| /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
| |
| #include "env-util.h" |
| #include "fd-util.h" |
| #include "nss-systemd.h" |
| #include "strv.h" |
| #include "user-record-nss.h" |
| #include "user-record.h" |
| #include "user-util.h" |
| #include "userdb-glue.h" |
| #include "userdb.h" |
| |
| UserDBFlags nss_glue_userdb_flags(void) { |
| UserDBFlags flags = USERDB_EXCLUDE_NSS; |
| |
| /* Make sure that we don't go in circles when allocating a dynamic UID by checking our own database */ |
| if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0) |
| flags |= USERDB_EXCLUDE_DYNAMIC_USER; |
| |
| return flags; |
| } |
| |
| int nss_pack_user_record( |
| UserRecord *hr, |
| struct passwd *pwd, |
| char *buffer, |
| size_t buflen) { |
| |
| const char *rn, *hd, *shell; |
| size_t required; |
| |
| assert(hr); |
| assert(pwd); |
| |
| assert(hr->user_name); |
| required = strlen(hr->user_name) + 1; |
| |
| required += 2; /* strlen(PASSWORD_SEE_SHADOW) + 1 */ |
| |
| assert_se(rn = user_record_real_name(hr)); |
| required += strlen(rn) + 1; |
| |
| assert_se(hd = user_record_home_directory(hr)); |
| required += strlen(hd) + 1; |
| |
| assert_se(shell = user_record_shell(hr)); |
| required += strlen(shell) + 1; |
| |
| if (buflen < required) |
| return -ERANGE; |
| |
| *pwd = (struct passwd) { |
| .pw_name = buffer, |
| .pw_uid = hr->uid, |
| .pw_gid = user_record_gid(hr), |
| }; |
| |
| assert(buffer); |
| |
| pwd->pw_passwd = stpcpy(pwd->pw_name, hr->user_name) + 1; |
| pwd->pw_gecos = stpcpy(pwd->pw_passwd, PASSWORD_SEE_SHADOW) + 1; |
| pwd->pw_dir = stpcpy(pwd->pw_gecos, rn) + 1; |
| pwd->pw_shell = stpcpy(pwd->pw_dir, hd) + 1; |
| strcpy(pwd->pw_shell, shell); |
| |
| return 0; |
| } |
| |
| enum nss_status userdb_getpwnam( |
| const char *name, |
| struct passwd *pwd, |
| char *buffer, size_t buflen, |
| int *errnop) { |
| |
| _cleanup_(user_record_unrefp) UserRecord *hr = NULL; |
| int r; |
| |
| assert(pwd); |
| assert(errnop); |
| |
| if (_nss_systemd_is_blocked()) |
| return NSS_STATUS_NOTFOUND; |
| |
| r = userdb_by_name(name, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &hr); |
| if (r == -ESRCH) |
| return NSS_STATUS_NOTFOUND; |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_UNAVAIL; |
| } |
| |
| r = nss_pack_user_record(hr, pwd, buffer, buflen); |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_TRYAGAIN; |
| } |
| |
| return NSS_STATUS_SUCCESS; |
| } |
| |
| enum nss_status userdb_getpwuid( |
| uid_t uid, |
| struct passwd *pwd, |
| char *buffer, |
| size_t buflen, |
| int *errnop) { |
| |
| _cleanup_(user_record_unrefp) UserRecord *hr = NULL; |
| int r; |
| |
| assert(pwd); |
| assert(errnop); |
| |
| if (_nss_systemd_is_blocked()) |
| return NSS_STATUS_NOTFOUND; |
| |
| r = userdb_by_uid(uid, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &hr); |
| if (r == -ESRCH) |
| return NSS_STATUS_NOTFOUND; |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_UNAVAIL; |
| } |
| |
| r = nss_pack_user_record(hr, pwd, buffer, buflen); |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_TRYAGAIN; |
| } |
| |
| return NSS_STATUS_SUCCESS; |
| } |
| |
| int nss_pack_user_record_shadow( |
| UserRecord *hr, |
| struct spwd *spwd, |
| char *buffer, |
| size_t buflen) { |
| |
| const char *hashed; |
| size_t required; |
| |
| assert(hr); |
| assert(spwd); |
| |
| assert(hr->user_name); |
| required = strlen(hr->user_name) + 1; |
| |
| assert_se(hashed = strv_isempty(hr->hashed_password) ? PASSWORD_LOCKED_AND_INVALID : hr->hashed_password[0]); |
| required += strlen(hashed) + 1; |
| |
| if (buflen < required) |
| return -ERANGE; |
| |
| *spwd = (struct spwd) { |
| .sp_namp = buffer, |
| .sp_lstchg = hr->last_password_change_usec == 0 ? 1 : /* map 0 to 1, since 0 means please change password on next login */ |
| hr->last_password_change_usec == UINT64_MAX ? -1 : |
| (long int) (hr->last_password_change_usec / USEC_PER_DAY), |
| .sp_min = hr->password_change_min_usec != UINT64_MAX ? (long int) (hr->password_change_min_usec / USEC_PER_DAY) : -1, |
