->blacklist.current = 0; + + return NSS_STATUS_SUCCESS; +} + +enum nss_status +_nss_compat_endgrent (void) +{ + enum nss_status result; + + __libc_lock_lock (lock); + + if (nss_endgrent) + nss_endgrent (); + + result = internal_endgrent (&ext_ent); + + __libc_lock_unlock (lock); + + return result; +} + +/* get the next group from NSS (+ entry) */ +static enum nss_status +getgrent_next_nss (struct group *result, ent_t *ent, char *buffer, + size_t buflen, int *errnop) +{ + if (!nss_getgrent_r) + return NSS_STATUS_UNAVAIL; + + /* If the setgrent call failed, say so. */ + if (ent->setent_status != NSS_STATUS_SUCCESS) + return ent->setent_status; + + do + { + enum nss_status status; + + if ((status = nss_getgrent_r (result, buffer, buflen, errnop)) != + NSS_STATUS_SUCCESS) + return status; + } + while (in_blacklist (result->gr_name, strlen (result->gr_name), ent)); + + return NSS_STATUS_SUCCESS; +} + +/* This function handle the +group entrys in /etc/group */ +static enum nss_status +getgrnam_plusgroup (const char *name, struct group *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + if (!nss_getgrnam_r) + return NSS_STATUS_UNAVAIL; + + enum nss_status status = nss_getgrnam_r (name, result, buffer, buflen, + errnop); + if (status != NSS_STATUS_SUCCESS) + return status; + + if (in_blacklist (result->gr_name, strlen (result->gr_name), ent)) + return NSS_STATUS_NOTFOUND; + + /* We found the entry. */ + return NSS_STATUS_SUCCESS; +} + +static enum nss_status +getgrent_next_file (struct group *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + struct parser_data *data = (void *) buffer; + while (1) + { + fpos_t pos; + int parse_res = 0; + char *p; + + do + { + /* We need at least 3 characters for one line. */ + if (__glibc_unlikely (buflen < 3)) + { + erange: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + fgetpos (ent->stream, &pos); + buffer[buflen - 1] = '\xff'; + p = fgets_unlocked (buffer, buflen, ent->stream); + if (p == NULL && feof_unlocked (ent->stream)) + return NSS_STATUS_NOTFOUND; + + if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) + { + erange_reset: + fsetpos (ent->stream, &pos); + goto erange; + } + + /* Terminate the line for any case. */ + buffer[buflen - 1] = '\0'; + + /* Skip leading blanks. */ + while (isspace (*p)) + ++p; + } + while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ + /* Parse the line. If it is invalid, loop to + get the next line of the file to parse. */ + !(parse_res = _nss_files_parse_grent (p, result, data, buflen, + errnop))); + + if (__glibc_unlikely (parse_res == -1)) + /* The parser ran out of space. */ + goto erange_reset; + + if (result->gr_name[0] != '+' && result->gr_name[0] != '-') + /* This is a real entry. */ + break; + + /* -group */ + if (result->gr_name[0] == '-' && result->gr_name[1] != '\0' + && result->gr_name[1] != '@') + { + blacklist_store_name (&result->gr_name[1], ent); + continue; + } + + /* +group */ + if (result->gr_name[0] == '+' && result->gr_name[1] != '\0' + && result->gr_name[1] != '@') + { + size_t len = strlen (result->gr_name); + char buf[len]; + enum nss_status status; + + /* Store the group in the blacklist for the "+" at the end of + /etc/group */ + memcpy (buf, &result->gr_name[1], len); + status = getgrnam_plusgroup (&result->gr_name[1], result, ent, + buffer, buflen, errnop); + blacklist_store_name (buf, ent); + if (status == NSS_STATUS_SUCCESS) /* We found the entry. */ + break; + else if (status == NSS_STATUS_RETURN /* We couldn't parse the entry*/ + || status == NSS_STATUS_NOTFOUND) /* No group in NIS */ + continue; + else + { + if (status == NSS_STATUS_TRYAGAIN) + /* The parser ran out of space. */ + goto erange_reset; + + return status; + } + } + + /* +:... */ + if (result->gr_name[0] == '+' && result->gr_name[1] == '\0') + { + ent->files = false; + + return getgrent_next_nss (result, ent, buffer, buflen, errnop); + } + } + + return NSS_STATUS_SUCCESS; +} + + +enum nss_status +_nss_compat_getgrent_r (struct group *grp, char *buffer, size_t buflen, + int *errnop) +{ + enum nss_status result = NSS_STATUS_SUCCESS; + + __libc_lock_lock (lock); + + /* Be prepared that the setgrent function was not called before. */ + if (ni == NULL) + init_nss_interface (); + + if (ext_ent.stream == NULL) + result = internal_setgrent (&ext_ent, 1, 1); + + if (result == NSS_STATUS_SUCCESS) + { + if (ext_ent.files) + result = getgrent_next_file (grp, &ext_ent, buffer, buflen, errnop); + else + result = getgrent_next_nss (grp, &ext_ent, buffer, buflen, errnop); + } + __libc_lock_unlock (lock); + + return result; +} + +/* Searches in /etc/group and the NIS/NIS+ map for a special group */ +static enum nss_status +internal_getgrnam_r (const char *name, struct group *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + struct parser_data *data = (void *) buffer; + while (1) + { + fpos_t pos; + int parse_res = 0; + char *p; + + do + { + /* We need at least 3 characters for one line. */ + if (__glibc_unlikely (buflen < 3)) + { + erange: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + fgetpos (ent->stream, &pos); + buffer[buflen - 1] = '\xff'; + p = fgets_unlocked (buffer, buflen, ent->stream); + if (p == NULL && feof_unlocked (ent->stream)) + return NSS_STATUS_NOTFOUND; + + if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) + { + erange_reset: + fsetpos (ent->stream, &pos); + goto erange; + } + + /* Terminate the line for any case. */ + buffer[buflen - 1] = '\0'; + + /* Skip leading blanks. */ + while (isspace (*p)) + ++p; + } + while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ + /* Parse the line. If it is invalid, loop to + get the next line of the file to parse. */ + !(parse_res = _nss_files_parse_grent (p, result, data, buflen, + errnop))); + + if (__glibc_unlikely (parse_res == -1)) + /* The parser ran out of space. */ + goto erange_reset; + + /* This is a real entry. */ + if (result->gr_name[0] != '+' && result->gr_name[0] != '-') + { + if (strcmp (result->gr_name, name) == 0) + return NSS_STATUS_SUCCESS; + else + continue; + } + + /* -group */ + if (result->gr_name[0] == '-' && result->gr_name[1] != '\0') + { + if (strcmp (&result->gr_name[1], name) == 0) + return NSS_STATUS_NOTFOUND; + else + continue; + } + + /* +group */ + if (result->gr_name[0] == '+' && result->gr_name[1] != '\0') + { + if (strcmp (name, &result->gr_name[1]) == 0) + { + enum nss_status status; + + status = getgrnam_plusgroup (name, result, ent, + buffer, buflen, errnop); + if (status == NSS_STATUS_RETURN) + /* We couldn't parse the entry */ + continue; + else + return status; + } + } + /* +:... */ + if (result->gr_name[0] == '+' && result->gr_name[1] == '\0') + { + enum nss_status status; + + status = getgrnam_plusgroup (name, result, ent, + buffer, buflen, errnop); + if (status == NSS_STATUS_RETURN) + /* We couldn't parse the entry */ + continue; + else + return status; + } + } + + return NSS_STATUS_SUCCESS; +} + +enum nss_status +_nss_compat_getgrnam_r (const char *name, struct group *grp, + char *buffer, size_t buflen, int *errnop) +{ + ent_t ent = { true, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0 }}; + enum nss_status result; + + if (name[0] == '-' || name[0] == '+') + return NSS_STATUS_NOTFOUND; + + __libc_lock_lock (lock); + + if (ni == NULL) + init_nss_interface (); + + __libc_lock_unlock (lock); + + result = internal_setgrent (&ent, 0, 0); + + if (result == NSS_STATUS_SUCCESS) + result = internal_getgrnam_r (name, grp, &ent, buffer, buflen, errnop); + + internal_endgrent (&ent); + + return result; +} + +/* Searches in /etc/group and the NIS/NIS+ map for a special group id */ +static enum nss_status +internal_getgrgid_r (gid_t gid, struct group *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + struct parser_data *data = (void *) buffer; + while (1) + { + fpos_t pos; + int parse_res = 0; + char *p; + + do + { + /* We need at least 3 characters for one line. */ + if (__glibc_unlikely (buflen < 3)) + { + erange: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + fgetpos (ent->stream, &pos); + buffer[buflen - 1] = '\xff'; + p = fgets_unlocked (buffer, buflen, ent->stream); + if (p == NULL && feof_unlocked (ent->stream)) + return NSS_STATUS_NOTFOUND; + + if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) + { + erange_reset: + fsetpos (ent->stream, &pos); + goto erange; + } + + /* Terminate the line for any case. */ + buffer[buflen - 1] = '\0'; + + /* Skip leading blanks. */ + while (isspace (*p)) + ++p; + } + while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ + /* Parse the line. If it is invalid, loop to + get the next line of the file to parse. */ + !