[nss_ldap/f14/master] - take another stab at implementing a working nss_initgroups_minimum_uid setting, and default it t
Nalin Dahyabhai
nalin at fedoraproject.org
Fri Aug 20 19:09:33 UTC 2010
commit 035c969f45f80227d5d49920b004583d43301099
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Thu Aug 19 19:20:18 2010 -0400
- take another stab at implementing a working nss_initgroups_minimum_uid
setting, and default it to 500
nss_ldap-265-initgroups-minimum_uid.patch | 190 +++++++++++++++++++++++++++++
1 files changed, 190 insertions(+), 0 deletions(-)
---
diff --git a/nss_ldap-265-initgroups-minimum_uid.patch b/nss_ldap-265-initgroups-minimum_uid.patch
new file mode 100644
index 0000000..fdcf56a
--- /dev/null
+++ b/nss_ldap-265-initgroups-minimum_uid.patch
@@ -0,0 +1,190 @@
+This builds off of the recursion checking introduced by -depth to avoid
+a deadlock if/when we recurse into ourselves while looking up the user's
+UID to compare it to the configured value.
+
+diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c
+--- nss_ldap-265/ldap-nss.c 2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-nss.c 2010-08-19 17:25:09.000000000 -0400
+@@ -34,6 +34,7 @@
+ #endif
+
+ #include <assert.h>
++#include <pwd.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <string.h>
+@@ -4356,20 +4357,55 @@
+ int
+ _nss_ldap_test_initgroups_ignoreuser (const char *user)
+ {
+- char **p;
++ char **p, *buf;
++ size_t buflen;
++ struct passwd pwd, *passwd;
+
+- if (__config == NULL)
+- return 0;
+-
+- if (__config->ldc_initgroups_ignoreusers == NULL)
+- return 0;
+-
+- for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
++ if (__config != NULL)
+ {
+- if (strcmp (*p, user) == 0)
+- return 1;
++ if (__config->ldc_initgroups_ignoreusers != NULL)
++ for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
++ {
++ if (strcmp (*p, user) == 0)
++ return 1;
++ }
++ if (__config->ldc_initgroups_minimum_uid >= 0)
++ {
++ memset (&pwd, 0, sizeof(pwd));
++ buflen = 16;
++ buf = malloc(buflen);
++ if (buf != NULL)
++ {
++ passwd = NULL;
++ while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) &&
++ (passwd != &pwd))
++ {
++ switch (errno)
++ {
++ case ERANGE:
++ buflen *= 2;
++ free(buf);
++ if (buflen > 0x100000)
++ buf = NULL;
++ else
++ buf = malloc(buflen);
++ break;
++ case EINTR:
++ continue;
++ break;
++ default:
++ free(buf);
++ buf = NULL;
++ break;
++ }
++ if (buf == NULL)
++ break;
++ }
++ }
++ if ((passwd == &pwd) && (passwd->pw_uid < 1000))
++ return 1;
++ }
+ }
+-
+ return 0;
+ }
+
+diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h
+--- nss_ldap-265/ldap-nss.h 2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-nss.h 2010-08-19 17:18:47.000000000 -0400
+@@ -400,6 +400,7 @@
+ time_t ldc_mtime;
+
+ char **ldc_initgroups_ignoreusers;
++ int ldc_initgroups_minimum_uid;
+
+ /* disable the do-res_init()-on-resolv.conf-changes hack */
+ unsigned int ldc_resolv_conf_res_init_hack;
+diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c
+--- nss_ldap-265/ldap-pwd.c 2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-pwd.c 2010-08-19 16:40:43.000000000 -0400
+@@ -49,6 +49,7 @@
+ #include "ldap-nss.h"
+ #include "ldap-pwd.h"
+ #include "util.h"
++#include "depth.h"
+
+ #ifdef HAVE_PORT_AFTER_H
+ #include <port_after.h>
+@@ -242,6 +243,10 @@
+ struct passwd * result,
+ char *buffer, size_t buflen, int *errnop)
+ {
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ if (_nss_ldap_get_depth() > 0)
++ return NSS_STATUS_UNAVAIL;
++#endif
+ LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
+ LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
+ AND_REQUIRE_MATCH(name, result->pw_name);
+@@ -261,6 +266,10 @@
+ struct passwd *result,
+ char *buffer, size_t buflen, int *errnop)
+ {
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ if (_nss_ldap_get_depth() > 0)
++ return NSS_STATUS_UNAVAIL;
++#endif
+ LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid,
+ LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
+ }
+diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5
+--- nss_ldap-265/nss_ldap.5 2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/nss_ldap.5 2010-08-19 17:19:23.000000000 -0400
+@@ -445,6 +445,14 @@
+ to return NSS_STATUS_NOTFOUND if called with a listed users as
+ its argument.
+ .TP
++.B nss_initgroups_minimum_uid <uid>
++This option directs the
++.B nss_ldap
++implementation of
++.BR initgroups(3)
++to return NSS_STATUS_NOTFOUND if called with a user whose UID is
++below the value given as the argument.
++.TP
+ .B nss_getgrent_skipmembers <yes|no>
+ Specifies whether or not to populate the members list in
+ the group structure for group lookups. If very large groups
+diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c
+--- nss_ldap-265/util.c 2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/util.c 2010-08-19 17:18:33.000000000 -0400
+@@ -669,6 +669,7 @@
+ result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
+ result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
+ result->ldc_initgroups_ignoreusers = NULL;
++ result->ldc_initgroups_minimum_uid = -1;
+
+ for (i = 0; i <= LM_NONE; i++)
+ {
+@@ -1180,6 +1181,10 @@
+ break;
+ }
+ }
++ else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
++ {
++ result->ldc_initgroups_minimum_uid = atoi(v);
++ }
+ else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
+ {
+ if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
+diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h
+--- nss_ldap-265/util.h 2009-11-06 05:28:08.000000000 -0500
++++ nss_ldap-265-2/util.h 2010-08-19 17:19:46.000000000 -0400
+@@ -92,6 +92,7 @@
+ #define NSS_LDAP_KEY_PAGESIZE "pagesize"
+ #define NSS_LDAP_KEY_INITGROUPS "nss_initgroups"
+ #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers"
++#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID "nss_initgroups_minimum_uid"
+ #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers"
+
+ /* more reconnect policy fine-tuning */
+--- nss_ldap-265/ldap.conf 2005-08-17 18:35:13.000000000 -0400
++++ nss_ldap-265/ldap.conf 2006-02-09 14:14:05.000000000 -0500
+@@ -177,8 +177,8 @@
+ #nss_base_aliases ou=Aliases,dc=padl,dc=com?one
+ #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
+
+-# Just assume that there are no supplemental groups for these named users
+-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
++# Just assume that there are no supplemental groups for system users.
++nss_initgroups_minimum_uid 500
+
+ # attribute/objectclass mapping
+ # Syntax:
More information about the scm-commits
mailing list