/*
- * Copyright (c) 1996, 1998-2005, 2007-2011
+ * Copyright (c) 1996, 1998-2005, 2007-2013
* Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
#include <config.h>
#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
#include "sudoers.h"
#include "redblack.h"
+#include "pwutil.h"
/*
* The passwd and group caches.
*/
static struct rbtree *pwcache_byuid, *pwcache_byname;
static struct rbtree *grcache_bygid, *grcache_byname;
+static struct rbtree *grlist_cache;
static int cmp_pwuid(const void *, const void *);
static int cmp_pwnam(const void *, const void *);
#define cmp_grnam cmp_pwnam
-#define ptr_to_item(p) ((struct cache_item *)((char *)(p) - sizeof(struct cache_item)))
-
-struct cache_item {
- unsigned int refcnt;
- /* key */
- union {
- uid_t uid;
- gid_t gid;
- char *name;
- } k;
- /* datum */
- union {
- struct passwd *pw;
- struct group *gr;
- } d;
-};
-
/*
* Compare by uid.
*/
return strcmp(ci1->k.name, ci2->k.name);
}
-#define FIELD_SIZE(src, name, size) \
-do { \
- if (src->name) { \
- size = strlen(src->name) + 1; \
- total += size; \
- } \
-} while (0)
-
-#define FIELD_COPY(src, dst, name, size) \
-do { \
- if (src->name) { \
- memcpy(cp, src->name, size); \
- dst->name = cp; \
- cp += size; \
- } \
-} while (0)
-
-/*
- * Dynamically allocate space for a struct item plus the key and data
- * elements. If name is non-NULL it is used as the key, else the
- * uid is the key. Fills in datum from struct password.
- *
- * We would like to fill in the encrypted password too but the
- * call to the shadow function could overwrite the pw buffer (NIS).
- */
-static struct cache_item *
-make_pwitem(const struct passwd *pw, const char *name)
-{
- char *cp;
- const char *pw_shell;
- size_t nsize, psize, csize, gsize, dsize, ssize, total;
- struct cache_item *item;
- struct passwd *newpw;
-
- /* If shell field is empty, expand to _PATH_BSHELL. */
- pw_shell = (pw->pw_shell == NULL || pw->pw_shell[0] == '\0')
- ? _PATH_BSHELL : pw->pw_shell;
-
- /* Allocate in one big chunk for easy freeing. */
- nsize = psize = csize = gsize = dsize = ssize = 0;
- total = sizeof(struct cache_item) + sizeof(struct passwd);
- FIELD_SIZE(pw, pw_name, nsize);
- FIELD_SIZE(pw, pw_passwd, psize);
-#ifdef HAVE_LOGIN_CAP_H
- FIELD_SIZE(pw, pw_class, csize);
-#endif
- FIELD_SIZE(pw, pw_gecos, gsize);
- FIELD_SIZE(pw, pw_dir, dsize);
- /* Treat shell specially since we expand "" -> _PATH_BSHELL */
- ssize = strlen(pw_shell) + 1;
- total += ssize;
- if (name != NULL)
- total += strlen(name) + 1;
-
- /* Allocate space for struct item, struct passwd and the strings. */
- if ((item = malloc(total)) == NULL)
- return NULL;
- cp = (char *) item + sizeof(struct cache_item);
-
- /*
- * Copy in passwd contents and make strings relative to space
- * at the end of the buffer.
