Commit Graph

52 Commits

Author SHA1 Message Date
Edward Tomasz Napierala
8bb6c72e63 Get rid unneccessary useless calls to lseek(2) from getgrent(3).
Looks like this:

 fstatat(AT_FDCWD,"/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2167001,size=390,blksize=32768 },0x0) = 0 (0x0)
 open("/etc/group",O_RDONLY|O_CLOEXEC,0666)      = 3 (0x3)
 fstat(3,{ mode=-rw-r--r-- ,inode=2166927,size=919,blksize=32768 }) = 0 (0x0)
-lseek(3,0x0,SEEK_CUR)                           = 0 (0x0)
-lseek(3,0x0,SEEK_SET)                           = 0 (0x0)
 read(3,"# $FreeBSD: release/10.0.0/etc/g"...,32768) = 919 (0x397)
 close(3)                                        = 0 (0x0)

Reviewed by:	kib
Approved by:	re (gjb)
MFC after:	2 weeks
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D17571
2018-10-16 18:17:07 +00:00
Kirk McKusick
8557409f20 In the C library, the setting up of the group array by various
utilities is done by calling gr_addgid() for each group to be
added (usually found by traversing /etc/group) then calling the
setgroups() system call after the group set has been created.
The gr_addgid() function (helpfully?) deduplicates the addition
of group members. So, if you call it to add a group member that
already exists, it is just dropped. Because group[0] is the
effective group-ID and is over-written when a setgid program
is run, The value in group[0] is usually duplicated so that
group value is not lost when a setgid program is run.

Historically this happened because the group value indicated
in the password file also appears in /etc/group (e.g., if you
are group staff in the password file, you will also appear in
the staff line in /etc/group). But, with the addition of the
deduplication, the attempt to add group staff was lost because
it already appeared in group[0]. So, the fix is to deduplicate
starting from group[1] which allows a duplicate of the entry in
group[0], but not in later entries.

There is some confusion about the setgroups system call because in
BSD it has (always) set the entire group including the egid group
(in group[0]). However, in Linux, it skips over group[0] and starts
setting from group[1]. See this comment from linux_setgroups:

      /*
       * cr_groups[0] holds egid. Setting the whole set from
       * the supplied set will cause egid to be changed too.
       * Keep cr_groups[0] unchanged to prevent that.
       */

To make it clear what the BSD setgroups system call does, I
added the following paragraph to the setgroups(2) manual page:

   The first entry of the group array (gidset[0]) is used as the effective
   group-ID for the process.  This entry is over-written when a setgid
   program is run.  To avoid losing access to the privileges of the
   gidset[0] entry, it should be duplicated later in the group array.
   By convention, this happens because the group value indicated in the
   password file also appears in /etc/group.  The group value in the
   password file is placed in gidset[0] and that value then gets added a
   second time when the /etc/group file is scanned to create the group set.

Reported by: Paul McMath  paulm at tetrardus.net
Reviewed by: kib
MFC after:   2 weeks
2018-01-23 22:18:45 +00:00
Pedro F. Giffuni
d915a14ef0 libc: further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
2017-11-25 17:12:48 +00:00
Ed Schouten
9c24291370 Fix up setgrent(3) to have a POSIX-compliant prototype.
Just like with freelocale(3), I haven't been able to find any piece of
code that actually makes use of this function's return value, both in
base and in ports. The reason for this is that FreeBSD seems to be the
only operating system to have such a prototype. This is why I'm deciding
to not use symbol versioning for this.

It does seem that the pw(8) utility depends on the function's typing and
already had a switch in place to toggle between the FreeBSD and POSIX
variant of this function. Clean this up by always expecting the POSIX
variant.

There is also a single port that has a couple of local declarations of
setgrent(3) that need to be patched up. This is in the process of being
fixed.

PR:		211394 (exp-run)
2016-07-31 08:05:15 +00:00
Enji Cooper
7f756b1159 Remove a set but unused variable in __getgroupmembership to fix a gcc 4.9+ warning
MFC after: 1 week
Sponsored by: EMC / Isilon Storage Division
2015-10-30 05:50:05 +00:00
Enji Cooper
3e973f9b6d Fix compiling with gcc [4.2.1] after r287797 when MK_HESOID == no and
MK_NIS == no by converting `i` back to an int, and instead cast the loop
comparison to `int`

The loop comparison is iterating the len(ns_dtab)-1, because
the last element is the sentinel tuple { NULL, NULL, NULL, }, so when
both HESOID and NIS are off, len(ns_dtab)-1 == 1 - 1 == 0, and the loop
is skipped because the expression is tautologically false

