glibc/nss/getnssent_r.c

259 lines
7.1 KiB
C
Raw Normal View History

/* Copyright (C) 2000-2017 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
#include <errno.h>
#include <netdb.h>
#include "nsswitch.h"
#include <resolv/resolv_context.h>
/* Set up NIP to run through the services. If ALL is zero, use NIP's
current location if it's not nil. Return nonzero if there are no
services (left). */
static int
setup (const char *func_name, db_lookup_function lookup_fct,
void **fctp, service_user **nip, service_user **startp, int all)
{
int no_more;
if (*startp == NULL)
{
* nscd/Makefile (nscd-modules): Replace gethstbynm2_r with gethstbynm3_r. * nscd/gethstbynm2_r.c: Remove. * nscd/gethstbynm3_r.c: New file. * nscd/aicache.c (addhstaiX): Use __gethostbyaddr2_r instead of __gethostbyaddr_r. * nscd/gethstbyad_r.c: Generate __gethostbyaddr2_r function. Define __gethostbyaddr_r compatibility wrapper. * nscd/hstcache.c (cache_addhst): Add ttl parameter. Use it when determining timeout of entry. (lookup): Take new parameter and pass it to __gethostbyname3_r and __gethostbyaddr2_r. (addhstbyX): Pass reference to variable for TTL to lookup and cache_addhst. * nss/Versions [glibc] (GLIBC_PRIVATE): Export __nss_passwd_lookup2, __nss_group_lookup2, __nss_hosts_lookup2, __nss_services_lookup2, and __nss_next2. Remove __nss_services_lookup. * nss/XXX-lookup.c: Name function now *_lookup2. Add new parameter. Add compat wrapper. * nss/getXXbyYY_r.c: Changes to call new *_lookup2 functions and __nss_next2. * nss/getXXent_r.c: Likewise. * nss/getnssent_r.c: Likewise. * nss/nsswitch.c (__nss_lookup): Add new parameter. If first function does not exist in module, try the optional second name. (__nss_next2): New function. (__nss_next): Now wrapper around __nss_next2. * nss/nsswitch.h: Adjust __nss_lookup prototype. Declare __nss_next2. Adjust definition of db_lookup_function type. * nss/service-lookup.c: Define NO_COMPAT. * include/netdb.h: Declare __gethostbyaddr2_r and __gethostbyname3_r. * inet/ether_hton.c: Use __nss_next2 instead of __nss_next. * inet/ether_ntoh.c: Likewise. * sunrpc/netname.c: Likewise. * sunrpc/publickey.c: Likewise. * inet/getnetgrent.c: Likewise. Adjust calls to __nss_lookup. * inet/gethstbyad_r.c (DB_LOOKUP_FCT): Change to __nss_hosts_lookup2. * inet/gethstbynm2_r.c (DB_LOOKUP_FCT): Likewise. * inet/gethstbynm_r.c (DB_LOOKUP_FCT): Likewise. * inet/gethstent_r.c (DB_LOOKUP_FCT): Likewise. * nscd/aicache.c (addhstaiX): Fix default TTL handling. * inet/getnetgrent.c (setup): Encrypt static pointer.
