[388] | 1 | #include <pthread.h>
|
---|
| 2 | #include <byteswap.h>
|
---|
| 3 | #include <string.h>
|
---|
| 4 | #include <unistd.h>
|
---|
| 5 | #include "pwf.h"
|
---|
| 6 | #include "nscd.h"
|
---|
| 7 |
|
---|
| 8 | static char *itoa(char *p, uint32_t x)
|
---|
| 9 | {
|
---|
| 10 | // number of digits in a uint32_t + NUL
|
---|
| 11 | p += 11;
|
---|
| 12 | *--p = 0;
|
---|
| 13 | do {
|
---|
| 14 | *--p = '0' + x % 10;
|
---|
| 15 | x /= 10;
|
---|
| 16 | } while (x);
|
---|
| 17 | return p;
|
---|
| 18 | }
|
---|
| 19 |
|
---|
| 20 | int __getpw_a(const char *name, uid_t uid, struct passwd *pw, char **buf, size_t *size, struct passwd **res)
|
---|
| 21 | {
|
---|
| 22 | FILE *f;
|
---|
| 23 | int cs;
|
---|
| 24 | int rv = 0;
|
---|
| 25 |
|
---|
| 26 | *res = 0;
|
---|
| 27 |
|
---|
| 28 | pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cs);
|
---|
| 29 |
|
---|
| 30 | f = fopen("/etc/passwd", "rbe");
|
---|
| 31 | if (!f) {
|
---|
| 32 | rv = errno;
|
---|
| 33 | goto done;
|
---|
| 34 | }
|
---|
| 35 |
|
---|
| 36 | while (!(rv = __getpwent_a(f, pw, buf, size, res)) && *res) {
|
---|
| 37 | if (name && !strcmp(name, (*res)->pw_name)
|
---|
| 38 | || !name && (*res)->pw_uid == uid)
|
---|
| 39 | break;
|
---|
| 40 | }
|
---|
| 41 | fclose(f);
|
---|
| 42 |
|
---|
| 43 | if (!*res && (rv == 0 || rv == ENOENT || rv == ENOTDIR)) {
|
---|
| 44 | int32_t req = name ? GETPWBYNAME : GETPWBYUID;
|
---|
| 45 | const char *key;
|
---|
| 46 | int32_t passwdbuf[PW_LEN] = {0};
|
---|
| 47 | size_t len = 0;
|
---|
| 48 | char uidbuf[11] = {0};
|
---|
| 49 |
|
---|
| 50 | if (name) {
|
---|
| 51 | key = name;
|
---|
| 52 | } else {
|
---|
| 53 | /* uid outside of this range can't be queried with the
|
---|
| 54 | * nscd interface, but might happen if uid_t ever
|
---|
| 55 | * happens to be a larger type (this is not true as of
|
---|
| 56 | * now)
|
---|
| 57 | */
|
---|
| 58 | if(uid < 0 || uid > UINT32_MAX) {
|
---|
| 59 | rv = 0;
|
---|
| 60 | goto done;
|
---|
| 61 | }
|
---|
| 62 | key = itoa(uidbuf, uid);
|
---|
| 63 | }
|
---|
| 64 |
|
---|
| 65 | f = __nscd_query(req, key, passwdbuf, sizeof passwdbuf, (int[]){0});
|
---|
| 66 | if (!f) { rv = errno; goto done; }
|
---|
| 67 |
|
---|
| 68 | if(!passwdbuf[PWFOUND]) { rv = 0; goto cleanup_f; }
|
---|
| 69 |
|
---|
| 70 | /* A zero length response from nscd is invalid. We ignore
|
---|
| 71 | * invalid responses and just report an error, rather than
|
---|
| 72 | * trying to do something with them.