While here, convert `(sizeof(x) / sizeof(x[0]))` to `nitems(x)`

Tested with: clang 3.7.0, gcc 4.2.1, and gcc 4.9.4 [*] with MK_NIS={no,yes}
             and by running bash -lc 'id -u && id -g && id'

* gcc 4.9.4 needs another patch in order for the compile to succeed
  with -Werror with lib/libc/gen/getgrent.c

Reported by: jhibbits
2015-10-25 07:42:56 +00:00
Craig Rodrigues
55b6b759c8 Use ANSI C prototypes. Eliminates -Wold-style-definition warnings. 2015-09-20 20:23:16 +00:00
Craig Rodrigues
e0b54d0140 Add declarations to eliminate -Wmissing-prototypes warnings 2015-09-20 03:58:27 +00:00
Craig Rodrigues
e263ec16a9 Use unsigned variables in a few places.
Eliminates gcc 4.9 warnings.
2015-09-14 18:59:01 +00:00
Pedro F. Giffuni
a69a20fa13 Fix small memleaks in nis_passwd() and nis_group().
These only occur upon error.

Code Review:	https://reviews.freebsd.org/D1849
Reviewed by:	delphij

CID:	1016715
CID:	1016717
2015-02-20 01:02:32 +00:00
Pedro F. Giffuni
1a4161a15d Reverse one of the initializations from r278804.
It does no harm but this is not needed after the
correction in r278805 and I prefer to keep this
code very similar to it's original state.
2015-02-15 21:03:49 +00:00
Pedro F. Giffuni
b78ceb0a58 Mismatch in r278804. 2015-02-15 18:02:05 +00:00
Pedro F. Giffuni
09cc2762fa More tidy-ups on uninitialized scalar variable
As a followup to r278363, there is one more case where
stayopen can be accessed uninitialized, but even after
swapping arguments, access is possible in some other
cases so prevent it completely by initializing stayopen.

CID:	1018729
CID:	1018732
2015-02-15 16:50:21 +00:00
Pedro F. Giffuni
eb77fbdcec Protect uninitialized scalar variable from being accessed
In a couple of cases a variable "stayopen" can be checked
unitialized. This is of no danger as the complementary
condition is false but prevent the access by switching
the checks.

CID:	1018729
CID:	1018732
2015-02-07 19:51:34 +00:00
Jilles Tjoelker
1084b38bea libc: Make various internal file descriptors close-on-exec.
These are obtained via fopen().
2012-12-10 17:56:51 +00:00
Michael Bushkov
a59d6a8724 Implementing 'fallback' nsswitch source. 'fallback' source is used
when particular function can't be found in nsswitch-module. For
example, getgrouplist(3) will use module-supplied 'getgroupmembership'
function (which can work in an optimal way for such source as LDAP) and
will fall back to the stanard iterate-through-all-groups implementation
otherwise.

PR:		ports/114655
Submitted by:	Michael Hanselmann <freebsd AT hansmi DOT ch>
Reviewed by:	brooks (mentor)
2007-12-12 10:08:03 +00:00
Maxim Konovalov
0ba6effc8c o Don't fseek() on closed file.
Submitted by:	pgollucci@p6m7g8.com, Mark Costlow
MFC after:	3 weeks
2006-09-18 09:34:48 +00:00
Maxim Konovalov
0ec15b18a2 o compat_group() and files_group() are more complicated than I thought
in rev. 1.34.  Mainly I missed the fact that the buffer is used for two
purposes:

1) storing a group line from the group file;

2) __gr_parse_entry() parses the buffer and tries to put the group
members to the remaining part of the buffer and can fail if there
is no enough room for them.

Re-arrange the buffer size checks to account the latter case.

Submitted by:	Kirk R Webb
MFC after:	2 weeks
2006-07-14 17:45:33 +00:00
Maxim Konovalov
d230fe5161 o Record a file offset for a last successfully parsed group file line.
If the initial buffer size (1KB) for the given group line is not big
enough, reset the offset.  It helps to do not miss this line when
getrg() reallocates the larger buffer and tries to parse the line again.

PR:		bin/52433, kern/55031, bin/83696, misc/97640, misc/98111
Submitted by:	bsw71@mail.ru, Philip M. Gollucci, Justin Erenkrantz
Glanced at:	nectar
MFC after:	1 month
2006-06-01 15:45:06 +00:00
Hajimu UMEMOTO
06a99fe36f - Extend the nsswitch to support Services, Protocols and Rpc
databases.
- Make nsswitch support caching.

