From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 18 Aug 2016 22:35:05 +0000 (+0200)
Subject: nss-mymachines: avoid connecting to dbus from inside dbus-daemon
X-Git-Tag: v232~289^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6e32c03ed87e5dfd3857013e909e48b5e61564c1;p=thirdparty%2Fsystemd.git

nss-mymachines: avoid connecting to dbus from inside dbus-daemon

Inspired from the new logic in nss-systemd let's make sure we don't end up
deadlocking in nss-mymachines either in case dbus-daemon tries to a look up a
name and we want to connect to the bus.

This case is much simpler though, as there's no point in resolving virtual
machine UIDs by dbus-daemon as those should never be able to connect to the
host's busses.
---

diff --git a/src/nss-mymachines/nss-mymachines.c b/src/nss-mymachines/nss-mymachines.c
index 8d57b26cbc5..895f61c4629 100644
--- a/src/nss-mymachines/nss-mymachines.c
+++ b/src/nss-mymachines/nss-mymachines.c
@@ -25,6 +25,7 @@
 
 #include "alloc-util.h"
 #include "bus-common-errors.h"
+#include "env-util.h"
 #include "hostname-util.h"
 #include "in-addr-util.h"
 #include "macro.h"
@@ -434,6 +435,12 @@ enum nss_status _nss_mymachines_getpwnam_r(
         if (!machine_name_is_valid(machine))
                 goto not_found;
 
+        if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0)
+                /* Make sure we can't deadlock if we are invoked by dbus-daemon. This way, it won't be able to resolve
+                 * these UIDs, but that should be unproblematic as containers should never be able to connect to a bus
+                 * running on the host. */
+                goto not_found;
+
         r = sd_bus_open_system(&bus);
         if (r < 0)
                 goto fail;
@@ -514,6 +521,9 @@ enum nss_status _nss_mymachines_getpwuid_r(
         if (uid < HOST_UID_LIMIT)
                 goto not_found;
 
+        if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0)
+                goto not_found;
+
         r = sd_bus_open_system(&bus);
         if (r < 0)
                 goto fail;
@@ -605,6 +615,9 @@ enum nss_status _nss_mymachines_getgrnam_r(
         if (!machine_name_is_valid(machine))
                 goto not_found;
 
+        if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0)
+                goto not_found;
+
         r = sd_bus_open_system(&bus);
         if (r < 0)
                 goto fail;
@@ -682,6 +695,9 @@ enum nss_status _nss_mymachines_getgrgid_r(
         if (gid < HOST_GID_LIMIT)
                 goto not_found;
 
+        if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0)
+                goto not_found;
+
         r = sd_bus_open_system(&bus);
         if (r < 0)
                 goto fail;