cbc60528c3
- libsubid: don't print error messages on stderr by default - libsubid: libsubid_init return false if out of memory - useradd: fix SUB_UID_COUNT=0 - libsubid: don't return owner in list_owner_ranges API call - libsubid: libsubid_init don't print messages on error - libsubid: fix newusers when nss provides subids - man: clarify subid delegation - libsubid: make shadow_logfd not extern
152 lines
5.7 KiB
Diff
152 lines
5.7 KiB
Diff
diff -up shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/nss.c
|
|
--- shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.772741048 +0200
|
|
+++ shadow-4.8.1/lib/nss.c 2021-05-25 09:37:14.782741188 +0200
|
|
@@ -116,14 +116,6 @@ void nss_init(char *nsswitch_path) {
|
|
subid_nss = NULL;
|
|
goto done;
|
|
}
|
|
- subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range");
|
|
- if (!subid_nss->has_any_range) {
|
|
- fprintf(shadow_logfd, "%s did not provide @has_any_range@\n", libname);
|
|
- dlclose(h);
|
|
- free(subid_nss);
|
|
- subid_nss = NULL;
|
|
- goto done;
|
|
- }
|
|
subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");
|
|
if (!subid_nss->find_subid_owners) {
|
|
fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname);
|
|
diff -up shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/prototypes.h
|
|
--- shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
|
|
+++ shadow-4.8.1/lib/prototypes.h 2021-05-25 09:37:14.782741188 +0200
|
|
@@ -279,18 +279,6 @@ extern bool nss_is_initialized();
|
|
|
|
struct subid_nss_ops {
|
|
/*
|
|
- * nss_has_any_range: does a user own any subid range
|
|
- *
|
|
- * @owner: username
|
|
- * @idtype: subuid or subgid
|
|
- * @result: true if a subid allocation was found for @owner
|
|
- *
|
|
- * returns success if the module was able to determine an answer (true or false),
|
|
- * else an error status.
|
|
- */
|
|
- enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result);
|
|
-
|
|
- /*
|
|
* nss_has_range: does a user own a given subid range
|
|
*
|
|
* @owner: username
|
|
diff -up shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.c
|
|
--- shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
|
|
+++ shadow-4.8.1/lib/subordinateio.c 2021-05-25 09:37:14.782741188 +0200
|
|
@@ -598,19 +598,8 @@ int sub_uid_open (int mode)
|
|
return commonio_open (&subordinate_uid_db, mode);
|
|
}
|
|
|
|
-bool sub_uid_assigned(const char *owner)
|
|
+bool local_sub_uid_assigned(const char *owner)
|
|
{
|
|
- struct subid_nss_ops *h;
|
|
- bool found;
|
|
- enum subid_status status;
|
|
- h = get_subid_nss_handle();
|
|
- if (h) {
|
|
- status = h->has_any_range(owner, ID_TYPE_UID, &found);
|
|
- if (status == SUBID_STATUS_SUCCESS && found)
|
|
- return true;
|
|
- return false;
|
|
- }
|
|
-
|
|
return range_exists (&subordinate_uid_db, owner);
|
|
}
|
|
|
|
@@ -720,18 +709,8 @@ bool have_sub_gids(const char *owner, gi
|
|
return have_range(&subordinate_gid_db, owner, start, count);
|
|
}
|
|
|
|
-bool sub_gid_assigned(const char *owner)
|
|
+bool local_sub_gid_assigned(const char *owner)
|
|
{
|
|
- struct subid_nss_ops *h;
|
|
- bool found;
|
|
- enum subid_status status;
|
|
- h = get_subid_nss_handle();
|
|
- if (h) {
|
|
- status = h->has_any_range(owner, ID_TYPE_GID, &found);
|
|
- if (status == SUBID_STATUS_SUCCESS && found)
|
|
- return true;
|
|
- return false;
|
|
- }
|
|
return range_exists (&subordinate_gid_db, owner);
|
|
}
|
|
|
|
diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.h
|
|
--- shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200
|
|
+++ shadow-4.8.1/lib/subordinateio.h 2021-05-25 09:37:14.782741188 +0200
|
|
@@ -16,7 +16,7 @@
|
|
extern int sub_uid_close(void);
|
|
extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
|
|
extern bool sub_uid_file_present (void);
|
|
-extern bool sub_uid_assigned(const char *owner);
|
|
+extern bool local_sub_uid_assigned(const char *owner);
|
|
extern int sub_uid_lock (void);
|
|
extern int sub_uid_setdbname (const char *filename);
|
|
extern /*@observer@*/const char *sub_uid_dbname (void);
|
|
@@ -34,7 +34,7 @@ extern void free_subordinate_ranges(stru
|
|
extern int sub_gid_close(void);
|
|
extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
|
|
extern bool sub_gid_file_present (void);
|
|
-extern bool sub_gid_assigned(const char *owner);
|
|
+extern bool local_sub_gid_assigned(const char *owner);
|
|
extern int sub_gid_lock (void);
|
|
extern int sub_gid_setdbname (const char *filename);
|
|
extern /*@observer@*/const char *sub_gid_dbname (void);
|
|
diff -up shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/src/newusers.c
|
|
--- shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.776741104 +0200
|
|
+++ shadow-4.8.1/src/newusers.c 2021-05-25 09:37:25.955897160 +0200
|
|
@@ -1021,6 +1021,24 @@ static void close_files (void)
|
|
#endif /* ENABLE_SUBIDS */
|
|
}
|
|
|
|
+static bool want_subuids(void)
|
|
+{
|
|
+ if (get_subid_nss_handle() != NULL)
|
|
+ return false;
|
|
+ if (getdef_ulong ("SUB_UID_COUNT", 65536) == 0)
|
|
+ return false;
|
|
+ return true;
|
|
+}
|
|
+
|
|
+static bool want_subgids(void)
|
|
+{
|
|
+ if (get_subid_nss_handle() != NULL)
|
|
+ return false;
|
|
+ if (getdef_ulong ("SUB_GID_COUNT", 65536) == 0)
|
|
+ return false;
|
|
+ return true;
|
|
+}
|
|
+
|
|
int main (int argc, char **argv)
|
|
{
|
|
char buf[BUFSIZ];
|
|
@@ -1250,7 +1268,7 @@ int main (int argc, char **argv)
|
|
/*
|
|
* Add subordinate uids if the user does not have them.
|
|
*/
|
|
- if (is_sub_uid && !sub_uid_assigned(fields[0])) {
|
|
+ if (is_sub_uid && want_subuids() && !local_sub_uid_assigned(fields[0])) {
|
|
uid_t sub_uid_start = 0;
|
|
unsigned long sub_uid_count = 0;
|
|
if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) {
|
|
@@ -1270,7 +1288,7 @@ int main (int argc, char **argv)
|
|
/*
|
|
* Add subordinate gids if the user does not have them.
|
|
*/
|
|
- if (is_sub_gid && !sub_gid_assigned(fields[0])) {
|
|
+ if (is_sub_gid && want_subgids() && !local_sub_gid_assigned(fields[0])) {
|
|
gid_t sub_gid_start = 0;
|
|
unsigned long sub_gid_count = 0;
|
|
if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {
|