2007-10-30 00:48:09 +00:00
no_more = lookup_fct (nip, func_name, NULL, fctp);
*startp = no_more ? (service_user *) -1l : *nip;
}
else if (*startp == (service_user *) -1l)
/* No services at all. */
return 1;
else
{
if (all || !*nip)
/* Reset to the beginning of the service list. */
*nip = *startp;
/* Look up the first function. */
* nscd/Makefile (nscd-modules): Replace gethstbynm2_r with gethstbynm3_r. * nscd/gethstbynm2_r.c: Remove. * nscd/gethstbynm3_r.c: New file. * nscd/aicache.c (addhstaiX): Use __gethostbyaddr2_r instead of __gethostbyaddr_r. * nscd/gethstbyad_r.c: Generate __gethostbyaddr2_r function. Define __gethostbyaddr_r compatibility wrapper. * nscd/hstcache.c (cache_addhst): Add ttl parameter. Use it when determining timeout of entry. (lookup): Take new parameter and pass it to __gethostbyname3_r and __gethostbyaddr2_r. (addhstbyX): Pass reference to variable for TTL to lookup and cache_addhst. * nss/Versions [glibc] (GLIBC_PRIVATE): Export __nss_passwd_lookup2, __nss_group_lookup2, __nss_hosts_lookup2, __nss_services_lookup2, and __nss_next2. Remove __nss_services_lookup. * nss/XXX-lookup.c: Name function now *_lookup2. Add new parameter. Add compat wrapper. * nss/getXXbyYY_r.c: Changes to call new *_lookup2 functions and __nss_next2. * nss/getXXent_r.c: Likewise. * nss/getnssent_r.c: Likewise. * nss/nsswitch.c (__nss_lookup): Add new parameter. If first function does not exist in module, try the optional second name. (__nss_next2): New function. (__nss_next): Now wrapper around __nss_next2. * nss/nsswitch.h: Adjust __nss_lookup prototype. Declare __nss_next2. Adjust definition of db_lookup_function type. * nss/service-lookup.c: Define NO_COMPAT. * include/netdb.h: Declare __gethostbyaddr2_r and __gethostbyname3_r. * inet/ether_hton.c: Use __nss_next2 instead of __nss_next. * inet/ether_ntoh.c: Likewise. * sunrpc/netname.c: Likewise. * sunrpc/publickey.c: Likewise. * inet/getnetgrent.c: Likewise. Adjust calls to __nss_lookup. * inet/gethstbyad_r.c (DB_LOOKUP_FCT): Change to __nss_hosts_lookup2. * inet/gethstbynm2_r.c (DB_LOOKUP_FCT): Likewise. * inet/gethstbynm_r.c (DB_LOOKUP_FCT): Likewise. * inet/gethstent_r.c (DB_LOOKUP_FCT): Likewise. * nscd/aicache.c (addhstaiX): Fix default TTL handling. * inet/getnetgrent.c (setup): Encrypt static pointer.
2007-10-30 00:48:09 +00:00
no_more = __nss_lookup (nip, func_name, NULL, fctp);
}
return no_more;
}
void
__nss_setent (const char *func_name, db_lookup_function lookup_fct,
service_user **nip, service_user **startp,
service_user **last_nip, int stayopen, int *stayopen_tmp,
int res)
{
union
{
setent_function f;
void *ptr;
} fct;
int no_more;
struct resolv_context *res_ctx = NULL;
if (res)
{
res_ctx = __resolv_context_get ();
if (res_ctx == NULL)
{
__set_h_errno (NETDB_INTERNAL);
return;
}
}
/* Cycle through the services and run their `setXXent' functions until
we find an available service. */
no_more = setup (func_name, lookup_fct, &fct.ptr, nip,
startp, 1);
while (! no_more)
{
int is_last_nip = *nip == *last_nip;
enum nss_status status;
if (stayopen_tmp)
status = DL_CALL_FCT (fct.f, (*stayopen_tmp));
else
status = DL_CALL_FCT (fct.f, (0));
NSS: Implement group merging support. https://sourceware.org/glibc/wiki/Proposals/GroupMerging == Justification == It is common today for users to rely on centrally-managed user stores for handling their user accounts. However, much software existing today does not have an innate understanding of such accounts. Instead, they commonly rely on membership in known groups for managing access-control (for example the "wheel" group on Fedora and RHEL systems or the "adm" group on Debian-derived systems). In the present incarnation of nsswitch, the only way to have such groups managed by a remote user store such as FreeIPA or Active Directory would be to manually remove the groups from /etc/group on the clients so that nsswitch would then move past nss_files and into the SSSD, nss-ldap or other remote user database. == Solution == With this patch, a new action is introduced for nsswitch: NSS_ACTION_MERGE. To take advantage of it, one will add [SUCCESS=merge] between two database entries in the nsswitch.conf file. When a group is located in the first of the two group entries, processing will continue on to the next one. If the group is also found in the next entry (and the group name and GID are an exact match), the member list of the second entry will be added to the group