diff options
| author | Dave Olson <olson@cumulusnetworks.com> | 2017-08-07 20:33:20 -0700 |
|---|---|---|
| committer | Dave Olson <olson@cumulusnetworks.com> | 2017-08-07 20:54:10 -0700 |
| commit | 527c42ab4e4d64650aab9d060f498ae3d34a2359 (patch) | |
| tree | c9aab39784676529895b40f0b3c5e2608f34008d | |
| parent | d80fcfbb3c55561110bf0686c87fb949f866a88c (diff) | |
| download | libnss-mapuser-527c42ab4e4d64650aab9d060f498ae3d34a2359.tar.gz libnss-mapuser-527c42ab4e4d64650aab9d060f498ae3d34a2359.zip | |
Do not use mapuser functionality with useradd,userdel,usermod
Ticket: CM-17450
Reviewed By: olson
Testing Done: ran programs with change
The useradd family will not work correctly with the mapuser/mapuid
functionality, and useradd provides no method to force creating
a user that already exists.
So check which program invoked us, using __progname (getprogname() could
also be used for non-glibc use), and return NOTFOUND immediately in that
case.
This is a major hack, but it's simple, and avoids a significant issue.
Unfortunately, the RADIUS protocol gives us no way to determine that
an account name is valid without also authenticating, and libnss plugins
do not have the ability to authenticate.
| -rw-r--r-- | nss_mapname.c | 17 | ||||
| -rw-r--r-- | nss_mapuid.c | 17 |
2 files changed, 34 insertions, 0 deletions
diff --git a/nss_mapname.c b/nss_mapname.c index ea9b7f2..9132f6e 100644 --- a/nss_mapname.c +++ b/nss_mapname.c @@ -42,6 +42,13 @@ static const char *nssname = "nss_mapuser"; /* for syslogs */ /* + * If you aren't using glibc or a variant that supports this, + * and you have a system that supports the BSD getprogname(), + * you can replace this use with getprogname() + */ +extern const char *__progname; + +/* * This is an NSS entry point. * We map any username given to the account listed in the configuration file * We only fail if we can't read the configuration file, or the username @@ -56,6 +63,16 @@ enum nss_status _nss_mapname_getpwnam_r(const char *name, struct passwd *pw, enum nss_status status = NSS_STATUS_NOTFOUND; struct pwbuf pbuf; + /* + * the useradd family will not add/mod/del users correctly with + * the mapuid functionality, so return immediately if we are + * running as part of those processes. + */ + if (__progname && (!strcmp(__progname, "useradd") || + !strcmp(__progname, "usermod") || + !strcmp(__progname, "userdel"))) + return status; + if (nss_mapuser_config(errnop, nssname) == 1) { syslog(LOG_NOTICE, "%s: bad configuration", nssname); return status; diff --git a/nss_mapuid.c b/nss_mapuid.c index 7b8faa7..f97b28e 100644 --- a/nss_mapuid.c +++ b/nss_mapuid.c @@ -53,6 +53,13 @@ static const char *nssname = "nss_mapuid"; /* for syslogs */ static const char dbdir[] = "/run/mapuser/"; /* + * If you aren't using glibc or a variant that supports this, + * and you have a system that supports the BSD getprogname(), + * you can replace this use with getprogname() + */ +extern const char *__progname; + +/* * Read the requested session file (in the dbdir by intent), verify the * uid matches, and setup the passwd structure with the username found * in the file. @@ -185,6 +192,16 @@ enum nss_status _nss_mapuid_getpwuid_r(uid_t uid, struct passwd *pw, enum nss_status status = NSS_STATUS_NOTFOUND; uint32_t session; + /* + * the useradd family will not add/mod/del users correctly with + * the mapuid functionality, so return immediately if we are + * running as part of those processes. + */ + if (__progname && (!strcmp(__progname, "useradd") || + !strcmp(__progname, "usermod") || + !strcmp(__progname, "userdel"))) + return status; + /* this can happen for permission reasons, do don't complain except * at debug */ if (nss_mapuser_config(errnop, nssname) == 1) { |