- */
- newpw = (struct passwd *) cp;
- memcpy(newpw, pw, sizeof(struct passwd));
- cp += sizeof(struct passwd);
- FIELD_COPY(pw, newpw, pw_name, nsize);
- FIELD_COPY(pw, newpw, pw_passwd, psize);
-#ifdef HAVE_LOGIN_CAP_H
- FIELD_COPY(pw, newpw, pw_class, csize);
-#endif
- FIELD_COPY(pw, newpw, pw_gecos, gsize);
- FIELD_COPY(pw, newpw, pw_dir, dsize);
- /* Treat shell specially since we expand "" -> _PATH_BSHELL */
- memcpy(cp, pw_shell, ssize);
- newpw->pw_shell = cp;
- cp += ssize;
-
- /* Set key and datum. */
- if (name != NULL) {
- memcpy(cp, name, strlen(name) + 1);
- item->k.name = cp;
- } else {
- item->k.uid = pw->pw_uid;
- }
- item->d.pw = newpw;
- item->refcnt = 1;
-
- return item;
-}
-
void
-pw_addref(struct passwd *pw)
+sudo_pw_addref(struct passwd *pw)
{
+ debug_decl(sudo_pw_addref, SUDO_DEBUG_NSS)
ptr_to_item(pw)->refcnt++;
+ debug_return;
}
static void
-pw_delref_item(void *v)
+sudo_pw_delref_item(void *v)
{
struct cache_item *item = v;
+ debug_decl(sudo_pw_delref_item, SUDO_DEBUG_NSS)
if (--item->refcnt == 0)
efree(item);
+
+ debug_return;
}
void
-pw_delref(struct passwd *pw)
+sudo_pw_delref(struct passwd *pw)
{
- pw_delref_item(ptr_to_item(pw));
+ debug_decl(sudo_pw_delref, SUDO_DEBUG_NSS)
+ sudo_pw_delref_item(ptr_to_item(pw));
+ debug_return;
}
/*
* Get a password entry by uid and allocate space for it.
- * Fills in pw_passwd from shadow file if necessary.
*/
struct passwd *
sudo_getpwuid(uid_t uid)
{
struct cache_item key, *item;
struct rbnode *node;
+ debug_decl(sudo_getpwuid, SUDO_DEBUG_NSS)
key.k.uid = uid;
if ((node = rbfind(pwcache_byuid, &key)) != NULL) {
#ifdef HAVE_SETAUTHDB
aix_setauthdb(IDtouser(uid));
#endif
- if ((key.d.pw = getpwuid(uid)) != NULL) {
- item = make_pwitem(key.d.pw, NULL);
- if (rbinsert(pwcache_byuid, item) != NULL)
- errorx(1, "unable to cache uid %u (%s), already exists",
- (unsigned int) uid, item->d.pw->pw_name);
- } else {
- item = emalloc(sizeof(*item));
+ item = sudo_make_pwitem(uid, NULL);
+ if (item == NULL) {
+ item = ecalloc(1, sizeof(*item));
item->refcnt = 1;
item->k.uid = uid;
- item->d.pw = NULL;
- if (rbinsert(pwcache_byuid, item) != NULL)
- errorx(1, "unable to cache uid %u, already exists",
- (unsigned int) uid);
+ /* item->d.pw = NULL; */
}
+ if (rbinsert(pwcache_byuid, item) != NULL)
+ fatalx(_("unable to cache uid %u, already exists"),
+ (unsigned int) uid);
#ifdef HAVE_SETAUTHDB
aix_restoreauthdb();
#endif
done:
item->refcnt++;
- return item->d.pw;
+ debug_return_ptr(item->d.pw);
}
/*
* Get a password entry by name and allocate space for it.
- * Fills in pw_passwd from shadow file if necessary.