Submitted by:	Michael Bushkov <bushman__at__rsu.ru>
Sponsored by:	Google Summer of Code 2005
2006-04-28 12:03:38 +00:00
Tim Kientzle
9b8f137b2d getgrent() and friends should set errno if there is an error.
Also, clarify the manpage description of when errno is set and
explain that clients should set errno=0 first if they want useful
error information.
2004-05-17 22:15:49 +00:00
Jacques Vidrine
d05090827f Back out the `hiding' of strlcpy and strlcat. Several people
vocally objected to this safety belt.
2003-05-01 19:03:14 +00:00
Jacques Vidrine
5723e501ab `Hide' strlcpy and strlcat (using the namespace.h / __weak_reference
technique) so that we don't wind up calling into an application's
version if the application defines them.

Inspired by:	qpopper's interfering and buggy version of strlcpy
2003-04-29 21:13:50 +00:00
Jacques Vidrine
c14d379de1 When using `compat' mode, be sure to re-dispatch setpwent, endpwent,
setgrent, and endgrent also.  (The previous NSS implementation used to
simply twiddle the internal data of the various modules directly.)

A symptom (group list set incorrectly in sshd) was
Reported by:	Glenn Johnson <gjohnson@srrc.ars.usda.gov>

Sponsored by:	DARPA, Network Associates Laboratories
2003-04-25 18:25:19 +00:00
Jacques Vidrine
5460b1abd2 ``Strong typing is a crutch for people with weak memories.''
Correct a bug that should have wreaked havoc everywhere, but for
some reason only bit unlucky people who use `-march' optimizations.
The compiler cannot assist one in distinguishing between the two
function calls below.

   int nsdispatch(void *, ...);
   void *discard;

   nsdispatch(&discard, ...);  /* correct .. no, really! */
   nsdispatch(discard, ...);   /* Boom                   */

Robin provided me with a debugging environment in which I could see
what was going on.

Badness when using CPUTYPE was
Reported by:	"Robin P. Blanchard" <Robin.Blanchard@gactr.uga.edu>
Reported by:	nork

Sponsored by:	DARPA, Network Associates Laboratories
2003-04-22 22:19:05 +00:00
Jacques Vidrine
43652a6ba6 Repair a bug in which a faulty group entry (one with only 2 colons)
would result in an incorrectly terminated grouplist.

login(1) crashes
Reported by:	Morten Rodal <morten@rodal.no>,
		Matthias Schuendehuette <msch@snafu.de>
2003-04-20 01:12:00 +00:00
Jacques Vidrine
1b467db206 The default if nsswitch.conf(5) is not present is supposed to be the
hated `compat' source, not `files'.

Reported by:	Philip Paeps <philip@paeps.cx>
Sponsored by:	DARPA, Network Associates Laboratories
2003-04-18 01:00:37 +00:00
Jacques Vidrine
05f98035ee = Implement thread-safe versions of the getpwent(3) and getgrent(3)
family of functions using the new nsdispatch(3) core.  Remove
  arbitrary size limits when using the thread-safe versions.

= Re-implement the traditional getpwent(3)/getgrent(3) functions on
  top of the thread-safe versions.

= Update the on-disk format of the hashed version of the passwd(5)
  databases to allow for versioned entries.  The legacy version is
  `3'.  (Don't ask.)

= Add support for version `4' entries in the passwd(5) database.
  Entries in this format are identical to version 3 entries except
  that all integers are stored as 32-bit integers in network byte
  order (big endian).

= pwd_mkdb is updated to generate both version 3 and version 4
  entries.

Sponsored by:	DARPA, Network Associates Laboratories
2003-04-17 14:15:26 +00:00
Robert Drehmel
916560b152 If realloc(3) fails in copyline(), do not make matters worse by
leaving without deallocating `data' thereby creating a memory leak.
2003-03-19 14:01:35 +00:00
Tim J. Robbins
f2bc7cd262 Remove unused variable: sz. 2003-01-04 00:24:35 +00:00
David E. O'Brien
b231cb3945 * Remove __P and convert to ANSI prototypes.
* Remove 'register'.  (some functions had 7+ register functions...)
* Fix SCM ID's.
2002-02-01 01:32:19 +00:00
Bruce Evans
56bcbf00e2 Fixed world breakage due to missing include of <sys/cdefs.h> in previous
commit.