| .sp_max = hr->password_change_max_usec != UINT64_MAX ? (long int) (hr->password_change_max_usec / USEC_PER_DAY) : -1, |
| .sp_warn = hr->password_change_warn_usec != UINT64_MAX ? (long int) (hr->password_change_warn_usec / USEC_PER_DAY) : -1, |
| .sp_inact = hr->password_change_inactive_usec != UINT64_MAX ? (long int) (hr->password_change_inactive_usec / USEC_PER_DAY) : -1, |
| .sp_expire = hr->locked > 0 || hr->not_after_usec == 0 ? 1 : /* already expired/locked */ |
| hr->not_after_usec == UINT64_MAX ? -1 : |
| (long int) (hr->not_after_usec / USEC_PER_DAY), |
| .sp_flag = ULONG_MAX, |
| }; |
| |
| assert(buffer); |
| |
| spwd->sp_pwdp = stpcpy(spwd->sp_namp, hr->user_name) + 1; |
| strcpy(spwd->sp_pwdp, hashed); |
| |
| return 0; |
| } |
| |
| enum nss_status userdb_getspnam( |
| const char *name, |
| struct spwd *spwd, |
| char *buffer, size_t buflen, |
| int *errnop) { |
| |
| _cleanup_(user_record_unrefp) UserRecord *hr = NULL; |
| int r; |
| |
| assert(spwd); |
| assert(errnop); |
| |
| if (_nss_systemd_is_blocked()) |
| return NSS_STATUS_NOTFOUND; |
| |
| r = userdb_by_name(name, nss_glue_userdb_flags(), &hr); |
| if (r == -ESRCH) |
| return NSS_STATUS_NOTFOUND; |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_UNAVAIL; |
| } |
| |
| if (hr->incomplete) /* protected records missing? */ |
| return NSS_STATUS_NOTFOUND; |
| |
| r = nss_pack_user_record_shadow(hr, spwd, buffer, buflen); |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_TRYAGAIN; |
| } |
| |
| return NSS_STATUS_SUCCESS; |
| } |
| |
| int nss_pack_group_record( |
| GroupRecord *g, |
| char **extra_members, |
| struct group *gr, |
| char *buffer, |
| size_t buflen) { |
| |
| char **array = NULL, *p, **m; |
| size_t required, n = 0, i = 0; |
| |
| assert(g); |
| assert(gr); |
| |
| assert(g->group_name); |
| required = strlen(g->group_name) + 1; |
| |
| STRV_FOREACH(m, g->members) { |
| required += sizeof(char*); /* space for ptr array entry */ |
| required += strlen(*m) + 1; |
| n++; |
| } |
| STRV_FOREACH(m, extra_members) { |
| if (strv_contains(g->members, *m)) |
| continue; |
| |
| required += sizeof(char*); |
| required += strlen(*m) + 1; |
| n++; |
| } |
| |
| required += sizeof(char*); /* trailing NULL in ptr array entry */ |
| |
| if (buflen < required) |
| return -ERANGE; |
| |
| array = (char**) buffer; /* place ptr array at beginning of buffer, under assumption buffer is aligned */ |
| p = buffer + sizeof(void*) * (n + 1); /* place member strings right after the ptr array */ |
| |
| STRV_FOREACH(m, g->members) { |
| array[i++] = p; |
| p = stpcpy(p, *m) + 1; |
| } |
| STRV_FOREACH(m, extra_members) { |
| if (strv_contains(g->members, *m)) |
| continue; |
| |
| array[i++] = p; |
| p = stpcpy(p, *m) + 1; |
| } |
| |
| assert_se(i == n); |
| array[n] = NULL; |
| |
| *gr = (struct group) { |
| .gr_name = strcpy(p, g->group_name), |
| .gr_gid = g->gid, |
| .gr_passwd = (char*) PASSWORD_SEE_SHADOW, |
| .gr_mem = array, |
| }; |
| |
| return 0; |
| } |
| |
| enum nss_status userdb_getgrnam( |
| const char *name, |
| struct group *gr, |
| char *buffer, |
| size_t buflen, |
| int *errnop) { |
| |
| _cleanup_(group_record_unrefp) GroupRecord *g = NULL; |
| _cleanup_strv_free_ char **members = NULL; |
| int r; |
| |
| assert(gr); |
| assert(errnop); |
| |
| if (_nss_systemd_is_blocked()) |
| return NSS_STATUS_NOTFOUND; |
| |
| r = groupdb_by_name(name, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &g); |
| if (r < 0 && r != -ESRCH) { |
| *errnop = -r; |
| return NSS_STATUS_UNAVAIL; |
| } |
| |
| r = membershipdb_by_group_strv(name, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &members); |
| if (r < 0 && r != -ESRCH) { |
| *errnop = -r; |
| return NSS_STATUS_UNAVAIL; |
| } |
| |
| if (!g) { |
| _unused_ _cleanup_(_nss_systemd_unblockp) bool blocked = false; |
| |
| if (strv_isempty(members)) |
| return NSS_STATUS_NOTFOUND; |
| |
| /* Grmbl, so we are supposed to extend a group entry, but the group entry itself is not |
| * accessible via non-NSS. Hence let's do what we have to do, and query NSS after all to |
| * acquire it, so that we can extend it (that's because glibc's group merging feature will |