*/
struct passwd *
sudo_getpwnam(const char *name)
struct cache_item key, *item;
struct rbnode *node;
size_t len;
+ debug_decl(sudo_getpwnam, SUDO_DEBUG_NSS)
key.k.name = (char *) name;
if ((node = rbfind(pwcache_byname, &key)) != NULL) {
#ifdef HAVE_SETAUTHDB
aix_setauthdb((char *) name);
#endif
- if ((key.d.pw = getpwnam(name)) != NULL) {
- item = make_pwitem(key.d.pw, name);
- if (rbinsert(pwcache_byname, item) != NULL)
- errorx(1, "unable to cache user %s, already exists", name);
- } else {
+ item = sudo_make_pwitem((uid_t)-1, name);
+ if (item == NULL) {
len = strlen(name) + 1;
- item = emalloc(sizeof(*item) + len);
+ item = ecalloc(1, sizeof(*item) + len);
item->refcnt = 1;
item->k.name = (char *) item + sizeof(*item);
memcpy(item->k.name, name, len);
- item->d.pw = NULL;
- if (rbinsert(pwcache_byname, item) != NULL)
- errorx(1, "unable to cache user %s, already exists", name);
+ /* item->d.pw = NULL; */
}
+ if (rbinsert(pwcache_byname, item) != NULL)
+ fatalx(_("unable to cache user %s, already exists"), name);
#ifdef HAVE_SETAUTHDB
aix_restoreauthdb();
#endif
done:
item->refcnt++;
- return item->d.pw;
+ debug_return_ptr(item->d.pw);
}
/*
- * Take a uid in string form "#123" and return a faked up passwd struct.
+ * Take a user, uid, gid, home and shell and return a faked up passwd struct.
+ * If home or shell are NULL default values will be used.
*/
struct passwd *
-sudo_fakepwnam(const char *user, gid_t gid)
+sudo_mkpwent(const char *user, uid_t uid, gid_t gid, const char *home,
+ const char *shell)
{
- struct cache_item *item;
+ struct cache_item_pw *pwitem;
struct passwd *pw;
struct rbnode *node;
- size_t len, namelen;
+ size_t len, name_len, home_len, shell_len;
int i;
-
- namelen = strlen(user);
- len = sizeof(*item) + sizeof(*pw) + namelen + 1 /* pw_name */ +
+ debug_decl(sudo_mkpwent, SUDO_DEBUG_NSS)
+
+ /* Optional arguments. */
+ if (home == NULL)
+ home = "/";
+ if (shell == NULL)
+ shell = _PATH_BSHELL;
+
+ name_len = strlen(user);
+ home_len = strlen(home);
+ shell_len = strlen(shell);
+ len = sizeof(*pwitem) + name_len + 1 /* pw_name */ +
sizeof("*") /* pw_passwd */ + sizeof("") /* pw_gecos */ +
- sizeof("/") /* pw_dir */ + sizeof(_PATH_BSHELL);
+ home_len + 1 /* pw_dir */ + shell_len + 1 /* pw_shell */;
for (i = 0; i < 2; i++) {
- item = emalloc(len);
- zero_bytes(item, sizeof(*item) + sizeof(*pw));
- pw = (struct passwd *) ((char *)item + sizeof(*item));
- pw->pw_uid = (uid_t) atoi(user + 1);
+ pwitem = ecalloc(1, len);
+ pw = &pwitem->pw;
+ pw->pw_uid = uid;
pw->pw_gid = gid;
- pw->pw_name = (char *)pw + sizeof(struct passwd);
- memcpy(pw->pw_name, user, namelen + 1);
- pw->pw_passwd = pw->pw_name + namelen + 1;
+ pw->pw_name = (char *)(pwitem + 1);
+ memcpy(pw->pw_name, user, name_len + 1);
+ pw->pw_passwd = pw->pw_name + name_len + 1;
memcpy(pw->pw_passwd, "*", 2);
pw->pw_gecos = pw->pw_passwd + 2;
pw->pw_gecos[0] = '\0';
pw->pw_dir = pw->pw_gecos + 1;
- memcpy(pw->pw_dir, "/", 2);
- pw->pw_shell = pw->pw_dir + 2;
- memcpy(pw->pw_shell, _PATH_BSHELL, sizeof(_PATH_BSHELL));
+ memcpy(pw->pw_dir, home, home_len + 1);
+ pw->pw_shell = pw->pw_dir + home_len + 1;
+ memcpy(pw->pw_shell, shell, shell_len + 1);
- item->refcnt = 1;
- item->d.pw = pw;
