rpms/nss_ldap/devel nss_ldap-257-initgroups-minimum_uid.patch, NONE, 1.1

Nalin Somabhai Dahyabhai (nalin) fedora-extras-commits at redhat.com
Thu Sep 20 19:06:57 UTC 2007


Author: nalin

Update of /cvs/pkgs/rpms/nss_ldap/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24992

Added Files:
	nss_ldap-257-initgroups-minimum_uid.patch 
Log Message:
- attempt at implementing a minimum UID for initgroups, so that I can avoid
  maintaining a list of excluded users for evar


nss_ldap-257-initgroups-minimum_uid.patch:

--- NEW FILE nss_ldap-257-initgroups-minimum_uid.patch ---
diff -ur nss_ldap/ldap-grp.c nss_ldap/ldap-grp.c
--- nss_ldap/ldap-grp.c	2007-08-03 00:51:09.000000000 -0400
+++ nss_ldap/ldap-grp.c	2007-09-20 14:32:14.000000000 -0400
@@ -1068,6 +1069,13 @@
       return NSS_NOTFOUND;
     }
 
+  if (_nss_ldap_test_initgroups_minimum_uid(LA_STRING (a)))
+    {
+      debug ("<== " NSS_LDAP_INITGROUPS_FUNCTION " (user id below configured minimum)");
+      return NSS_NOTFOUND;
+    }
+
+
   lia.backlink = _nss_ldap_test_config_flag (NSS_LDAP_FLAGS_INITGROUPS_BACKLINK);
 
   if (lia.backlink != 0)
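Review bot: The helper called at L29 returns 0 on every failure path (allocation failure, lookup error, no passwd entry), so a transient failure of the passwd lookup silently disables the minimum for that initgroups call; if the minimum is meant to fail closed, the caller needs a three-way result that distinguishes "below minimum" from "could not determine", e.g. `int r = _nss_ldap_test_initgroups_minimum_uid (LA_STRING (a)); if (r != 0) { debug (...); return NSS_NOTFOUND; }` with the helper returning non-zero for both cases. Since this runs inside nss_ldap's own initgroups path and `getpwnam_r` itself resolves through NSS, the lookup will presumably re-enter nss_ldap when passwd is served by LDAP — worth confirming that the module's connection and lock state tolerates that re-entry. The two blank lines added at L34–L35 should be one. The enclosing initgroups function starts and ends outside the hunk.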
diff -ur nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c
--- nss_ldap/ldap-nss.c	2007-09-20 14:35:18.000000000 -0400
+++ nss_ldap/ldap-nss.c	2007-09-20 14:33:01.000000000 -0400
@@ -44,6 +44,7 @@
 #include <syslog.h>
 #include <signal.h>
 #include <fcntl.h>
+#include <pwd.h>
 #include <sys/time.h>
 #include <sys/socket.h>
 #include <sys/param.h>
@@ -4245,6 +4246,33 @@
 }
 
 int
+_nss_ldap_test_initgroups_minimum_uid (const char *user)
+{
+  struct passwd passwd, *pwd;
+  char *buf = NULL;
+  size_t size = 0x40;
+  uid_t uid;
+  NSS_STATUS status;
+
+  do {
+    if ((buf = malloc(size)) == NULL)
+      return 0;
+    pwd = NULL;
+    errno = 0;
+    status = getpwnam_r(user, &passwd, buf, size, &pwd);
+    uid = passwd.pw_uid;
+    free(buf);
+    if ((status != 0) && (errno == ERANGE))
+      size *= 2;
+    if ((status == 0) && (pwd == &passwd))
+      return (uid < __config->ldc_initgroups_minimum_uid);
+    if (size > 0x40000)
+      return 0;
+  } while ((status != 0) && (errno == ERANGE));
+  return 0;
+}
+
+int
 _nss_ldap_get_ld_errno (char **m, char **s)
 {
 #ifdef HAVE_LDAP_GET_OPTION
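Review bot: `errno` is inspected at L70 and L76 only after `free (buf)` at L69 has run, and `free()` is permitted to modify `errno`, so the ERANGE retry can be missed and a user whose passwd entry needs more than the initial 64 bytes is then treated as not found; `getpwnam_r` returns the error number directly, so testing `status == ERANGE` removes the dependence on `errno` altogether. `passwd.pw_uid` is also copied at L68 before the status is checked, which reads an uninitialized struct member when the lookup fails, and `status` is declared `NSS_STATUS` although it receives an `int` error number. The function returns 0 (do not exclude) for allocation failure, lookup errors and a missing entry alike, so the minimum is enforced only when the lookup succeeds — if that is intended, a comment stating it would help the next reader. A tightened body is below; the comparison against `ldc_initgroups_minimum_uid` is kept as the hunk has it.
```c
int
_nss_ldap_test_initgroups_minimum_uid (const char *user)
{
  struct passwd passwd, *pwd;
  char *buf;
  size_t size = 0x40;
  int status;

  do
    {
      if ((buf = malloc (size)) == NULL)
        return 0;
      pwd = NULL;
      /* getpwnam_r returns the error number; errno is not needed */
      status = getpwnam_r (user, &passwd, buf, size, &pwd);
      if (status == 0 && pwd == &passwd)
        {
          /* read pw_uid while buf (which backs the entry) is still live */
          int below = (passwd.pw_uid < __config->ldc_initgroups_minimum_uid);
          free (buf);
          return below;
        }
      free (buf);
      size *= 2;
    }
  while (status == ERANGE && size <= 0x40000);
  return 0;
}
```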
diff -ur nss_ldap/ldap-nss.h nss_ldap/ldap-nss.h
--- nss_ldap/ldap-nss.h	2007-09-20 14:35:18.000000000 -0400
+++ nss_ldap/ldap-nss.h	2007-09-20 14:33:24.000000000 -0400
@@ -390,6 +390,7 @@
   time_t ldc_mtime;
 
   char **ldc_initgroups_ignoreusers;
+  int ldc_initgroups_minimum_uid;
 };
 
 typedef struct ldap_config ldap_config_t;
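Review bot: `ldc_initgroups_minimum_uid` is declared `int` at L91 but is compared against `passwd.pw_uid`, a `uid_t`, in ldap-nss.c and filled by `atoi` in util.c, so a negative configured value is converted to a large unsigned number in that comparison and every user would be reported as below the minimum. Declaring it `uid_t ldc_initgroups_minimum_uid;` keeps the comparison in one type and makes the field's meaning explicit; whether ldap-nss.h already pulls in the header that defines `uid_t` is not visible here. The prototype added in the second hunk of this file is fine as is.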
@@ -897,6 +898,7 @@
 
 int _nss_ldap_test_config_flag (unsigned int flag);
 int _nss_ldap_test_initgroups_ignoreuser (const char *user);
+int _nss_ldap_test_initgroups_minimum_uid (const char *user);
 int _nss_ldap_get_ld_errno (char **m, char **s);
 
 #endif /* _LDAP_NSS_LDAP_LDAP_NSS_H */
diff -ur nss_ldap/util.c nss_ldap/util.c
--- nss_ldap/util.c	2007-09-20 14:35:18.000000000 -0400
+++ nss_ldap/util.c	2007-09-20 14:29:49.000000000 -0400
@@ -660,6 +660,7 @@
   result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
   result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
   result->ldc_initgroups_ignoreusers = NULL;
+  result->ldc_initgroups_minimum_uid = 0;
 
   for (i = 0; i <= LM_NONE; i++)
     {
@@ -1137,6 +1138,10 @@
 	      break;
 	    }
 	}
+      else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
+	{
+	  result->ldc_initgroups_minimum_uid = atoi (v);
+	}
       else if (!strcasecmp (k, NSS_LDAP_KEY_CONNECT_POLICY))
         {
 	  if (!strcasecmp (v, "oneshot"))
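Review bot: `atoi (v)` at L120 gives no indication of a malformed value, so a misspelled number silently sets the minimum to 0 and disables the check, and a value with trailing garbage is accepted. Parsing with `strtoul` and checking the end pointer lets a bad line be rejected: `char *end; unsigned long m = strtoul (v, &end, 10); if (end != v && *end == '\0') result->ldc_initgroups_minimum_uid = m;`. How the other numeric keys in this parser report errors is outside the hunk, so follow that convention, and check `ERANGE` if `errno` is already in scope in this file.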
diff -ur nss_ldap/util.h nss_ldap/util.h
--- nss_ldap/util.h	2007-09-20 14:35:18.000000000 -0400
+++ nss_ldap/util.h	2007-09-20 14:25:28.000000000 -0400
@@ -83,6 +83,7 @@
 #define NSS_LDAP_KEY_PAGESIZE		"pagesize"
 #define NSS_LDAP_KEY_INITGROUPS		"nss_initgroups"
 #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS	"nss_initgroups_ignoreusers"
+#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID	"nss_initgroups_minimum_uid"
 
 /* more reconnect policy fine-tuning */
 #define NSS_LDAP_KEY_RECONNECT_TRIES		"nss_reconnect_tries"
--- nss_ldap/nss_ldap.5	2007-08-03 00:51:09.000000000 -0400
+++ nss_ldap/nss_ldap.5	2007-09-20 14:44:59.000000000 -0400
@@ -442,9 +442,17 @@
 .B nss_ldap
 implementation of
 .BR initgroups(3)
-to return NSS_STATUS_NOTFOUND if called with a listed users as
+to return NSS_STATUS_NOTFOUND if called with one of the listed users as
 its argument.
 .TP
+.B nss_initgroups_minimum_uid <uid>
+This option directs the
+.B nss_ldap
+implementation of
+.BR initgroups(3)
+to return NSS_STATUS_NOTFOUND if called with a users whose user ID
+is below the specified value.
+.TP
 .B nss_srv_domain <domain>
 This option determines the DNS domain used for performing SRV
 lookups.



