From d955317f2365d1b1d85ddfd8fa00df5facee6967 Mon Sep 17 00:00:00 2001 From: Anders Blomdell Date: Tue, 2 Sep 2025 11:51:14 +0200 Subject: [PATCH] When using nss-module, avoid using '/etc/sub[ug]id' Use 'want_sub[ug]id_file' to short-circuit acess to '/etc/sub[ug]id' when nss-moduleis active --- src/newgidmap.c | 5 +++-- src/newuidmap.c | 5 +++-- src/newusers.c | 8 ++++---- src/useradd.c | 6 ++++-- src/userdel.c | 4 ++-- src/usermod.c | 4 ++-- 6 files changed, 18 insertions(+), 14 deletions(-) diff --git a/src/newgidmap.c b/src/newgidmap.c index cac4d11fa..e52cd4fa7 100644 --- a/src/newgidmap.c +++ b/src/newgidmap.c @@ -214,7 +214,7 @@ int main(int argc, char **argv) return EXIT_FAILURE; } - if (!sub_gid_open(O_RDONLY)) { + if (want_subgid_file() && !sub_gid_open(O_RDONLY)) { fprintf (stderr, _("%s: cannot open %s: %s\n"), Prog, sub_gid_dbname (), strerror (errno)); @@ -230,7 +230,8 @@ int main(int argc, char **argv) write_setgroups(proc_dir_fd, allow_setgroups); write_mapping(proc_dir_fd, ranges, mappings, "gid_map", pw->pw_uid); - sub_gid_close(); + if (want_subgid_file()) + sub_gid_close(); return EXIT_SUCCESS; } diff --git a/src/newuidmap.c b/src/newuidmap.c index 8aa330904..474194c11 100644 --- a/src/newuidmap.c +++ b/src/newuidmap.c @@ -143,7 +143,7 @@ int main(int argc, char **argv) return EXIT_FAILURE; } - if (!sub_uid_open(O_RDONLY)) { + if (want_subuid_file() && !sub_uid_open(O_RDONLY)) { fprintf (stderr, _("%s: cannot open %s: %s\n"), Prog, sub_uid_dbname (), strerror (errno)); @@ -158,7 +158,8 @@ int main(int argc, char **argv) verify_ranges(pw, ranges, mappings); write_mapping(proc_dir_fd, ranges, mappings, "uid_map", pw->pw_uid); - sub_uid_close(); + if (want_subuid_file()) + sub_uid_close(); return EXIT_SUCCESS; } diff --git a/src/newusers.c b/src/newusers.c index f7ba15ddd..cce72f6c6 100644 --- a/src/newusers.c +++ b/src/newusers.c 
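Review bot: `want_subgid_file()` is evaluated twice in newgidmap's main(), once to guard `sub_gid_open(O_RDONLY)` in the @@ -214 hunk and again to guard `sub_gid_close()` in the @@ -230 hunk, so the open/close pairing depends on both calls giving the same answer. Evaluating it once, `bool use_file = want_subgid_file();`, and testing `use_file` at both sites would make the pairing explicit. The added `if (want_subgid_file())` before the close is also unbraced; braces would keep a later addition from escaping the guard. The two newuidmap.c hunks (@@ -143 and @@ -158) have the same shape with `want_subuid_file()`. main() begins outside these hunks.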
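Review bot: Nothing at the new guard in newuidmap.c says what authorises the mapping once `/etc/subuid` is skipped. In the @@ -158 hunk `verify_ranges(pw, ranges, mappings)` still runs before `write_mapping(...)`, but with the file unopened the answer presumably has to come from the NSS module alone. The page does not show how `want_subuid_file()` or the range check behave when a module is configured but cannot be loaded or queried; for a helper that writes `uid_map`, that case should deny the request. A comment at the guard would record the expectation, e.g. `/* NSS subid module active: /etc/subuid is not consulted; range checks must fail closed if the module cannot answer */`. newgidmap.c has the same gap before its `write_mapping(..., "gid_map", ...)` call.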
@@ -1077,8 +1077,8 @@ int main (int argc, char **argv) is_shadow_grp = sgr_file_present (); #endif #ifdef ENABLE_SUBIDS - is_sub_uid = sub_uid_file_present () && !rflg; - is_sub_gid = sub_gid_file_present () && !rflg; + is_sub_uid = want_subuid_file() && sub_uid_file_present() && !rflg; + is_sub_gid = want_subgid_file() && sub_gid_file_present() && !rflg; #endif /* ENABLE_SUBIDS */ open_files (); @@ -1251,7 +1251,7 @@ int main (int argc, char **argv) /* * Add subordinate uids if the user does not have them. */ - if (is_sub_uid && want_subuid_file() && !local_sub_uid_assigned(fields[0])) { + if (is_sub_uid && !local_sub_uid_assigned(fields[0])) { uid_t sub_uid_start = 0; unsigned long sub_uid_count = 0; if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) != 0) @@ -1273,7 +1273,7 @@ int main (int argc, char **argv) /* * Add subordinate gids if the user does not have them. */ - if (is_sub_gid && want_subgid_file() && !local_sub_gid_assigned(fields[0])) { + if (is_sub_gid && !local_sub_gid_assigned(fields[0])) { gid_t sub_gid_start = 0; unsigned long sub_gid_count = 0; if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) != 0) { diff --git a/src/useradd.c b/src/useradd.c index 69a9b6d6a..2b3b42b68 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -2448,10 +2448,12 @@ int main (int argc, char **argv) uid_max = getdef_ulong ("UID_MAX", 60000UL); subuid_count = getdef_ulong ("SUB_UID_COUNT", 65536); subgid_count = getdef_ulong ("SUB_GID_COUNT", 65536); - is_sub_uid = subuid_count > 0 && sub_uid_file_present () && + is_sub_uid = want_subuid_file () && + subuid_count > 0 && sub_uid_file_present () && (!rflg || Fflg) && (!user_id || (user_id <= uid_max && user_id >= uid_min)); - is_sub_gid = subgid_count > 0 && sub_gid_file_present () && + is_sub_gid = want_subgid_file() && + subgid_count > 0 && sub_gid_file_present() && (!rflg || Fflg) && (!user_id || (user_id <= uid_max && user_id >= uid_min)); #endif /* ENABLE_SUBIDS */ 
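Review bot: After the @@ -1077 hunk in newusers.c, `is_sub_uid` and `is_sub_gid` no longer mean "the file is present", unlike the neighbouring `is_shadow_grp = sgr_file_present ()`, and no comment records the new meaning. They now mean that the local file is both wanted and present, and the @@ -1251 and @@ -1273 hunks depend on this by dropping their own `want_subuid_file()` / `want_subgid_file()` tests. A short comment above the assignments would make that dependency visible, e.g. `/* Subordinate IDs are handled locally only when no NSS subid module is active and the file exists. */`. With a module active, the subordinate-ID blocks in those later hunks are skipped without any message; whether that should be logged is worth deciding explicitly. main() extends beyond all three hunks.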
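Review bot: The two parallel assignments in the useradd.c hunk are spelled differently. `is_sub_uid` uses `want_subuid_file ()` and `sub_uid_file_present ()` with a space before the parentheses, while `is_sub_gid` uses `want_subgid_file()` and `sub_gid_file_present()` without one. The surrounding lines (`getdef_ulong ("UID_MAX", 60000UL)`) use the spaced form, so the second assignment would read `is_sub_gid = want_subgid_file () &&` followed by `subgid_count > 0 && sub_gid_file_present () &&`. Keeping the pair textually identical apart from uid/gid makes a future divergence between them easier to spot in review. The assignments sit in main(), which starts and ends outside the hunk.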
diff --git a/src/userdel.c b/src/userdel.c index 2f8d59fa7..5b1a8a866 100644 --- a/src/userdel.c +++ b/src/userdel.c @@ -1028,8 +1028,8 @@ int main (int argc, char **argv) is_shadow_grp = sgr_file_present (); #endif /* SHADOWGRP */ #ifdef ENABLE_SUBIDS - is_sub_uid = sub_uid_file_present (); - is_sub_gid = sub_gid_file_present (); + is_sub_uid = want_subuid_file() && sub_uid_file_present(); + is_sub_gid = want_subgid_file() && sub_gid_file_present(); #endif /* ENABLE_SUBIDS */ /* diff --git a/src/usermod.c b/src/usermod.c index 02414da9d..ceb0ad60e 100644 --- a/src/usermod.c +++ b/src/usermod.c @@ -2185,8 +2185,8 @@ int main (int argc, char **argv) is_shadow_grp = sgr_file_present (); #endif #ifdef ENABLE_SUBIDS - is_sub_uid = sub_uid_file_present (); - is_sub_gid = sub_gid_file_present (); + is_sub_uid = want_subuid_file() && sub_uid_file_present(); + is_sub_gid = want_subgid_file() && sub_gid_file_present(); #endif /* ENABLE_SUBIDS */ process_flags (argc, argv); -- 2.47.3
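Review bot: In userdel.c, `is_sub_uid = want_subuid_file() && sub_uid_file_present();` is now false whenever an NSS module is active, even if `/etc/subuid` exists and still holds entries. The code that `is_sub_uid` gates is outside the hunk, but it presumably includes removing the deleted user's ranges. If so, a host that moved to NSS after allocating local ranges would keep those entries, and they could match a recreated account of the same name if the file is consulted again later. Please confirm this is intended and document it at the assignment, e.g. `/* NSS subid module active: entries left in /etc/subuid and /etc/subgid are deliberately not touched */`. The usermod.c hunk makes the same change, so local entries would likewise be left as they are when an account is modified.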