+ pwitem->cache.refcnt = 1;
+ pwitem->cache.d.pw = pw;
if (i == 0) {
- /* Store by uid, overwriting cached version. */
- item->k.uid = pw->pw_uid;
- if ((node = rbinsert(pwcache_byuid, item)) != NULL) {
- pw_delref_item(node->data);
- node->data = item;
+ /* Store by uid if it doesn't already exist. */
+ pwitem->cache.k.uid = pw->pw_uid;
+ if ((node = rbinsert(pwcache_byuid, &pwitem->cache)) != NULL) {
+ /* Already exists, free the item we created. */
+ efree(pwitem);
+ pwitem = (struct cache_item_pw *) node->data;
}
} else {
- /* Store by name, overwriting cached version. */
- item->k.name = pw->pw_name;
- if ((node = rbinsert(pwcache_byname, item)) != NULL) {
- pw_delref_item(node->data);
- node->data = item;
+ /* Store by name if it doesn't already exist. */
+ pwitem->cache.k.name = pw->pw_name;
+ if ((node = rbinsert(pwcache_byname, &pwitem->cache)) != NULL) {
+ /* Already exists, free the item we created. */
+ efree(pwitem);
+ pwitem = (struct cache_item_pw *) node->data;
}
}
}
- item->refcnt++;
- return pw;
+ pwitem->cache.refcnt++;
+ debug_return_ptr(&pwitem->pw);
+}
+
+/*
+ * Take a uid in string form "#123" and return a faked up passwd struct.
+ */
+struct passwd *
+sudo_fakepwnam(const char *user, gid_t gid)
+{
+ uid_t uid;
+
+ uid = (uid_t) atoi(user + 1);
+ return sudo_mkpwent(user, uid, gid, NULL, NULL);
}
void
sudo_setpwent(void)
{
+ debug_decl(sudo_setpwent, SUDO_DEBUG_NSS)
+
setpwent();
if (pwcache_byuid == NULL)
pwcache_byuid = rbcreate(cmp_pwuid);
if (pwcache_byname == NULL)
pwcache_byname = rbcreate(cmp_pwnam);
+
+ debug_return;
}
void
sudo_freepwcache(void)
{
+ debug_decl(sudo_freepwcache, SUDO_DEBUG_NSS)
+
if (pwcache_byuid != NULL) {
- rbdestroy(pwcache_byuid, pw_delref_item);
+ rbdestroy(pwcache_byuid, sudo_pw_delref_item);
pwcache_byuid = NULL;
}
if (pwcache_byname != NULL) {
- rbdestroy(pwcache_byname, pw_delref_item);
+ rbdestroy(pwcache_byname, sudo_pw_delref_item);
pwcache_byname = NULL;
}
+
+ debug_return;
}
void
sudo_endpwent(void)
{
+ debug_decl(sudo_endpwent, SUDO_DEBUG_NSS)
+
endpwent();
sudo_freepwcache();
+
+ debug_return;
}
/*
return ci1->k.gid - ci2->k.gid;
}
-/*
- * Dynamically allocate space for a struct item plus the key and data
- * elements. If name is non-NULL it is used as the key, else the
- * gid is the key. Fills in datum from struct group.
- */
-struct cache_item *
-make_gritem(const struct group *gr, const char *name)
-{
- char *cp;
- size_t nsize, psize, nmem, total, len;
- struct cache_item *item;
- struct group *newgr;
-
- /* Allocate in one big chunk for easy freeing. */
- nsize = psize = nmem = 0;
- total = sizeof(struct cache_item) + sizeof(struct group);
- FIELD_SIZE(gr, gr_name, nsize);
- FIELD_SIZE(gr, gr_passwd, psize);
- if (gr->gr_mem) {
- for (nmem = 0; gr->gr_mem[nmem] != NULL; nmem++)
- total += strlen(gr->gr_mem[nmem]) + 1;
- nmem++;
- total += sizeof(char *) * nmem;
- }
- if (name != NULL)
- total += strlen(name) + 1;
-
- if ((item = malloc(total)) == NULL)
- return NULL;
- cp = (char *) item + sizeof(struct cache_item);
-
- /*
- * Copy in group contents and make strings relative to space
- * at the end of the buffer. Note that gr_mem must come
- * immediately after struct group to guarantee proper alignment.