| * merge groups only if both GID and name match and thus we need to have both first). It |
| * sucks behaving recursively likely this, but it's apparently what everybody does. We break |
| * the recursion for ourselves via the _nss_systemd_block_nss() lock. */ |
| |
| r = _nss_systemd_block(true); |
| if (r < 0) |
| return r; |
| |
| blocked = true; |
| |
| r = nss_group_record_by_name(name, false, &g); |
| if (r == -ESRCH) |
| return NSS_STATUS_NOTFOUND; |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_UNAVAIL; |
| } |
| } |
| |
| r = nss_pack_group_record(g, members, gr, buffer, buflen); |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_TRYAGAIN; |
| } |
| |
| return NSS_STATUS_SUCCESS; |
| } |
| |
| enum nss_status userdb_getgrgid( |
| gid_t gid, |
| struct group *gr, |
| char *buffer, |
| size_t buflen, |
| int *errnop) { |
| |
| |
| _cleanup_(group_record_unrefp) GroupRecord *g = NULL; |
| _cleanup_strv_free_ char **members = NULL; |
| bool from_nss; |
| int r; |
| |
| assert(gr); |
| assert(errnop); |
| |
| if (_nss_systemd_is_blocked()) |
| return NSS_STATUS_NOTFOUND; |
| |
| r = groupdb_by_gid(gid, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &g); |
| if (r < 0 && r != -ESRCH) { |
| *errnop = -r; |
| return NSS_STATUS_UNAVAIL; |
| } |
| |
| if (!g) { |
| _unused_ _cleanup_(_nss_systemd_unblockp) bool blocked = false; |
| |
| /* So, quite possibly we have to extend an existing group record with additional members. But |
| * to do this we need to know the group name first. The group didn't exist via non-NSS |
| * queries though, hence let's try to acquire it here recursively via NSS. */ |
| |
| r = _nss_systemd_block(true); |
| if (r < 0) |
| return r; |
| |
| blocked = true; |
| |
| r = nss_group_record_by_gid(gid, false, &g); |
| if (r == -ESRCH) |
| return NSS_STATUS_NOTFOUND; |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_UNAVAIL; |
| } |
| |
| from_nss = true; |
| } else |
| from_nss = false; |
| |
| r = membershipdb_by_group_strv(g->group_name, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &members); |
| if (r < 0 && r != -ESRCH) { |
| *errnop = -r; |
| return NSS_STATUS_UNAVAIL; |
| } |
| |
| /* If we acquired the record via NSS then there's no reason to respond unless we have to augment the |
| * list of members of the group */ |
| if (from_nss && strv_isempty(members)) |
| return NSS_STATUS_NOTFOUND; |
| |
| r = nss_pack_group_record(g, members, gr, buffer, buflen); |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_TRYAGAIN; |
| } |
| |
| return NSS_STATUS_SUCCESS; |
| } |
| |
| int nss_pack_group_record_shadow( |
| GroupRecord *hr, |
| struct sgrp *sgrp, |
| char *buffer, |
| size_t buflen) { |
| |
| const char *hashed; |
| size_t required; |
| |
| assert(hr); |
| assert(sgrp); |
| |
| assert(hr->group_name); |
| required = strlen(hr->group_name) + 1; |
| |
| assert_se(hashed = strv_isempty(hr->hashed_password) ? PASSWORD_LOCKED_AND_INVALID : hr->hashed_password[0]); |
| required += strlen(hashed) + 1; |
| |
| if (buflen < required) |
| return -ERANGE; |
| |
| *sgrp = (struct sgrp) { |
| .sg_namp = buffer, |
| }; |
| |
| assert(buffer); |
| |
| sgrp->sg_passwd = stpcpy(sgrp->sg_namp, hr->group_name) + 1; |
| strcpy(sgrp->sg_passwd, hashed); |
| |
| return 0; |
| } |
| |
| enum nss_status userdb_getsgnam( |
| const char *name, |
| struct sgrp *sgrp, |
| char *buffer, size_t buflen, |
| int *errnop) { |
| |
| _cleanup_(group_record_unrefp) GroupRecord *hr = NULL; |
| int r; |
| |
| assert(sgrp); |
| assert(errnop); |
| |
| if (_nss_systemd_is_blocked()) |
| return NSS_STATUS_NOTFOUND; |
| |
| r = groupdb_by_name(name, nss_glue_userdb_flags(), &hr); |
| if (r == -ESRCH) |
| return NSS_STATUS_NOTFOUND; |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_UNAVAIL; |
| } |
| |
| if (hr->incomplete) /* protected records missing? */ |
| return NSS_STATUS_NOTFOUND; |
| |
| r = nss_pack_group_record_shadow(hr, sgrp, buffer, buflen); |
| if (r < 0) { |
| *errnop = -r; |
| return NSS_STATUS_TRYAGAIN; |
| } |
| |
| return NSS_STATUS_SUCCESS; |
| } |
