1 /* Copyright (C) 1998-2004, 2006, 2007 Free Software Foundation, Inc.
2 This file is part of the GNU C Library.
3 Contributed by Thorsten Kukuk <kukuk@suse.de>, 1998.
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; if not, write to the Free
17 Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
26 #include <stdio_ext.h>
29 #include <rpc/types.h>
30 #include <sys/param.h>
32 #include <bits/libc-lock.h>
33 #include <kernel-features.h>
35 static service_user
*ni
;
36 /* Type of the lookup function. */
37 static enum nss_status (*nss_initgroups_dyn
) (const char *, gid_t
,
38 long int *, long int *,
39 gid_t
**, long int, int *);
40 static enum nss_status (*nss_getgrnam_r
) (const char *name
,
41 struct group
* grp
, char *buffer
,
42 size_t buflen
, int *errnop
);
43 static enum nss_status (*nss_getgrgid_r
) (gid_t gid
, struct group
* grp
,
44 char *buffer
, size_t buflen
,
46 static enum nss_status (*nss_getgrent_r
) (struct group
* grp
, char *buffer
,
47 size_t buflen
, int *errnop
);
49 /* Protect global state against multiple changers. */
50 __libc_lock_define_initialized (static, lock
)
53 /* Get the declaration of the parser function. */
55 #define STRUCTURE group
57 #include <nss/nss_files/files-parse.c>
59 /* Structure for remembering -group members ... */
60 #define BLACKLIST_INITIAL_SIZE 512
61 #define BLACKLIST_INCREMENT 256
73 struct blacklist_t blacklist
;
75 typedef struct ent_t ent_t
;
78 /* Positive if O_CLOEXEC is supported, negative if it is not supported,
79 zero if it is still undecided. This variable is shared with the
80 other compat functions. */
81 #ifdef __ASSUME_O_CLOEXEC
82 # define __compat_have_cloexec 1
85 extern int __compat_have_cloexec
;
87 # define __compat_have_cloexec -1
91 /* Prototypes for local functions. */
92 static void blacklist_store_name (const char *, ent_t
*);
93 static int in_blacklist (const char *, int, ent_t
*);
95 /* Initialize the NSS interface/functions. The calling function must
98 init_nss_interface (void)
100 __libc_lock_lock (lock
);
104 && __nss_database_lookup ("group_compat", NULL
, "nis", &ni
) >= 0)
106 nss_initgroups_dyn
= __nss_lookup_function (ni
, "initgroups_dyn");
107 nss_getgrnam_r
= __nss_lookup_function (ni
, "getgrnam_r");
108 nss_getgrgid_r
= __nss_lookup_function (ni
, "getgrgid_r");
109 nss_getgrent_r
= __nss_lookup_function (ni
, "getgrent_r");
112 __libc_lock_unlock (lock
);
115 static enum nss_status
116 internal_setgrent (ent_t
*ent
)
118 enum nss_status status
= NSS_STATUS_SUCCESS
;
123 init_nss_interface ();
125 if (ent
->blacklist
.data
!= NULL
)
127 ent
->blacklist
.current
= 1;
128 ent
->blacklist
.data
[0] = '|';
129 ent
->blacklist
.data
[1] = '\0';
132 ent
->blacklist
.current
= 0;
134 ent
->stream
= fopen ("/etc/group", "rme");
136 if (ent
->stream
== NULL
)
137 status
= errno
== EAGAIN
? NSS_STATUS_TRYAGAIN
: NSS_STATUS_UNAVAIL
;
140 /* We have to make sure the file is `closed on exec'. */
143 if (__compat_have_cloexec
<= 0)
146 result
= flags
= fcntl (fileno_unlocked (ent
->stream
), F_GETFD
, 0);
149 #if defined O_CLOEXEC && !defined __ASSUME_O_CLOEXEC
150 if (__compat_have_cloexec
== 0)
151 __compat_have_cloexec
= (flags
& FD_CLOEXEC
) ? 1 : -1;
153 if (__compat_have_cloexec
< 0)
157 result
= fcntl (fileno_unlocked (ent
->stream
), F_SETFD
,
165 /* Something went wrong. Close the stream and return a
167 fclose (ent
->stream
);
169 status
= NSS_STATUS_UNAVAIL
;
172 /* We take care of locking ourself. */
173 __fsetlocking (ent
->stream
, FSETLOCKING_BYCALLER
);
180 static enum nss_status
181 internal_endgrent (ent_t
*ent
)
183 if (ent
->stream
!= NULL
)
185 fclose (ent
->stream
);
189 if (ent
->blacklist
.data
!= NULL
)
191 ent
->blacklist
.current
= 1;
192 ent
->blacklist
.data
[0] = '|';
193 ent
->blacklist
.data
[1] = '\0';
196 ent
->blacklist
.current
= 0;
198 return NSS_STATUS_SUCCESS
;
201 /* This function checks, if the user is a member of this group and if
202 yes, add the group id to the list. */
204 check_and_add_group (const char *user
, gid_t group
, long int *start
,
205 long int *size
, gid_t
**groupsp
, long int limit
,
208 gid_t
*groups
= *groupsp
;
211 /* Don't add main group to list of groups. */
212 if (grp
->gr_gid
== group
)
215 for (member
= grp
->gr_mem
; *member
!= NULL
; ++member
)
216 if (strcmp (*member
, user
) == 0)
218 /* Matches user. Insert this group. */
221 /* Need a bigger buffer. */
225 if (limit
> 0 && *size
== limit
)
226 /* We reached the maximum. */
232 newsize
= MIN (limit
, 2 * *size
);
234 newgroups
= realloc (groups
, newsize
* sizeof (*groups
));
235 if (newgroups
== NULL
)
237 *groupsp
= groups
= newgroups
;
241 groups
[*start
] = grp
->gr_gid
;
248 /* Get the next group from NSS (+ entry). If the NSS module supports
249 initgroups_dyn, get all entries at once. */
250 static enum nss_status
251 getgrent_next_nss (ent_t
*ent
, char *buffer
, size_t buflen
, const char *user
,
252 gid_t group
, long int *start
, long int *size
,
253 gid_t
**groupsp
, long int limit
, int *errnop
)
255 enum nss_status status
;
258 /* if this module does not support getgrent_r and initgroups_dyn,
259 abort. We cannot find the needed group entries. */
260 if (nss_getgrent_r
== NULL
&& nss_initgroups_dyn
== NULL
)
261 return NSS_STATUS_UNAVAIL
;
263 /* Try nss_initgroups_dyn if supported. We also need getgrgid_r.