- */
- newgr = (struct group *)cp;
- memcpy(newgr, gr, sizeof(struct group));
- cp += sizeof(struct group);
- if (gr->gr_mem) {
- newgr->gr_mem = (char **)cp;
- cp += sizeof(char *) * nmem;
- for (nmem = 0; gr->gr_mem[nmem] != NULL; nmem++) {
- len = strlen(gr->gr_mem[nmem]) + 1;
- memcpy(cp, gr->gr_mem[nmem], len);
- newgr->gr_mem[nmem] = cp;
- cp += len;
- }
- newgr->gr_mem[nmem] = NULL;
- }
- FIELD_COPY(gr, newgr, gr_passwd, psize);
- FIELD_COPY(gr, newgr, gr_name, nsize);
-
- /* Set key and datum. */
- if (name != NULL) {
- memcpy(cp, name, strlen(name) + 1);
- item->k.name = cp;
- } else {
- item->k.gid = gr->gr_gid;
- }
- item->d.gr = newgr;
- item->refcnt = 1;
-
- return item;
-}
-
void
-gr_addref(struct group *gr)
+sudo_gr_addref(struct group *gr)
{
+ debug_decl(sudo_gr_addref, SUDO_DEBUG_NSS)
ptr_to_item(gr)->refcnt++;
+ debug_return;
}
static void
-gr_delref_item(void *v)
+sudo_gr_delref_item(void *v)
{
struct cache_item *item = v;
+ debug_decl(sudo_gr_delref_item, SUDO_DEBUG_NSS)
if (--item->refcnt == 0)
efree(item);
+
+ debug_return;
}
void
-gr_delref(struct group *gr)
+sudo_gr_delref(struct group *gr)
{
- gr_delref_item(ptr_to_item(gr));
+ debug_decl(sudo_gr_delref, SUDO_DEBUG_NSS)
+ sudo_gr_delref_item(ptr_to_item(gr));
+ debug_return;
}
/*
{
struct cache_item key, *item;
struct rbnode *node;
+ debug_decl(sudo_getgrgid, SUDO_DEBUG_NSS)
key.k.gid = gid;
if ((node = rbfind(grcache_bygid, &key)) != NULL) {
/*
* Cache group db entry if it exists or a negative response if not.
*/
- if ((key.d.gr = getgrgid(gid)) != NULL) {
- item = make_gritem(key.d.gr, NULL);
- if (rbinsert(grcache_bygid, item) != NULL)
- errorx(1, "unable to cache gid %u (%s), already exists",
- (unsigned int) gid, key.d.gr->gr_name);
- } else {
- item = emalloc(sizeof(*item));
+ item = sudo_make_gritem(gid, NULL);
+ if (item == NULL) {
+ item = ecalloc(1, sizeof(*item));
item->refcnt = 1;
item->k.gid = gid;
- item->d.gr = NULL;
- if (rbinsert(grcache_bygid, item) != NULL)
- errorx(1, "unable to cache gid %u, already exists",
- (unsigned int) gid);
+ /* item->d.gr = NULL; */
}
+ if (rbinsert(grcache_bygid, item) != NULL)
+ fatalx(_("unable to cache gid %u, already exists"),
+ (unsigned int) gid);
done:
item->refcnt++;
- return item->d.gr;
+ debug_return_ptr(item->d.gr);
}
/*
struct cache_item key, *item;
struct rbnode *node;
size_t len;
+ debug_decl(sudo_getgrnam, SUDO_DEBUG_NSS)
key.k.name = (char *) name;
if ((node = rbfind(grcache_byname, &key)) != NULL) {
/*
* Cache group db entry if it exists or a negative response if not.
