]> git.ipfire.org Git - people/arne_f/ipfire-3.x.git/blob - pkgs/nss_ldap/patches/nss_ldap-265-initgroups-minimum_uid.patch
projects / people / arne_f / ipfire-3.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Change file layout of the makefiles.
[people/arne_f/ipfire-3.x.git] / pkgs / nss_ldap / patches / nss_ldap-265-initgroups-minimum_uid.patch
1 This builds off of the recursion checking introduced by -depth to avoid
2 a deadlock if/when we recurse into ourselves while looking up the user's
3 UID to compare it to the configured value. Revision for upstream #341.
4
5 diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c
6 --- nss_ldap-265/ldap-nss.c 2010-08-19 17:16:51.000000000 -0400
7 +++ nss_ldap-265-2/ldap-nss.c 2010-08-19 17:25:09.000000000 -0400
8 @@ -34,6 +34,7 @@
9 #endif
10
11 #include <assert.h>
12 +#include <pwd.h>
13 #include <stdlib.h>
14 #include <unistd.h>
15 #include <string.h>
16 @@ -4356,20 +4357,55 @@
17 int
18 _nss_ldap_test_initgroups_ignoreuser (const char *user)
19 {
20 - char **p;
21 + char **p, *buf;
22 + size_t buflen;
23 + struct passwd pwd, *passwd;
24
25 - if (__config == NULL)
26 - return 0;
27 -
28 - if (__config->ldc_initgroups_ignoreusers == NULL)
29 - return 0;
30 -
31 - for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
32 + if (__config != NULL)
33 {
34 - if (strcmp (*p, user) == 0)
35 - return 1;
36 + if (__config->ldc_initgroups_ignoreusers != NULL)
37 + for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
38 + {
39 + if (strcmp (*p, user) == 0)
40 + return 1;
41 + }
42 + if (__config->ldc_initgroups_minimum_uid >= 0)
43 + {
44 + memset (&pwd, 0, sizeof(pwd));
45 + buflen = 0x100;
46 + buf = malloc(buflen);
47 + if (buf != NULL)
48 + {
49 + passwd = NULL;
50 + while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) &&
51 + (passwd != &pwd))
52 + {
53 + switch (errno)
54 + {
55 + case ERANGE:
56 + buflen *= 2;
57 + free(buf);
58 + if (buflen > 0x100000)
59 + buf = NULL;
60 + else
61 + buf = malloc(buflen);
62 + break;
63 + case EINTR:
64 + continue;
65 + break;
66 + default:
67 + free(buf);
68 + buf = NULL;
69 + break;
70 + }
71 + if (buf == NULL)
72 + break;
73 + }
74 + }
75 + if ((passwd == &pwd) && (passwd->pw_uid < 1000))
76 + return 1;
77 + }
78 }
79 -
80 return 0;
81 }
82
83 diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h
84 --- nss_ldap-265/ldap-nss.h 2010-08-19 17:16:51.000000000 -0400
85 +++ nss_ldap-265-2/ldap-nss.h 2010-08-19 17:18:47.000000000 -0400
86 @@ -400,6 +400,7 @@
87 time_t ldc_mtime;
88
89 char **ldc_initgroups_ignoreusers;
90 + int ldc_initgroups_minimum_uid;
91
92 /* disable the do-res_init()-on-resolv.conf-changes hack */
93 unsigned int ldc_resolv_conf_res_init_hack;
94 diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c
95 --- nss_ldap-265/ldap-pwd.c 2010-08-19 17:16:51.000000000 -0400
96 +++ nss_ldap-265-2/ldap-pwd.c 2010-08-19 16:40:43.000000000 -0400
97 @@ -49,6 +49,7 @@
98 #include "ldap-nss.h"
99 #include "ldap-pwd.h"
100 #include "util.h"
101 +#include "depth.h"
102
103 #ifdef HAVE_PORT_AFTER_H
104 #include <port_after.h>
105 @@ -242,6 +243,10 @@
106 struct passwd * result,
107 char *buffer, size_t buflen, int *errnop)
108 {
109 +#ifdef HAVE_THREAD_LOCAL_STORAGE
110 + if (_nss_ldap_get_depth() > 0)
111 + return NSS_STATUS_UNAVAIL;
112 +#endif
113 LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
114 LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
115 AND_REQUIRE_MATCH(name, result->pw_name);
116 @@ -261,6 +266,10 @@
117 struct passwd *result,
118 char *buffer, size_t buflen, int *errnop)
119 {
120 +#ifdef HAVE_THREAD_LOCAL_STORAGE
121 + if (_nss_ldap_get_depth() > 0)
122 + return NSS_STATUS_UNAVAIL;
123 +#endif
124 LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid,
125 LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
126 }
127 diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5
128 --- nss_ldap-265/nss_ldap.5 2010-08-19 17:16:51.000000000 -0400
129 +++ nss_ldap-265-2/nss_ldap.5 2010-08-19 17:19:23.000000000 -0400
130 @@ -445,6 +445,14 @@
131 to return NSS_STATUS_NOTFOUND if called with a listed users as
132 its argument.
133 .TP
134 +.B nss_initgroups_minimum_uid <uid>
135 +This option directs the
136 +.B nss_ldap
137 +implementation of
138 +.BR initgroups(3)
139 +to return NSS_STATUS_NOTFOUND if called with a user whose UID is
140 +below the value given as the argument.
141 +.TP
142 .B nss_getgrent_skipmembers <yes|no>
143 Specifies whether or not to populate the members list in
144 the group structure for group lookups. If very large groups
145 diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c
146 --- nss_ldap-265/util.c 2010-08-19 17:16:51.000000000 -0400
147 +++ nss_ldap-265-2/util.c 2010-08-19 17:18:33.000000000 -0400
148 @@ -669,6 +669,7 @@
149 result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
150 result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
151 result->ldc_initgroups_ignoreusers = NULL;
152 + result->ldc_initgroups_minimum_uid = -1;
153
154 for (i = 0; i <= LM_NONE; i++)
155 {
156 @@ -1180,6 +1181,10 @@
157 break;
158 }
159 }
160 + else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
161 + {
162 + result->ldc_initgroups_minimum_uid = atoi(v);
163 + }
164 else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
165 {
166 if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
167 diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h
168 --- nss_ldap-265/util.h 2009-11-06 05:28:08.000000000 -0500
169 +++ nss_ldap-265-2/util.h 2010-08-19 17:19:46.000000000 -0400
170 @@ -92,6 +92,7 @@
171 #define NSS_LDAP_KEY_PAGESIZE "pagesize"
172 #define NSS_LDAP_KEY_INITGROUPS "nss_initgroups"
173 #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers"
174 +#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID "nss_initgroups_minimum_uid"
175 #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers"
176
177 /* more reconnect policy fine-tuning */
178 --- nss_ldap-265/ldap.conf 2005-08-17 18:35:13.000000000 -0400
179 +++ nss_ldap-265/ldap.conf 2006-02-09 14:14:05.000000000 -0500
180 @@ -177,8 +177,8 @@
181 #nss_base_aliases ou=Aliases,dc=padl,dc=com?one
182 #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
183
184 -# Just assume that there are no supplemental groups for these named users
185 -nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
186 +# Just assume that there are no supplemental groups for system users.
187 +nss_initgroups_minimum_uid 500
188
189 # attribute/objectclass mapping
190 # Syntax:
Arne's tree of IPFire 3.x.