(parse_res = _nss_files_parse_grent (p, result, data, buflen, + errnop))); + + if (__glibc_unlikely (parse_res == -1)) + /* The parser ran out of space. */ + goto erange_reset; + + /* This is a real entry. */ + if (result->gr_name[0] != '+' && result->gr_name[0] != '-') + { + if (result->gr_gid == gid) + return NSS_STATUS_SUCCESS; + else + continue; + } + + /* -group */ + if (result->gr_name[0] == '-' && result->gr_name[1] != '\0') + { + blacklist_store_name (&result->gr_name[1], ent); + continue; + } + + /* +group */ + if (result->gr_name[0] == '+' && result->gr_name[1] != '\0') + { + /* Yes, no +1, see the memcpy call below. */ + size_t len = strlen (result->gr_name); + char buf[len]; + enum nss_status status; + + /* Store the group in the blacklist for the "+" at the end of + /etc/group */ + memcpy (buf, &result->gr_name[1], len); + status = getgrnam_plusgroup (&result->gr_name[1], result, ent, + buffer, buflen, errnop); + blacklist_store_name (buf, ent); + if (status == NSS_STATUS_SUCCESS && result->gr_gid == gid) + break; + else + continue; + } + /* +:... */ + if (result->gr_name[0] == '+' && result->gr_name[1] == '\0') + { + if (!nss_getgrgid_r) + return NSS_STATUS_UNAVAIL; + + enum nss_status status = nss_getgrgid_r (gid, result, buffer, buflen, + errnop); + if (status == NSS_STATUS_RETURN) /* We couldn't parse the entry */ + return NSS_STATUS_NOTFOUND; + else + return status; + } + } + + return NSS_STATUS_SUCCESS; +} + +enum nss_status +_nss_compat_getgrgid_r (gid_t gid, struct group *grp, + char *buffer, size_t buflen, int *errnop) +{ + ent_t ent = { true, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0 }}; + enum nss_status result; + + __libc_lock_lock (lock); + + if (ni == NULL) + init_nss_interface (); + + __libc_lock_unlock (lock); + + result = internal_setgrent (&ent, 0, 0); + + if (result == NSS_STATUS_SUCCESS) + result = internal_getgrgid_r (gid, grp, &ent, buffer, buflen, errnop); + + internal_endgrent (&ent); + + return result; +} + + +/* Support routines for remembering -@netgroup and -user entries. + The names are stored in a single string with `|' as separator. */ +static void +blacklist_store_name (const char *name, ent_t *ent) +{ + int namelen = strlen (name); + char *tmp; + + /* first call, setup cache */ + if (ent->blacklist.size == 0) + { + ent->blacklist.size = MAX (BLACKLIST_INITIAL_SIZE, 2 * namelen); + ent->blacklist.data = malloc (ent->blacklist.size); + if (ent->blacklist.data == NULL) + return; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + ent->blacklist.current = 1; + } + else + { + if (in_blacklist (name, namelen, ent)) + return; /* no duplicates */ + + if (ent->blacklist.current + namelen + 1 >= ent->blacklist.size) + { + ent->blacklist.size += MAX (BLACKLIST_INCREMENT, 2 * namelen); + tmp = realloc (ent->blacklist.data, ent->blacklist.size); + if (tmp == NULL) + { + free (ent->blacklist.data); + ent->blacklist.size = 0; + return; + } + ent->blacklist.data = tmp; + } + } + + tmp = stpcpy (ent->blacklist.data + ent->blacklist.current, name); + *tmp++ = '|'; + *tmp = '\0'; + ent->blacklist.current += namelen + 1; + + return; +} + +/* Return whether ent->blacklist contains name. */ +static bool +in_blacklist (const char *name, int namelen, ent_t *ent) +{ + char buf[namelen + 3]; + char *cp; + + if (ent->blacklist.data == NULL) + return false; + + buf[0] = '|'; + cp = stpcpy (&buf[1], name); + *cp++ = '|'; + *cp = '\0'; + return strstr (ent->blacklist.data, buf) != NULL; +} Index: glibc-2.26/nss/nss_compat/compat-initgroups.c =================================================================== --- /dev/null +++ glibc-2.26/nss/nss_compat/compat-initgroups.c @@ -0,0 +1,575 @@ +/* Copyright (C) 1998-2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + Contributed by Thorsten Kukuk <kukuk@suse.de>, 1998. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <ctype.h> +#include <errno.h> +#include <fcntl.h> +#include <grp.h> +#include <nss.h> +#include <stdio_ext.h> +#include <string.h> +#include <unistd.h> +#include <sys/param.h> +#include <nsswitch.h> +#include <libc-lock.h> +#include <kernel-features.h> +#include <scratch_buffer.h> + +static service_user *ni; +/* Type of the lookup function. */ +static enum nss_status (*nss_initgroups_dyn) (const char *, gid_t, + long int *, long int *, + gid_t **, long int, int *); +static enum nss_status (*nss_getgrnam_r) (const char *name, + struct group * grp, char *buffer, + size_t buflen, int *errnop); +static enum nss_status (*nss_getgrgid_r) (gid_t gid, struct group * grp, + char *buffer, size_t buflen, + int *errnop); +static enum nss_status (*nss_setgrent) (int stayopen); +static enum nss_status (*nss_getgrent_r) (struct group * grp, char *buffer, + size_t buflen, int *errnop); +static enum nss_status (*nss_endgrent) (void); + +/* Protect global state against multiple changers. */ +__libc_lock_define_initialized (static, lock) + + +/* Get the declaration of the parser function. */ +#define ENTNAME grent +#define STRUCTURE group +#define EXTERN_PARSER +#include <nss/nss_files/files-parse.c> + +/* Structure for remembering -group members ... */ +#define BLACKLIST_INITIAL_SIZE 512 +#define BLACKLIST_INCREMENT 256 +struct blacklist_t +{ + char *data; + int current; + int size; +}; + +struct ent_t +{ + bool files; + bool need_endgrent; + bool skip_initgroups_dyn; + FILE *stream; + struct blacklist_t blacklist; +}; +typedef struct ent_t ent_t; + +/* Prototypes for local functions. */ +static void blacklist_store_name (const char *, ent_t *); +static bool in_blacklist (const char *, int, ent_t *); + +/* Initialize the NSS interface/functions. The calling function must + hold the lock. */ +static void +init_nss_interface (void) +{ + __libc_lock_lock (lock); + + /* Retest. */ + if (ni == NULL + && __nss_database_lookup ("group_compat", NULL, "nis", &ni) >= 0) + { + nss_initgroups_dyn = __nss_lookup_function (ni, "initgroups_dyn"); + nss_getgrnam_r = __nss_lookup_function (ni, "getgrnam_r"); + nss_getgrgid_r = __nss_lookup_function (ni, "getgrgid_r"); + nss_setgrent = __nss_lookup_function (ni, "setgrent"); + nss_getgrent_r = __nss_lookup_function (ni, "getgrent_r"); + nss_endgrent = __nss_lookup_function (ni, "endgrent"); + } + + __libc_lock_unlock (lock); +} + +static enum nss_status +internal_setgrent (ent_t *ent) +{ + enum nss_status status = NSS_STATUS_SUCCESS; + + ent->files = true; + + if (ni == NULL) + init_nss_interface (); + + if (ent->blacklist.data != NULL) + { + ent->blacklist.current = 1; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + } + else + ent->blacklist.current = 0; + + ent->stream = fopen ("/etc/group", "rme"); + + if (ent->stream == NULL) + status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL; + else + /* We take care of locking ourself. */ + __fsetlocking (ent->stream, FSETLOCKING_BYCALLER); + + return status; +} + + +static enum nss_status +internal_endgrent (ent_t *ent) +{ + if (ent->stream != NULL) + { + fclose (ent->stream); + ent->stream = NULL; + } + + if (ent->blacklist.data != NULL) + { + ent->blacklist.current = 1; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + } + else + ent->blacklist.current = 0; + + if (ent->need_endgrent && nss_endgrent != NULL) + nss_endgrent (); + + return NSS_STATUS_SUCCESS; +} + +/* Add new group record. */ +static void +add_group (long int *start, long int *size, gid_t **groupsp, long int limit, + gid_t gid) +{ + gid_t *groups = *groupsp; + + /* Matches user. Insert this group. */ + if (__glibc_unlikely (*start == *size)) + { + /* Need a bigger buffer. */ + gid_t *newgroups; + long int newsize; + + if (limit > 0 && *size == limit) + /* We reached the maximum. */ + return; + + if (limit <= 0) + newsize = 2 * *size; + else + newsize = MIN (limit, 2 * *size); + + newgroups = realloc (groups, newsize * sizeof (*groups)); + if (newgroups == NULL) + return; + *groupsp = groups = newgroups; + *size = newsize; + } + + groups[*start] = gid; + *start += 1; +} + +/* This function checks, if the user is a member of this group and if + yes, add the group id to the list. Return nonzero is we couldn't + handle the group because the user is not in the member list. */ +static int +check_and_add_group (const char *user, gid_t group, long int *start, + long int *size, gid_t **groupsp, long int limit, + struct group *grp) +{ + char **member; + + /* Don't add main group to list of groups. */ + if (grp->gr_gid == group) + return 0; + + for (member = grp->gr_mem; *member != NULL; ++member) + if (strcmp (*member, user) == 0) + { + add_group (start, size, groupsp, limit, grp->gr_gid); + return 0; + } + + return 1; +} + +/* Get the next group from NSS (+ entry). If the NSS module supports + initgroups_dyn, get all entries at once. */ +static enum nss_status +getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user, + gid_t group, long int *start, long int *size, + gid_t **groupsp, long int limit, int *errnop) +{ + enum nss_status status; + struct group grpbuf; + + /* Try nss_initgroups_dyn if supported. We also need getgrgid_r. + If this function is not supported, step through the whole group + database with getgrent_r. */ + if (! ent->skip_initgroups_dyn) + { + long int mystart = 0; + long int mysize = limit <= 0 ? *size : limit; + gid_t *mygroups = malloc (mysize * sizeof (gid_t)); + + if (mygroups == NULL) + return NSS_STATUS_TRYAGAIN; + + /* For every gid in the list we get from the NSS module, + get the whole group entry. We need to do this, since we + need the group name to check if it is in the blacklist. + In worst case, this is as twice as slow as stepping with + getgrent_r through the whole group database. But for large + group databases this is faster, since the user