*/
- if ((key.d.gr = getgrnam(name)) != NULL) {
- item = make_gritem(key.d.gr, name);
- if (rbinsert(grcache_byname, item) != NULL)
- errorx(1, "unable to cache group %s, already exists", name);
- } else {
+ item = sudo_make_gritem((gid_t)-1, name);
+ if (item == NULL) {
len = strlen(name) + 1;
- item = emalloc(sizeof(*item) + len);
+ item = ecalloc(1, sizeof(*item) + len);
item->refcnt = 1;
item->k.name = (char *) item + sizeof(*item);
memcpy(item->k.name, name, len);
- item->d.gr = NULL;
- if (rbinsert(grcache_byname, item) != NULL)
- errorx(1, "unable to cache group %s, already exists", name);
+ /* item->d.gr = NULL; */
}
+ if (rbinsert(grcache_byname, item) != NULL)
+ fatalx(_("unable to cache group %s, already exists"), name);
done:
item->refcnt++;
- return item->d.gr;
+ debug_return_ptr(item->d.gr);
}
/*
struct group *
sudo_fakegrnam(const char *group)
{
- struct cache_item *item;
+ struct cache_item_gr *gritem;
struct group *gr;
struct rbnode *node;
- size_t len, namelen;
+ size_t len, name_len;
int i;
+ debug_decl(sudo_fakegrnam, SUDO_DEBUG_NSS)
- namelen = strlen(group);
- len = sizeof(*item) + sizeof(*gr) + namelen + 1;
+ name_len = strlen(group);
+ len = sizeof(*gritem) + name_len + 1;
for (i = 0; i < 2; i++) {
- item = emalloc(len);
- zero_bytes(item, sizeof(*item) + sizeof(*gr));
- gr = (struct group *) ((char *)item + sizeof(*item));
+ gritem = ecalloc(1, len);
+ gr = &gritem->gr;
gr->gr_gid = (gid_t) atoi(group + 1);
- gr->gr_name = (char *)gr + sizeof(struct group);
- memcpy(gr->gr_name, group, namelen + 1);
+ gr->gr_name = (char *)(gritem + 1);
+ memcpy(gr->gr_name, group, name_len + 1);
- item->refcnt = 1;
- item->d.gr = gr;
+ gritem->cache.refcnt = 1;
+ gritem->cache.d.gr = gr;
if (i == 0) {
- /* Store by gid, overwriting cached version. */
- item->k.gid = gr->gr_gid;
- if ((node = rbinsert(grcache_bygid, item)) != NULL) {
- gr_delref_item(node->data);
- node->data = item;
+ /* Store by gid if it doesn't already exist. */
+ gritem->cache.k.gid = gr->gr_gid;
+ if ((node = rbinsert(grcache_bygid, &gritem->cache)) != NULL) {
+ /* Already exists, free the item we created. */
+ efree(gritem);
+ gritem = (struct cache_item_gr *) node->data;
}
} else {
/* Store by name, overwriting cached version. */
- item->k.name = gr->gr_name;
- if ((node = rbinsert(grcache_byname, item)) != NULL) {
- gr_delref_item(node->data);
- node->data = item;
+ gritem->cache.k.name = gr->gr_name;
+ if ((node = rbinsert(grcache_byname, &gritem->cache)) != NULL) {
+ /* Already exists, free the item we created. */
+ efree(gritem);
+ gritem = (struct cache_item_gr *) node->data;
}
}
}
- item->refcnt++;
- return gr;
+ gritem->cache.refcnt++;
+ debug_return_ptr(&gritem->gr);
+}
+
+void
+sudo_grlist_addref(struct group_list *grlist)
+{
+ debug_decl(sudo_gr_addref, SUDO_DEBUG_NSS)
+ ptr_to_item(grlist)->refcnt++;