264 If this function is not supported, step through the whole group
265 database with getgrent_r. */
266 if (nss_initgroups_dyn
&& nss_getgrgid_r
)
268 long int mystart
= 0;
269 long int mysize
= limit
<= 0 ? *size
: limit
;
270 gid_t
*mygroups
= malloc (mysize
* sizeof (gid_t
));
272 if (mygroups
== NULL
)
273 return NSS_STATUS_TRYAGAIN
;
275 /* For every gid in the list we get from the NSS module,
276 get the whole group entry. We need to do this, since we
277 need the group name to check if it is in the blacklist.
278 In worst case, this is as twice as slow as stepping with
279 getgrent_r through the whole group database. But for large
280 group databases this is faster, since the user can only be
281 in a limited number of groups. */
282 if (nss_initgroups_dyn (user
, group
, &mystart
, &mysize
, &mygroups
,
283 limit
, errnop
) == NSS_STATUS_SUCCESS
)
285 /* A temporary buffer. We use the normal buffer, until we find
286 an entry, for which this buffer is to small. In this case, we
287 overwrite the pointer with one to a bigger buffer. */
288 char *tmpbuf
= buffer
;
289 size_t tmplen
= buflen
;
292 for (i
= 0; i
< mystart
; i
++)
294 while ((status
= nss_getgrgid_r (mygroups
[i
], &grpbuf
, tmpbuf
,
296 errnop
)) == NSS_STATUS_TRYAGAIN
297 && *errnop
== ERANGE
)
298 if (tmpbuf
== buffer
)
301 tmpbuf
= __alloca (tmplen
);
304 tmpbuf
= extend_alloca (tmpbuf
, tmplen
, 2 * tmplen
);
306 if (!in_blacklist (grpbuf
.gr_name
,
307 strlen (grpbuf
.gr_name
), ent
))
308 check_and_add_group (user
, group
, start
, size
, groupsp
,
314 return NSS_STATUS_NOTFOUND
;
320 /* If we come here, the NSS module does not support initgroups_dyn
321 and we have to step through the whole list ourself. */
324 if ((status
= nss_getgrent_r (&grpbuf
, buffer
, buflen
, errnop
)) !=
328 while (in_blacklist (grpbuf
.gr_name
, strlen (grpbuf
.gr_name
), ent
));
330 check_and_add_group (user
, group
, start
, size
, groupsp
, limit
, &grpbuf
);
331 return NSS_STATUS_SUCCESS
;
334 static enum nss_status
335 internal_getgrent_r (ent_t
*ent
, char *buffer
, size_t buflen
, const char *user
,
336 gid_t group
, long int *start
, long int *size
,
337 gid_t
**groupsp
, long int limit
, int *errnop
)
339 struct parser_data
*data
= (void *) buffer
;
343 return getgrent_next_nss (ent
, buffer
, buflen
, user
, group
,
344 start
, size
, groupsp
, limit
, errnop
);
354 /* We need at least 3 characters for one line. */
355 if (__builtin_expect (buflen
< 3, 0))
359 return NSS_STATUS_TRYAGAIN
;
362 fgetpos (ent
->stream
, &pos
);
363 buffer
[buflen
- 1] = '\xff';
364 p
= fgets_unlocked (buffer
, buflen
, ent
->stream
);
365 if (p
== NULL
&& feof_unlocked (ent
->stream
))
366 return NSS_STATUS_NOTFOUND
;
368 if (p
== NULL
|| __builtin_expect (buffer
[buflen
- 1] != '\xff', 0))
371 fsetpos (ent
->stream
, &pos
);
375 /* Terminate the line for any case. */
376 buffer
[buflen
- 1] = '\0';
378 /* Skip leading blanks. */
382 while (*p
== '\0' || *p
== '#' || /* Ignore empty and comment lines. */
383 /* Parse the line. If it is invalid, loop to
384 get the next line of the file to parse. */
385 !(parse_res
= _nss_files_parse_grent (p
, &grpbuf
, data
, buflen
,
388 if (__builtin_expect (parse_res
== -1, 0))
389 /* The parser ran out of space. */
