[nss-pam-ldapd] - backport support for the "validnames" option from SVN and use it to allow parentheses characters
Nalin Dahyabhai
nalin at fedoraproject.org
Thu Jul 14 20:46:52 UTC 2011
commit 2e65cf1587b7a88ea7b89cce8188ec452ed00ecb
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Thu Jul 14 16:37:55 2011 -0400
- backport support for the "validnames" option from SVN and use it to allow
parentheses characters by modifying the default setting (#690870), then
modify the default again to also allow shorter and shorter names to pass
muster (#706860)
nss-pam-ldapd-0.7.13-validname.patch | 317 ++++++++++++++++++++++++++++++++++
nss-pam-ldapd.spec | 10 +-
2 files changed, 326 insertions(+), 1 deletions(-)
---
diff --git a/nss-pam-ldapd-0.7.13-validname.patch b/nss-pam-ldapd-0.7.13-validname.patch
new file mode 100644
index 0000000..1ccae69
--- /dev/null
+++ b/nss-pam-ldapd-0.7.13-validname.patch
@@ -0,0 +1,317 @@
+Pulled from SVN, then tweaked to apply to 0.7.5, with the man page sections
+added because we don't regenerate them, and with the defaults changed to allow
+opening and closing parentheses everywhere. Defaults changed again to make
+characters after the first optional, then tweaked to apply to 0.7.13.
+
+Index: tests/test_common.c
+===================================================================
+--- tests/test_common.c (revision 1410)
++++ tests/test_common.c (revision 1411)
+@@ -26,15 +26,14 @@
+ #include <assert.h>
+
+ #include "nslcd/common.h"
++#include "nslcd/cfg.h"
+
++/* we include nslcd/cfg.c here to use cfg_defaults() to set the default
++ regular expression used in test_isvalidname() */
++#include "nslcd/cfg.c"
++#include "common/expr.c"
++#include "nslcd/attmap.c"
++
+-/* this is a simple way to get this into an executable */
+-const char **base_get_var(int UNUSED(map)) {return NULL;}
+-int *scope_get_var(int UNUSED(map)) {return NULL;}
+-const char **filter_get_var(int UNUSED(map)) {return NULL;}
+-const char **attmap_get_var(int UNUSED(map),const char UNUSED(*name)) {return NULL;}
+-const char *attmap_get_value(MYLDAP_ENTRY UNUSED(*entry),const char UNUSED(*attr),char UNUSED(*buffer),size_t UNUSED(buflen)) {return "";}
+-void *attmap_add_attributes(void UNUSED(*set),const char UNUSED(*attr)) {return NULL;}
+-const char *attmap_set_mapping(const char UNUSED(**var),const char UNUSED(*value)) {return NULL;}
+
+ static void test_isvalidname(void)
+ {
+@@ -41,6 +46,8 @@
+ /* the main program... */
+ int main(int UNUSED(argc),char UNUSED(*argv[]))
+ {
++ nslcd_cfg=(struct ldap_config *)malloc(sizeof(struct ldap_config));
++ cfg_defaults(nslcd_cfg);
+ test_isvalidname();
+ return 0;
+ }
+Index: tests/Makefile.am
+===================================================================
+--- tests/Makefile.am (revision 1410)
++++ tests/Makefile.am (revision 1411)
+@@ -73,7 +73,7 @@
+ test_getpeercred_LDADD = ../compat/libcompat.a
+
+ test_common_SOURCES = test_common.c
+-test_common_LDADD = ../nslcd/log.o ../nslcd/common.o ../nslcd/cfg.o \
++test_common_LDADD = ../nslcd/log.o ../nslcd/common.o \
+ ../nslcd/alias.o ../nslcd/ether.o ../nslcd/group.o \
+ ../nslcd/host.o ../nslcd/netgroup.o ../nslcd/network.o \
+ ../nslcd/passwd.o ../nslcd/protocol.o ../nslcd/rpc.o \
+Index: nslcd/cfg.c
+===================================================================
+--- nslcd/cfg.c (revision 1410)
++++ nslcd/cfg.c (revision 1411)
+@@ -5,7 +5,7 @@
+
+ Copyright (C) 1997-2005 Luke Howard