+ debug_return;
+}
+
+static void
+sudo_grlist_delref_item(void *v)
+{
+ struct cache_item *item = v;
+ debug_decl(sudo_gr_delref_item, SUDO_DEBUG_NSS)
+
+ if (--item->refcnt == 0)
+ efree(item);
+
+ debug_return;
+}
+
+void
+sudo_grlist_delref(struct group_list *grlist)
+{
+ debug_decl(sudo_gr_delref, SUDO_DEBUG_NSS)
+ sudo_grlist_delref_item(ptr_to_item(grlist));
+ debug_return;
}
void
sudo_setgrent(void)
{
+ debug_decl(sudo_setgrent, SUDO_DEBUG_NSS)
+
setgrent();
if (grcache_bygid == NULL)
grcache_bygid = rbcreate(cmp_grgid);
if (grcache_byname == NULL)
grcache_byname = rbcreate(cmp_grnam);
+ if (grlist_cache == NULL)
+ grlist_cache = rbcreate(cmp_grnam);
+
+ debug_return;
}
void
sudo_freegrcache(void)
{
+ debug_decl(sudo_freegrcache, SUDO_DEBUG_NSS)
+
if (grcache_bygid != NULL) {
- rbdestroy(grcache_bygid, gr_delref_item);
+ rbdestroy(grcache_bygid, sudo_gr_delref_item);
grcache_bygid = NULL;
}
if (grcache_byname != NULL) {
- rbdestroy(grcache_byname, gr_delref_item);
+ rbdestroy(grcache_byname, sudo_gr_delref_item);
grcache_byname = NULL;
}
+ if (grlist_cache != NULL) {
+ rbdestroy(grlist_cache, sudo_grlist_delref_item);
+ grlist_cache = NULL;
+ }
+
+ debug_return;
}
void
sudo_endgrent(void)
{
+ debug_decl(sudo_endgrent, SUDO_DEBUG_NSS)
+
endgrent();
sudo_freegrcache();
+
+ debug_return;
}
-int
-user_in_group(struct passwd *pw, const char *group)
+struct group_list *
+sudo_get_grlist(struct passwd *pw)
{
-#ifdef HAVE_MBR_CHECK_MEMBERSHIP
- uuid_t gu, uu;
- int ismember;
-#else
- char **gr_mem;
- int i;
-#endif
- struct group *grp;
- int retval = FALSE;
-
-#ifdef HAVE_SETAUTHDB
- aix_setauthdb(pw->pw_name);
-#endif
- /* A group name that begins with a '#' may be a gid. */
- if ((grp = sudo_getgrnam(group)) == NULL && *group == '#')
- grp = sudo_getgrgid(atoi(group + 1));
-#ifdef HAVE_SETAUTHDB
- aix_restoreauthdb();
-#endif
- if (grp == NULL)
- goto done;
+ struct cache_item key, *item;
+ struct rbnode *node;
+ size_t len;
+ debug_decl(sudo_get_grlist, SUDO_DEBUG_NSS)
- /* check against user's primary (passwd file) gid */
- if (grp->gr_gid == pw->pw_gid) {
- retval = TRUE;
+ key.k.name = pw->pw_name;
+ if ((node = rbfind(grlist_cache, &key)) != NULL) {
+ item = (struct cache_item *) node->data;
goto done;
}
-
-#ifdef HAVE_MBR_CHECK_MEMBERSHIP
- /* If we are matching the invoking user use the stashed uuid. */
- if (strcmp(pw->pw_name, user_name) == 0) {
- if (mbr_gid_to_uuid(grp->gr_gid, gu) == 0 &&
- mbr_check_membership(user_uuid, gu, &ismember) == 0 && ismember) {
- retval = TRUE;
- goto done;
- }
- } else {
- if (mbr_uid_to_uuid(pw->pw_uid, uu) == 0 &&
- mbr_gid_to_uuid(grp->gr_gid, gu) == 0 &&
- mbr_check_membership(uu, gu, &ismember) == 0 && ismember) {
- retval = TRUE;
- goto done;
- }
+ /*
+ * Cache group db entry if it exists or a negative response if not.