Fixed related style bugs:
basename.c: misplaced '#if 0'
dirname.c: misplaced '#if 0'
getgrent.c: missing '#if 0', and tab lossage in vendor id (the previous
            commit fixed the complete corruption of the vendor id but
	    lost a tab)
getpwent.c: missing '#if 0'
2002-01-31 12:58:36 +00:00
David E. O'Brien
135b57f906 Fix FreeBSD IDs. 2002-01-30 21:36:57 +00:00
Jacques Vidrine
b048419e0d Fix mostly harmless typo:
if (data);
            free(data);

Discovered by:	emacs cc-mode
2000-12-17 21:10:41 +00:00
Jacques Vidrine
248aee623c Add nsswitch support. By creating an /etc/nsswitch.conf file, you can
configure FreeBSD so that various databases such as passwd and group can be
looked up using flat files, NIS, or Hesiod.

= Hesiod has been added to libc (see hesiod(3)).

= A library routine for parsing nsswitch.conf and invoking callback
  functions as specified has been added to libc (see nsdispatch(3)).

= The following C library functions have been modified to use nsdispatch:
    . getgrent, getgrnam, getgrgid
    . getpwent, getpwnam, getpwuid
    . getusershell
    . getaddrinfo
    . gethostbyname, gethostbyname2, gethostbyaddr
    . getnetbyname, getnetbyaddr
    . getipnodebyname, getipnodebyaddr, getnodebyname, getnodebyaddr

= host.conf has been removed from src/etc.  rc.network has been modified
  to warn that host.conf is no longer used at boot time.  In addition, if
  there is a host.conf but no nsswitch.conf, the latter is created at boot
  time from the former.

Obtained from:	NetBSD
2000-09-06 18:16:48 +00:00
Warner Losh
e8420087b0 Replace memory leaking instances of realloc with non-leaking reallocf.
In some cases replace if (a == null) a = malloc(x); else a =
realloc(a, x); with simple reallocf(a, x).  Per ANSI-C, this is
guaranteed to be the same thing.

I've been running these on my system here w/o ill effects for some
time.  However, the CTM-express is at part 6 of 34 for the CAM
changes, so I've not been able to do a build world with the CAM in the
tree with these changes.  Shouldn't impact anything, but...
1998-09-16 04:17:47 +00:00
Wolfram Schneider
4ccb26e49a Allow comments in group database.
The character `#' introduces a comment. Leading spaces and tabs are
ignored: '^[ \t]*#.*\n$'

Count an empty line - only spaces, tabs or newline - also as a comment.
(to be compatibel with password database comments). '^[ \t]*\n$'
1997-03-08 16:21:40 +00:00
Bill Paul
1d2493ff77 Small yet significant tweaks/cleanups:
- getpwent:
  o adjunctbuf should be NUL terminated after copying
  o _pw_breakout_yp() needs to know the length of the buffer returned
    from YP so it can properly NUL terminate its local buffer.

- getgrent:
  o YP buffers should be YPMAXRECORD + 2 bytes long and NUL terminated.
    (Previously they were hardcoded to 1024 bytes.)

- getnetgrent:
  o YP data should be copied with snprintf(), not sprintf()

These are 2.2 candidates. I will wait a few days to make sure these don't
break anything and then, if there are no objections, move them to the 2.2
branch.
1996-12-27 19:28:46 +00:00
Wolfram Schneider
ebddb6b4fe Use dynamic allocated buffers instead static buffers. No member or
line length limit anymore - now 500 members or 5000 members are
possible. For security group lines longer than 256K will be count as
an error. 256K should be enough for 65536 users.

Support comments (lines that begin with a #) if compiled with
option -DGROUP_IGNORE_COMMENTS.

Fortunately it seems that all system utilities which use getgrent()
functions are dynamically linked executables. So you need only
rebuild libc.so.3.0 if you want this change. Note: if you have
an old X server which depend on libc.so.2.* you should rebuild
libc.so.2.* too.

Not a 2.2 candidate.
1996-12-25 21:51:24 +00:00
Bill Paul
73418074a9 Add a missing #ifdef YP/#endif pair so that this module will
compile without -DYP.

Pointed out by: Wolfram Schneider
1996-12-21 18:36:44 +00:00
Bill Paul
78cf917e3d Apply patch to fix +group YP overrides and prevent SEGV on badly
formatted groups (foo:*).
1996-09-05 12:27:24 +00:00
Poul-Henning Kamp
8b10240709 Minor cleanup, mostly unused vars and missing #includes. 1995-10-22 14:37:11 +00:00
Bill Paul
eb6c139019 Some NIS bug stomping:
- In some cases, we don't properly resolve _all_ possible group memberships.
  If a user is a member of both local and NIS groups, we sometimes lose some
  of the membership info from NIS. (Reported by: Thorsten Kukuk
  <kukuk@uni-paderborn.de>)

- Make NIS +groupname overrides actually work the way the SunOS group(5)
  man page says they should (make them work for all cases: getgrent(),
  getgrnam() and getgrgid()).

