6679571b MT |
1 | This builds off of the recursion checking introduced by -depth to avoid |
2 | a deadlock if/when we recurse into ourselves while looking up the user's | |
3 | UID to compare it to the configured value. Revision for upstream #341. | |
4 | ||
5 | diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c | |
6 | --- nss_ldap-265/ldap-nss.c 2010-08-19 17:16:51.000000000 -0400 | |
7 | +++ nss_ldap-265-2/ldap-nss.c 2010-08-19 17:25:09.000000000 -0400 | |
8 | @@ -34,6 +34,7 @@ | |
9 | #endif | |
10 | ||
11 | #include <assert.h> | |
12 | +#include <pwd.h> | |
13 | #include <stdlib.h> | |
14 | #include <unistd.h> | |
15 | #include <string.h> | |
16 | @@ -4356,20 +4357,55 @@ | |
17 | int | |
18 | _nss_ldap_test_initgroups_ignoreuser (const char *user) | |
19 | { | |
20 | - char **p; | |
21 | + char **p, *buf; | |
22 | + size_t buflen; | |
23 | + struct passwd pwd, *passwd; | |
24 | ||
25 | - if (__config == NULL) | |
26 | - return 0; | |
27 | - | |
28 | - if (__config->ldc_initgroups_ignoreusers == NULL) | |
29 | - return 0; | |
30 | - | |
31 | - for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++) | |
32 | + if (__config != NULL) | |
33 | { | |
34 | - if (strcmp (*p, user) == 0) | |
35 | - return 1; | |
36 | + if (__config->ldc_initgroups_ignoreusers != NULL) | |
37 | + for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++) | |
38 | + { | |
39 | + if (strcmp (*p, user) == 0) | |
40 | + return 1; | |
41 | + } | |
42 | + if (__config->ldc_initgroups_minimum_uid >= 0) | |
43 | + { | |
44 | + memset (&pwd, 0, sizeof(pwd)); | |
45 | + buflen = 0x100; | |
46 | + buf = malloc(buflen); | |
47 | + if (buf != NULL) | |
48 | + { | |
49 | + passwd = NULL; | |
50 | + while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) && | |
51 | + (passwd != &pwd)) | |
52 | + { | |
53 | + switch (errno) | |
54 | + { | |
55 | + case ERANGE: | |
56 | + buflen *= 2; | |
57 | + free(buf); | |
58 | + if (buflen > 0x100000) | |
59 | + buf = NULL; | |
60 | + else | |
61 | + buf = malloc(buflen); | |
62 | + break; | |
63 | + case EINTR: | |
64 | + continue; | |
65 | + break; | |
66 | + default: | |
67 | + free(buf); | |
68 | + buf = NULL; | |
69 | + break; | |
70 | + } | |
71 | + if (buf == NULL) | |
72 | + break; | |
73 | + } | |
74 | + } | |
75 | + if ((passwd == &pwd) && (passwd->pw_uid < 1000)) | |
76 | + return 1; | |
77 | + } | |
78 | } | |
79 | - | |
80 | return 0; | |
81 | } | |
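Review bot: The threshold check at hunk line 75 compares `passwd->pw_uid < 1000` rather than the configured `__config->ldc_initgroups_minimum_uid`, so the option's value only switches the lookup on, the man-page wording ("below the value given as the argument") is not honoured, and the `nss_initgroups_minimum_uid 500` example in ldap.conf would still ignore every UID under 1000. The lookup also leaks `buf` on every path after the loop (found, not found, or above the threshold), and `passwd` is only assigned inside `if (buf != NULL)`, so a failed first malloc leaves it uninitialized when line 75 reads it. `getpwnam_r` reports failure through its return value, which the loop condition discards before `switch (errno)` inspects a possibly unrelated errno; capture the return code and switch on that instead. The rewrite below keeps the doubling strategy and the 0x100000 cap, initializes `passwd` before the loop, and frees the buffer on all paths; `errno.h` is not among the includes visible in the first hunk, so confirm it is already in scope before relying on ERANGE/EINTR here.
```c
      if (__config->ldc_initgroups_minimum_uid >= 0)
        {
          int rc;

          memset (&pwd, 0, sizeof(pwd));
          buflen = 0x100;
          buf = malloc(buflen);
          passwd = NULL;   /* defined even if the first malloc fails */
          while (buf != NULL &&
                 (rc = getpwnam_r(user, &pwd, buf, buflen, &passwd)) != 0 &&
                 passwd != &pwd)
            {
              if (rc == EINTR)
                continue;
              free(buf);
              buf = NULL;
              if (rc == ERANGE)
                {
                  buflen *= 2;
                  if (buflen <= 0x100000)
                    buf = malloc(buflen);
                }
            }
          if ((passwd == &pwd) &&
              (passwd->pw_uid < (uid_t) __config->ldc_initgroups_minimum_uid))
            {
              free(buf);
              return 1;
            }
          free(buf);
        }
```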
82 | ||
83 | diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h | |
84 | --- nss_ldap-265/ldap-nss.h 2010-08-19 17:16:51.000000000 -0400 | |
85 | +++ nss_ldap-265-2/ldap-nss.h 2010-08-19 17:18:47.000000000 -0400 | |
86 | @@ -400,6 +400,7 @@ | |
87 | time_t ldc_mtime; | |
88 | ||
89 | char **ldc_initgroups_ignoreusers; | |
90 | + int ldc_initgroups_minimum_uid; | |
91 | ||
92 | /* disable the do-res_init()-on-resolv.conf-changes hack */ | |
93 | unsigned int ldc_resolv_conf_res_init_hack; | |
94 | diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c | |
95 | --- nss_ldap-265/ldap-pwd.c 2010-08-19 17:16:51.000000000 -0400 | |
96 | +++ nss_ldap-265-2/ldap-pwd.c 2010-08-19 16:40:43.000000000 -0400 | |
97 | @@ -49,6 +49,7 @@ | |
98 | #include "ldap-nss.h" | |
99 | #include "ldap-pwd.h" | |
100 | #include "util.h" | |
101 | +#include "depth.h" | |
102 | ||
103 | #ifdef HAVE_PORT_AFTER_H | |
104 | #include <port_after.h> | |
105 | @@ -242,6 +243,10 @@ | |
106 | struct passwd * result, | |
107 | char *buffer, size_t buflen, int *errnop) | |
108 | { | |
109 | +#ifdef HAVE_THREAD_LOCAL_STORAGE | |
110 | + if (_nss_ldap_get_depth() > 0) | |
111 | + return NSS_STATUS_UNAVAIL; | |
112 | +#endif | |
113 | LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam, | |
114 | LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT) | |
115 | AND_REQUIRE_MATCH(name, result->pw_name); | |
116 | @@ -261,6 +266,10 @@ | |
117 | struct passwd *result, | |
118 | char *buffer, size_t buflen, int *errnop) | |
119 | { | |
120 | +#ifdef HAVE_THREAD_LOCAL_STORAGE | |
121 | + if (_nss_ldap_get_depth() > 0) | |
122 | + return NSS_STATUS_UNAVAIL; | |
123 | +#endif | |
124 | LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid, | |
125 | LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT); | |
126 | } | |
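Review bot: The recursion guard added at hunk lines 109-112, and repeated at 120-123, exists only under `#ifdef HAVE_THREAD_LOCAL_STORAGE`; on a build without thread-local storage the new `getpwnam_r` call in `_nss_ldap_test_initgroups_ignoreuser` can re-enter these functions with no depth check at all, which is the self-recursion the description says this change is meant to avoid. Either wrap the `nss_initgroups_minimum_uid` lookup in ldap-nss.c in the same conditional so the feature is only compiled when the guard is, or give `_nss_ldap_get_depth` a fallback so the check is unconditional. The early return also leaves `*errnop` untouched; if the NSS dispatcher reads it on NSS_STATUS_UNAVAIL, confirm against the module's other UNAVAIL returns whether it should be set here. Both enclosing functions begin before their hunks; only the tail of each signature is visible.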
127 | diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5 | |
128 | --- nss_ldap-265/nss_ldap.5 2010-08-19 17:16:51.000000000 -0400 | |
129 | +++ nss_ldap-265-2/nss_ldap.5 2010-08-19 17:19:23.000000000 -0400 | |
130 | @@ -445,6 +445,14 @@ | |
131 | to return NSS_STATUS_NOTFOUND if called with a listed users as | |
132 | its argument. | |
133 | .TP | |
134 | +.B nss_initgroups_minimum_uid <uid> | |
135 | +This option directs the | |
136 | +.B nss_ldap | |
137 | +implementation of | |
138 | +.BR initgroups(3) | |
139 | +to return NSS_STATUS_NOTFOUND if called with a user whose UID is | |
140 | +below the value given as the argument. | |
141 | +.TP | |
142 | .B nss_getgrent_skipmembers <yes|no> | |
143 | Specifies whether or not to populate the members list in | |
144 | the group structure for group lookups. If very large groups | |
145 | diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c | |
146 | --- nss_ldap-265/util.c 2010-08-19 17:16:51.000000000 -0400 | |
147 | +++ nss_ldap-265-2/util.c 2010-08-19 17:18:33.000000000 -0400 | |
148 | @@ -669,6 +669,7 @@ | |
149 | result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME; | |
150 | result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES; | |
151 | result->ldc_initgroups_ignoreusers = NULL; | |
152 | + result->ldc_initgroups_minimum_uid = -1; | |
153 | ||
154 | for (i = 0; i <= LM_NONE; i++) | |
155 | { | |
156 | @@ -1180,6 +1181,10 @@ | |
157 | break; | |
158 | } | |
159 | } | |
160 | + else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID)) | |
161 | + { | |
162 | + result->ldc_initgroups_minimum_uid = atoi(v); | |
163 | + } | |
164 | else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS)) | |
165 | { | |
166 | if (!strcasecmp (v, "on") || !strcasecmp (v, "yes") | |
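Review bot: `atoi(v)` at hunk line 162 gives no error signal, so a mistyped value such as `nss_initgroups_minimum_uid 5OO` silently becomes 0 and a negative or out-of-range value silently disables or truncates the threshold, with nothing in the log to explain why initgroups behaviour changed. Parse with `strtol` and reject anything that is not a complete, non-negative number that fits the `int` field, keeping the option disabled (the -1 default) on bad input; the excerpt below assumes `errno.h` and `limits.h` are in scope and that `v` has already had trailing whitespace stripped — relax the `*end != '\0'` test if the parser leaves it in place. The surrounding `else if` chain and its enclosing function start before the hunk.
```c
      else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
        {
          char *end;
          long uid;

          errno = 0;
          uid = strtol (v, &end, 10);
          if (end == v || *end != '\0' || errno == ERANGE
              || uid < 0 || uid > INT_MAX)
            result->ldc_initgroups_minimum_uid = -1;  /* malformed: leave the option disabled */
          else
            result->ldc_initgroups_minimum_uid = (int) uid;
        }
```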
167 | diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h | |
168 | --- nss_ldap-265/util.h 2009-11-06 05:28:08.000000000 -0500 | |
169 | +++ nss_ldap-265-2/util.h 2010-08-19 17:19:46.000000000 -0400 | |
170 | @@ -92,6 +92,7 @@ | |
171 | #define NSS_LDAP_KEY_PAGESIZE "pagesize" | |
172 | #define NSS_LDAP_KEY_INITGROUPS "nss_initgroups" | |
173 | #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers" | |
174 | +#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID "nss_initgroups_minimum_uid" | |
175 | #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers" | |
176 | ||
177 | /* more reconnect policy fine-tuning */ | |
178 | --- nss_ldap-265/ldap.conf 2005-08-17 18:35:13.000000000 -0400 | |
179 | +++ nss_ldap-265/ldap.conf 2006-02-09 14:14:05.000000000 -0500 | |
180 | @@ -177,8 +177,8 @@ | |
181 | #nss_base_aliases ou=Aliases,dc=padl,dc=com?one | |
182 | #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one | |
183 | ||
184 | -# Just assume that there are no supplemental groups for these named users | |
185 | -nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody | |
186 | +# Just assume that there are no supplemental groups for system users. | |
187 | +nss_initgroups_minimum_uid 500 | |
188 | ||
189 | # attribute/objectclass mapping | |
190 | # Syntax: |
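Review bot: Replacing the `nss_initgroups_ignoreusers` list with `nss_initgroups_minimum_uid 500` is not an equivalent configuration: the removed list named `nobody`, which on many systems carries a UID well above 500 (65534 and 99 are common), so initgroups for that account would reach LDAP again, and any other listed account allocated above the threshold behaves the same way. Keep an explicit list alongside the new option for such accounts, or state the limit in the comment, e.g. `# Just assume that there are no supplemental groups for system users (UID < 500); list others explicitly with nss_initgroups_ignoreusers.` This hunk also carries 2005/2006 timestamps, names `nss_ldap-265/` on both sides and has no `diff -ur` header, unlike the rest of the patch, which suggests it was appended from another change; confirm it still applies cleanly.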