[nss_ldap/f14/master] - take another stab at implementing a working nss_initgroups_minimum_uid setting, and default it t

Nalin Dahyabhai nalin at fedoraproject.org
Fri Aug 20 19:09:33 UTC 2010 

commit 035c969f45f80227d5d49920b004583d43301099
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Thu Aug 19 19:20:18 2010 -0400

    - take another stab at implementing a working nss_initgroups_minimum_uid
      setting, and default it to 500

 nss_ldap-265-initgroups-minimum_uid.patch |  190 +++++++++++++++++++++++++++++
 1 files changed, 190 insertions(+), 0 deletions(-)
---
diff --git a/nss_ldap-265-initgroups-minimum_uid.patch b/nss_ldap-265-initgroups-minimum_uid.patch
new file mode 100644
index 0000000..fdcf56a
--- /dev/null
+++ b/nss_ldap-265-initgroups-minimum_uid.patch
@@ -0,0 +1,190 @@
+This builds off of the recursion checking introduced by -depth to avoid
+a deadlock if/when we recurse into ourselves while looking up the user's
+UID to compare it to the configured value.
+
+diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c
+--- nss_ldap-265/ldap-nss.c	2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-nss.c	2010-08-19 17:25:09.000000000 -0400
+@@ -34,6 +34,7 @@
+ #endif
+ 
+ #include <assert.h>
++#include <pwd.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <string.h>
+@@ -4356,20 +4357,55 @@
+ int
+ _nss_ldap_test_initgroups_ignoreuser (const char *user)
+ {
+-  char **p;
++  char **p, *buf;
++  size_t buflen;
++  struct passwd pwd, *passwd;
+ 
+-  if (__config == NULL)
+-    return 0;
+-
+-  if (__config->ldc_initgroups_ignoreusers == NULL)
+-    return 0;
+-
+-  for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
++  if (__config != NULL)
+     {
+-      if (strcmp (*p, user) == 0)
+-	return 1;
++      if (__config->ldc_initgroups_ignoreusers != NULL)
++        for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
++          {
++            if (strcmp (*p, user) == 0)
++              return 1;
++          }
++      if (__config->ldc_initgroups_minimum_uid >= 0)
++        {
++          memset (&pwd, 0, sizeof(pwd));
++          buflen = 16;
++          buf = malloc(buflen);
++          if (buf != NULL)
++            {
++              passwd = NULL;
++              while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) &&
++                     (passwd != &pwd))
++                {
++                  switch (errno)
++                    {
++                      case ERANGE:
++                        buflen *= 2; 
++                        free(buf);
++                        if (buflen > 0x100000)
++                          buf = NULL;
++                        else
++                          buf = malloc(buflen);
++                        break;
++                      case EINTR:
++                        continue;
++                        break;
++                      default:
++                        free(buf);
++                        buf = NULL;
++                        break;
++                    }
++                  if (buf == NULL)
++                    break;
++                }
++            }
++          if ((passwd == &pwd) && (passwd->pw_uid < 1000))
++            return 1;
++        }
+     }
+-
+   return 0;
+ }
+ 
+diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h
+--- nss_ldap-265/ldap-nss.h	2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-nss.h	2010-08-19 17:18:47.000000000 -0400
+@@ -400,6 +400,7 @@
+   time_t ldc_mtime;
+ 
+   char **ldc_initgroups_ignoreusers;
++  int ldc_initgroups_minimum_uid;
+ 
+   /* disable the do-res_init()-on-resolv.conf-changes hack */
+   unsigned int ldc_resolv_conf_res_init_hack;
+diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c
+--- nss_ldap-265/ldap-pwd.c	2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-pwd.c	2010-08-19 16:40:43.000000000 -0400
+@@ -49,6 +49,7 @@
+ #include "ldap-nss.h"
+ #include "ldap-pwd.h"
+ #include "util.h"
++#include "depth.h"
+ 
+ #ifdef HAVE_PORT_AFTER_H
+ #include <port_after.h>
+@@ -242,6 +243,10 @@
+ 		      struct passwd * result,
+ 		      char *buffer, size_t buflen, int *errnop)
+ {
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++  if (_nss_ldap_get_depth() > 0)
++    return NSS_STATUS_UNAVAIL;
++#endif
+   LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
+ 	       LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
+   AND_REQUIRE_MATCH(name, result->pw_name);
+@@ -261,6 +266,10 @@
+ 		      struct passwd *result,
+ 		      char *buffer, size_t buflen, int *errnop)
+ {
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++  if (_nss_ldap_get_depth() > 0)
++    return NSS_STATUS_UNAVAIL;
++#endif
+   LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid,
+ 		 LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
+ }
+diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5
+--- nss_ldap-265/nss_ldap.5	2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/nss_ldap.5	2010-08-19 17:19:23.000000000 -0400
+@@ -445,6 +445,14 @@
+ to return NSS_STATUS_NOTFOUND if called with a listed users as
+ its argument.
+ .TP
++.B nss_initgroups_minimum_uid <uid>
++This option directs the
++.B nss_ldap
++implementation of
++.BR initgroups(3)
++to return NSS_STATUS_NOTFOUND if called with a user whose UID is
++below the value given as the argument.
++.TP
+ .B nss_getgrent_skipmembers <yes|no>
+ Specifies whether or not to populate the members list in
+ the group structure for group lookups. If very large groups
+diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c
+--- nss_ldap-265/util.c	2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/util.c	2010-08-19 17:18:33.000000000 -0400
+@@ -669,6 +669,7 @@
+   result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
+   result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
+   result->ldc_initgroups_ignoreusers = NULL;
++  result->ldc_initgroups_minimum_uid = -1;
+ 
+   for (i = 0; i <= LM_NONE; i++)
+     {
+@@ -1180,6 +1181,10 @@
+ 	      break;
+ 	    }
+ 	}
++      else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
++	{
++	  result->ldc_initgroups_minimum_uid = atoi(v);
++	}
+       else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
+ 	{
+ 	  if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
+diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h
+--- nss_ldap-265/util.h	2009-11-06 05:28:08.000000000 -0500
++++ nss_ldap-265-2/util.h	2010-08-19 17:19:46.000000000 -0400
+@@ -92,6 +92,7 @@
+ #define NSS_LDAP_KEY_PAGESIZE		"pagesize"
+ #define NSS_LDAP_KEY_INITGROUPS		"nss_initgroups"
+ #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS	"nss_initgroups_ignoreusers"
++#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID	"nss_initgroups_minimum_uid"
+ #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS	"nss_getgrent_skipmembers"
+ 
+ /* more reconnect policy fine-tuning */
+--- nss_ldap-265/ldap.conf	2005-08-17 18:35:13.000000000 -0400
++++ nss_ldap-265/ldap.conf	2006-02-09 14:14:05.000000000 -0500
+@@ -177,8 +177,8 @@
+ #nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
+ #nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
+ 
+-# Just assume that there are no supplemental groups for these named users
+-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
++# Just assume that there are no supplemental groups for system users.
++nss_initgroups_minimum_uid 500
+ 
+ # attribute/objectclass mapping
+ # Syntax:

More information about the scm-commits mailing list