- When not compiled with -DYP, grscan() should ignore entries that
  begin with a '+'. When compiled _with_ -DYP, grscan() should ignore
  +groupname entries that don't refer to real NIS groups.

- Remove redundant redeclaration of fgets(), strsep() and index() inside
  grscan(). We already #include all the right header files for these.

Note: -groupname exclusion as specified in the Sun documentation still
isn't supported. This'll be a 2.2 addition. Right now I just want this
stuff to work.
1995-10-06 21:29:01 +00:00
Bill Paul
400b841301 getgrent.c: adjust _nextypgroup() slightly so that it continues processing
the group map after encountering a badly formatted entry.

getpwent.c: same as above for _nextyppass(), and also turn a couple of
sprintf()s into snprintf()s to avoid potential buffer overruns. (The
other day I nearly went mad because of a username in my NIS database
that's actually 9 characters long instead of 8. Stuffing a 9-character
username into an 8-character buffer can do some strange things.)

(This reminds me: I hope somebody's planning to fix the buffer overrun
security hole in syslog(3) before 2.1 ships.)
1995-09-05 19:52:59 +00:00
Bill Paul
d454389cc2 getpwent.c: turn the code that checks the override caches into a
seperate function to avoid duplication. Also fix getpwent() a
small bit to properly handle the case where the magic NIS '+'
entry appears before the end of the password file.

getgrent.c: be a little more SunOS-ish. Make it look like the NIS
group map is 'inserted' at the the point(s) where the magic NIS '+'
entry/entries appear.

getgrent: fix a file descriptor leak: remember to close the netgroup
file after we determine that we're using NIS-only innetgr() lookups.
1995-09-02 04:08:55 +00:00
Bill Paul
e0ee807b3d Fix for a potential problem reported by a user I bumped into on IRC
last night:

_gr_breakout_yp() doesn't check for badly formatted NIS group entries.
For example, a bogus entry like this:

bootp::user1,user2,user3

will lead to a null pointer dereference and a SEGV (note that the GID
field is missing -- this results in one of the strsep(&result, ":")
returning NULL). The symtpom of this problem is programs dumping
core left and right the moment you add a + entry to /etc/group.
Note that while this is similar to an earlier bug, it's caused by a
different set of circumstances.

The fix is to check for the NULL pointers and have _gr_breakout_yp()
punt and return a failure code if it catches one. This is more or
less the behavior of SunOS: if a bad NIS group entry is encountered,
it's silently ignored. I don't think our standard (non-NIS) group
parsing code behaves the same way. It doesn't crash though, so I'm
citing the 'it ain't broken, don't fix it' rule and leaving it alone.

I'll probably have to add similar checks to _pw_breakout_yp() in
getpwent.c to ward off the same problems. It's rare that bad NIS
map entries like this occur, but we should handle them gracefully
when they do.
1995-06-26 14:59:46 +00:00
Rodney W. Grimes
6c06b4e2aa Remove trailing whitespace. 1995-05-30 05:51:47 +00:00
Bill Paul
04adcdacbf Small fix for the following problems:
- If you take the wheel entry out of /etc/group and turn on NIS,
the '+:*::' line is incorrectly flagged as the entry for wheel (the
empty gid section is translated to 0), hence getgrgid() returns '+'
as the name of the group instead of 'wheel.'

- Using just '+:' as the 'turn on NIS' switch in /etc/group makes
getgrgid() dump core because of a null pointer dereference. (Last
time I was in here, I foolishly assumed that fixing the core dump
problems with getgrnam() and getgrent() would fix getgrgid() too.
Silly me.)
1995-04-29 17:14:50 +00:00
Bill Paul
958f4e365d getpwent.c: fix problem with emacs dumping core when NIS is enabled. Also
add #includes for YP headers when compiling with -DYP to avoid some implicit
declarations.

getgrent.c & getnetgrent.c: add some #includes to avoid implicit declarations
of YP functions.
1995-04-04 05:36:16 +00:00
Bill Paul
89047c9c7c Fix 'putting +: in /etc/group causes many programs to dump core' bug
by heading off possible null pointer dereferences in grscan(). Also
change getgrnam() slightly to properly handle the change: if grscan()
returns an rval of 1 and leaves a '+' in the gr_name field and YP is
enabled, poll the YP group.byname map before giving up. This should
insure that we make every effort to find a match in the local and
YP group databases before bailing out.
1995-03-18 05:03:10 +00:00