object to be returned. == Implementation == After each DL_LOOKUP_FN() returns, the next action is checked. If the function returned NSS_STATUS_SUCCESS and the next action is NSS_ACTION_MERGE, a copy of the result buffer is saved for the next pass through the loop. If on this next pass through the loop the database returns another instance of a group matching both the group name and GID, the member list is added to the previous list and it is returned as a single object. If the following database does not contain the same group, then the original is copied back into the destination buffer. This patch implements merge functionality only for the group database. For other databases, there is a default implementation that will return the EINVAL errno if a merge is requested. The merge functionality can be implemented for other databases at a later time if such is needed. Each database must provide a unique implementation of the deep-copy and merge functions. If [SUCCESS=merge] is present in nsswitch.conf for a glibc version that does not support it, glibc will process results up until that operation, at which time it will return results if it has found them or else will simply return an error. In practical terms, this ends up behaving like the remainder of the nsswitch.conf line does not exist. == Iterators == This feature does not modify the iterator functionality from its current behavior. If getgrnam() or getgrgid() is called, glibc will iterate through all entries in the `group` line in nsswitch.conf and display the list of members without attempting to merge them. This is consistent with the behavior of nss_files where if two separate lines are specified for the same group in /etc/groups, getgrnam()/getgrgid() will display both. Clients are already expected to handle this gracefully. == No Premature Optimizations == The following is a list of places that might be eligible for optimization, but were not overengineered for this initial contribution: * Any situation where a merge may occur will result in one malloc() of the same size as the input buffer. * Any situation where a merge does occur will result in a second malloc() to hold the list of pointers to member name strings. * The list of members is simply concatenated together and is not tested for uniqueness (which is identical to the behavior for nss_files, which will simply return identical values if they both exist on the line in the file. This could potentially be optimized to reduce space usage in the buffer, but it is both complex and computationally expensive to do so. == Testing == I performed testing by running the getent utility against my newly-built glibc and configuring /etc/nsswitch.conf with the following entry: group: group: files [SUCCESS=merge] sss In /etc/group I included the line: wheel:x:10:sgallagh I then configured my local SSSD using the id_provider=local to respond with: wheel:*:10:localuser,localuser2 I then ran `getent group wheel` against the newly-built glibc in multiple situations and received the expected output as described above: * When SSSD was running. * When SSSD was configured in nsswitch.conf but the daemon was not running. * When SSSD was configured in nsswitch.conf but nss_sss.so.2 was not installed on the system. * When the order of 'sss' and 'files' was reversed. * All of the above with the [SUCCESS=merge] removed (to ensure no regressions). * All of the above with `getent group 10`. * All of the above with `getent group` with and without `enumerate=true` set in SSSD. * All of the above with and without nscd enabled on the system.
2016-04-30 02:11:09 +00:00
/* This is a special-case. When [SUCCESS=merge] is in play,
_nss_next2() will skip to the next database. Due to the
implementation of that function, we can't know whether we're
in an enumeration or an individual lookup, which behaves
differently with regards to merging. We'll treat SUCCESS as
an indication to start the enumeration at this database. */
if (nss_next_action (*nip, status) == NSS_ACTION_MERGE)
no_more = 1;
else
no_more = __nss_next2 (nip, func_name, NULL, &fct.ptr, status, 0);
if (is_last_nip)
*last_nip = *nip;
}
__resolv_context_put (res_ctx);
if (stayopen_tmp)
*stayopen_tmp = stayopen;
}
void
__nss_endent (const char *func_name, db_lookup_function lookup_fct,
service_user **nip, service_user **startp,
service_user **last_nip, int res)
{
union
{
endent_function f;
void *ptr;
} fct;
int no_more;