can only be + in a limited number of groups. */ + if (nss_initgroups_dyn (user, group, &mystart, &mysize, &mygroups, + limit, errnop) == NSS_STATUS_SUCCESS) + { + status = NSS_STATUS_NOTFOUND; + + /* If there is no blacklist we can trust the underlying + initgroups implementation. */ + if (ent->blacklist.current <= 1) + for (int i = 0; i < mystart; i++) + add_group (start, size, groupsp, limit, mygroups[i]); + else + { + /* A temporary buffer. We use the normal buffer, until we find + an entry, for which this buffer is to small. In this case, we + overwrite the pointer with one to a bigger buffer. */ + char *tmpbuf = buffer; + size_t tmplen = buflen; + bool use_malloc = false; + + for (int i = 0; i < mystart; i++) + { + while ((status = nss_getgrgid_r (mygroups[i], &grpbuf, + tmpbuf, tmplen, errnop)) + == NSS_STATUS_TRYAGAIN + && *errnop == ERANGE) + { + if (__libc_use_alloca (tmplen * 2)) + { + if (tmpbuf == buffer) + { + tmplen *= 2; + tmpbuf = __alloca (tmplen); + } + else + tmpbuf = extend_alloca (tmpbuf, tmplen, tmplen * 2); + } + else + { + tmplen *= 2; + char *newbuf = realloc (use_malloc ? tmpbuf : NULL, tmplen); + + if (newbuf == NULL) + { + status = NSS_STATUS_TRYAGAIN; + goto done; + } + use_malloc = true; + tmpbuf = newbuf; + } + } + + if (__builtin_expect (status != NSS_STATUS_NOTFOUND, 1)) + { + if (__builtin_expect (status != NSS_STATUS_SUCCESS, 0)) + goto done; + + if (!in_blacklist (grpbuf.gr_name, + strlen (grpbuf.gr_name), ent) + && check_and_add_group (user, group, start, size, + groupsp, limit, &grpbuf)) + { + if (nss_setgrent != NULL) + { + nss_setgrent (1); + ent->need_endgrent = true; + } + ent->skip_initgroups_dyn = true; + + goto iter; + } + } + } + + status = NSS_STATUS_NOTFOUND; + + done: + if (use_malloc) + free (tmpbuf); + } + + free (mygroups); + + return status; + } + + free (mygroups); + } + + /* If we come here, the NSS module does not support initgroups_dyn + or we were confronted with a split group. In these cases we have + to step through the whole list ourself. */ + iter: + do + { + if ((status = nss_getgrent_r (&grpbuf, buffer, buflen, errnop)) != + NSS_STATUS_SUCCESS) + break; + } + while (in_blacklist (grpbuf.gr_name, strlen (grpbuf.gr_name), ent)); + + if (status == NSS_STATUS_SUCCESS) + check_and_add_group (user, group, start, size, groupsp, limit, &grpbuf); + + return status; +} + +static enum nss_status +internal_getgrent_r (ent_t *ent, char *buffer, size_t buflen, const char *user, + gid_t group, long int *start, long int *size, + gid_t **groupsp, long int limit, int *errnop) +{ + struct parser_data *data = (void *) buffer; + struct group grpbuf; + + if (!ent->files) + return getgrent_next_nss (ent, buffer, buflen, user, group, + start, size, groupsp, limit, errnop); + + while (1) + { + fpos_t pos; + int parse_res = 0; + char *p; + + do + { + /* We need at least 3 characters for one line. */ + if (__glibc_unlikely (buflen < 3)) + { + erange: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + fgetpos (ent->stream, &pos); + buffer[buflen - 1] = '\xff'; + p = fgets_unlocked (buffer, buflen, ent->stream); + if (p == NULL && feof_unlocked (ent->stream)) + return NSS_STATUS_NOTFOUND; + + if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) + { + erange_reset: + fsetpos (ent->stream, &pos); + goto erange; + } + + /* Terminate the line for any case. */ + buffer[buflen - 1] = '\0'; + + /* Skip leading blanks. */ + while (isspace (*p)) + ++p; + } + while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ + /* Parse the line. If it is invalid, loop to + get the next line of the file to parse. */ + !(parse_res = _nss_files_parse_grent (p, &grpbuf, data, buflen, + errnop))); + + if (__glibc_unlikely (parse_res == -1)) + /* The parser ran out of space. */ + goto erange_reset; + + if (grpbuf.gr_name[0] != '+' && grpbuf.gr_name[0] != '-') + /* This is a real entry. */ + break; + + /* -group */ + if (grpbuf.gr_name[0] == '-' && grpbuf.gr_name[1] != '\0' + && grpbuf.gr_name[1] != '@') + { + blacklist_store_name (&grpbuf.gr_name[1], ent); + continue; + } + + /* +group */ + if (grpbuf.gr_name[0] == '+' && grpbuf.gr_name[1] != '\0' + && grpbuf.gr_name[1] != '@') + { + if (in_blacklist (&grpbuf.gr_name[1], + strlen (&grpbuf.gr_name[1]), ent)) + continue; + /* Store the group in the blacklist for the "+" at the end of + /etc/group */ + blacklist_store_name (&grpbuf.gr_name[1], ent); + if (nss_getgrnam_r == NULL) + return NSS_STATUS_UNAVAIL; + else if (nss_getgrnam_r (&grpbuf.gr_name[1], &grpbuf, buffer, + buflen, errnop) != NSS_STATUS_SUCCESS) + continue; + + check_and_add_group (user, group, start, size, groupsp, + limit, &grpbuf); + + return NSS_STATUS_SUCCESS; + } + + /* +:... */ + if (grpbuf.gr_name[0] == '+' && grpbuf.gr_name[1] == '\0') + { + /* If the selected module does not support getgrent_r or + initgroups_dyn, abort. We cannot find the needed group + entries. */ + if (nss_initgroups_dyn == NULL || nss_getgrgid_r == NULL) + { + if (nss_setgrent != NULL) + { + nss_setgrent (1); + ent->need_endgrent = true; + } + ent->skip_initgroups_dyn = true; + + if (nss_getgrent_r == NULL) + return NSS_STATUS_UNAVAIL; + } + + ent->files = false; + + return getgrent_next_nss (ent, buffer, buflen, user, group, + start, size, groupsp, limit, errnop); + } + } + + check_and_add_group (user, group, start, size, groupsp, limit, &grpbuf); + + return NSS_STATUS_SUCCESS; +} + + +enum nss_status +_nss_compat_initgroups_dyn (const char *user, gid_t group, long int *start, + long int *size, gid_t **groupsp, long int limit, + int *errnop) +{ + enum nss_status status; + ent_t intern = { true, false, false, NULL, {NULL, 0, 0} }; + + status = internal_setgrent (&intern); + if (status != NSS_STATUS_SUCCESS) + return status; + + struct scratch_buffer tmpbuf; + scratch_buffer_init (&tmpbuf); + + do + { + while ((status = internal_getgrent_r (&intern, tmpbuf.data, tmpbuf.length, + user, group, start, size, + groupsp, limit, errnop)) + == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) + if (!scratch_buffer_grow (&tmpbuf)) + goto done; + } + while (status == NSS_STATUS_SUCCESS); + + status = NSS_STATUS_SUCCESS; + + done: + scratch_buffer_free (&tmpbuf); + + internal_endgrent (&intern); + + return status; +} + + +/* Support routines for remembering -@netgroup and -user entries. + The names are stored in a single string with `|' as separator. */ +static void +blacklist_store_name (const char *name, ent_t *ent) +{ + int namelen = strlen (name); + char *tmp; + + /* First call, setup cache. */ + if (ent->blacklist.size == 0) + { + ent->blacklist.size = MAX (BLACKLIST_INITIAL_SIZE, 2 * namelen); + ent->blacklist.data = malloc (ent->blacklist.size); + if (ent->blacklist.data == NULL) + return; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + ent->blacklist.current = 1; + } + else + { + if (in_blacklist (name, namelen, ent)) + return; /* no duplicates */ + + if (ent->blacklist.current + namelen + 1 >= ent->blacklist.size) + { + ent->blacklist.size += MAX (BLACKLIST_INCREMENT, 2 * namelen); + tmp = realloc (ent->blacklist.data, ent->blacklist.size); + if (tmp == NULL) + { + free (ent->blacklist.data); + ent->blacklist.size = 0; + return; + } + ent->blacklist.data = tmp; + } + } + + tmp = stpcpy (ent->blacklist.data + ent->blacklist.current, name); + *tmp++ = '|'; + *tmp = '\0'; + ent->blacklist.current += namelen + 1; + + return; +} + +/* Return whether ent->blacklist contains name. */ +static bool +in_blacklist (const char *name, int namelen, ent_t *ent) +{ + char buf[namelen + 3]; + char *cp; + + if (ent->blacklist.data == NULL) + return false; + + buf[0] = '|'; + cp = stpcpy (&buf[1], name); + *cp++ = '|'; + *cp = '\0'; + return strstr (ent->blacklist.data, buf) != NULL; +} Index: glibc-2.26/nss/nss_compat/compat-pwd.c =================================================================== --- /dev/null +++ glibc-2.26/nss/nss_compat/compat-pwd.c @@ -0,0 +1,1131 @@ +/* Copyright (C) 1996-2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <ctype.h> +#include <errno.h> +#include <fcntl.h> +#include <netdb.h> +#include <nss.h> +#include <nsswitch.h> +#include <pwd.h> +#include <stdio_ext.h> +#include <string.h> +#include <libc-lock.h> +#include <kernel-features.h> + +#include "netgroup.h" +#include "nisdomain.h" + +static service_user *ni; +static enum nss_status (*nss_setpwent) (int stayopen); +static enum nss_status (*nss_getpwnam_r) (const char *name, + struct passwd * pwd, char *buffer, + size_t buflen, int *errnop); +static enum nss_status (*nss_getpwuid_r) (uid_t uid, struct passwd * pwd, + char *buffer, size_t buflen, + int *errnop); +static enum nss_status (*nss_getpwent_r) (struct passwd * pwd, char *buffer, + size_t buflen, int *errnop); +static enum nss_status (*nss_endpwent) (void); + +/* Get the declaration of the parser function. */ +#define ENTNAME pwent +#define STRUCTURE passwd +#define EXTERN_PARSER +#include <nss/nss_files/files-parse.c> + +/* Structure for remembering -@netgroup and -user members ... */ +#define BLACKLIST_INITIAL_SIZE 512 +#define BLACKLIST_INCREMENT 256 +struct blacklist_t +{ + char *data; + int current; + int size; +}; + +struct ent_t +{ + bool