userdbd: avoid sending gshadow hash to unprivileged callers via varlink
authorLuca Boccassi <luca.boccassi@gmail.com>
Wed, 25 Feb 2026 00:21:17 +0000 (00:21 +0000)
committerLuca Boccassi <luca.boccassi@gmail.com>
Fri, 27 Feb 2026 21:57:04 +0000 (21:57 +0000)
Reported on yeswehack as YWH-PGM9780-59

Follow-up for d093b62c941ebd6cf16ef9dd6430841eb361ed92

(cherry picked from commit 1012c6ce76ce10772ece1c51b997b53b848054f5)
(cherry picked from commit 74c18638fd525e1e311fe2f772bdf795025456a0)
(cherry picked from commit c14cf79ade17d6b4eb58dab1eeee3f641c2a4073)

src/userdb/userwork.c
test/units/TEST-74-AUX-UTILS.varlinkctl.sh

index 1e36face408c453e945d3826dd14739601574e1f..03a5db86cd8dce44e39e2c5a07d722c1e62ef84b 100644 (file)
@@ -258,7 +258,7 @@ static int build_group_json(sd_varlink *link, GroupRecord *gr, sd_json_variant *
                 (FLAGS_SET(gr->mask, USER_RECORD_PRIVILEGED) &&
                  !FLAGS_SET(stripped->mask, USER_RECORD_PRIVILEGED));
 
-        v = sd_json_variant_ref(gr->json);
+        v = sd_json_variant_ref(stripped->json);
         r = add_nss_service(&v);
         if (r < 0)
                 return r;
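Review bot: The corrected line `v = sd_json_variant_ref(stripped->json);` carries no comment saying why `stripped` rather than `gr` must be the record that is serialized, which is exactly how the original regression could slip in; suggest adding `/* Serialize the privilege-stripped record: gr->json may still carry the gshadow hash the caller is not allowed to see. */` directly above it. The surrounding context only shows `stripped->mask` being compared against `gr->mask`, so where `stripped` is derived from `gr` and how the two can differ lies outside this hunk, as does the rest of build_group_json. If this file has a sibling builder for user records, it is worth confirming that it likewise takes its JSON from the stripped record and not from the original.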
index 84e6a4b7f28ba084a96e5238df5ad7ca4b3f6b08..3a1fc1dc75a8178ce7909d9a3e8e9382eea62892 100755 (executable)
@@ -48,6 +48,19 @@ if command -v userdbctl >/dev/null; then
     varlinkctl call --more -j /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetMemberships '{ "service" : "io.systemd.Multiplexer" }' --graceful=io.systemd.UserDatabase.NoRecordFound | jq --seq .
     varlinkctl call --oneway /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetMemberships '{ "service" : "io.systemd.Multiplexer" }'
     (! varlinkctl call --oneway /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetMemberships '{ "service" : "io.systemd.Multiplexer" }' | grep .)
+
+    if command -v openssl >/dev/null && command -v groupadd >/dev/null; then
+        group=haldo
+        salt=waldo
+        getent group "$group" >/dev/null 2>&1 || groupadd "$group"
+        HASH="$(openssl passwd -6 -salt "$salt" baldo)"
+        groupmod -p "$HASH" "$group"
+
+        (! run0 -u testuser varlinkctl call --json=pretty \
+            /run/systemd/userdb/io.systemd.Multiplexer \
+            io.systemd.UserDatabase.GetGroupRecord \
+            '{"groupName":"haldo","service":"io.systemd.NameServiceSwitch"}' | grep waldo)
+    fi
 fi
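Review bot: The negative check on the last added lines, `(! run0 -u testuser varlinkctl call … | grep waldo)`, also passes when run0 or varlinkctl fails outright or testuser does not exist, so the regression test proves nothing on any error path; capture the output once, first assert that the group record actually came back, and only then assert that the salt is absent. The literals `haldo` and `waldo` in the varlinkctl JSON argument and in the grep duplicate the `group` and `salt` variables set a few lines earlier, and reusing the variables keeps the fixture and the assertion from drifting apart. The created group is never removed, so a `groupdel "$group"` after the check would leave the test image as it was found. The enclosing `if command -v userdbctl` block begins before this hunk.
```shell
        # … unchanged: openssl/groupadd guard, group creation, groupmod -p …
        output="$(run0 -u testuser varlinkctl call --json=pretty \
            /run/systemd/userdb/io.systemd.Multiplexer \
            io.systemd.UserDatabase.GetGroupRecord \
            "{\"groupName\":\"$group\",\"service\":\"io.systemd.NameServiceSwitch\"}")"
        # The unprivileged lookup must still return the record ...
        grep -q "$group" <<<"$output"
        # ... but never the gshadow hash (its salt is a reliable marker for it)
        (! grep -q "$salt" <<<"$output")
        groupdel "$group"
```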
 
 IDL_FILE="$(mktemp)"