From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 15 Oct 2024 11:59:57 +0000 (+0200)
Subject: userdb: return ESRCH if userdb service refuses a user/group name as invalid
X-Git-Tag: v257-rc1~215^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F34778%2Fhead;p=thirdparty%2Fsystemd.git

userdb: return ESRCH if userdb service refuses a user/group name as invalid

if a userdb service refuse a user/group name as invalid, let's turn this
into ESRCH client-side following that there definitely is no user/group
record for a completely invalid user/group name.

Replaces: #34558
---

diff --git a/src/shared/userdb.c b/src/shared/userdb.c
index 557de70ea80..ff83d4bf902 100644
--- a/src/shared/userdb.c
+++ b/src/shared/userdb.c
@@ -171,9 +171,15 @@ static int userdb_on_query_reply(
         if (error_id) {
                 log_debug("Got lookup error: %s", error_id);
 
+                /* Convert various forms of record not found into -ESRCH, since NSS typically doesn't care,
+                 * about the details. Note that if a userName specification is refused as invalid parameter,
+                 * we also turn this into -ESRCH following the logic that there cannot be a user record for a
+                 * completely invalid user name. */
                 if (STR_IN_SET(error_id,
                                "io.systemd.UserDatabase.NoRecordFound",
-                               "io.systemd.UserDatabase.ConflictingRecordFound"))
+                               "io.systemd.UserDatabase.ConflictingRecordFound") ||
+                    sd_varlink_error_is_invalid_parameter(error_id, parameters, "userName") ||
+                    sd_varlink_error_is_invalid_parameter(error_id, parameters, "groupName"))
                         r = -ESRCH;
                 else if (streq(error_id, "io.systemd.UserDatabase.ServiceNotAvailable"))
                         r = -EHOSTDOWN;