struct resolv_context *res_ctx = NULL;
if (res)
{
res_ctx = __resolv_context_get ();
if (res_ctx == NULL)
{
__set_h_errno (NETDB_INTERNAL);
return;
}
}
/* Cycle through all the services and run their endXXent functions. */
no_more = setup (func_name, lookup_fct, &fct.ptr, nip, startp, 1);
while (! no_more)
{
/* Ignore status, we force check in __NSS_NEXT. */
DL_CALL_FCT (fct.f, ());
if (*nip == *last_nip)
/* We have processed all services which were used. */
break;
* nscd/Makefile (nscd-modules): Replace gethstbynm2_r with gethstbynm3_r. * nscd/gethstbynm2_r.c: Remove. * nscd/gethstbynm3_r.c: New file. * nscd/aicache.c (addhstaiX): Use __gethostbyaddr2_r instead of __gethostbyaddr_r. * nscd/gethstbyad_r.c: Generate __gethostbyaddr2_r function. Define __gethostbyaddr_r compatibility wrapper. * nscd/hstcache.c (cache_addhst): Add ttl parameter. Use it when determining timeout of entry. (lookup): Take new parameter and pass it to __gethostbyname3_r and __gethostbyaddr2_r. (addhstbyX): Pass reference to variable for TTL to lookup and cache_addhst. * nss/Versions [glibc] (GLIBC_PRIVATE): Export __nss_passwd_lookup2, __nss_group_lookup2, __nss_hosts_lookup2, __nss_services_lookup2, and __nss_next2. Remove __nss_services_lookup. * nss/XXX-lookup.c: Name function now *_lookup2. Add new parameter. Add compat wrapper. * nss/getXXbyYY_r.c: Changes to call new *_lookup2 functions and __nss_next2. * nss/getXXent_r.c: Likewise. * nss/getnssent_r.c: Likewise. * nss/nsswitch.c (__nss_lookup): Add new parameter. If first function does not exist in module, try the optional second name. (__nss_next2): New function. (__nss_next): Now wrapper around __nss_next2. * nss/nsswitch.h: Adjust __nss_lookup prototype. Declare __nss_next2. Adjust definition of db_lookup_function type. * nss/service-lookup.c: Define NO_COMPAT. * include/netdb.h: Declare __gethostbyaddr2_r and __gethostbyname3_r. * inet/ether_hton.c: Use __nss_next2 instead of __nss_next. * inet/ether_ntoh.c: Likewise. * sunrpc/netname.c: Likewise. * sunrpc/publickey.c: Likewise. * inet/getnetgrent.c: Likewise. Adjust calls to __nss_lookup. * inet/gethstbyad_r.c (DB_LOOKUP_FCT): Change to __nss_hosts_lookup2. * inet/gethstbynm2_r.c (DB_LOOKUP_FCT): Likewise. * inet/gethstbynm_r.c (DB_LOOKUP_FCT): Likewise. * inet/gethstent_r.c (DB_LOOKUP_FCT): Likewise. * nscd/aicache.c (addhstaiX): Fix default TTL handling. * inet/getnetgrent.c (setup): Encrypt static pointer.
2007-10-30 00:48:09 +00:00
no_more = __nss_next2 (nip, func_name, NULL, &fct.ptr, 0, 1);
}
*last_nip = *nip = NULL;
__resolv_context_put (res_ctx);
}
int
__nss_getent_r (const char *getent_func_name,
const char *setent_func_name,
db_lookup_function lookup_fct,
service_user **nip, service_user **startp,
service_user **last_nip, int *stayopen_tmp, int res,
void *resbuf, char *buffer, size_t buflen,
void **result, int *h_errnop)
{
union
{
getent_function f;
void *ptr;
} fct;
int no_more;
enum nss_status status;
struct resolv_context *res_ctx = NULL;
if (res)
{
res_ctx = __resolv_context_get ();
if (res_ctx == NULL)
{
*h_errnop = NETDB_INTERNAL;
*result = NULL;
return errno;
}
}
/* Initialize status to return if no more functions are found. */
status = NSS_STATUS_NOTFOUND;
/* Run through available functions, starting with the same function last
run. We will repeat each function as long as it succeeds, and then go
on to the next service action. */
no_more = setup (getent_func_name, lookup_fct, &fct.ptr, nip,
startp, 0);
while (! no_more)
{
int is_last_nip = *nip == *last_nip;
status = DL_CALL_FCT (fct.f,
(resbuf, buffer, buflen, &errno, &h_errno));
2011-04-23 01:34:32 +00:00
/* The status is NSS_STATUS_TRYAGAIN and errno is ERANGE the
provided buffer is too small. In this case we should give
the user the possibility to enlarge the buffer and we should
not simply go on with the next service (even if the TRYAGAIN
action tells us so). */
if (status == NSS_STATUS_TRYAGAIN
&& (h_errnop == NULL || *h_errnop == NETDB_INTERNAL)
&& errno == ERANGE)
break;
do
{