392 if (grpbuf
.gr_name
[0] != '+' && grpbuf
.gr_name
[0] != '-')
393 /* This is a real entry. */
397 if (grpbuf
.gr_name
[0] == '-' && grpbuf
.gr_name
[1] != '\0'
398 && grpbuf
.gr_name
[1] != '@')
400 blacklist_store_name (&grpbuf
.gr_name
[1], ent
);
405 if (grpbuf
.gr_name
[0] == '+' && grpbuf
.gr_name
[1] != '\0'
406 && grpbuf
.gr_name
[1] != '@')
408 if (in_blacklist (&grpbuf
.gr_name
[1],
409 strlen (&grpbuf
.gr_name
[1]), ent
))
411 /* Store the group in the blacklist for the "+" at the end of
413 blacklist_store_name (&grpbuf
.gr_name
[1], ent
);
414 if (nss_getgrnam_r
== NULL
)
415 return NSS_STATUS_UNAVAIL
;
416 else if (nss_getgrnam_r (&grpbuf
.gr_name
[1], &grpbuf
, buffer
,
417 buflen
, errnop
) != NSS_STATUS_SUCCESS
)
420 check_and_add_group (user
, group
, start
, size
, groupsp
,
423 return NSS_STATUS_SUCCESS
;
427 if (grpbuf
.gr_name
[0] == '+' && grpbuf
.gr_name
[1] == '\0')
430 return getgrent_next_nss (ent
, buffer
, buflen
, user
, group
,
431 start
, size
, groupsp
, limit
, errnop
);
435 check_and_add_group (user
, group
, start
, size
, groupsp
, limit
, &grpbuf
);
437 return NSS_STATUS_SUCCESS
;
442 _nss_compat_initgroups_dyn (const char *user
, gid_t group
, long int *start
,
443 long int *size
, gid_t
**groupsp
, long int limit
,
446 size_t buflen
= sysconf (_SC_GETPW_R_SIZE_MAX
);
448 enum nss_status status
;
449 ent_t intern
= { TRUE
, NULL
, {NULL
, 0, 0} };
451 status
= internal_setgrent (&intern
);
452 if (status
!= NSS_STATUS_SUCCESS
)
455 tmpbuf
= __alloca (buflen
);
459 while ((status
= internal_getgrent_r (&intern
, tmpbuf
, buflen
,
460 user
, group
, start
, size
,
461 groupsp
, limit
, errnop
))
462 == NSS_STATUS_TRYAGAIN
&& *errnop
== ERANGE
)
463 tmpbuf
= extend_alloca (tmpbuf
, buflen
, 2 * buflen
);
465 while (status
== NSS_STATUS_SUCCESS
);
467 internal_endgrent (&intern
);
469 return NSS_STATUS_SUCCESS
;
473 /* Support routines for remembering -@netgroup and -user entries.
474 The names are stored in a single string with `|' as separator. */
476 blacklist_store_name (const char *name
, ent_t
*ent
)
478 int namelen
= strlen (name
);
481 /* First call, setup cache. */
482 if (ent
->blacklist
.size
== 0)
484 ent
->blacklist
.size
= MAX (BLACKLIST_INITIAL_SIZE
, 2 * namelen
);
485 ent
->blacklist
.data
= malloc (ent
->blacklist
.size
);
486 if (ent
->blacklist
.data
== NULL
)
488 ent
->blacklist
.data
[0] = '|';
489 ent
->blacklist
.data
[1] = '\0';
490 ent
->blacklist
.current
= 1;
494 if (in_blacklist (name
, namelen
, ent
))
495 return; /* no duplicates */
497 if (ent
->blacklist
.current
+ namelen
+ 1 >= ent
->blacklist
.size
)
499 ent
->blacklist
.size
+= MAX (BLACKLIST_INCREMENT
, 2 * namelen
);
500 tmp
= realloc (ent
->blacklist
.data
, ent
->blacklist
.size
);
503 free (ent
->blacklist
.data
);
504 ent
->blacklist
.size
= 0;
507 ent
->blacklist
.data
= tmp
;
511 tmp
= stpcpy (ent
->blacklist
.data
+ ent
->blacklist
.current
, name
);
514 ent
->blacklist
.current
+= namelen
+ 1;
519 /* returns TRUE if ent->blacklist contains name, else FALSE */
521 in_blacklist (const char *name
, int namelen
, ent_t
*ent
)
523 char buf
[namelen
+ 3];
526 if (ent
->blacklist
.data
== NULL
)
530 cp
= stpcpy (&buf
[1], name
);
533 return strstr (ent
->blacklist
.data
, buf
) != NULL
;