netgroup; + bool first; + bool files; + enum nss_status setent_status; + FILE *stream; + struct blacklist_t blacklist; + struct passwd pwd; + struct __netgrent netgrdata; +}; +typedef struct ent_t ent_t; + +static ent_t ext_ent = { false, false, true, NSS_STATUS_SUCCESS, NULL, + { NULL, 0, 0 }, + { NULL, NULL, 0, 0, NULL, NULL, NULL }}; + +/* Protect global state against multiple changers. */ +__libc_lock_define_initialized (static, lock) + +/* Prototypes for local functions. */ +static void blacklist_store_name (const char *, ent_t *); +static bool in_blacklist (const char *, int, ent_t *); + +/* Initialize the NSS interface/functions. The calling function must + hold the lock. */ +static void +init_nss_interface (void) +{ + if (__nss_database_lookup ("passwd_compat", NULL, "nis", &ni) >= 0) + { + nss_setpwent = __nss_lookup_function (ni, "setpwent"); + nss_getpwnam_r = __nss_lookup_function (ni, "getpwnam_r"); + nss_getpwuid_r = __nss_lookup_function (ni, "getpwuid_r"); + nss_getpwent_r = __nss_lookup_function (ni, "getpwent_r"); + nss_endpwent = __nss_lookup_function (ni, "endpwent"); + } +} + +static void +give_pwd_free (struct passwd *pwd) +{ + free (pwd->pw_name); + free (pwd->pw_passwd); + free (pwd->pw_gecos); + free (pwd->pw_dir); + free (pwd->pw_shell); + + memset (pwd, '\0', sizeof (struct passwd)); +} + +static size_t +pwd_need_buflen (struct passwd *pwd) +{ + size_t len = 0; + + if (pwd->pw_passwd != NULL) + len += strlen (pwd->pw_passwd) + 1; + + if (pwd->pw_gecos != NULL) + len += strlen (pwd->pw_gecos) + 1; + + if (pwd->pw_dir != NULL) + len += strlen (pwd->pw_dir) + 1; + + if (pwd->pw_shell != NULL) + len += strlen (pwd->pw_shell) + 1; + + return len; +} + +static void +copy_pwd_changes (struct passwd *dest, struct passwd *src, + char *buffer, size_t buflen) +{ + if (src->pw_passwd != NULL && strlen (src->pw_passwd)) + { + if (buffer == NULL) + dest->pw_passwd = strdup (src->pw_passwd); + else if (dest->pw_passwd && + strlen (dest->pw_passwd) >= strlen (src->pw_passwd)) + strcpy (dest->pw_passwd, src->pw_passwd); + else + { + dest->pw_passwd = buffer; + strcpy (dest->pw_passwd, src->pw_passwd); + buffer += strlen (dest->pw_passwd) + 1; + buflen = buflen - (strlen (dest->pw_passwd) + 1); + } + } + + if (src->pw_gecos != NULL && strlen (src->pw_gecos)) + { + if (buffer == NULL) + dest->pw_gecos = strdup (src->pw_gecos); + else if (dest->pw_gecos && + strlen (dest->pw_gecos) >= strlen (src->pw_gecos)) + strcpy (dest->pw_gecos, src->pw_gecos); + else + { + dest->pw_gecos = buffer; + strcpy (dest->pw_gecos, src->pw_gecos); + buffer += strlen (dest->pw_gecos) + 1; + buflen = buflen - (strlen (dest->pw_gecos) + 1); + } + } + if (src->pw_dir != NULL && strlen (src->pw_dir)) + { + if (buffer == NULL) + dest->pw_dir = strdup (src->pw_dir); + else if (dest->pw_dir && strlen (dest->pw_dir) >= strlen (src->pw_dir)) + strcpy (dest->pw_dir, src->pw_dir); + else + { + dest->pw_dir = buffer; + strcpy (dest->pw_dir, src->pw_dir); + buffer += strlen (dest->pw_dir) + 1; + buflen = buflen - (strlen (dest->pw_dir) + 1); + } + } + + if (src->pw_shell != NULL && strlen (src->pw_shell)) + { + if (buffer == NULL) + dest->pw_shell = strdup (src->pw_shell); + else if (dest->pw_shell && + strlen (dest->pw_shell) >= strlen (src->pw_shell)) + strcpy (dest->pw_shell, src->pw_shell); + else + { + dest->pw_shell = buffer; + strcpy (dest->pw_shell, src->pw_shell); + buffer += strlen (dest->pw_shell) + 1; + buflen = buflen - (strlen (dest->pw_shell) + 1); + } + } +} + +static enum nss_status +internal_setpwent (ent_t *ent, int stayopen, int needent) +{ + enum nss_status status = NSS_STATUS_SUCCESS; + + ent->first = ent->netgroup = false; + ent->files = true; + ent->setent_status = NSS_STATUS_SUCCESS; + + /* If something was left over free it. */ + if (ent->netgroup) + __internal_endnetgrent (&ent->netgrdata); + + if (ent->blacklist.data != NULL) + { + ent->blacklist.current = 1; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + } + else + ent->blacklist.current = 0; + + if (ent->stream == NULL) + { + ent->stream = fopen ("/etc/passwd", "rme"); + + if (ent->stream == NULL) + status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL; + else + /* We take care of locking ourself. */ + __fsetlocking (ent->stream, FSETLOCKING_BYCALLER); + } + else + rewind (ent->stream); + + give_pwd_free (&ent->pwd); + + if (needent && status == NSS_STATUS_SUCCESS && nss_setpwent) + ent->setent_status = nss_setpwent (stayopen); + + return status; +} + + +enum nss_status +_nss_compat_setpwent (int stayopen) +{ + enum nss_status result; + + __libc_lock_lock (lock); + + if (ni == NULL) + init_nss_interface (); + + result = internal_setpwent (&ext_ent, stayopen, 1); + + __libc_lock_unlock (lock); + + return result; +} + + +static enum nss_status +internal_endpwent (ent_t *ent) +{ + if (ent->stream != NULL) + { + fclose (ent->stream); + ent->stream = NULL; + } + + if (ent->netgroup) + __internal_endnetgrent (&ent->netgrdata); + + ent->first = ent->netgroup = false; + + if (ent->blacklist.data != NULL) + { + ent->blacklist.current = 1; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + } + else + ent->blacklist.current = 0; + + give_pwd_free (&ent->pwd); + + return NSS_STATUS_SUCCESS; +} + +enum nss_status +_nss_compat_endpwent (void) +{ + enum nss_status result; + + __libc_lock_lock (lock); + + if (nss_endpwent) + nss_endpwent (); + + result = internal_endpwent (&ext_ent); + + __libc_lock_unlock (lock); + + return result; +} + + +static enum nss_status +getpwent_next_nss_netgr (const char *name, struct passwd *result, ent_t *ent, + char *group, char *buffer, size_t buflen, + int *errnop) +{ + char *curdomain = NULL, *host, *user, *domain, *p2; + int status; + size_t p2len; + + /* Leave function if NSS module does not support getpwnam_r, + we need this function here. */ + if (!nss_getpwnam_r) + return NSS_STATUS_UNAVAIL; + + if (ent->first) + { + memset (&ent->netgrdata, 0, sizeof (struct __netgrent)); + __internal_setnetgrent (group, &ent->netgrdata); + ent->first = false; + } + + while (1) + { + status = __internal_getnetgrent_r (&host, &user, &domain, + &ent->netgrdata, buffer, buflen, + errnop); + if (status != 1) + { + __internal_endnetgrent (&ent->netgrdata); + ent->netgroup = 0; + give_pwd_free (&ent->pwd); + return NSS_STATUS_RETURN; + } + + if (user == NULL || user[0] == '-') + continue; + + if (domain != NULL) + { + if (curdomain == NULL + && __nss_get_default_domain (&curdomain) != 0) + { + __internal_endnetgrent (&ent->netgrdata); + ent->netgroup = false; + give_pwd_free (&ent->pwd); + return NSS_STATUS_UNAVAIL; + } + if (strcmp (curdomain, domain) != 0) + continue; + } + + /* If name != NULL, we are called from getpwnam. */ + if (name != NULL) + if (strcmp (user, name) != 0) + continue; + + p2len = pwd_need_buflen (&ent->pwd); + if (p2len > buflen) + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + p2 = buffer + (buflen - p2len); + buflen -= p2len; + + if (nss_getpwnam_r (user, result, buffer, buflen, errnop) != + NSS_STATUS_SUCCESS) + continue; + + if (!in_blacklist (result->pw_name, strlen (result->pw_name), ent)) + { + /* Store the User in the blacklist for possible the "+" at the + end of /etc/passwd */ + blacklist_store_name (result->pw_name, ent); + copy_pwd_changes (result, &ent->pwd, p2, p2len); + break; + } + } + + return NSS_STATUS_SUCCESS; +} + +/* get the next user from NSS (+ entry) */ +static enum nss_status +getpwent_next_nss (struct passwd *result, ent_t *ent, char *buffer, + size_t buflen, int *errnop) +{ + enum nss_status status; + char *p2; + size_t p2len; + + /* Return if NSS module does not support getpwent_r. */ + if (!nss_getpwent_r) + return NSS_STATUS_UNAVAIL; + + /* If the setpwent call failed, say so. */ + if (ent->setent_status != NSS_STATUS_SUCCESS) + return ent->setent_status; + + p2len = pwd_need_buflen (&ent->pwd); + if (p2len > buflen) + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + p2 = buffer + (buflen - p2len); + buflen -= p2len; + + if (ent->first) + ent->first = false; + + do + { + if ((status = nss_getpwent_r (result, buffer, buflen, errnop)) != + NSS_STATUS_SUCCESS) + return status; + } + while (in_blacklist (result->pw_name, strlen (result->pw_name), ent)); + + copy_pwd_changes (result, &ent->pwd, p2, p2len); + + return NSS_STATUS_SUCCESS; +} + +/* This function handle the +user entrys in /etc/passwd */ +static enum nss_status +getpwnam_plususer (const char *name, struct passwd *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + if (!nss_getpwnam_r) + return NSS_STATUS_UNAVAIL; + + struct passwd pwd; + memset (&pwd, '\0', sizeof (struct passwd)); + + copy_pwd_changes (&pwd, result, NULL, 0); + + size_t plen = pwd_need_buflen (&pwd); + if (plen > buflen) + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + char *p = buffer + (buflen - plen); + buflen -= plen; + + enum nss_status status = nss_getpwnam_r (name, result, buffer, buflen, + errnop); + if (status != NSS_STATUS_SUCCESS) + return status; + + if (in_blacklist (result->pw_name, strlen (result->pw_name), ent)) + return NSS_STATUS_NOTFOUND; + + copy_pwd_changes (result, &pwd, p, plen); + give_pwd_free (&pwd); + /* We found the entry. */ + return NSS_STATUS_SUCCESS; +} + +static enum nss_status +getpwent_next_file (struct passwd *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + struct parser_data *data = (void *) buffer; + while (1) + { + fpos_t pos; + char *p; + int parse_res; + + do + { + /* We need at least 3 characters for one line. */ + if (__glibc_unlikely (buflen < 3)) + { + erange: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + fgetpos (ent->stream, &pos); + buffer[buflen - 1] = '\xff'; + p = fgets_unlocked (buffer, buflen, ent->stream); + if (p == NULL && feof_unlocked (ent->stream)) + return NSS_STATUS_NOTFOUND; + + if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) + { + erange_reset: + fsetpos (ent->stream, &pos); + goto erange; + } + + /* Terminate the line for any case. */ + buffer[buflen - 1] = '\0'; + + /* Skip leading blanks. */ + while (isspace (*p)) + ++p; + } + while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ + /* Parse the line. If it is invalid, loop to + get the next line of the file to parse. */ + !