NSS: Implement group merging support. https://sourceware.org/glibc/wiki/Proposals/GroupMerging == Justification == It is common today for users to rely on centrally-managed user stores for handling their user accounts. However, much software existing today does not have an innate understanding of such accounts. Instead, they commonly rely on membership in known groups for managing access-control (for example the "wheel" group on Fedora and RHEL systems or the "adm" group on Debian-derived systems). In the present incarnation of nsswitch, the only way to have such groups managed by a remote user store such as FreeIPA or Active Directory would be to manually remove the groups from /etc/group on the clients so that nsswitch would then move past nss_files and into the SSSD, nss-ldap or other remote user database. == Solution == With this patch, a new action is introduced for nsswitch: NSS_ACTION_MERGE. To take advantage of it, one will add [SUCCESS=merge] between two database entries in the nsswitch.conf file. When a group is located in the first of the two group entries, processing will continue on to the next one. If the group is also found in the next entry (and the group name and GID are an exact match), the member list of the second entry will be added to the group object to be returned. == Implementation == After each DL_LOOKUP_FN() returns, the next action is checked. If the function returned NSS_STATUS_SUCCESS and the next action is NSS_ACTION_MERGE, a copy of the result buffer is saved for the next pass through the loop. If on this next pass through the loop the database returns another instance of a group matching both the group name and GID, the member list is added to the previous list and it is returned as a single object. If the following database does not contain the same group, then the original is copied back into the destination buffer. This patch implements merge functionality only for the group database. For other databases, there is a default implementation that will return the EINVAL errno if a merge is requested. The merge functionality can be implemented for other databases at a later time if such is needed. Each database must provide a unique implementation of the deep-copy and merge functions. If [SUCCESS=merge] is present in nsswitch.conf for a glibc version that does not support it, glibc will process results up until that operation, at which time it will return results if it has found them or else will simply return an error. In practical terms, this ends up behaving like the remainder of the nsswitch.conf line does not exist. == Iterators == This feature does not modify the iterator functionality from its current behavior. If getgrnam() or getgrgid() is called, glibc will iterate through all entries in the `group` line in nsswitch.conf and display the list of members without attempting to merge them. This is consistent with the behavior of nss_files where if two separate lines are specified for the same group in /etc/groups, getgrnam()/getgrgid() will display both. Clients are already expected to handle this gracefully. == No Premature Optimizations == The following is a list of places that might be eligible for optimization, but were not overengineered for this initial contribution: * Any situation where a merge may occur will result in one malloc() of the same size as the input buffer. * Any situation where a merge does occur will result in a second malloc() to hold the list of pointers to member name strings. * The list of members is simply concatenated together and is not tested for uniqueness (which is identical to the behavior for nss_files, which will simply return identical values if they both exist on the line in the file. This could potentially be optimized to reduce space usage in the buffer, but it is both complex and computationally expensive to do so. == Testing == I performed testing by running the getent utility against my newly-built glibc and configuring /etc/nsswitch.conf with the following entry: group: group: files [SUCCESS=merge] sss In /etc/group I included the line: wheel:x:10:sgallagh I then configured my local SSSD using the id_provider=local to respond with: wheel:*:10:localuser,localuser2 I then ran `getent group wheel` against the newly-built glibc in multiple situations and received the expected output as described above: * When SSSD was running. * When SSSD was configured in nsswitch.conf but the daemon was not running. * When SSSD was configured in nsswitch.conf but nss_sss.so.2 was not installed on the system. * When the order of 'sss' and 'files' was reversed. * All of the above with the [SUCCESS=merge] removed (to ensure no regressions). * All of the above with `getent group 10`. * All of the above with `getent group` with and without `enumerate=true` set in SSSD. * All of the above with and without nscd enabled on the system.
