1 This builds off of the recursion checking introduced by -depth to avoid
2 a deadlock if/when we recurse into ourselves while looking up the user's
3 UID to compare it to the configured value. Revision for upstream #341.
5 diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c
6 --- nss_ldap-265/ldap-nss.c 2010-08-19 17:16:51.000000000 -0400
7 +++ nss_ldap-265-2/ldap-nss.c 2010-08-19 17:25:09.000000000 -0400
16 @@ -4356,20 +4357,55 @@
18 _nss_ldap_test_initgroups_ignoreuser (const char *user)
23 + struct passwd pwd, *passwd;
25 - if (__config == NULL)
28 - if (__config->ldc_initgroups_ignoreusers == NULL)
31 - for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
32 + if (__config != NULL)
34 - if (strcmp (*p, user) == 0)
36 + if (__config->ldc_initgroups_ignoreusers != NULL)
37 + for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
39 + if (strcmp (*p, user) == 0)
42 + if (__config->ldc_initgroups_minimum_uid >= 0)
44 + memset (&pwd, 0, sizeof(pwd));
46 + buf = malloc(buflen);
50 + while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) &&
58 + if (buflen > 0x100000)
61 + buf = malloc(buflen);
75 + if ((passwd == &pwd) && (passwd->pw_uid < 1000))
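Review bot: The UID threshold on the last line of the hunk is the literal 1000 rather than `__config->ldc_initgroups_minimum_uid`, so the new nss_initgroups_minimum_uid option (defaulted to -1 and parsed in util.c, and guarded by the `>= 0` test a few lines above) never influences the result and the sample ldap.conf value of 500 would be silently ignored. Suggest `if ((passwd == &pwd) && (passwd->pw_uid < (uid_t) __config->ldc_initgroups_minimum_uid))`; the cast is safe because this branch is only entered when the field is non-negative. `buf = malloc(buflen)` appears twice inside the retry loop with the lines between not shown, so confirm that the previous buffer is freed before the second malloc, that a NULL return is handled before getpwnam_r() writes into it, and that `buf` is freed on every exit path. The getpwnam_r() call re-enters NSS and relies on the depth guard this patch adds in ldap-pwd.c, which is compiled only under HAVE_THREAD_LOCAL_STORAGE; the rest of the function is outside the hunk.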
83 diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h
84 --- nss_ldap-265/ldap-nss.h 2010-08-19 17:16:51.000000000 -0400
85 +++ nss_ldap-265-2/ldap-nss.h 2010-08-19 17:18:47.000000000 -0400
89 char **ldc_initgroups_ignoreusers;
90 + int ldc_initgroups_minimum_uid;
92 /* disable the do-res_init()-on-resolv.conf-changes hack */
93 unsigned int ldc_resolv_conf_res_init_hack;
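Review bot: The new `ldc_initgroups_minimum_uid` field has no comment although its neighbour `ldc_resolv_conf_res_init_hack` does, and the -1 sentinel it relies on (set in util.c, tested with `>= 0` in ldap-nss.c) is not visible from the header; suggest `/* initgroups: users whose UID is below this value are treated as having no supplemental groups; -1 (the default) disables the check */` above the declaration. The field is an `int` that is compared against a `uid_t`, so the comment should also state that only non-negative values are meaningful.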
94 diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c
95 --- nss_ldap-265/ldap-pwd.c 2010-08-19 17:16:51.000000000 -0400
96 +++ nss_ldap-265-2/ldap-pwd.c 2010-08-19 16:40:43.000000000 -0400
103 #ifdef HAVE_PORT_AFTER_H
104 #include <port_after.h>
106 struct passwd * result,
107 char *buffer, size_t buflen, int *errnop)
109 +#ifdef HAVE_THREAD_LOCAL_STORAGE
110 + if (_nss_ldap_get_depth() > 0)
111 + return NSS_STATUS_UNAVAIL;
113 LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
114 LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
115 AND_REQUIRE_MATCH(name, result->pw_name);
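Review bot: The recursion guard added here (and the identical one in the getpwuid lookup in the next hunk) only exists when HAVE_THREAD_LOCAL_STORAGE is defined, but the getpwnam_r() call that the same patch adds to `_nss_ldap_test_initgroups_ignoreuser` in ldap-nss.c is unconditional, so a build without thread-local storage keeps the self-recursion into this module that the patch is meant to prevent. Either compile the UID lookup in ldap-nss.c under the same `#ifdef`, or make the depth counter available in both configurations. Returning NSS_STATUS_UNAVAIL on re-entry makes the nested getpwnam_r() fail, which the ldap-nss.c caller then treats as "not below the threshold"; a comment such as `/* re-entered from our own initgroups path: fail rather than deadlock */` would record why UNAVAIL rather than NOTFOUND is returned. The enclosing function's signature starts above the hunk and the `#endif` closing the new block is not shown.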
117 struct passwd *result,
118 char *buffer, size_t buflen, int *errnop)
120 +#ifdef HAVE_THREAD_LOCAL_STORAGE
121 + if (_nss_ldap_get_depth() > 0)
122 + return NSS_STATUS_UNAVAIL;
124 LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid,
125 LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
127 diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5
128 --- nss_ldap-265/nss_ldap.5 2010-08-19 17:16:51.000000000 -0400
129 +++ nss_ldap-265-2/nss_ldap.5 2010-08-19 17:19:23.000000000 -0400
131 to return NSS_STATUS_NOTFOUND if called with a listed users as
134 +.B nss_initgroups_minimum_uid <uid>
135 +This option directs the
139 +to return NSS_STATUS_NOTFOUND if called with a user whose UID is
140 +below the value given as the argument.
142 .B nss_getgrent_skipmembers <yes|no>
143 Specifies whether or not to populate the members list in
144 the group structure for group lookups. If very large groups
145 diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c
146 --- nss_ldap-265/util.c 2010-08-19 17:16:51.000000000 -0400
147 +++ nss_ldap-265-2/util.c 2010-08-19 17:18:33.000000000 -0400
149 result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
150 result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
151 result->ldc_initgroups_ignoreusers = NULL;
152 + result->ldc_initgroups_minimum_uid = -1;
154 for (i = 0; i <= LM_NONE; i++)
156 @@ -1180,6 +1181,10 @@
160 + else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
162 + result->ldc_initgroups_minimum_uid = atoi(v);
164 else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
166 if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
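Review bot: `atoi(v)` on the new nss_initgroups_minimum_uid option accepts any value: non-numeric input silently becomes 0, trailing garbage is ignored, and an out-of-range number is undefined behaviour, all of which change who is denied supplemental groups without any indication in the configuration. Parse with strtol() and leave the -1 default (check disabled) in place unless the value is a non-negative integer that fits the int field. This needs INT_MAX from `<limits.h>` if util.c does not already include it; the surrounding else-if chain continues outside the hunk.
```c
  else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
    {
      char *end = NULL;
      long uid = strtol (v, &end, 10);

      /* keep the -1 default (check disabled) unless v is a complete,
         non-negative integer that fits the int field */
      if (end != v && *end == '\0' && uid >= 0 && uid <= INT_MAX)
        result->ldc_initgroups_minimum_uid = (int) uid;
    }
  /* … unchanged: remaining key handlers … */
```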
167 diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h
168 --- nss_ldap-265/util.h 2009-11-06 05:28:08.000000000 -0500
169 +++ nss_ldap-265-2/util.h 2010-08-19 17:19:46.000000000 -0400
171 #define NSS_LDAP_KEY_PAGESIZE "pagesize"
172 #define NSS_LDAP_KEY_INITGROUPS "nss_initgroups"
173 #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers"
174 +#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID "nss_initgroups_minimum_uid"
175 #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers"
177 /* more reconnect policy fine-tuning */
178 --- nss_ldap-265/ldap.conf 2005-08-17 18:35:13.000000000 -0400
179 +++ nss_ldap-265/ldap.conf 2006-02-09 14:14:05.000000000 -0500
181 #nss_base_aliases ou=Aliases,dc=padl,dc=com?one
182 #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
184 -# Just assume that there are no supplemental groups for these named users
185 -nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
186 +# Just assume that there are no supplemental groups for system users.
187 +nss_initgroups_minimum_uid 500
189 # attribute/objectclass mapping