+ */
+ item = sudo_make_grlist_item(pw, NULL, NULL);
+ if (item == NULL) {
+ /* Should not happen. */
+ len = strlen(pw->pw_name) + 1;
+ item = ecalloc(1, sizeof(*item) + len);
+ item->refcnt = 1;
+ item->k.name = (char *) item + sizeof(*item);
+ memcpy(item->k.name, pw->pw_name, len);
+ /* item->d.grlist = NULL; */
}
-#else /* HAVE_MBR_CHECK_MEMBERSHIP */
-# ifdef HAVE_GETGROUPS
+ if (rbinsert(grlist_cache, item) != NULL)
+ fatalx(_("unable to cache group list for %s, already exists"),
+ pw->pw_name);
+done:
+ item->refcnt++;
+ debug_return_ptr(item->d.grlist);
+}
+
+void
+sudo_set_grlist(struct passwd *pw, char * const *groups, char * const *gids)
+{
+ struct cache_item key, *item;
+ struct rbnode *node;
+ debug_decl(sudo_set_grlist, SUDO_DEBUG_NSS)
+
/*
- * If we are matching the invoking or list user and that user has a
- * supplementary group vector, check it.
+ * Cache group db entry if it doesn't already exist
*/
- if (user_ngroups > 0 &&
- strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0) {
- for (i = 0; i < user_ngroups; i++) {
- if (grp->gr_gid == user_groups[i]) {
- retval = TRUE;
+ key.k.name = pw->pw_name;
+ if ((node = rbfind(grlist_cache, &key)) == NULL) {
+ if ((item = sudo_make_grlist_item(pw, groups, gids)) == NULL)
+ fatalx(_("unable to parse groups for %s"), pw->pw_name);
+ if (rbinsert(grlist_cache, item) != NULL)
+ fatalx(_("unable to cache group list for %s, already exists"),
+ pw->pw_name);
+ }
+ debug_return;
+}
+
+bool
+user_in_group(struct passwd *pw, const char *group)
+{
+ struct group_list *grlist;
+ struct group *grp = NULL;
+ int i;
+ bool matched = false;
+ debug_decl(user_in_group, SUDO_DEBUG_NSS)
+
+ if ((grlist = sudo_get_grlist(pw)) != NULL) {
+ /*
+ * If it could be a sudo-style group ID check gids first.
+ */
+ if (group[0] == '#') {
+ gid_t gid = atoi(group + 1);
+ if (gid == pw->pw_gid) {
+ matched = true;
goto done;
}
- }
- } else
-# endif /* HAVE_GETGROUPS */
- {
- if (grp != NULL && grp->gr_mem != NULL) {
- for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) {
- if (strcmp(*gr_mem, pw->pw_name) == 0) {
- retval = TRUE;
+ for (i = 0; i < grlist->ngids; i++) {
+ if (gid == grlist->gids[i]) {
+ matched = true;
goto done;
}
}
}
- }
-#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+ /*
+ * Next check the supplementary group vector.
+ * It usually includes the password db group too.
+ */
+ for (i = 0; i < grlist->ngroups; i++) {
+ if (strcasecmp(group, grlist->groups[i]) == 0) {
+ matched = true;
+ goto done;
+ }
+ }
+
+ /* Finally check against user's primary (passwd file) group. */
+ if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
+ if (strcasecmp(group, grp->gr_name) == 0) {
+ matched = true;
+ goto done;
+ }
+ }
done:
- if (grp != NULL)
- gr_delref(grp);
- return retval;
+ if (grp != NULL)
+ sudo_gr_delref(grp);
+ sudo_grlist_delref(grlist);
+ }
+ debug_return_bool(matched);
}