+ Copyright (C) 2007 West Consulting
+- Copyright (C) 2007, 2008, 2009, 2010 Arthur de Jong
++ Copyright (C) 2007, 2008, 2009, 2010, 2011 Arthur de Jong
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+@@ -75,6 +75,11 @@
+ exit(EXIT_FAILURE); \
+ }
+
++/* prototype for parse_validnames_statement() because it is used in
++ cfg_defaults() */
++static void parse_validnames_statement(const char *filename,int lnr,
++ const char *keyword,char *line,struct ldap_config *cfg);
++
+ /* set the configuration information to the defaults */
+ static void cfg_defaults(struct ldap_config *cfg)
+ {
+@@ -121,6 +126,8 @@
+ cfg->ldc_pagesize=0;
+ cfg->ldc_nss_initgroups_ignoreusers=NULL;
+ cfg->ldc_pam_authz_search=NULL;
++ parse_validnames_statement(__FILE__,__LINE__,"",
++ "/^[a-z0-9._@$()][a-z0-9._@$() \\~-]*[a-z0-9._@$()~-]?$/i",cfg);
+ }
+
+ /* simple strdup wrapper */
+@@ -568,6 +575,52 @@
+ *var=xstrdup(value);
+ }
+
++/* parse the validnames statement */
++static void parse_validnames_statement(const char *filename,int lnr,
++ const char *keyword,char *line,struct ldap_config *cfg)
++{
++ char *value=NULL;
++ int i,l;
++ int flags=REG_EXTENDED|REG_NOSUB;
++ /* the rest of the line should be a regular expression */
++ get_restdup(filename,lnr,keyword,&line,&value);
++ /* check formatting and update flags */
++ if (value[0]!='/')
++ {
++ log_log(LOG_ERR,"%s:%d: regular expression incorrectly delimited",filename,lnr);
++ exit(EXIT_FAILURE);
++ }
++ l=strlen(value);
++ if (value[l-1]=='i')
++ {
++ value[l-1]='\0';
++ l--;
++ flags|=REG_ICASE;
++ }
++ if (value[l-1]!='/')
++ {
++ log_log(LOG_ERR,"%s:%d: regular expression incorrectly delimited",filename,lnr);
++ exit(EXIT_FAILURE);
++ }
++ value[l-1]='\0';
++ /* compile the regular expression */
++ if ((i=regcomp(&cfg->validnames,value+1,flags))!= 0)
++ {
++ /* get the error message */
++ l=regerror(i,&cfg->validnames,NULL,0);
++ value=malloc(l);
++ if (value==NULL)
++ log_log(LOG_ERR,"%s:%d: invalid regular expression",filename,lnr);
++ else
++ {
++ regerror(i,&cfg->validnames,value,l);
++ log_log(LOG_ERR,"%s:%d: invalid regular expression: %s",filename,lnr,
++ value);
++ }
++ exit(EXIT_FAILURE);
++ }
++}
++
+ static void parse_base_statement(const char *filename,int lnr,
+ const char *keyword,char *line,
+ struct ldap_config *cfg)
+@@ -1013,6 +1066,10 @@
+ check_argumentcount(filename,lnr,keyword,(line!=NULL)&&(*line!='\0'));
+ cfg->ldc_pam_authz_search=xstrdup(line);
+ }
++ else if (strcasecmp(keyword,"validnames")==0)
++ {
++ parse_validnames_statement(filename,lnr,keyword,line,cfg);
++ }
+ #ifdef ENABLE_CONFIGFILE_CHECKING
+ /* fallthrough */
+ else
+Index: nslcd/cfg.h
+===================================================================
+--- nslcd/cfg.h (revision 1410)
++++ nslcd/cfg.h (revision 1411)
+@@ -5,7 +5,7 @@
+
+ Copyright (C) 1997-2005 Luke Howard
+ Copyright (C) 2007 West Consulting
+- Copyright (C) 2007, 2008, 2009, 2010 Arthur de Jong
++ Copyright (C) 2007, 2008, 2009, 2010, 2011 Arthur de Jong
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+@@ -30,6 +30,7 @@
+ #include <sys/types.h>
+ #include <lber.h>
+ #include <ldap.h>
++#include <regex.h>
+
+ #include "compat/attrs.h"
+ #include "common/set.h"
+@@ -139,6 +140,8 @@
+ SET *ldc_nss_initgroups_ignoreusers;
+ /* the search that should be performed to do autorisation checks */
+ char *ldc_pam_authz_search;
++ /* the regular expression to determine valid names */