|
---|
| 73 | */
|
---|
| 74 | if (!passwdbuf[PWNAMELEN] || !passwdbuf[PWPASSWDLEN]
|
---|
| 75 | || !passwdbuf[PWGECOSLEN] || !passwdbuf[PWDIRLEN]
|
---|
| 76 | || !passwdbuf[PWSHELLLEN]) {
|
---|
| 77 | rv = EIO;
|
---|
| 78 | goto cleanup_f;
|
---|
| 79 | }
|
---|
| 80 |
|
---|
| 81 | if ((passwdbuf[PWNAMELEN]|passwdbuf[PWPASSWDLEN]
|
---|
| 82 | |passwdbuf[PWGECOSLEN]|passwdbuf[PWDIRLEN]
|
---|
| 83 | |passwdbuf[PWSHELLLEN]) >= SIZE_MAX/8) {
|
---|
| 84 | rv = ENOMEM;
|
---|
| 85 | goto cleanup_f;
|
---|
| 86 | }
|
---|
| 87 |
|
---|
| 88 | len = passwdbuf[PWNAMELEN] + passwdbuf[PWPASSWDLEN]
|
---|
| 89 | + passwdbuf[PWGECOSLEN] + passwdbuf[PWDIRLEN]
|
---|
| 90 | + passwdbuf[PWSHELLLEN];
|
---|
| 91 |
|
---|
| 92 | if (len > *size || !*buf) {
|
---|
| 93 | char *tmp = realloc(*buf, len);
|
---|
| 94 | if (!tmp) {
|
---|
| 95 | rv = errno;
|
---|
| 96 | goto cleanup_f;
|
---|
| 97 | }
|
---|
| 98 | *buf = tmp;
|
---|
| 99 | *size = len;
|
---|
| 100 | }
|
---|
| 101 |
|
---|
| 102 | if (!fread(*buf, len, 1, f)) {
|
---|
| 103 | rv = ferror(f) ? errno : EIO;
|
---|
| 104 | goto cleanup_f;
|
---|
| 105 | }
|
---|
| 106 |
|
---|
| 107 | pw->pw_name = *buf;
|
---|
| 108 | pw->pw_passwd = pw->pw_name + passwdbuf[PWNAMELEN];
|
---|
| 109 | pw->pw_gecos = pw->pw_passwd + passwdbuf[PWPASSWDLEN];
|
---|
| 110 | pw->pw_dir = pw->pw_gecos + passwdbuf[PWGECOSLEN];
|
---|
| 111 | pw->pw_shell = pw->pw_dir + passwdbuf[PWDIRLEN];
|
---|
| 112 | pw->pw_uid = passwdbuf[PWUID];
|
---|
| 113 | pw->pw_gid = passwdbuf[PWGID];
|
---|
| 114 |
|
---|
| 115 | /* Don't assume that nscd made sure to null terminate strings.
|
---|
| 116 | * It's supposed to, but malicious nscd should be ignored
|
---|
| 117 | * rather than causing a crash.
|
---|
| 118 | */
|
---|
| 119 | if (pw->pw_passwd[-1] || pw->pw_gecos[-1] || pw->pw_dir[-1]
|
---|
| 120 | || pw->pw_shell[passwdbuf[PWSHELLLEN]-1]) {
|
---|
| 121 | rv = EIO;
|
---|
| 122 | goto cleanup_f;
|
---|
| 123 | }
|
---|
| 124 |
|
---|
| 125 | if (name && strcmp(name, pw->pw_name)
|
---|
| 126 | || !name && uid != pw->pw_uid) {
|
---|
| 127 | rv = EIO;
|
---|
| 128 | goto cleanup_f;
|
---|
| 129 | }
|
---|
| 130 |
|
---|
| 131 |
|
---|
| 132 | *res = pw;
|
---|
| 133 | cleanup_f:
|
---|
| 134 | fclose(f);
|
---|
| 135 | goto done;
|
---|
| 136 | }
|
---|
| 137 |
|
---|
| 138 | done:
|
---|
| 139 | pthread_setcancelstate(cs, 0);
|
---|
| 140 | if (rv) errno = rv;
|
---|
| 141 | return rv;
|
---|
| 142 | }
|
---|