From 527c42ab4e4d64650aab9d060f498ae3d34a2359 Mon Sep 17 00:00:00 2001
From: Dave Olson
Date: Mon, 7 Aug 2017 20:33:20 -0700
Subject: Do not use mapuser functionality with useradd,userdel,usermod

Ticket: CM-17450
Reviewed By: olson
Testing Done: ran programs with change

The useradd family will not work correctly with the mapuser/mapuid functionality, and useradd provides no method to force creating a user that already exists. So check which program invoked us, using __progname (getprogname() could also be used for non-glibc use), and return NOTFOUND immediately in that case.

This is a major hack, but it's simple, and avoids a significant issue.

Unfortunately, the RADIUS protocol gives us no way to determine that an account name is valid without also authenticating, and libnss plugins do not have the ability to authenticate.
---
 nss_mapname.c | 17 +++++++++++++++++
 nss_mapuid.c  | 17 +++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/nss_mapname.c b/nss_mapname.c
index ea9b7f2..9132f6e 100644
--- a/nss_mapname.c
+++ b/nss_mapname.c
@@ -41,6 +41,13 @@
 static const char *nssname = "nss_mapuser"; /* for syslogs */
 
+/*
+ * If you aren't using glibc or a variant that supports this,
+ * and you have a system that supports the BSD getprogname(),
+ * you can replace this use with getprogname()
+ */
+extern const char *__progname;
+
 /*
  * This is an NSS entry point.
  * We map any username given to the account listed in the configuration file
@@ -56,6 +63,16 @@ enum nss_status _nss_mapname_getpwnam_r(const char *name, struct passwd *pw,
     enum nss_status status = NSS_STATUS_NOTFOUND;
     struct pwbuf pbuf;
 
+    /*
+     * the useradd family will not add/mod/del users correctly with
+     * the mapuid functionality, so return immediately if we are
+     * running as part of those processes.
+     */
+    if (__progname && (!strcmp(__progname, "useradd") ||
+                       !strcmp(__progname, "usermod") ||
+                       !strcmp(__progname, "userdel")))
+        return status;
+
     if (nss_mapuser_config(errnop, nssname) == 1) {
         syslog(LOG_NOTICE, "%s: bad configuration", nssname);
         return status;
diff --git a/nss_mapuid.c b/nss_mapuid.c
index 7b8faa7..f97b28e 100644
--- a/nss_mapuid.c
+++ b/nss_mapuid.c
@@ -52,6 +52,13 @@
 static const char *nssname = "nss_mapuid"; /* for syslogs */
 static const char dbdir[] = "/run/mapuser/";
 
+/*
+ * If you aren't using glibc or a variant that supports this,
+ * and you have a system that supports the BSD getprogname(),
+ * you can replace this use with getprogname()
+ */
+extern const char *__progname;
+
 /*
  * Read the requested session file (in the dbdir by intent), verify the
  * uid matches, and setup the passwd structure with the username found
@@ -185,6 +192,16 @@ enum nss_status _nss_mapuid_getpwuid_r(uid_t uid, struct passwd *pw,
     enum nss_status status = NSS_STATUS_NOTFOUND;
     uint32_t session;
 
+    /*
+     * the useradd family will not add/mod/del users correctly with
+     * the mapuid functionality, so return immediately if we are
+     * running as part of those processes.
+     */
+    if (__progname && (!strcmp(__progname, "useradd") ||
+                       !strcmp(__progname, "usermod") ||
+                       !strcmp(__progname, "userdel")))
+        return status;
+
     /* this can happen for permission reasons, do don't complain except
      * at debug */
     if (nss_mapuser_config(errnop, nssname) == 1) {
-- cgit v1.2.3

From 1871475c4a3101aa8136362923f0d3ecdc7bb171 Mon Sep 17 00:00:00 2001
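Review bot: The early return added ahead of the nss_mapuser_config() call keys on `__progname`, which is the short name glibc derives from the argv[0] the parent passed to exec, so it is a best-effort heuristic rather than an identification of the caller: a useradd started under another name is still mapped, while any process that happens to carry one of these three names silently opts out of mapping. The outcome is fail-closed (NOTFOUND, no mapping), but because the return precedes every log statement an operator has no trace that a lookup was suppressed on this basis; a debug-level syslog (or whatever debug facility the module already uses) before `return status;` would keep that visible. The same nine-line block is repeated verbatim in the _nss_mapuid_getpwuid_r hunk at line 185 of nss_mapuid.c, so a small shared helper alongside nss_mapuser_config() would keep the two name lists from drifting apart. _nss_mapname_getpwnam_r begins and ends outside this hunk.
```c
/* True when the current process is useradd/usermod/userdel, which cannot
 * add/modify/delete accounts correctly while name/uid mapping is active. */
static int in_useradd_family(void)
{
    static const char *const skip[] = { "useradd", "usermod", "userdel" };

    if (!__progname)
        return 0;
    for (size_t i = 0; i < sizeof skip / sizeof skip[0]; i++) {
        if (strcmp(__progname, skip[i]) == 0)
            return 1;
    }
    return 0;
}

/* … unchanged: _nss_mapname_getpwnam_r prologue … */
    if (in_useradd_family()) {
        syslog(LOG_DEBUG, "%s: not mapping lookups inside %s", nssname, __progname);
        return status;
    }
```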
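Review bot: `extern const char *__progname;` in the nss_mapuid.c hunk at line 52 (and the identical declaration added to nss_mapname.c at line 41) names an identifier that is reserved for the implementation and is not part of glibc's public interface; the documented glibc spelling of the same value is `program_invocation_short_name` from `<errno.h>` under `_GNU_SOURCE`, which makes the dependency explicit and drops the hand-written extern. If the extern is kept, the `const char *` type should be confirmed against the C library's own definition of the object, since a mismatched declaration across translation units is undefined behaviour even when it happens to work. The comment above it should also say what the value is used for, e.g. `/* short program name (basename of argv[0]); checked in _nss_mapuid_getpwuid_r to skip mapping inside useradd/usermod/userdel */`.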
From: Dave Olson
Date: Wed, 17 Jan 2018 12:51:06 -0800
Subject: Added daemon and nobody to exclude_users list

Ticket: CM-19469
Reviewed By: nobody
Testing Done: ran with change.

Similar to the change for tacacs, but this already had snmp. Added quagga as well, for users that haven't completed the transition from quagga to frr.

Bumped changelog and documented
---
 debian/changelog | 6 ++++++
 nss_mapuser.conf | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 061d0a0..7b60a63 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libnss-mapuser (1.0.0-cl3u2) RELEASED; urgency=low
+
+  * Added more system accounts to exclude_users: daemon, quagga,
+
+ -- dev-support Wed, 17 Jan 2018 12:55:08 -0800
+
 libnss-mapuser (1.0.0-cl3u1) RELEASED; urgency=low
 
   * Initial version to do successful NSS lookups on any username,
diff --git a/nss_mapuser.conf b/nss_mapuser.conf
index 9ead5bb..5adf5e8 100644
--- a/nss_mapuser.conf
+++ b/nss_mapuser.conf
@@ -27,7 +27,7 @@ min_uid=1001
 # that during pathname completion, bash can do an NSS lookup on "*"
 # To avoid server round trip delays, or worse, unreachable server delays
 # on filename completion, we include "*" in the exclusion list.
-exclude_users=root,cron,cumulus,frr,man,ntp,radius_user,sshd,snmp,nobody,*
+exclude_users=root,daemon,cron,cumulus,quagga,frr,man,ntp,radius_user,sshd,snmp,nobody,*
 
 # Map all usernames to the radius_user account (use the uid, gid, shell, and
 # base of the home directory from the cumulus entry in /etc/passwd).
-- cgit v1.2.3
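Review bot: The new exclude_users line adds daemon and quagga, but the subject line says daemon and nobody, and nobody is already present on the removed line; the changelog entry in the same commit also stops at a dangling comma after quagga. Since exclude_users appears to be the set of local account names the mapping must leave untouched, the commit record and the list should name the same accounts so the protected set can be audited later; the subject would be accurate as `Added daemon and quagga to exclude_users list` and the changelog entry should be completed to match. Keeping the system accounts grouped in a stable order on that line would also make future additions easier to review.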