++ regex_t validnames;
+ };
+
+ /* this is a pointer to the global configuration, it should be available
+Index: nslcd/common.c
+===================================================================
+--- nslcd/common.c (revision 1410)
++++ nslcd/common.c (revision 1411)
+@@ -33,10 +33,12 @@
+ #include <arpa/inet.h>
+ #include <strings.h>
+ #include <limits.h>
++#include <regex.h>
+
+ #include "nslcd.h"
+ #include "common.h"
+ #include "log.h"
++#include "cfg.h"
+
+ /* simple wrapper around snptintf() to return non-0 in case
+ of any failure (but always keep string 0-terminated) */
+@@ -140,41 +142,10 @@
+ (any code for this is more than welcome) */
+ }
+
+-/*
+- Checks to see if the specified name seems to be a valid user or group name.
+-
+- This test is based on the definition from POSIX (IEEE Std 1003.1, 2004,
+- 3.426 User Name, 3.189 Group Name and 3.276 Portable Filename Character Set):
+- http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_426
+- http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_189
+- http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_276
+-
+- The standard defines user names valid if they contain characters from
+- the set [A-Za-z0-9._-] where the hyphen should not be used as first
+- character. As an extension this test allows some more characters.
+-*/
++/* Checks if the specified name seems to be a valid user or group name. */
+ int isvalidname(const char *name)
+ {
+- int i;
+- if ((name==NULL)||(name[0]=='\0'))
+- return 0;
+- /* check characters */
+- for (i=0;name[i]!='\0';i++)
+- {
+-#ifdef LOGIN_NAME_MAX
+- if (i>=LOGIN_NAME_MAX)
+- return 0;
+-#endif /* LOGIN_NAME_MAX */
+- if ( ! ( ( (i!=0) && (name[i]=='-') ) ||
+- ( (i!=0) && (name[i]=='\\') && name[i+1]!='\0' ) ||
+- (name[i]>='@' && name[i] <= 'Z') ||
+- (name[i]>='a' && name[i] <= 'z') ||
+- (name[i]>='0' && name[i] <= '9') ||
+- name[i]=='.' || name[i]=='_' || name[i]=='$' || name[i]==' ') )
+- return 0;
+- }
+- /* no test failed so it must be good */
+- return -1;
++ return regexec(&nslcd_cfg->validnames,name,0,NULL,0)==0;
+ }
+
+ /* this writes a single address to the stream */
+Index: configure.ac
+===================================================================
+--- configure.ac (revision 1410)
++++ configure.ac (revision 1411)
+@@ -549,6 +549,8 @@
+ then
+ AC_CHECK_HEADERS(gssapi/gssapi.h gssapi/gssapi_generic.h gssapi/gssapi_krb5.h gssapi.h)
+ fi
++
++ AC_CHECK_HEADERS(regex.h)
+
+ # checks for availability of system libraries for nslcd
+ AC_SEARCH_LIBS(gethostbyname,nsl socket)
+@@ -563,6 +564,7 @@
+ AC_CHECK_FUNCS(__nss_configure_lookup)
+ AC_CHECK_FUNCS(getenv putenv clearenv)
+ AC_CHECK_FUNCS(dlopen dlsym dlerror)
++ AC_CHECK_FUNCS(regcomp regexec regerror)
+
+ # replace getopt_long() function if it is not on the system
+ AC_REPLACE_FUNCS(getopt_long)
+Index: man/nslcd.conf.5.xml
+===================================================================
+--- man/nslcd.conf.5.xml (revision 1410)
++++ man/nslcd.conf.5.xml (revision 1411)
+@@ -671,6 +671,25 @@
+ </listitem>
+ </varlistentry>
+
++ <varlistentry id="validnames">
++ <term><option>validnames</option> <replaceable>REGEX</replaceable></term>
++ <listitem>
++ <para>
++ This option can be used to specify how user and group names are
++ verified within the system. This pattern is used to check all user and
++ group names that are requested and returned from <acronym>LDAP</acronym>.