(parse_res = _nss_files_parse_pwent (p, result, data, buflen, + errnop))); + + if (__glibc_unlikely (parse_res == -1)) + /* The parser ran out of space. */ + goto erange_reset; + + if (result->pw_name[0] != '+' && result->pw_name[0] != '-') + /* This is a real entry. */ + break; + + /* -@netgroup */ + if (result->pw_name[0] == '-' && result->pw_name[1] == '@' + && result->pw_name[2] != '\0') + { + /* XXX Do not use fixed length buffer. */ + char buf2[1024]; + char *user, *host, *domain; + struct __netgrent netgrdata; + + memset (&netgrdata, 0, sizeof (struct __netgrent)); + __internal_setnetgrent (&result->pw_name[2], &netgrdata); + while (__internal_getnetgrent_r (&host, &user, &domain, &netgrdata, + buf2, sizeof (buf2), errnop)) + { + if (user != NULL && user[0] != '-') + blacklist_store_name (user, ent); + } + __internal_endnetgrent (&netgrdata); + continue; + } + + /* +@netgroup */ + if (result->pw_name[0] == '+' && result->pw_name[1] == '@' + && result->pw_name[2] != '\0') + { + enum nss_status status; + + ent->netgroup = true; + ent->first = true; + copy_pwd_changes (&ent->pwd, result, NULL, 0); + + status = getpwent_next_nss_netgr (NULL, result, ent, + &result->pw_name[2], + buffer, buflen, errnop); + if (status == NSS_STATUS_RETURN) + continue; + else + return status; + } + + /* -user */ + if (result->pw_name[0] == '-' && result->pw_name[1] != '\0' + && result->pw_name[1] != '@') + { + blacklist_store_name (&result->pw_name[1], ent); + continue; + } + + /* +user */ + if (result->pw_name[0] == '+' && result->pw_name[1] != '\0' + && result->pw_name[1] != '@') + { + size_t len = strlen (result->pw_name); + char buf[len]; + enum nss_status status; + + /* Store the User in the blacklist for the "+" at the end of + /etc/passwd */ + memcpy (buf, &result->pw_name[1], len); + status = getpwnam_plususer (&result->pw_name[1], result, ent, + buffer, buflen, errnop); + blacklist_store_name (buf, ent); + + if (status == NSS_STATUS_SUCCESS) /* We found the entry. */ + break; + else if (status == NSS_STATUS_RETURN /* We couldn't parse the entry */ + || status == NSS_STATUS_NOTFOUND) /* entry doesn't exist */ + continue; + else + { + if (status == NSS_STATUS_TRYAGAIN) + { + /* The parser ran out of space */ + fsetpos (ent->stream, &pos); + *errnop = ERANGE; + } + return status; + } + } + + /* +:... */ + if (result->pw_name[0] == '+' && result->pw_name[1] == '\0') + { + ent->files = false; + ent->first = true; + copy_pwd_changes (&ent->pwd, result, NULL, 0); + + return getpwent_next_nss (result, ent, buffer, buflen, errnop); + } + } + + return NSS_STATUS_SUCCESS; +} + + +static enum nss_status +internal_getpwent_r (struct passwd *pw, ent_t *ent, char *buffer, + size_t buflen, int *errnop) +{ + if (ent->netgroup) + { + enum nss_status status; + + /* We are searching members in a netgroup */ + /* Since this is not the first call, we don't need the group name */ + status = getpwent_next_nss_netgr (NULL, pw, ent, NULL, buffer, buflen, + errnop); + if (status == NSS_STATUS_RETURN) + return getpwent_next_file (pw, ent, buffer, buflen, errnop); + else + return status; + } + else if (ent->files) + return getpwent_next_file (pw, ent, buffer, buflen, errnop); + else + return getpwent_next_nss (pw, ent, buffer, buflen, errnop); + +} + +enum nss_status +_nss_compat_getpwent_r (struct passwd *pwd, char *buffer, size_t buflen, + int *errnop) +{ + enum nss_status result = NSS_STATUS_SUCCESS; + + __libc_lock_lock (lock); + + /* Be prepared that the setpwent function was not called before. */ + if (ni == NULL) + init_nss_interface (); + + if (ext_ent.stream == NULL) + result = internal_setpwent (&ext_ent, 1, 1); + + if (result == NSS_STATUS_SUCCESS) + result = internal_getpwent_r (pwd, &ext_ent, buffer, buflen, errnop); + + __libc_lock_unlock (lock); + + return result; +} + +/* Searches in /etc/passwd and the NIS/NIS+ map for a special user */ +static enum nss_status +internal_getpwnam_r (const char *name, struct passwd *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + struct parser_data *data = (void *) buffer; + + while (1) + { + fpos_t pos; + char *p; + int parse_res; + + do + { + /* We need at least 3 characters for one line. */ + if (__glibc_unlikely (buflen < 3)) + { + erange: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + fgetpos (ent->stream, &pos); + buffer[buflen - 1] = '\xff'; + p = fgets_unlocked (buffer, buflen, ent->stream); + if (p == NULL && feof_unlocked (ent->stream)) + { + return NSS_STATUS_NOTFOUND; + } + if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) + { + erange_reset: + fsetpos (ent->stream, &pos); + goto erange; + } + + /* Terminate the line for any case. */ + buffer[buflen - 1] = '\0'; + + /* Skip leading blanks. */ + while (isspace (*p)) + ++p; + } + while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ + /* Parse the line. If it is invalid, loop to + get the next line of the file to parse. */ + !(parse_res = _nss_files_parse_pwent (p, result, data, buflen, + errnop))); + + if (__glibc_unlikely (parse_res == -1)) + /* The parser ran out of space. */ + goto erange_reset; + + /* This is a real entry. */ + if (result->pw_name[0] != '+' && result->pw_name[0] != '-') + { + if (strcmp (result->pw_name, name) == 0) + return NSS_STATUS_SUCCESS; + else + continue; + } + + /* -@netgroup */ + if (result->pw_name[0] == '-' && result->pw_name[1] == '@' + && result->pw_name[2] != '\0') + { + if (innetgr (&result->pw_name[2], NULL, name, NULL)) + return NSS_STATUS_NOTFOUND; + continue; + } + + /* +@netgroup */ + if (result->pw_name[0] == '+' && result->pw_name[1] == '@' + && result->pw_name[2] != '\0') + { + enum nss_status status; + + if (innetgr (&result->pw_name[2], NULL, name, NULL)) + { + status = getpwnam_plususer (name, result, ent, buffer, + buflen, errnop); + + if (status == NSS_STATUS_RETURN) + continue; + + return status; + } + continue; + } + + /* -user */ + if (result->pw_name[0] == '-' && result->pw_name[1] != '\0' + && result->pw_name[1] != '@') + { + if (strcmp (&result->pw_name[1], name) == 0) + return NSS_STATUS_NOTFOUND; + else + continue; + } + + /* +user */ + if (result->pw_name[0] == '+' && result->pw_name[1] != '\0' + && result->pw_name[1] != '@') + { + if (strcmp (name, &result->pw_name[1]) == 0) + { + enum nss_status status; + + status = getpwnam_plususer (name, result, ent, buffer, buflen, + errnop); + if (status == NSS_STATUS_RETURN) + /* We couldn't parse the entry */ + return NSS_STATUS_NOTFOUND; + else + return status; + } + } + + /* +:... */ + if (result->pw_name[0] == '+' && result->pw_name[1] == '\0') + { + enum nss_status status; + + status = getpwnam_plususer (name, result, ent, + buffer, buflen, errnop); + if (status == NSS_STATUS_SUCCESS) /* We found the entry. */ + break; + else if (status == NSS_STATUS_RETURN) /* We couldn't parse the entry */ + return NSS_STATUS_NOTFOUND; + else + return status; + } + } + return NSS_STATUS_SUCCESS; +} + +enum nss_status +_nss_compat_getpwnam_r (const char *name, struct passwd *pwd, + char *buffer, size_t buflen, int *errnop) +{ + enum nss_status result; + ent_t ent = { false, false, true, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0 }, + { NULL, NULL, 0, 0, NULL, NULL, NULL }}; + + if (name[0] == '-' || name[0] == '+') + return NSS_STATUS_NOTFOUND; + + __libc_lock_lock (lock); + + if (ni == NULL) + init_nss_interface (); + + __libc_lock_unlock (lock); + + result = internal_setpwent (&ent, 0, 0); + + if (result == NSS_STATUS_SUCCESS) + result = internal_getpwnam_r (name, pwd, &ent, buffer, buflen, errnop); + + internal_endpwent (&ent); + + return result; +} + +/* This function handle the + entry in /etc/passwd for getpwuid */ +static enum nss_status +getpwuid_plususer (uid_t uid, struct passwd *result, char *buffer, + size_t buflen, int *errnop) +{ + struct passwd pwd; + char *p; + size_t plen; + + if (!nss_getpwuid_r) + return NSS_STATUS_UNAVAIL; + + memset (&pwd, '\0', sizeof (struct passwd)); + + copy_pwd_changes (&pwd, result, NULL, 0); + + plen = pwd_need_buflen (&pwd); + if (plen > buflen) + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + p = buffer + (buflen - plen); + buflen -= plen; + + if (nss_getpwuid_r (uid, result, buffer, buflen, errnop) == + NSS_STATUS_SUCCESS) + { + copy_pwd_changes (result, &pwd, p, plen); + give_pwd_free (&pwd); + /* We found the entry. */ + return NSS_STATUS_SUCCESS; + } + else + { + /* Give buffer the old len back */ + buflen += plen; + give_pwd_free (&pwd); + } + return NSS_STATUS_RETURN; +} + +/* Searches in /etc/passwd and the NSS subsystem for a special user id */ +static enum nss_status +internal_getpwuid_r (uid_t uid, struct passwd *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + struct parser_data *data = (void *) buffer; + + while (1) + { + fpos_t pos; + char *p; + int parse_res; + + do + { + /* We need at least 3 characters for one line. */ + if (__glibc_unlikely (buflen < 3)) + { + erange: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + fgetpos (ent->stream, &pos); + buffer[buflen - 1] = '\xff'; + p = fgets_unlocked (buffer, buflen, ent->stream); + if (p == NULL && feof_unlocked (ent->stream)) + return NSS_STATUS_NOTFOUND; + + if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) + { + erange_reset: + fsetpos (ent->stream, &pos); + goto erange; + } + + /* Terminate the line for any case. */ + buffer[buflen - 1] = '\0'; + + /* Skip leading blanks. */ + while (isspace (*p)) + ++p; + } + while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ + /* Parse the line. If it is invalid, loop to + get the next line of the file to parse. */ + !(parse_res = _nss_files_parse_pwent (p, result, data, buflen, + errnop))); + + if (__glibc_unlikely (parse_res == -1)) + /* The parser ran out of space. */ + goto erange_reset; + + /* This is a real entry. */ + if (result->pw_name[0] != '+' && result->pw_name[0] != '-') + { + if (result->pw_uid == uid) + return NSS_STATUS_SUCCESS; + else + continue; + } + + /* -@netgroup */ + if (result->pw_name[0] == '-' && result->pw_name[1] == '@' + && result->pw_name[2] != '\0') + { + /* -1, because we remove first two character of pw_name. */ + size_t len = strlen (result->pw_name) - 1; + char buf[len]; + enum nss_status status; + + memcpy (buf, &result->pw_name[2], len); + + status = getpwuid_plususer (uid, result, buffer, buflen, errnop); + if (status == NSS_STATUS_SUCCESS && + innetgr (buf, NULL, result->pw_name, NULL)) + return NSS_STATUS_NOTFOUND; + + continue; + } + + /* +@netgroup */ + if (result->pw_name[0] == '+' && result->pw_name[1] == '@' + && result->pw_name[2] != '\0') + { + /* -1, because we remove first two characters of pw_name. */ + size_t len = strlen (result->pw_name) - 1; + char buf[len]; + enum nss_status status; + + memcpy (buf, &result->pw_name[2], len); + + status = getpwuid_plususer (uid, result, buffer, buflen, errnop); + + if (status == NSS_STATUS_RETURN) + continue; + + if (status == NSS_STATUS_SUCCESS) + { + if (innetgr (buf, NULL, result->pw_name, NULL)) + return NSS_STATUS_SUCCESS; + } + else if (status == NSS_STATUS_RETURN) /* We couldn't parse the entry */ + return NSS_STATUS_NOTFOUND; + else + return status; + + continue; + } + + /* -user */ + if (result->pw_name[0] == '-' && result->pw_name[1] != '\0' + && result->pw_name[1] != '@') + { + size_t len = strlen (result->pw_name); + char buf[len]; + enum nss_status status; + + memcpy (buf, &result->pw_name[1], len); + + status = getpwuid_plususer (uid, result, buffer, buflen, errnop); + if (status == NSS_STATUS_SUCCESS && + innetgr (buf, NULL, result->pw_name, NULL)) + return NSS_STATUS_NOTFOUND; + continue; + } + + /* +user */ + if (result->pw_name[0] == '+' && result->pw_name[1] != '\0' + && result->pw_name[1] != '@') + { + size_t len = strlen (result->pw_name); + char buf[len]; + enum nss_status status; + + memcpy (buf, &result->pw_name[1], len); + + status = getpwuid_plususer (uid, result, buffer, buflen, errnop); + + if (status == NSS_STATUS_RETURN) + continue; + + if (status == NSS_STATUS_SUCCESS) + { + if (strcmp (buf, result->pw_name) == 0) + return NSS_STATUS_SUCCESS; + } + else if (status == NSS_STATUS_RETURN) /* We couldn't parse the entry */ + return NSS_STATUS_NOTFOUND; + else + return status; + + continue; + } + + /* +:... */ + if (result->pw_name[0] == '+' && result->pw_name[1] == '\0') + { + enum nss_status status; + + status = getpwuid_plususer (uid, result, buffer, buflen, errnop); + if (status == NSS_STATUS_SUCCESS) /* We found the entry. */ + break; + else if (status == NSS_STATUS_RETURN) /* We couldn't parse the entry */ + return NSS_STATUS_NOTFOUND; + else + return status; + } + } + return NSS_STATUS_SUCCESS; +} + +enum nss_status +_nss_compat_getpwuid_r (uid_t uid, struct passwd *pwd, + char *buffer, size_t buflen, int *errnop) +{ + enum nss_status result; + ent_t ent = { false, false, true, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0 }, + { NULL, NULL, 0, 0, NULL, NULL, NULL }}; + + __libc_lock_lock (lock); + + if (ni == NULL) + init_nss_interface (); + + __libc_lock_unlock (lock); + + result = internal_setpwent (&ent, 0, 0); + + if (result == NSS_STATUS_SUCCESS) + result = internal_getpwuid_r (uid, pwd, &ent, buffer, buflen, errnop); + + internal_endpwent (&ent); + + return result; +} + + +/* Support routines for remembering -@netgroup and -user entries. + The names are stored in a single string with `|' as separator. */ +static void +blacklist_store_name (const char *name, ent_t *ent) +{ + int namelen = strlen (name); + char *tmp; + + /* first call, setup cache */ + if (ent->blacklist.size == 0) + { + ent->blacklist.size = MAX (BLACKLIST_INITIAL_SIZE, 2 * namelen); + ent->blacklist.data = malloc (ent->blacklist.size); + if (ent->blacklist.data == NULL) + return; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + ent->blacklist.current = 1; + } + else + { + if (in_blacklist (name, namelen, ent)) + return; /* no duplicates */ + + if (ent->blacklist.current + namelen + 1 >= ent->blacklist.size) + { + ent->blacklist.size += MAX (BLACKLIST_INCREMENT, 2 * namelen); + tmp = realloc (ent->blacklist.data, ent->blacklist.size); + if (tmp == NULL) + { + free (ent->blacklist.data); + ent->blacklist.size = 0; + return; + } + ent->blacklist.data = tmp; + } + } + + tmp = stpcpy (ent->blacklist.data + ent->blacklist.current, name); + *tmp++ = '|'; + *tmp = '\0'; + ent->blacklist.current += namelen + 1; + + return; +} + +/* Returns whether ent->blacklist contains name. */ +static bool +in_blacklist (const char *name, int namelen, ent_t *ent) +{ + char buf[namelen + 3]; + char *cp; + + if (ent->blacklist.data == NULL) + return false; + + buf[0] = '|'; + cp = stpcpy (&buf[1], name); + *cp++ = '|'; + *cp = '\0'; + return strstr (ent->blacklist.data, buf) != NULL; +} Index: glibc-2.26/nss/nss_compat/compat-spwd.c =================================================================== --- /dev/null +++ glibc-2.26/nss/nss_compat/compat-spwd.c @@ -0,0 +1,857 @@ +/* Copyright (C) 1996-2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <ctype.h> +#include <errno.h> +#include <fcntl.h> +#include <netdb.h> +#include <nss.h> +#include <nsswitch.h> +#include <shadow.h> +#include <stdio_ext.h> +#include <string.h> +#include <libc-lock.h> +#include <kernel-features.h> + +#include "netgroup.h" +#include "nisdomain.h" + +static service_user *ni; +static enum nss_status (*nss_setspent) (int stayopen); +static enum nss_status (*nss_getspnam_r) (const char *name, struct spwd * sp, + char *buffer, size_t buflen, + int *errnop); +static enum nss_status (*nss_getspent_r) (struct spwd * sp, char *buffer, + size_t buflen, int *errnop); +static enum nss_status (*nss_endspent) (void); + +/* Get the declaration of the parser function. */ +#define ENTNAME spent +#define STRUCTURE spwd +#define EXTERN_PARSER +#include <nss/nss_files/files-parse.c> + +/* Structure for remembering -@netgroup and -user members ... */ +#define BLACKLIST_INITIAL_SIZE 512 +#define BLACKLIST_INCREMENT 256 +struct blacklist_t +{ + char *data; + int current; + int size; +}; + +struct ent_t +{ + bool netgroup; + bool files; + bool first; + enum nss_status setent_status; + FILE *stream; + struct blacklist_t blacklist; + struct spwd pwd; + struct __netgrent netgrdata; +}; +typedef struct ent_t ent_t; + +static ent_t ext_ent = { false, true, false, NSS_STATUS_SUCCESS, NULL, + { NULL, 0, 0}, + { NULL, NULL, 0, 0, 0, 0, 0, 0, 0}}; + +/* Protect global state against multiple changers. */ +__libc_lock_define_initialized (static, lock) + +/* Prototypes for local functions. */ +static void blacklist_store_name (const char *, ent_t *); +static bool in_blacklist (const char *, int, ent_t *); + +/* Initialize the NSS interface/functions. The calling function must + hold the lock. */ +static void +init_nss_interface (void) +{ + if (__nss_database_lookup ("shadow_compat", "passwd_compat", + "nis", &ni) >= 0) + { + nss_setspent = __nss_lookup_function (ni, "setspent"); + nss_getspnam_r = __nss_lookup_function (ni, "getspnam_r"); + nss_getspent_r = __nss_lookup_function (ni, "getspent_r"); + nss_endspent = __nss_lookup_function (ni, "endspent"); + } +} + +static void +give_spwd_free (struct spwd *pwd) +{ + free (pwd->sp_namp); + free (pwd->sp_pwdp); + + memset (pwd, '\0', sizeof (struct spwd)); + pwd->sp_warn = -1; + pwd->sp_inact = -1; + pwd->sp_expire = -1; + pwd->sp_flag = ~0ul; +} + +static int +spwd_need_buflen (struct spwd *pwd) +{ + int len = 0; + + if (pwd->sp_pwdp != NULL) + len += strlen (pwd->sp_pwdp) + 1; + + return len; +} + +static void +copy_spwd_changes (struct spwd *dest, struct spwd *src, + char *buffer, size_t buflen) +{ + if (src->sp_pwdp != NULL && strlen (src->sp_pwdp)) + { + if (buffer == NULL) + dest->sp_pwdp = strdup (src->sp_pwdp); + else if (dest->sp_pwdp && + strlen (dest->sp_pwdp) >= strlen (src->sp_pwdp)) + strcpy (dest->sp_pwdp, src->sp_pwdp); + else + { + dest->sp_pwdp = buffer; + strcpy (dest->sp_pwdp, src->sp_pwdp); + buffer += strlen (dest->sp_pwdp) + 1; + buflen = buflen - (strlen (dest->sp_pwdp) + 1); + } + } + if (src->sp_lstchg != 0) + dest->sp_lstchg = src->sp_lstchg; + if (src->sp_min != 0) + dest->sp_min = src->sp_min; + if (src->sp_max != 0) + dest->sp_max = src->sp_max; + if (src->sp_warn != -1) + dest->sp_warn = src->sp_warn; + if (src->sp_inact != -1) + dest->sp_inact = src->sp_inact; + if (src->sp_expire != -1) + dest->sp_expire = src->sp_expire; + if (src->sp_flag != ~0ul) + dest->sp_flag = src->sp_flag; +} + +static enum nss_status +internal_setspent (ent_t *ent, int stayopen, int needent) +{ + enum nss_status status = NSS_STATUS_SUCCESS; + + ent->first = ent->netgroup = 0; + ent->files = true; + + /* If something was left over free it. */ + if (ent->netgroup) + __internal_endnetgrent (&ent->netgrdata); + + if (ent->blacklist.data != NULL) + { + ent->blacklist.current = 1; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + } + else + ent->blacklist.current = 0; + + if (ent->stream == NULL) + { + ent->stream = fopen ("/etc/shadow", "rme"); + + if (ent->stream == NULL) + status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL; + else + /* We take care of locking ourself. */ + __fsetlocking (ent->stream, FSETLOCKING_BYCALLER); + } + else + rewind (ent->stream); + + give_spwd_free (&ent->pwd); + + if (needent && status == NSS_STATUS_SUCCESS && nss_setspent) + ent->setent_status = nss_setspent (stayopen); + + return status; +} + + +enum nss_status +_nss_compat_setspent (int stayopen) +{ + enum nss_status result; + + __libc_lock_lock (lock); + + if (ni == NULL) + init_nss_interface (); + + result = internal_setspent (&ext_ent, stayopen, 1); + + __libc_lock_unlock (lock); + + return result; +} + + +static enum nss_status +internal_endspent (ent_t *ent) +{ + if (ent->stream != NULL) + { + fclose (ent->stream); + ent->stream = NULL; + } + + if (ent->netgroup) + __internal_endnetgrent (&ent->netgrdata); + + ent->first = ent->netgroup = false; + ent->files = true; + + if (ent->blacklist.data != NULL) + { + ent->blacklist.current = 1; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + } + else + ent->blacklist.current = 0; + + give_spwd_free (&ent->pwd); + + return NSS_STATUS_SUCCESS; +} + +enum nss_status +_nss_compat_endspent (void) +{ + enum nss_status result; + + __libc_lock_lock (lock); + + if (nss_endspent) + nss_endspent (); + + result = internal_endspent (&ext_ent); + + __libc_lock_unlock (lock); + + return result; +} + + +static enum nss_status +getspent_next_nss_netgr (const char *name, struct spwd *result, ent_t *ent, + char *group, char *buffer, size_t buflen, + int *errnop) +{ + char *curdomain = NULL, *host, *user, *domain, *p2; + size_t p2len; + + if (!nss_getspnam_r) + return NSS_STATUS_UNAVAIL; + + /* If the setpwent call failed, say so. */ + if (ent->setent_status != NSS_STATUS_SUCCESS) + return ent->setent_status; + + if (ent->first) + { + memset (&ent->netgrdata, 0, sizeof (struct __netgrent)); + __internal_setnetgrent (group, &ent->netgrdata); + ent->first = false; + } + + while (1) + { + enum nss_status status; + + status = __internal_getnetgrent_r (&host, &user, &domain, + &ent->netgrdata, buffer, buflen, + errnop); + if (status != 1) + { + __internal_endnetgrent (&ent->netgrdata); + ent->netgroup = false; + give_spwd_free (&ent->pwd); + return NSS_STATUS_RETURN; + } + + if (user == NULL || user[0] == '-') + continue; + + if (domain != NULL) + { + if (curdomain == NULL + && __nss_get_default_domain (&curdomain) != 0) + { + __internal_endnetgrent (&ent->netgrdata); + ent->netgroup = false; + give_spwd_free (&ent->pwd); + return NSS_STATUS_UNAVAIL; + } + if (strcmp (curdomain, domain) != 0) + continue; + } + + /* If name != NULL, we are called from getpwnam */ + if (name != NULL) + if (strcmp (user, name) != 0) + continue; + + p2len = spwd_need_buflen (&ent->pwd); + if (p2len > buflen) + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + p2 = buffer + (buflen - p2len); + buflen -= p2len; + + if (nss_getspnam_r (user, result, buffer, buflen, errnop) != + NSS_STATUS_SUCCESS) + continue; + + if (!in_blacklist (result->sp_namp, strlen (result->sp_namp), ent)) + { + /* Store the User in the blacklist for possible the "+" at the + end of /etc/passwd */ + blacklist_store_name (result->sp_namp, ent); + copy_spwd_changes (result, &ent->pwd, p2, p2len); + break; + } + } + + return NSS_STATUS_SUCCESS; +} + + +static enum nss_status +getspent_next_nss (struct spwd *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + enum nss_status status; + char *p2; + size_t p2len; + + if (!nss_getspent_r) + return NSS_STATUS_UNAVAIL; + + p2len = spwd_need_buflen (&ent->pwd); + if (p2len > buflen) + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + p2 = buffer + (buflen - p2len); + buflen -= p2len; + do + { + if ((status = nss_getspent_r (result, buffer, buflen, errnop)) != + NSS_STATUS_SUCCESS) + return status; + } + while (in_blacklist (result->sp_namp, strlen (result->sp_namp), ent)); + + copy_spwd_changes (result, &ent->pwd, p2, p2len); + + return NSS_STATUS_SUCCESS; +} + + +/* This function handle the +user entrys in /etc/shadow */ +static enum nss_status +getspnam_plususer (const char *name, struct spwd *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + if (!nss_getspnam_r) + return NSS_STATUS_UNAVAIL; + + struct spwd pwd; + memset (&pwd, '\0', sizeof (struct spwd)); + pwd.sp_warn = -1; + pwd.sp_inact = -1; + pwd.sp_expire = -1; + pwd.sp_flag = ~0ul; + + copy_spwd_changes (&pwd, result, NULL, 0); + + size_t plen = spwd_need_buflen (&pwd); + if (plen > buflen) + { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + char *p = buffer + (buflen - plen); + buflen -= plen; + + enum nss_status status = nss_getspnam_r (name, result, buffer, buflen, + errnop); + if (status != NSS_STATUS_SUCCESS) + return status; + + if (in_blacklist (result->sp_namp, strlen (result->sp_namp), ent)) + return NSS_STATUS_NOTFOUND; + + copy_spwd_changes (result, &pwd, p, plen); + give_spwd_free (&pwd); + /* We found the entry. */ + return NSS_STATUS_SUCCESS; +} + + +static enum nss_status +getspent_next_file (struct spwd *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + struct parser_data *data = (void *) buffer; + while (1) + { + fpos_t pos; + int parse_res = 0; + char *p; + + do + { + /* We need at least 3 characters for one line. */ + if (__glibc_unlikely (buflen < 3)) + { + erange: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + fgetpos (ent->stream, &pos); + buffer[buflen - 1] = '\xff'; + p = fgets_unlocked (buffer, buflen, ent->stream); + if (p == NULL && feof_unlocked (ent->stream)) + return NSS_STATUS_NOTFOUND; + + if (p == NULL || __builtin_expect (buffer[buflen - 1] != '\xff', 0)) + { + erange_reset: + fsetpos (ent->stream, &pos); + goto erange; + } + + /* Skip leading blanks. */ + while (isspace (*p)) + ++p; + } + while (*p == '\0' || *p == '#' /* Ignore empty and comment lines. */ + /* Parse the line. If it is invalid, loop to + get the next line of the file to parse. */ + || !(parse_res = _nss_files_parse_spent (p, result, data, + buflen, errnop))); + + if (__glibc_unlikely (parse_res == -1)) + /* The parser ran out of space. */ + goto erange_reset; + + if (result->sp_namp[0] != '+' && result->sp_namp[0] != '-') + /* This is a real entry. */ + break; + + /* -@netgroup */ + if (result->sp_namp[0] == '-' && result->sp_namp[1] == '@' + && result->sp_namp[2] != '\0') + { + /* XXX Do not use fixed length buffers. */ + char buf2[1024]; + char *user, *host, *domain; + struct __netgrent netgrdata; + + memset (&netgrdata, 0, sizeof (struct __netgrent)); + __internal_setnetgrent (&result->sp_namp[2], &netgrdata); + while (__internal_getnetgrent_r (&host, &user, &domain, + &netgrdata, buf2, sizeof (buf2), + errnop)) + { + if (user != NULL && user[0] != '-') + blacklist_store_name (user, ent); + } + __internal_endnetgrent (&netgrdata); + continue; + } + + /* +@netgroup */ + if (result->sp_namp[0] == '+' && result->sp_namp[1] == '@' + && result->sp_namp[2] != '\0') + { + int status; + + ent->netgroup = true; + ent->first = true; + copy_spwd_changes (&ent->pwd, result, NULL, 0); + + status = getspent_next_nss_netgr (NULL, result, ent, + &result->sp_namp[2], + buffer, buflen, errnop); + if (status == NSS_STATUS_RETURN) + continue; + else + return status; + } + + /* -user */ + if (result->sp_namp[0] == '-' && result->sp_namp[1] != '\0' + && result->sp_namp[1] != '@') + { + blacklist_store_name (&result->sp_namp[1], ent); + continue; + } + + /* +user */ + if (result->sp_namp[0] == '+' && result->sp_namp[1] != '\0' + && result->sp_namp[1] != '@') + { + size_t len = strlen (result->sp_namp); + char buf[len]; + enum nss_status status; + + /* Store the User in the blacklist for the "+" at the end of + /etc/passwd */ + memcpy (buf, &result->sp_namp[1], len); + status = getspnam_plususer (&result->sp_namp[1], result, ent, + buffer, buflen, errnop); + blacklist_store_name (buf, ent); + + if (status == NSS_STATUS_SUCCESS) /* We found the entry. */ + break; + /* We couldn't parse the entry */ + else if (status == NSS_STATUS_RETURN + /* entry doesn't exist */ + || status == NSS_STATUS_NOTFOUND) + continue; + else + { + if (status == NSS_STATUS_TRYAGAIN) + { + fsetpos (ent->stream, &pos); + *errnop = ERANGE; + } + return status; + } + } + + /* +:... */ + if (result->sp_namp[0] == '+' && result->sp_namp[1] == '\0') + { + ent->files = false; + ent->first = true; + copy_spwd_changes (&ent->pwd, result, NULL, 0); + + return getspent_next_nss (result, ent, buffer, buflen, errnop); + } + } + + return NSS_STATUS_SUCCESS; +} + + +static enum nss_status +internal_getspent_r (struct spwd *pw, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + if (ent->netgroup) + { + enum nss_status status; + + /* We are searching members in a netgroup */ + /* Since this is not the first call, we don't need the group name */ + status = getspent_next_nss_netgr (NULL, pw, ent, NULL, buffer, + buflen, errnop); + + if (status == NSS_STATUS_RETURN) + return getspent_next_file (pw, ent, buffer, buflen, errnop); + else + return status; + } + else if (ent->files) + return getspent_next_file (pw, ent, buffer, buflen, errnop); + else + return getspent_next_nss (pw, ent, buffer, buflen, errnop); +} + + +enum nss_status +_nss_compat_getspent_r (struct spwd *pwd, char *buffer, size_t buflen, + int *errnop) +{ + enum nss_status result = NSS_STATUS_SUCCESS; + + __libc_lock_lock (lock); + + /* Be prepared that the setpwent function was not called before. */ + if (ni == NULL) + init_nss_interface (); + + if (ext_ent.stream == NULL) + result = internal_setspent (&ext_ent, 1, 1); + + if (result == NSS_STATUS_SUCCESS) + result = internal_getspent_r (pwd, &ext_ent, buffer, buflen, errnop); + + __libc_lock_unlock (lock); + + return result; +} + + +/* Searches in /etc/passwd and the NIS/NIS+ map for a special user */ +static enum nss_status +internal_getspnam_r (const char *name, struct spwd *result, ent_t *ent, + char *buffer, size_t buflen, int *errnop) +{ + struct parser_data *data = (void *) buffer; + + while (1) + { + fpos_t pos; + char *p; + int parse_res; + + do + { + /* We need at least 3 characters for one line. */ + if (__glibc_unlikely (buflen < 3)) + { + erange: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + fgetpos (ent->stream, &pos); + buffer[buflen - 1] = '\xff'; + p = fgets_unlocked (buffer, buflen, ent->stream); + if (p == NULL && feof_unlocked (ent->stream)) + return NSS_STATUS_NOTFOUND; + + if (p == NULL || buffer[buflen - 1] != '\xff') + { + erange_reset: + fsetpos (ent->stream, &pos); + goto erange; + } + + /* Terminate the line for any case. */ + buffer[buflen - 1] = '\0'; + + /* Skip leading blanks. */ + while (isspace (*p)) + ++p; + } + while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ + /* Parse the line. If it is invalid, loop to + get the next line of the file to parse. */ + !(parse_res = _nss_files_parse_spent (p, result, data, buflen, + errnop))); + + if (__glibc_unlikely (parse_res == -1)) + /* The parser ran out of space. */ + goto erange_reset; + + /* This is a real entry. */ + if (result->sp_namp[0] != '+' && result->sp_namp[0] != '-') + { + if (strcmp (result->sp_namp, name) == 0) + return NSS_STATUS_SUCCESS; + else + continue; + } + + /* -@netgroup */ + /* If the loaded NSS module does not support this service, add + all users from a +@netgroup entry to the blacklist, too. */ + if (result->sp_namp[0] == '-' && result->sp_namp[1] == '@' + && result->sp_namp[2] != '\0') + { + if (innetgr (&result->sp_namp[2], NULL, name, NULL)) + return NSS_STATUS_NOTFOUND; + continue; + } + + /* +@netgroup */ + if (result->sp_namp[0] == '+' && result->sp_namp[1] == '@' + && result->sp_namp[2] != '\0') + { + enum nss_status status; + + if (innetgr (&result->sp_namp[2], NULL, name, NULL)) + { + status = getspnam_plususer (name, result, ent, buffer, + buflen, errnop); + + if (status == NSS_STATUS_RETURN) + continue; + + return status; + } + continue; + } + + /* -user */ + if (result->sp_namp[0] == '-' && result->sp_namp[1] != '\0' + && result->sp_namp[1] != '@') + { + if (strcmp (&result->sp_namp[1], name) == 0) + return NSS_STATUS_NOTFOUND; + else + continue; + } + + /* +user */ + if (result->sp_namp[0] == '+' && result->sp_namp[1] != '\0' + && result->sp_namp[1] != '@') + { + if (strcmp (name, &result->sp_namp[1]) == 0) + { + enum nss_status status; + + status = getspnam_plususer (name, result, ent, + buffer, buflen, errnop); + + if (status == NSS_STATUS_RETURN) + /* We couldn't parse the entry */ + return NSS_STATUS_NOTFOUND; + else + return status; + } + } + + /* +:... */ + if (result->sp_namp[0] == '+' && result->sp_namp[1] == '\0') + { + enum nss_status status; + + status = getspnam_plususer (name, result, ent, + buffer, buflen, errnop); + + if (status == NSS_STATUS_SUCCESS) + /* We found the entry. */ + break; + else if (status == NSS_STATUS_RETURN) + /* We couldn't parse the entry */ + return NSS_STATUS_NOTFOUND; + else + return status; + } + } + return NSS_STATUS_SUCCESS; +} + + +enum nss_status +_nss_compat_getspnam_r (const char *name, struct spwd *pwd, + char *buffer, size_t buflen, int *errnop) +{ + enum nss_status result; + ent_t ent = { false, true, false, NSS_STATUS_SUCCESS, NULL, { NULL, 0, 0}, + { NULL, NULL, 0, 0, 0, 0, 0, 0, 0}}; + + if (name[0] == '-' || name[0] == '+') + return NSS_STATUS_NOTFOUND; + + __libc_lock_lock (lock); + + if (ni == NULL) + init_nss_interface (); + + __libc_lock_unlock (lock); + + result = internal_setspent (&ent, 0, 0); + + if (result == NSS_STATUS_SUCCESS) + result = internal_getspnam_r (name, pwd, &ent, buffer, buflen, errnop); + + internal_endspent (&ent); + + return result; +} + + +/* Support routines for remembering -@netgroup and -user entries. + The names are stored in a single string with `|' as separator. */ +static void +blacklist_store_name (const char *name, ent_t *ent) +{ + int namelen = strlen (name); + char *tmp; + + /* first call, setup cache */ + if (ent->blacklist.size == 0) + { + ent->blacklist.size = MAX (BLACKLIST_INITIAL_SIZE, 2 * namelen); + ent->blacklist.data = malloc (ent->blacklist.size); + if (ent->blacklist.data == NULL) + return; + ent->blacklist.data[0] = '|'; + ent->blacklist.data[1] = '\0'; + ent->blacklist.current = 1; + } + else + { + if (in_blacklist (name, namelen, ent)) + return; /* no duplicates */ + + if (ent->blacklist.current + namelen + 1 >= ent->blacklist.size) + { + ent->blacklist.size += MAX (BLACKLIST_INCREMENT, 2 * namelen); + tmp = realloc (ent->blacklist.data, ent->blacklist.size); + if (tmp == NULL) + { + free (ent->blacklist.data); + ent->blacklist.size = 0; + return; + } + ent->blacklist.data = tmp; + } + } + + tmp = stpcpy (ent->blacklist.data + ent->blacklist.current, name); + *tmp++ = '|'; + *tmp = '\0'; + ent->blacklist.current += namelen + 1; + + return; +} + + +/* Returns whether ent->blacklist contains name. */ +static bool +in_blacklist (const char *name, int namelen, ent_t *ent) +{ + char buf[namelen + 3]; + char *cp; + + if (ent->blacklist.data == NULL) + return false; + + buf[0] = '|'; + cp = stpcpy (&buf[1], name); + *cp++ = '|'; + *cp = '\0'; + return strstr (ent->blacklist.data, buf) != NULL; +} Index: glibc-2.26/nss/nss_compat/nisdomain.c =================================================================== --- /dev/null +++ glibc-2.26/nss/nss_compat/nisdomain.c @@ -0,0 +1,58 @@ +/* Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <unistd.h> +#include <libc-lock.h> +#include "nisdomain.h" + +#define MAXDOMAINNAMELEN 1024 + +static char domainname[MAXDOMAINNAMELEN]; + +__libc_lock_define_initialized (static, domainname_lock) + +int +__nss_get_default_domain (char **outdomain) +{ + int result = 0; + *outdomain = NULL; + + __libc_lock_lock (domainname_lock); + + if (domainname[0] != '\0') + { + if (getdomainname (domainname, MAXDOMAINNAMELEN) < 0) + result = errno; + else if (strcmp (domainname, "(none)") == 0) + { + /* If domainname is not set, some systems will return "(none)" */ + domainname[0] = '\0'; + result = ENOENT; + } + else + *outdomain = domainname; + } + else + *outdomain = domainname; + + __libc_lock_unlock (domainname_lock); + + return result; +} Index: glibc-2.26/nss/nss_compat/nisdomain.h =================================================================== --- /dev/null +++ glibc-2.26/nss/nss_compat/nisdomain.h @@ -0,0 +1,20 @@ +/* Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +/* Set OUTDOMAIN to a pointer to the current NIS domain name, or NULL if + not set. Return zero on success, an error number on failure. */ +extern int __nss_get_default_domain (char **outdomain);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor