| blob | 07a3b9282c37c9dd81c3c9421f06d6b2c5e71867 |
1 /* Copyright (C) 1998-2004, 2006, 2007, 2009 Free Software Foundation, Inc.
2 This file is part of the GNU C Library.
3 Contributed by Thorsten Kukuk <kukuk@suse.de>, 1998.
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; if not, write to the Free
17 Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
18 02111-1307 USA. */
20 #include <alloca.h>
21 #include <ctype.h>
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <grp.h>
25 #include <nss.h>
26 #include <stdio_ext.h>
27 #include <string.h>
28 #include <unistd.h>
29 #include <rpc/types.h>
30 #include <sys/param.h>
31 #include <nsswitch.h>
32 #include <bits/libc-lock.h>
33 #include <kernel-features.h>
36 /* Type of the lookup function. */
51 /* Protect global state against multiple changers. */
55 /* Get the declaration of the parser function. */
56 #define ENTNAME grent
57 #define STRUCTURE group
58 #define EXTERN_PARSER
59 #include <nss/nss_files/files-parse.c>
61 /* Structure for remembering -group members ... */
62 #define BLACKLIST_INITIAL_SIZE 512
63 #define BLACKLIST_INCREMENT 256
64 struct blacklist_t
65 {
69 };
71 struct ent_t
72 {
78 };
82 /* Positive if O_CLOEXEC is supported, negative if it is not supported,
83 zero if it is still undecided. This variable is shared with the
84 other compat functions. */
85 #ifdef __ASSUME_O_CLOEXEC
86 # define __compat_have_cloexec 1
87 #else
88 # ifdef O_CLOEXEC
90 # else
91 # define __compat_have_cloexec -1
92 # endif
93 #endif
95 /* Prototypes for local functions. */
99 /* Initialize the NSS interface/functions. The calling function must
100 hold the lock. */
101 static void
103 {
106 /* Retest. */
109 {
116 }
119 }
121 static enum nss_status
123 {
132 {
136 }
137 else
144 else
145 {
146 /* We have to make sure the file is `closed on exec'. */
150 {
154 {
155 #if defined O_CLOEXEC && !defined __ASSUME_O_CLOEXEC
160 #endif
161 {
164 flags);
165 }
166 }
167 }
170 {
171 /* Something went wrong. Close the stream and return a
172 failure. */
176 }
177 else
178 /* We take care of locking ourself. */
180 }
183 }
186 static enum nss_status
188 {
190 {
193 }
196 {
200 }
201 else
208 }
210 /* Add new group record. */
211 static void
213 gid_t gid)
214 {
217 /* Matches user. Insert this group. */
219 {
220 /* Need a bigger buffer. */
225 /* We reached the maximum. */
230 else
238 }
242 }
244 /* This function checks, if the user is a member of this group and if
245 yes, add the group id to the list. Return nonzero is we couldn't
246 handle the group because the user is not in the member list. */
247 static int
251 {
254 /* Don't add main group to list of groups. */
260 {
263 }
266 }
268 /* Get the next group from NSS (+ entry). If the NSS module supports
269 initgroups_dyn, get all entries at once. */
270 static enum nss_status
274 {
278 /* Try nss_initgroups_dyn if supported. We also need getgrgid_r.
279 If this function is not supported, step through the whole group
280 database with getgrent_r. */
282 {
290 /* For every gid in the list we get from the NSS module,
291 get the whole group entry. We need to do this, since we
292 need the group name to check if it is in the blacklist.
293 In worst case, this is as twice as slow as stepping with
294 getgrent_r through the whole group database. But for large
295 group databases this is faster, since the user can only be
296 in a limited number of groups. */
299 {
300 /* If there is no blacklist we can trust the underlying
301 initgroups implementation. */
305 else
306 {
307 /* A temporary buffer. We use the normal buffer, until we find
308 an entry, for which this buffer is to small. In this case, we
309 overwrite the pointer with one to a bigger buffer. */
314 {
317 == NSS_STATUS_TRYAGAIN
320 {
323 }
324 else
328 {
330 {
333 }
339 {
341 {
344 }
348 }
349 }
350 }
351 }
356 }
359 }
361 /* If we come here, the NSS module does not support initgroups_dyn
362 or we were confronted with a split group. In these cases we have
363 to step through the whole list ourself. */
364 iter:
365 do
366 {
368 NSS_STATUS_SUCCESS)
370 }
377 }
379 static enum nss_status
383 {
392 {
397 do
398 {
399 /* We need at least 3 characters for one line. */
401 {
402 erange:
405 }
414 {
415 erange_reset:
418 }
420 /* Terminate the line for any case. */
423 /* Skip leading blanks. */
426 }
428 /* Parse the line. If it is invalid, loop to
429 get the next line of the file to parse. */
431 errnop)));
434 /* The parser ran out of space. */
438 /* This is a real entry. */
441 /* -group */
444 {
447 }
449 /* +group */
452 {
456 /* Store the group in the blacklist for the "+" at the end of
457 /etc/group */
469 }
471 /* +:... */
473 {
474 /* If the selected module does not support getgrent_r or
475 initgroups_dyn, abort. We cannot find the needed group
476 entries. */
483 {
486 }
491 }
492 }
497 }
500 enum nss_status
504 {
516 do
517 {
523 }
529 }
532 /* Support routines for remembering -@netgroup and -user entries.
533 The names are stored in a single string with `|' as separator. */
534 static void
536 {
540 /* First call, setup cache. */
542 {
550 }
551 else
552 {
557 {
561 {
565 }
567 }
568 }
576 }
578 /* returns TRUE if ent->blacklist contains name, else FALSE */
579 static bool_t
581 {
593 }