++ </para>
++ <para>
++ The regular expression should be specified as a POSIX extended regular
++ expression. The expression itself needs to be separated by slash (/)
++ characters and the 'i' flag may be appended at the end to indicate
++ that the match should be case-insensetive.
++ The default value is
++ <literal>/^[a-z0-9._@$()][a-z0-9._@$() \\~-]+[a-z0-9._@$()~-]$/i</literal>
++ </para>
++ </listitem>
++ </varlistentry>
++
+ <varlistentry>
+ <term><option>pam_authz_search</option>
+ <replaceable>FILTER</replaceable></term>
+--- man/nslcd.conf.5 2010-05-14 16:48:18.000000000 -0400
++++ man/nslcd.conf.5 2011-03-29 12:02:56.209777493 -0400
+@@ -265,6 +265,20 @@ This option may be specified multiple ti
+ Alternatively, the value \*(T<ALLLOCAL\*(T> may be
+ used. With that value nslcd builds a full list of
+ non-LDAP users on startup.
++.TP
++\*(T<\fBvalidnames\fR\*(T> \fIREGEX\fR
++This option can be used to specify how user and group names are
++verified within the system. This pattern is used to check all user and
++group names that are requested and returned from LDAP.
++
++The regular expression should be specified as a POSIX extended regular
++expression. The expression itself needs to be separated by slash (/)
++characters and the 'i' flag may be appended at the end to indicate
++that the match should be case-insensitive.
++
++The default value is
++ \*(T</^[a-z0-9._@$()][a-z0-9._@$() \\~-]*[a-z0-9._@$()~-]?$/i\*(T>
++
+ .TP
+ \*(T<\fBpam_authz_search\fR\*(T> \fIFILTER\fR
+ This option allows flexible fine tuning of the authorisation check that
diff --git a/nss-pam-ldapd.spec b/nss-pam-ldapd.spec
index 06726b4..483eb70 100644
--- a/nss-pam-ldapd.spec
+++ b/nss-pam-ldapd.spec
@@ -14,7 +14,7 @@
Name: nss-pam-ldapd
Version: 0.7.13
-Release: 6%{?dist}
+Release: 7%{?dist}
Summary: An nsswitch module which uses directory servers
Group: System Environment/Base
License: LGPLv2+
@@ -25,8 +25,10 @@ Source2: nslcd.init
Source3: nslcd.tmpfiles
Source4: nslcd.service
Patch0: nss-pam-ldapd-0.7.x-buffers.patch
+Patch1: nss-pam-ldapd-0.7.13-validname.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: openldap-devel, krb5-devel
+BuildRequires: autoconf, automake
Obsoletes: nss-ldapd < 0.7
Provides: nss-ldapd = %{version}-%{release}
@@ -57,6 +59,8 @@ nsswitch module.
%prep
%setup -q
%patch0 -p1 -b .buffers
+%patch1 -p0 -b .validname
+autoreconf -f -i
%build
%configure --libdir=/%{_lib} --disable-pam
@@ -257,6 +261,10 @@ exit 0
install (#706454)
- make sure that we have enough space to parse any valid GID value when
parsing a user's primary GID (#716822)
+- backport support for the "validnames" option from SVN and use it to allow
+ parentheses characters by modifying the default setting (#690870), then
+ modify the default again to also allow shorter and shorter names to pass
+ muster (#706860)
* Wed Jul 13 2011 Nalin Dahyabhai <nalin at redhat.com> 0.7.13-6
- convert to systemd-native startup (#716997)
More information about the scm-commits
mailing list