getspent.c revision 66e150d7d3c0cb2de3c45c74612784ffd3e73de6
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* nisplus/getspent.c: implementations of getspnam(), getspent(), setspent(),
* endspent() for NIS+. We keep the shadow information in a column
* ("shadow") of the same table that stores vanilla passwd information.
*/
#include <shadow.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <thread.h>
#include "nisplus_common.h"
#include "nisplus_tables.h"
/*
* Declared with an empty parameter list, i.e. without a prototype, so the
* compiler does not check the arguments passed at the call site in this
* file (it is called there as key_secretkey_is_set_g(0, 0)).
*/
extern int key_secretkey_is_set_g();
/*
* bugid 4301477:
* We lock NIS+/getspnam() so that only one call runs at a time, so
* applications which link with libthread can now call
* getspnam() (or UNIX pam_authenticate(), which calls getspnam())
* in a Secure NIS+ environment (as per CERT Advisory 96.10).
* [...] threaded; note that dtlogin is now linked with libthread
* (bugid 4263325), which is why this bug exists. (Note: the thr_main()
* check was removed.)
*/
/*
* getbynam() -- the name is taken from the "getbynam() above" reference in
* a comment further down this file: look up a shadow entry by user name.
*
* NOTE(review): this listing is incomplete. The declarator line (function
* name and first parameter), most local declarations and most statements
* are not shown, so the notes below cover only what the surviving lines
* and the original comments establish.
*
* Flow, per the comments: take the one_lane mutex, do a first lookup, and
* if the password field came back as *NP*, retry the lookup with the euid
* set to the entry's uid; if the retry fails, the saved first results are
* restored. The euid is then set back, one_lane is released and status is
* returned.
*
* Returns the nss_status_t held in `status`.
*/
static nss_status_t
void *a;
{
const char *username;
/* space allocated to hold the first lookup's results during the retry */
char *save_buf;
/*
* part of fix for bugid 4301477
*
* one_lane is taken here and released at the `out` label, the only exit
* visible in this listing, so the lookups and the temporary euid change
* below run one caller at a time.
* NOTE(review): presumably needed because the effective uid is shared by
* all threads of the process -- confirm. The declaration of one_lane is
* not visible in this listing.
*/
(void) mutex_lock(&one_lane);
/*
* There is a dirty little private protocol with the nis_object2str()
* routine below: it gives us back a uid in the argp->key.uid
* field. Since "key" is a union, and we're using key.name,
* (the sentence is cut off in this listing; presumably the name is kept
* in `username` so it survives the overwrite of the union -- confirm)
*
* NSS2: be->flag is used to indicate *NP* case since we
* may not have the shadow passwd available at this point
* if called by nscd's switch.
*/
/*
* passwd.org_dir may have its access rights set up so that
* the passwd field can only be read by the user whom
* the entry describes. If we get an *NP* in the password
* field we should try to get it again as the user. If not,
* we return now.
*/
/* fix for bugid 4301477 DELETED if (_thr_main() != -1) goto out; */
/*
* NOTE(review): the condition guarding this goto is not shown in this
* listing; as printed the jump looks unconditional.
*/
goto out;
/* Get our current euid and that of the entry */
/*
* If the entry uid differs from our own euid, set our euid to
* the entry uid and try the lookup again.
*
* NOTE(review): this is a privilege transition driven by a uid that came
* back from the first lookup. The statements that perform the change and
* test its result are not shown in this listing.
*/
/*
* Do the second lookup only if secretkey is set for
* this euid, otherwise it will be pointless. Also,
* make sure we can allocate space to save the old
* results.
*/
if (key_secretkey_is_set_g(0, 0) &&
/*
* The second operand of && is not shown in this listing; per the comment
* above it is presumably the allocation of save_buf.
*/
/* Save the old results in case the new lookup fails */
/* Do the lookup (this time as the user). */
username);
/* If it failed, restore the old results */
if (status != NSS_SUCCESS) {
buflen);
}
/*
* NOTE(review): save_buf holds a copy of the first lookup's results. The
* statement releasing it is not shown in this listing; confirm it is
* freed whether or not the retry succeeds.
*/
}
/*
* Set uid back
*
* NOTE(review): the restoring statement is not shown in this listing.
* Confirm that a failure to restore is detected, because otherwise the
* process would keep running with the entry's euid after this function
* returns.
*/
}
out:
/* end of fix for bugid 4301477 unlock NIS+/getspnam() */
(void) mutex_unlock(&one_lane);
return (status);
}
/*
* nis_object2str() -- the name is taken from the "nis_object2str() routine
* below" reference in the lookup function earlier in this file.
*
* Place the results from the nis_object structure into argp->buf.result.
* Returns NSS_STR_PARSE_{SUCCESS, ERANGE, PARSE}.
*
* NOTE(review): this listing is incomplete. The declarator line, most
* parameter and local declarations and most statements are not shown; the
* notes below cover only what the surviving lines and the original comments
* establish.
*/
/*ARGSUSED*/
static int
int nobj;
{
int uidlen;
/*
* If we got more than one nis_object, we just ignore it.
* Although it should never have happened.
*
* ASSUMPTION: All the columns in the NIS+ tables are
* null terminated.
*
* NOTE(review): the column data comes from the NIS+ server, so this
* assumption is a trust decision about external input. The length
* checks that would enforce it are not visible in this listing.
*/
/* the test that leads to this parse-error return is not shown */
return (NSS_STR_PARSE_PARSE);
}
/* name: user name */
/* passwd */
/* uid */
/* parse error; presumably a missing or malformed uid column -- confirm */
return (NSS_STR_PARSE_PARSE);
/*
* See discussion of private protocol in getbynam() above.
* Note that we also end up doing this if we're called from
* _nss_nisplus_getent(), but that's OK -- when we're doing
* enumerations we don't care what's in the argp->key union.
*/
}
/*
* shadow information
*
* We will be lenient to no shadow field or a shadow field
* with less than the desired number of ":" separated longs.
* XXX - should we be more strict ?
*/
/* the test that leads to this parse-error return is not shown */
return (NSS_STR_PARSE_PARSE);
/* exclude trailing null from length */
} else {
/*
* Presumably the assembled entry did not fit the caller's buffer; the
* size test itself is not shown in this listing -- confirm.
*/
return (NSS_STR_PARSE_ERANGE);
}
#ifdef DEBUG
/* the body of this debug-only section is not shown in this listing */
#endif /* DEBUG */
return (NSS_STR_PARSE_SUCCESS);
}
/*
* Operation table for this backend; it is passed to _nss_nisplus_constr()
* by the function below.
* NOTE(review): the table's entries are not shown in this listing.
*/
static nisplus_backend_op_t sp_ops[] = {
};
/*
* Returns the result of _nss_nisplus_constr() called with the sp_ops table;
* presumably this is the backend's constructor entry point -- confirm.
* NOTE(review): the function's return type, name and parameters, and the
* remaining arguments of the call, are not shown in this listing.
*/
/*ARGSUSED*/
{
return (_nss_nisplus_constr(sp_ops,
}