2016-04-30 02:11:09 +00:00
/* This is a special-case. When [SUCCESS=merge] is in play,
_nss_next2() will skip to the next database. Due to the
implementation of that function, we can't know whether we're
in an enumeration or an individual lookup, which behaves
differently with regards to merging. We'll treat SUCCESS as
an indication to return the results here. */
if (status == NSS_STATUS_SUCCESS
&& nss_next_action (*nip, status) == NSS_ACTION_MERGE)
no_more = 1;
else
no_more = __nss_next2 (nip, getent_func_name, NULL, &fct.ptr,
status, 0);
if (is_last_nip)
*last_nip = *nip;
if (! no_more)
{
/* Call the `setXXent' function. This wasn't done before. */
union
{
setent_function f;
void *ptr;
} sfct;
* nscd/Makefile (nscd-modules): Replace gethstbynm2_r with gethstbynm3_r. * nscd/gethstbynm2_r.c: Remove. * nscd/gethstbynm3_r.c: New file. * nscd/aicache.c (addhstaiX): Use __gethostbyaddr2_r instead of __gethostbyaddr_r. * nscd/gethstbyad_r.c: Generate __gethostbyaddr2_r function. Define __gethostbyaddr_r compatibility wrapper. * nscd/hstcache.c (cache_addhst): Add ttl parameter. Use it when determining timeout of entry. (lookup): Take new parameter and pass it to __gethostbyname3_r and __gethostbyaddr2_r. (addhstbyX): Pass reference to variable for TTL to lookup and cache_addhst. * nss/Versions [glibc] (GLIBC_PRIVATE): Export __nss_passwd_lookup2, __nss_group_lookup2, __nss_hosts_lookup2, __nss_services_lookup2, and __nss_next2. Remove __nss_services_lookup. * nss/XXX-lookup.c: Name function now *_lookup2. Add new parameter. Add compat wrapper. * nss/getXXbyYY_r.c: Changes to call new *_lookup2 functions and __nss_next2. * nss/getXXent_r.c: Likewise. * nss/getnssent_r.c: Likewise. * nss/nsswitch.c (__nss_lookup): Add new parameter. If first function does not exist in module, try the optional second name. (__nss_next2): New function. (__nss_next): Now wrapper around __nss_next2. * nss/nsswitch.h: Adjust __nss_lookup prototype. Declare __nss_next2. Adjust definition of db_lookup_function type. * nss/service-lookup.c: Define NO_COMPAT. * include/netdb.h: Declare __gethostbyaddr2_r and __gethostbyname3_r. * inet/ether_hton.c: Use __nss_next2 instead of __nss_next. * inet/ether_ntoh.c: Likewise. * sunrpc/netname.c: Likewise. * sunrpc/publickey.c: Likewise. * inet/getnetgrent.c: Likewise. Adjust calls to __nss_lookup. * inet/gethstbyad_r.c (DB_LOOKUP_FCT): Change to __nss_hosts_lookup2. * inet/gethstbynm2_r.c (DB_LOOKUP_FCT): Likewise. * inet/gethstbynm_r.c (DB_LOOKUP_FCT): Likewise. * inet/gethstent_r.c (DB_LOOKUP_FCT): Likewise. * nscd/aicache.c (addhstaiX): Fix default TTL handling. * inet/getnetgrent.c (setup): Encrypt static pointer.
2007-10-30 00:48:09 +00:00
no_more = __nss_lookup (nip, setent_func_name, NULL, &sfct.ptr);
if (! no_more)
{
if (stayopen_tmp)
status = DL_CALL_FCT (sfct.f, (*stayopen_tmp));
else
status = DL_CALL_FCT (sfct.f, (0));
}
else
status = NSS_STATUS_NOTFOUND;
}
}
while (! no_more && status != NSS_STATUS_SUCCESS);
}
__resolv_context_put (res_ctx);
*result = status == NSS_STATUS_SUCCESS ? resbuf : NULL;
return (status == NSS_STATUS_SUCCESS ? 0
: status != NSS_STATUS_TRYAGAIN ? ENOENT
/* h_errno functions only set errno if h_errno is NETDB_INTERNAL. */
: (h_errnop == NULL || *h_errnop == NETDB_INTERNAL) ? errno
: EAGAIN);
}