nss-mymachines: drop support for UID/GID resolving
authorLennart Poettering <lennart@poettering.net>
Tue, 7 Jul 2020 19:58:12 +0000 (21:58 +0200)
committerLennart Poettering <lennart@poettering.net>
Tue, 14 Jul 2020 15:08:12 +0000 (17:08 +0200)
Now that we make the user/group name resolving available via userdb and
thus nss-systemd, we do not need the UID/GID resolving support in
nss-mymachines anymore. Let's drop it hence.

We keep the module around, since besides UID/GID resolving it also does
hostname resolving, which we care about. (One of these days we should
replace that with some Varlink logic between
nss-resolve/systemd-resolved.service too.)

The hooks are kept in the NSS module, but they do not resolve anything
anymore, in order to keep compat at a maximum.

README
docs/UIDS-GIDS.md
factory/etc/nsswitch.conf
man/nss-myhostname.xml
man/nss-mymachines.xml
man/nss-resolve.xml
man/nss-systemd.xml
src/nspawn/nspawn.c
src/nss-mymachines/nss-mymachines.c

diff --git a/README b/README
index 4269f0c73df1c2937902d4ab89e744ba48dcae19..558b8d9195dbac1ca64f75ef7e0be99b4b12cbc3 100644 (file)
--- a/README
+++ b/README
@@ -262,19 +262,19 @@ USERS AND GROUPS:
 NSS:
         systemd ships with four glibc NSS modules:
 
-        nss-myhostname resolves the local hostname to locally
-        configured IP addresses, as well as "localhost" to
-        127.0.0.1/::1.
+        nss-myhostname resolves the local hostname to locally configured IP
+        addresses, as well as "localhost" to 127.0.0.1/::1.
 
-        nss-resolve enables DNS resolution via the systemd-resolved
-        DNS/LLMNR caching stub resolver "systemd-resolved".
+        nss-resolve enables DNS resolution via the systemd-resolved DNS/LLMNR
+        caching stub resolver "systemd-resolved".
 
         nss-mymachines enables resolution of all local containers registered
-        with machined to their respective IP addresses. It also maps UID/GIDs
-        ranges used by containers to useful names.
+        with machined to their respective IP addresses.
 
-        nss-systemd enables resolution of all dynamically allocated service
-        users. (See the DynamicUser= setting in unit files.)
+        nss-systemd enables resolution of users/group registered via the
+        User/Group Record Lookup API (https://systemd.io/USER_GROUP_API/),
+        including all dynamically allocated service users. (See the
+        DynamicUser= setting in unit files.)
 
         To make use of these NSS modules, please add them to the "hosts:",
         "passwd:" and "group:" lines in /etc/nsswitch.conf. The "resolve"
@@ -283,8 +283,8 @@ NSS:
 
         The four modules should be used in the following order:
 
-                passwd: compat mymachines systemd
-                group: compat mymachines systemd
+                passwd: compat systemd
+                group: compat systemd
                 hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
 
 SYSV INIT.D SCRIPTS:
index c41c4d7eec7a75a5bed03509e7c6a6eb96a184ff..67e6d083ff74aa1423aa330003addf766244803c 100644 (file)
@@ -132,7 +132,7 @@ but downstreams are strongly advised against doing that.)
    range is above the 16bit boundary. Moreover it's below the 31bit boundary,
    as some broken code (specifically: the kernel's `devpts` file system)
    erroneously considers UIDs signed integers, and hence can't deal with values
-   above 2^31. The `nss-mymachines` glibc NSS module will synthesize user
+   above 2^31. The `systemd-machined.service` service will synthesize user
    database records for all UIDs assigned to a running container from this
    range.
 
@@ -240,14 +240,14 @@ the artifacts the container manager persistently leaves in the system.
 |                     5 | `tty` group           | `systemd`     | `/etc/passwd`                 |
 |                 6…999 | System users          | Distributions | `/etc/passwd`                 |
 |            1000…60000 | Regular users         | Distributions | `/etc/passwd` + LDAP/NIS/…    |
-|           60001…60513 | Human Users (homed)   | `systemd`     | `nss-systemd`
+|           60001…60513 | Human Users (homed)   | `systemd`     | `nss-systemd`                 |
 |           60514…61183 | Unused                |               |                               |
 |           61184…65519 | Dynamic service users | `systemd`     | `nss-systemd`                 |
 |           65520…65533 | Unused                |               |                               |
 |                 65534 | `nobody` user         | Linux         | `/etc/passwd` + `nss-systemd` |
 |                 65535 | 16bit `(uid_t) -1`    | Linux         |                               |
 |          65536…524287 | Unused                |               |                               |
-|     524288…1879048191 | Container UID ranges  | `systemd`     | `nss-mymachines`              |
+|     524288…1879048191 | Container UID ranges  | `systemd`     | `nss-systemd`                 |
 | 1879048192…2147483647 | Unused                |               |                               |
 | 2147483648…4294967294 | HIC SVNT LEONES       |               |                               |
 |            4294967295 | 32bit `(uid_t) -1`    | Linux         |                               |
index e7365cd1426505ee330a1f4a492b56a0660a1ad6..da74b19d9095f54bea3de1e4dffe97faf2c9101e 100644 (file)
@@ -1,7 +1,7 @@
 # This file is part of systemd.
 
-passwd:         compat mymachines systemd
-group:          compat [SUCCESS=merge] mymachines [SUCCESS=merge] systemd
+passwd:         compat systemd
+group:          compat [SUCCESS=merge] systemd
 shadow:         compat
 
 hosts:          files mymachines resolve [!UNAVAIL=return] dns myhostname
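Review bot: The new `passwd:` and `group:` lines carry no hint that names for container UID/GID ranges now come from the `systemd` entry, which elsewhere in this commit is documented as backed by `systemd-machined.service` synthesizing the records. An administrator comparing this factory file with an older deployed `/etc/nsswitch.conf` has nothing here to explain why `mymachines` is absent from these two lines but still present under `hosts:`. A short comment above the `passwd:` line would cover it, e.g. `# container UID/GID names are resolved via "systemd" (userdb); "mymachines" only resolves container hostnames`. Presumably already-deployed configurations are not rewritten by this change, so hosts that rely on named container UIDs in process listings or logs should confirm `systemd` is listed on both lines.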
index 8bb21f2621b5b2533b40427f4316fd0b33abb6a4..a41c383bb33ba2de455f84cfe4fb48500e90d5ad 100644 (file)
@@ -82,8 +82,8 @@
     <command>nss-myhostname</command> correctly:</para>
 
     <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
-<programlisting>passwd:         compat mymachines systemd
-group:          compat mymachines systemd
+<programlisting>passwd:         compat systemd
+group:          compat systemd
 shadow:         compat
 
 # Either (untrusted network):
index 6e4883555047ecd207a737ba2ece387860d8967f..e0e6989c40c292d6242406257f692cde2f07b922 100644 (file)
     Note that the name that is resolved is the one registered with <command>systemd-machined</command>, which
     may be different than the hostname configured inside of the container.</para>
 
-    <para>The module also provides name resolution for user and group identifiers mapped to containers. All names from
-    the range allocated to a given container <replaceable>container</replaceable> are exposed on the host as
-    <literal>vu-<replaceable>container</replaceable>-<replaceable>uid</replaceable></literal> and
-    <literal>vg-<replaceable>container</replaceable>-<replaceable>gid</replaceable></literal> (see example below). This
-    functionality only applies to containers using user namespacing (see the description of
-    <option>--private-users</option> in
-    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
-
-    <para>To activate the NSS module, add <literal>mymachines</literal> to the lines starting with
-    <literal>hosts:</literal>, <literal>passwd:</literal> and <literal>group:</literal> in
-    <filename>/etc/nsswitch.conf</filename>.</para>
+    <para>To activate the NSS module, add <literal>mymachines</literal> to the line starting with
+    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
 
     <para>It is recommended to place <literal>mymachines</literal> after the <literal>files</literal> or
-    <literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> lines to make sure that its mappings
-    are preferred over other resolvers such as DNS, but so that <filename>/etc/hosts</filename>,
-    <filename>/etc/passwd</filename> and <filename>/etc/group</filename> based mappings take precedence.</para>
+    <literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> line to make sure that its
+    mappings are preferred over other resolvers such as DNS, but so that <filename>/etc/hosts</filename>
+    based mappings take precedence.</para>
   </refsect1>
 
   <refsect1>
@@ -64,8 +55,8 @@
     <command>nss-mymachines</command> correctly:</para>
 
     <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
-    <programlisting>passwd:         compat <command>mymachines</command> systemd
-group:          compat <command>mymachines</command> systemd
+    <programlisting>passwd:         compat systemd
+group:          compat systemd
 shadow:         compat
 
 hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] myhostname files dns
@@ -81,7 +72,7 @@ netgroup:       nis</programlisting>
   </refsect1>
 
   <refsect1>
-    <title>Mappings provided by <filename>nss-mymachines</filename></title>
+    <title>Example: Mappings provided by <filename>nss-mymachines</filename></title>
 
     <para>The container <literal>rawhide</literal> is spawned using
     <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
@@ -96,29 +87,6 @@ $ machinectl --max-addresses=3
 MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
 rawhide container systemd-nspawn fedora 30      169.254.40.164 fe80::94aa:3aff:fe7b:d4b9
 
-$ getent passwd vu-rawhide-0 vu-rawhide-81
-vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
-vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin
-
-$ getent group vg-rawhide-0 vg-rawhide-81
-vg-rawhide-0:*:20119552:
-vg-rawhide-81:*:20119633:
-
-$ ps -o user:15,pid,tty,command -e|grep '^vu-rawhide'
-vu-rawhide-0      692 ?        /usr/lib/systemd/systemd
-vu-rawhide-0      731 ?        /usr/lib/systemd/systemd-journald
-vu-rawhide-192    734 ?        /usr/lib/systemd/systemd-networkd
-vu-rawhide-193    738 ?        /usr/lib/systemd/systemd-resolved
-vu-rawhide-0      742 ?        /usr/lib/systemd/systemd-logind
-vu-rawhide-81     744 ?        /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
-vu-rawhide-0      746 ?        /usr/sbin/sshd -D ...
-vu-rawhide-0      752 ?        /usr/lib/systemd/systemd --user
-vu-rawhide-0      753 ?        (sd-pam)
-vu-rawhide-0     1628 ?        login -- zbyszek
-vu-rawhide-1000  1630 ?        /usr/lib/systemd/systemd --user
-vu-rawhide-1000  1631 ?        (sd-pam)
-vu-rawhide-1000  1637 pts/8    -zsh
-
 $ ping -c1 rawhide
 PING rawhide(fe80::94aa:3aff:fe7b:d4b9%ve-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve-rawhide)) 56 data bytes
 64 bytes from fe80::94aa:3aff:fe7b:d4b9%ve-rawhide (fe80::94aa:3aff:fe7b:d4b9%ve-rawhide): icmp_seq=1 ttl=64 time=0.045 ms
index 332cf0b06d3019b7e24e762c61369fde7ceda009..c377468953dbac286af1405ab1cf77f2e6b0785b 100644 (file)
@@ -63,8 +63,8 @@
     correctly:</para>
 
     <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
-<programlisting>passwd:         compat mymachines systemd
-group:          compat mymachines systemd
+<programlisting>passwd:         compat systemd
+group:          compat systemd
 shadow:         compat
 
 hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> myhostname files dns
index ea293596bee418c6237f4c793a73c6e2f5f37b48..34aee0e88016970f87d4b9cea5d68dec4a0c438b 100644 (file)
@@ -61,8 +61,8 @@
     <command>nss-systemd</command> correctly:</para>
 
     <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
-    <programlisting>passwd:         compat mymachines <command>systemd</command>
-group:          compat [SUCCESS=merge] mymachines [SUCCESS=merge] <command>systemd</command>
+    <programlisting>passwd:         compat <command>systemd</command>
+group:          compat [SUCCESS=merge] <command>systemd</command>
 shadow:         compat
 
 hosts:          mymachines resolve [!UNAVAIL=return] myhostname files dns
index 1f321f9ea3f29ef7740b53670d2326862aed936d..330bd7e7d296bb2fcf55f9fd099997b9c4c7da4a 100644 (file)
@@ -4636,7 +4636,7 @@ static int run_container(
         if (!barrier_place_and_sync(&barrier)) /* #5 */
                 return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Child died too early.");
 
-        /* At this point we have made use of the UID we picked, and thus nss-mymachines
+        /* At this point we have made use of the UID we picked, and thus nss-systemd/systemd-machined.service
          * will make them appear in getpwuid(), thus we can release the /etc/passwd lock. */
         etc_passwd_lock = safe_close(etc_passwd_lock);
 
index 9269e7fd7bfee09b5c392addd6462851f8eb1aa3..5db0dcef7687358331cc6eb1d70693522a171354 100644 (file)
 #include "nss-util.h"
 #include "signal-util.h"
 #include "string-util.h"
-#include "user-util.h"
 
 NSS_GETHOSTBYNAME_PROTOTYPES(mymachines);
 NSS_GETPW_PROTOTYPES(mymachines);
 NSS_GETGR_PROTOTYPES(mymachines);
 
-#define HOST_UID_LIMIT ((uid_t) UINT32_C(0x10000))
-#define HOST_GID_LIMIT ((gid_t) UINT32_C(0x10000))
-
 static int count_addresses(sd_bus_message *m, int af, unsigned *ret) {
         unsigned c = 0;
         int r;
@@ -402,94 +398,7 @@ enum nss_status _nss_mymachines_getpwnam_r(
                 char *buffer, size_t buflen,
                 int *errnop) {
 
-        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
-        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
-        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
-        const char *p, *e, *machine;
-        uint32_t mapped;
-        uid_t uid;
-        size_t l;
-        int r;
-
-        PROTECT_ERRNO;
-        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
-
-        assert(name);
-        assert(pwd);
-
-        p = startswith(name, "vu-");
-        if (!p)
-                return NSS_STATUS_NOTFOUND;
-
-        e = strrchr(p, '-');
-        if (!e || e == p)
-                return NSS_STATUS_NOTFOUND;
-
-        if (e - p > HOST_NAME_MAX - 1) /* -1 for the last dash */
-                return NSS_STATUS_NOTFOUND;
-
-        r = parse_uid(e + 1, &uid);
-        if (r < 0)
-                return NSS_STATUS_NOTFOUND;
-
-        machine = strndupa(p, e - p);
-        if (!machine_name_is_valid(machine))
-                return NSS_STATUS_NOTFOUND;
-
-        if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
-                /* Make sure we can't deadlock if we are invoked by dbus-daemon. This way, it won't be able to resolve
-                 * these UIDs, but that should be unproblematic as containers should never be able to connect to a bus
-                 * running on the host. */
-                return NSS_STATUS_NOTFOUND;
-
-        if (avoid_deadlock()) {
-                r = -EDEADLK;
-                goto fail;
-        }
-
-        r = sd_bus_open_system(&bus);
-        if (r < 0)
-                goto fail;
-
-        r = bus_call_method(bus, bus_machine_mgr, "MapFromMachineUser", &error, &reply, "su", machine, (uint32_t) uid);
-        if (r < 0) {
-                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_USER_MAPPING))
-                        return NSS_STATUS_NOTFOUND;
-
-                goto fail;
-        }
-
-        r = sd_bus_message_read(reply, "u", &mapped);
-        if (r < 0)
-                goto fail;
-
-        /* Refuse to work if the mapped address is in the host UID range, or if there was no mapping at all. */
-        if (mapped < HOST_UID_LIMIT || mapped == uid)
-                return NSS_STATUS_NOTFOUND;
-
-        l = strlen(name);
-        if (buflen < l+1) {
-                UNPROTECT_ERRNO;
-                *errnop = ERANGE;
-                return NSS_STATUS_TRYAGAIN;
-        }
-
-        memcpy(buffer, name, l+1);
-
-        pwd->pw_name = buffer;
-        pwd->pw_uid = mapped;
-        pwd->pw_gid = GID_NOBODY;
-        pwd->pw_gecos = buffer;
-        pwd->pw_passwd = (char*) "*"; /* locked */
-        pwd->pw_dir = (char*) "/";
-        pwd->pw_shell = (char*) NOLOGIN;
-
-        return NSS_STATUS_SUCCESS;
-
-fail:
-        UNPROTECT_ERRNO;
-        *errnop = -r;
-        return NSS_STATUS_UNAVAIL;
+        return NSS_STATUS_NOTFOUND;
 }
 
 enum nss_status _nss_mymachines_getpwuid_r(
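Review bot: The stubbed body of `_nss_mymachines_getpwnam_r` has no comment saying why a hook that always returns `NSS_STATUS_NOTFOUND` is kept, so a later cleanup could mistake it for dead code; the same applies to the `getpwuid_r`, `getgrnam_r` and `getgrgid_r` stubs in the three hunks that follow. The rationale exists only in the commit message ("kept in the NSS module ... in order to keep compat at a maximum"). I would record it once above the first stub, e.g. `/* UID/GID resolving is now done by nss-systemd via userdb. The passwd/group hooks are kept as no-ops for compatibility and never resolve anything. */`. The function signature starts above this hunk, and whether the remaining includes are still needed by the hostname code cannot be checked from the lines shown.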
@@ -498,162 +407,16 @@ enum nss_status _nss_mymachines_getpwuid_r(
                 char *buffer, size_t buflen,
                 int *errnop) {
 
-        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
-        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
-        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
-        const char *machine;
-        uint32_t mapped;
-        int r;
-
-        PROTECT_ERRNO;
-        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
-
-        if (!uid_is_valid(uid))
-                return NSS_STATUS_NOTFOUND;
-
-        /* We consider all uids < 65536 host uids */
-        if (uid < HOST_UID_LIMIT)
-                return NSS_STATUS_NOTFOUND;
-
-        if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
-                return NSS_STATUS_NOTFOUND;
-
-        if (avoid_deadlock()) {
-                r = -EDEADLK;
-                goto fail;
-        }
-
-        r = sd_bus_open_system(&bus);
-        if (r < 0)
-                goto fail;
-
-        r = bus_call_method(bus, bus_machine_mgr, "MapToMachineUser", &error, &reply, "u", (uint32_t) uid);
-        if (r < 0) {
-                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_USER_MAPPING))
-                        return NSS_STATUS_NOTFOUND;
-
-                goto fail;
-        }
-
-        r = sd_bus_message_read(reply, "sou", &machine, NULL, &mapped);
-        if (r < 0)
-                goto fail;
-
-        if (mapped == uid)
-                return NSS_STATUS_NOTFOUND;
-
-        if (snprintf(buffer, buflen, "vu-%s-" UID_FMT, machine, (uid_t) mapped) >= (int) buflen) {
-                UNPROTECT_ERRNO;
-                *errnop = ERANGE;
-                return NSS_STATUS_TRYAGAIN;
-        }
-
-        pwd->pw_name = buffer;
-        pwd->pw_uid = uid;
-        pwd->pw_gid = GID_NOBODY;
-        pwd->pw_gecos = buffer;
-        pwd->pw_passwd = (char*) "*"; /* locked */
-        pwd->pw_dir = (char*) "/";
-        pwd->pw_shell = (char*) NOLOGIN;
-
-        return NSS_STATUS_SUCCESS;
-
-fail:
-        UNPROTECT_ERRNO;
-        *errnop = -r;
-        return NSS_STATUS_UNAVAIL;
+        return NSS_STATUS_NOTFOUND;
 }
 
-#pragma GCC diagnostic ignored "-Wsizeof-pointer-memaccess"
-
 enum nss_status _nss_mymachines_getgrnam_r(
                 const char *name,
                 struct group *gr,
                 char *buffer, size_t buflen,
                 int *errnop) {
 
-        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
-        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
-        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
-        const char *p, *e, *machine;
-        uint32_t mapped;
-        uid_t gid;
-        size_t l;
-        int r;
-
-        PROTECT_ERRNO;
-        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
-
-        assert(name);
-        assert(gr);
-
-        p = startswith(name, "vg-");
-        if (!p)
-                return NSS_STATUS_NOTFOUND;
-
-        e = strrchr(p, '-');
-        if (!e || e == p)
-                return NSS_STATUS_NOTFOUND;
-
-        if (e - p > HOST_NAME_MAX - 1)  /* -1 for the last dash */
-                return NSS_STATUS_NOTFOUND;
-
-        r = parse_gid(e + 1, &gid);
-        if (r < 0)
-                return NSS_STATUS_NOTFOUND;
-
-        machine = strndupa(p, e - p);
-        if (!machine_name_is_valid(machine))
-                return NSS_STATUS_NOTFOUND;
-
-        if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
-                return NSS_STATUS_NOTFOUND;
-
-        if (avoid_deadlock()) {
-                r = -EDEADLK;
-                goto fail;
-        }
-
-        r = sd_bus_open_system(&bus);
-        if (r < 0)
-                goto fail;
-
-        r = bus_call_method(bus, bus_machine_mgr, "MapFromMachineGroup", &error, &reply, "su", machine, (uint32_t) gid);
-        if (r < 0) {
-                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_GROUP_MAPPING))
-                        return NSS_STATUS_NOTFOUND;
-
-                goto fail;
-        }
-
-        r = sd_bus_message_read(reply, "u", &mapped);
-        if (r < 0)
-                goto fail;
-
-        if (mapped < HOST_GID_LIMIT || mapped == gid)
-                return NSS_STATUS_NOTFOUND;
-
-        l = sizeof(char*) + strlen(name) + 1;
-        if (buflen < l) {
-                UNPROTECT_ERRNO;
-                *errnop = ERANGE;
-                return NSS_STATUS_TRYAGAIN;
-        }
-
-        memzero(buffer, sizeof(char*));
-        strcpy(buffer + sizeof(char*), name);
-
-        gr->gr_name = buffer + sizeof(char*);
-        gr->gr_gid = mapped;
-        gr->gr_passwd = (char*) "*"; /* locked */
-        gr->gr_mem = (char**) buffer;
-
-        return NSS_STATUS_SUCCESS;
-
-fail:
-        UNPROTECT_ERRNO;
-        *errnop = -r;
-        return NSS_STATUS_UNAVAIL;
+        return NSS_STATUS_NOTFOUND;
 }
 
 enum nss_status _nss_mymachines_getgrgid_r(
@@ -662,72 +425,5 @@ enum nss_status _nss_mymachines_getgrgid_r(
                 char *buffer, size_t buflen,
                 int *errnop) {
 
-        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
-        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
-        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
-        const char *machine;
-        uint32_t mapped;
-        int r;
-
-        PROTECT_ERRNO;
-        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
-
-        if (!gid_is_valid(gid))
-                return NSS_STATUS_NOTFOUND;
-
-        /* We consider all gids < 65536 host gids */
-        if (gid < HOST_GID_LIMIT)
-                return NSS_STATUS_NOTFOUND;
-
-        if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
-                return NSS_STATUS_NOTFOUND;
-
-        if (avoid_deadlock()) {
-                r = -EDEADLK;
-                goto fail;
-        }
-
-        r = sd_bus_open_system(&bus);
-        if (r < 0)
-                goto fail;
-
-        r = bus_call_method(bus, bus_machine_mgr, "MapToMachineGroup", &error, &reply, "u", (uint32_t) gid);
-        if (r < 0) {
-                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_GROUP_MAPPING))
-                        return NSS_STATUS_NOTFOUND;
-
-                goto fail;
-        }
-
-        r = sd_bus_message_read(reply, "sou", &machine, NULL, &mapped);
-        if (r < 0)
-                goto fail;
-
-        if (mapped == gid)
-                return NSS_STATUS_NOTFOUND;
-
-        if (buflen < sizeof(char*) + 1) {
-                UNPROTECT_ERRNO;
-                *errnop = ERANGE;
-                return NSS_STATUS_TRYAGAIN;
-        }
-
-        memzero(buffer, sizeof(char*));
-        if (snprintf(buffer + sizeof(char*), buflen - sizeof(char*), "vg-%s-" GID_FMT, machine, (gid_t) mapped) >= (int) buflen) {
-                UNPROTECT_ERRNO;
-                *errnop = ERANGE;
-                return NSS_STATUS_TRYAGAIN;
-        }
-
-        gr->gr_name = buffer + sizeof(char*);
-        gr->gr_gid = gid;
-        gr->gr_passwd = (char*) "*"; /* locked */
-        gr->gr_mem = (char**) buffer;
-
-        return NSS_STATUS_SUCCESS;
-
-fail:
-        UNPROTECT_ERRNO;
-        *errnop = -r;
-        return NSS_STATUS_UNAVAIL;
+        return NSS_STATUS_NOTFOUND;
 }