From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 9 Apr 2020 12:28:56 +0000 (+0200)
Subject: logind: avoid shadow lookups when doing userdb client side
X-Git-Tag: v246-rc1~610^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F15377%2Fhead;p=thirdparty%2Fsystemd.git

logind: avoid shadow lookups when doing userdb client side

Let's not trigger MACs needlessly.

Ideally everybody would turn on userdb, but if people insist in not
doing so, then let's not attempt to open shadow.

It's a bit ugly to implement this, since shadow information is more than
just passwords (but accound validity metadata), and thus userdb's own
"privieleged" scheme is orthogonal to this, but let's still do this for
the client side.

Fixes: #15105
---

diff --git a/src/login/logind-core.c b/src/login/logind-core.c
index 22a42b077c0..a9006d746a0 100644
--- a/src/login/logind-core.c
+++ b/src/login/logind-core.c
@@ -171,7 +171,7 @@ int manager_add_user_by_name(
         assert(m);
         assert(name);
 
-        r = userdb_by_name(name, 0, &ur);
+        r = userdb_by_name(name, USERDB_AVOID_SHADOW, &ur);
         if (r < 0)
                 return r;
 
@@ -189,7 +189,7 @@ int manager_add_user_by_uid(
         assert(m);
         assert(uid_is_valid(uid));
 
-        r = userdb_by_uid(uid, 0, &ur);
+        r = userdb_by_uid(uid, USERDB_AVOID_SHADOW, &ur);
         if (r < 0)
                 return r;