From 527c42ab4e4d64650aab9d060f498ae3d34a2359 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Mon, 7 Aug 2017 20:33:20 -0700 Subject: Do not use mapuser functionality with useradd,userdel,usermod Ticket: CM-17450 Reviewed By: olson Testing Done: ran programs with change The useradd family will not work correctly with the mapuser/mapuid functionality, and useradd provides no method to force creating a user that already exists. So check which program invoked us, using __progname (getprogname() could also be used for non-glibc use), and return NOTFOUND immediately in that case. This is a major hack, but it's simple, and avoids a significant issue. Unfortunately, the RADIUS protocol gives us no way to determine that an account name is valid without also authenticating, and libnss plugins do not have the ability to authenticate. --- nss_mapname.c | 17 +++++++++++++++++ nss_mapuid.c | 17 +++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/nss_mapname.c b/nss_mapname.c index ea9b7f2..9132f6e 100644 --- a/nss_mapname.c +++ b/nss_mapname.c @@ -41,6 +41,13 @@ static const char *nssname = "nss_mapuser"; /* for syslogs */ +/* + * If you aren't using glibc or a variant that supports this, + * and you have a system that supports the BSD getprogname(), + * you can replace this use with getprogname() + */ +extern const char *__progname; + /* * This is an NSS entry point. * We map any username given to the account listed in the configuration file @@ -56,6 +63,16 @@ enum nss_status _nss_mapname_getpwnam_r(const char *name, struct passwd *pw, enum nss_status status = NSS_STATUS_NOTFOUND; struct pwbuf pbuf; + /* + * the useradd family will not add/mod/del users correctly with + * the mapuid functionality, so return immediately if we are + * running as part of those processes. + */ + if (__progname && (!strcmp(__progname, "useradd") || + !strcmp(__progname, "usermod") || + !strcmp(__progname, "userdel"))) + return status; + if (nss_mapuser_config(errnop, nssname) == 1) { syslog(LOG_NOTICE, "%s: bad configuration", nssname); return status; diff --git a/nss_mapuid.c b/nss_mapuid.c index 7b8faa7..f97b28e 100644 --- a/nss_mapuid.c +++ b/nss_mapuid.c @@ -52,6 +52,13 @@ static const char *nssname = "nss_mapuid"; /* for syslogs */ static const char dbdir[] = "/run/mapuser/"; +/* + * If you aren't using glibc or a variant that supports this, + * and you have a system that supports the BSD getprogname(), + * you can replace this use with getprogname() + */ +extern const char *__progname; + /* * Read the requested session file (in the dbdir by intent), verify the * uid matches, and setup the passwd structure with the username found @@ -185,6 +192,16 @@ enum nss_status _nss_mapuid_getpwuid_r(uid_t uid, struct passwd *pw, enum nss_status status = NSS_STATUS_NOTFOUND; uint32_t session; + /* + * the useradd family will not add/mod/del users correctly with + * the mapuid functionality, so return immediately if we are + * running as part of those processes. + */ + if (__progname && (!strcmp(__progname, "useradd") || + !strcmp(__progname, "usermod") || + !strcmp(__progname, "userdel"))) + return status; + /* this can happen for permission reasons, do don't complain except * at debug */ if (nss_mapuser_config(errnop, nssname) == 1) { -- cgit v1.2.3