[nss_ldap] - take another stab at implementing a working nss_initgroups_minimum_uid setting, and default it t

Nalin Dahyabhai nalin at fedoraproject.org
Fri Aug 20 19:09:16 UTC 2010


commit 29d9e6745ffdef3d7af1afd8b33e85007ed04412
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Thu Aug 19 19:18:14 2010 -0400

    - take another stab at implementing a working nss_initgroups_minimum_uid
      setting, and default it to 500
    - can't static link any more, potential symbol collisions are go

 nss_ldap-257-initgroups-minimum_uid.patch |  135 --------------------
 nss_ldap-265-initgroups-minimum_uid.patch |  190 +++++++++++++++++++++++++++++
 nss_ldap.spec                             |   16 ++-
 3 files changed, 199 insertions(+), 142 deletions(-)
---
diff --git a/nss_ldap-265-initgroups-minimum_uid.patch b/nss_ldap-265-initgroups-minimum_uid.patch
new file mode 100644
index 0000000..fdcf56a
--- /dev/null
+++ b/nss_ldap-265-initgroups-minimum_uid.patch
@@ -0,0 +1,190 @@
+This builds off of the recursion checking introduced by -depth to avoid
+a deadlock if/when we recurse into ourselves while looking up the user's
+UID to compare it to the configured value.
+
+diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c
+--- nss_ldap-265/ldap-nss.c	2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-nss.c	2010-08-19 17:25:09.000000000 -0400
+@@ -34,6 +34,7 @@
+ #endif
+ 
+ #include <assert.h>
++#include <pwd.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <string.h>
+@@ -4356,20 +4357,55 @@
+ int
+ _nss_ldap_test_initgroups_ignoreuser (const char *user)
+ {
+-  char **p;
++  char **p, *buf;
++  size_t buflen;
++  struct passwd pwd, *passwd;
+ 
+-  if (__config == NULL)
+-    return 0;
+-
+-  if (__config->ldc_initgroups_ignoreusers == NULL)
+-    return 0;
+-
+-  for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
++  if (__config != NULL)
+     {
+-      if (strcmp (*p, user) == 0)
+-	return 1;
++      if (__config->ldc_initgroups_ignoreusers != NULL)
++        for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
++          {
++            if (strcmp (*p, user) == 0)
++              return 1;
++          }
++      if (__config->ldc_initgroups_minimum_uid >= 0)
++        {
++          memset (&pwd, 0, sizeof(pwd));
++          buflen = 16;
++          buf = malloc(buflen);
++          if (buf != NULL)
++            {
++              passwd = NULL;
++              while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) &&
++                     (passwd != &pwd))
++                {
++                  switch (errno)
++                    {
++                      case ERANGE:
++                        buflen *= 2; 
++                        free(buf);
++                        if (buflen > 0x100000)
++                          buf = NULL;
++                        else
++                          buf = malloc(buflen);
++                        break;
++                      case EINTR:
++                        continue;
++                        break;
++                      default:
++                        free(buf);
++                        buf = NULL;
++                        break;
++                    }
++                  if (buf == NULL)
++                    break;
++                }
++            }
++          if ((passwd == &pwd) && (passwd->pw_uid < 1000))
++            return 1;
++        }
+     }
+-
+   return 0;
+ }
+ 
+diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h
+--- nss_ldap-265/ldap-nss.h	2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-nss.h	2010-08-19 17:18:47.000000000 -0400
+@@ -400,6 +400,7 @@
+   time_t ldc_mtime;
+ 
+   char **ldc_initgroups_ignoreusers;
++  int ldc_initgroups_minimum_uid;
+ 
+   /* disable the do-res_init()-on-resolv.conf-changes hack */
+   unsigned int ldc_resolv_conf_res_init_hack;
+diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c
+--- nss_ldap-265/ldap-pwd.c	2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-pwd.c	2010-08-19 16:40:43.000000000 -0400
+@@ -49,6 +49,7 @@
+ #include "ldap-nss.h"
+ #include "ldap-pwd.h"
+ #include "util.h"
++#include "depth.h"
+ 
+ #ifdef HAVE_PORT_AFTER_H
+ #include <port_after.h>
+@@ -242,6 +243,10 @@
+ 		      struct passwd * result,
+ 		      char *buffer, size_t buflen, int *errnop)
+ {
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++  if (_nss_ldap_get_depth() > 0)
++    return NSS_STATUS_UNAVAIL;
++#endif
+   LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
+ 	       LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
+   AND_REQUIRE_MATCH(name, result->pw_name);
+@@ -261,6 +266,10 @@
+ 		      struct passwd *result,
+ 		      char *buffer, size_t buflen, int *errnop)
+ {
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++  if (_nss_ldap_get_depth() > 0)
++    return NSS_STATUS_UNAVAIL;
++#endif
+   LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid,
+ 		 LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
+ }
+diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5
+--- nss_ldap-265/nss_ldap.5	2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/nss_ldap.5	2010-08-19 17:19:23.000000000 -0400
+@@ -445,6 +445,14 @@
+ to return NSS_STATUS_NOTFOUND if called with a listed users as
+ its argument.
+ .TP
++.B nss_initgroups_minimum_uid <uid>
++This option directs the
++.B nss_ldap
++implementation of
++.BR initgroups(3)
++to return NSS_STATUS_NOTFOUND if called with a user whose UID is
++below the value given as the argument.
++.TP
+ .B nss_getgrent_skipmembers <yes|no>
+ Specifies whether or not to populate the members list in
+ the group structure for group lookups. If very large groups
+diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c
+--- nss_ldap-265/util.c	2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/util.c	2010-08-19 17:18:33.000000000 -0400
+@@ -669,6 +669,7 @@
+   result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
+   result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
+   result->ldc_initgroups_ignoreusers = NULL;
++  result->ldc_initgroups_minimum_uid = -1;
+ 
+   for (i = 0; i <= LM_NONE; i++)
+     {
+@@ -1180,6 +1181,10 @@
+ 	      break;
+ 	    }
+ 	}
++      else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
++	{
++	  result->ldc_initgroups_minimum_uid = atoi(v);
++	}
+       else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
+ 	{
+ 	  if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
+diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h
+--- nss_ldap-265/util.h	2009-11-06 05:28:08.000000000 -0500
++++ nss_ldap-265-2/util.h	2010-08-19 17:19:46.000000000 -0400
+@@ -92,6 +92,7 @@
+ #define NSS_LDAP_KEY_PAGESIZE		"pagesize"
+ #define NSS_LDAP_KEY_INITGROUPS		"nss_initgroups"
+ #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS	"nss_initgroups_ignoreusers"
++#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID	"nss_initgroups_minimum_uid"
+ #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS	"nss_getgrent_skipmembers"
+ 
+ /* more reconnect policy fine-tuning */
+--- nss_ldap-265/ldap.conf	2005-08-17 18:35:13.000000000 -0400
++++ nss_ldap-265/ldap.conf	2006-02-09 14:14:05.000000000 -0500
+@@ -177,8 +177,8 @@
+ #nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
+ #nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
+ 
+-# Just assume that there are no supplemental groups for these named users
+-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
++# Just assume that there are no supplemental groups for system users.
++nss_initgroups_minimum_uid 500
+ 
+ # attribute/objectclass mapping
+ # Syntax:
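Review bot: The threshold comparison `passwd->pw_uid < 1000` in `_nss_ldap_test_initgroups_ignoreuser` never reads the value the parser stores in `ldc_initgroups_minimum_uid`, so the documented `nss_initgroups_minimum_uid <uid>` option and the `nss_initgroups_minimum_uid 500` default written to ldap.conf have no effect; it should read `passwd->pw_uid < (uid_t) __config->ldc_initgroups_minimum_uid`. The lookup loop also switches on `errno` although `getpwnam_r` reports its failure code through its return value, and on the success path `buf` is never freed, which leaks one allocation per initgroups call. The parser's `atoi(v)` silently maps a malformed value to 0; a `strtol` with an end-pointer check would reject it instead. The rewritten lookup block below captures the return code, frees the buffer on every exit and compares against the configured value.
```c
      if (__config->ldc_initgroups_minimum_uid >= 0)
        {
          int rc, below = 0;

          memset (&pwd, 0, sizeof(pwd));
          buflen = 16;
          buf = malloc(buflen);
          passwd = NULL;
          while (buf != NULL)
            {
              /* getpwnam_r reports failure via its return value, not errno */
              rc = getpwnam_r(user, &pwd, buf, buflen, &passwd);
              if (rc == 0 || passwd == &pwd)
                break;
              if (rc == EINTR)
                continue;
              free(buf);
              buf = NULL;
              if (rc == ERANGE && buflen < 0x100000)
                {
                  buflen *= 2;
                  buf = malloc(buflen);
                }
            }
          /* compare against the configured threshold, not a hard-coded 1000 */
          if ((passwd == &pwd) &&
              (passwd->pw_uid < (uid_t) __config->ldc_initgroups_minimum_uid))
            below = 1;
          free(buf);
          if (below)
            return 1;
        }
```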
diff --git a/nss_ldap.spec b/nss_ldap.spec
index 0adb6d3..2588a56 100644
--- a/nss_ldap.spec
+++ b/nss_ldap.spec
@@ -3,7 +3,7 @@
 Summary: NSS library and PAM module for LDAP
 Name: nss_ldap
 Version: 265
-Release: 5%{?dist}
+Release: 6%{?dist}
 URL: http://www.padl.com/OSS/nss_ldap.html
 License: LGPLv2+
 Group: System Environment/Base
@@ -15,7 +15,6 @@ Source6: version.c
 Source7: dlopen.sh
 Patch6: nss_ldap-265-depth.patch
 Patch8: nss_ldap-254-soname.patch
-Patch11: nss_ldap-257-initgroups-minimum_uid.patch
 Patch15: nss_ldap-257-mozldap.patch
 Patch17: nss_ldap-259-res_init.patch
 Patch21: nss_ldap-264-checkcase.patch
@@ -23,9 +22,9 @@ Patch22: nss_ldap-265-ent_internal.patch
 Patch24: nss_ldap-264-cloexec.patch
 Patch25: nss_ldap-265-local_users.patch
 Patch26: nss_ldap-265-erange.patch
+Patch27: nss_ldap-265-initgroups-minimum_uid.patch
 
 BuildRequires: autoconf, automake, libtool
-BuildRequires: openssl-devel, openssl-static
 BuildRequires: cyrus-sasl-devel >= 2.1
 BuildRequires: openldap-devel >= 2.0.27
 BuildRequires: openldap-evolution-devel
@@ -52,6 +51,7 @@ cp %{SOURCE5} .
 %patch24 -p1 -b .cloexec
 %patch25 -p1 -b .local_users
 %patch26 -p1 -b .erange
+%patch27 -p1 -b .initgroups-minimum_uid
 sed -i -e 's,^ldap.conf$,%{name}.conf,g' *.5
 sed -i -e 's,^/etc/ldap\.,/etc/%{name}.,g' *.5
 sed -i -e 's,ldap.secret,%{name}.secret,g' *.5
@@ -60,16 +60,13 @@ autoreconf -f -i
 cp %{_datadir}/libtool/config/config.{sub,guess} .
 
 %build
-# Build with static copies of as may of the dependent libraries as we can, so
-# that we can bind references symbols the module uses to the copy bundled into
-# the module, and hide them from any calling applications.
 %configure \
 	--with-ldap-lib=openldap \
 	--enable-rfc2307bis \
 	--with-ldap-conf-file=%{_sysconfdir}/%{name}.conf \
 	--with-ldap-secret-file=%{_sysconfdir}/%{name}.secret \
 	--enable-configurable-krb5-ccname-gssapi
-env PATH=`pwd`:"$PATH" make %{?_smp_mflags} LIBS="-L%{_libdir}/evolution-openldap/%{_lib} -Wl,-Bstatic -lldap -llber -lssl -lcrypto -Wl,-Bdynamic -lz -lsasl2 -lgssapi_krb5 -ldl -lpthread_nonshared -lnsl -lresolv"
+env PATH=`pwd`:"$PATH" make
 
 # Check that the module is actually loadable.
 sh %{SOURCE7} ./nss_ldap.so
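Review bot: With the `-L%{_libdir}/evolution-openldap/%{_lib}` search path dropped from the make line, the `BuildRequires: openldap-evolution-devel` kept in the earlier hunk (L247) appears to be unused unless configure still locates that copy on its own; worth confirming and removing it if so. The three-line comment explaining the static-link rationale was removed together with the `LIBS=` override, leaving no record in the spec of why the module now binds libldap/libssl dynamically; a one-line comment above `%configure` such as `# Linked dynamically since 265-6: static bundling of ldap/ssl caused symbol collisions` would keep that context next to the build step.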
@@ -148,6 +145,11 @@ fi
 %attr(0600,root,root) %ghost %config(noreplace) /etc/%{name}.secret
 
 %changelog
+* Thu Aug 19 2010 Nalin Dahyabhai <nalin at redhat.com> 265-6
+- take another stab at implementing a working nss_initgroups_minimum_uid
+  setting, and default it to 500
+- can't static link any more, potential symbol collisions are go
+
 * Thu Jul  8 2010 Nalin Dahyabhai <nalin at redhat.com> 265-5
 - add proposed patch for upstream #421: sometimes errno gets reset before we
   return control to libc

