aboutsummaryrefslogtreecommitdiff
path: root/nscd
diff options
context:
space:
mode:
Diffstat (limited to 'nscd')
-rw-r--r--nscd/connections.c55
-rw-r--r--nscd/nscd.c14
-rw-r--r--nscd/nscd.h4
-rw-r--r--nscd/selinux.c30
4 files changed, 45 insertions, 58 deletions
diff --git a/nscd/connections.c b/nscd/connections.c
index 632635845b..9c096e2e05 100644
--- a/nscd/connections.c
+++ b/nscd/connections.c
@@ -431,7 +431,7 @@ void
nscd_init (void)
{
/* Secure mode and unprivileged mode are incompatible */
- if (server_user != NULL && secure_in_use)
+ if (server_user != NULL)
{
dbg_log (_("Cannot run nscd in secure mode as unprivileged user"));
exit (4);
@@ -1060,29 +1060,28 @@ cannot handle old request version %d; current version is %d"),
case GETSTAT:
case SHUTDOWN:
case INVALIDATE:
- if (! secure_in_use)
- {
- /* Get the callers credentials. */
+ {
+ /* Get the callers credentials. */
#ifdef SO_PEERCRED
- struct ucred caller;
- socklen_t optlen = sizeof (caller);
+ struct ucred caller;
+ socklen_t optlen = sizeof (caller);
- if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) < 0)
- {
- char buf[256];
+ if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) < 0)
+ {
+ char buf[256];
- dbg_log (_("error getting callers id: %s"),
- strerror_r (errno, buf, sizeof (buf)));
- break;
- }
+ dbg_log (_("error getting callers id: %s"),
+ strerror_r (errno, buf, sizeof (buf)));
+ break;
+ }
- uid = caller.uid;
+ uid = caller.uid;
#else
- /* Some systems have no SO_PEERCRED implementation. They don't
- care about security so we don't as well. */
- uid = 0;
+ /* Some systems have no SO_PEERCRED implementation. They don't
+ care about security so we don't as well. */
+ uid = 0;
#endif
- }
+ }
/* Accept shutdown, getstat and invalidate only from root. For
the stat call also allow the user specified in the config file. */
@@ -1376,25 +1375,7 @@ nscd_run (void *p)
#ifdef SO_PEERCRED
pid_t pid = 0;
- if (secure_in_use)
- {
- struct ucred caller;
- socklen_t optlen = sizeof (caller);
-
- if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) < 0)
- {
- dbg_log (_("error getting callers id: %s"),
- strerror_r (errno, buf, sizeof (buf)));
- goto close_and_out;
- }
-
- if (req.type < GETPWBYNAME || req.type > LASTDBREQ
- || serv2db[req.type]->secure)
- uid = caller.uid;
-
- pid = caller.pid;
- }
- else if (__builtin_expect (debug_level > 0, 0))
+ if (__builtin_expect (debug_level > 0, 0))
{
struct ucred caller;
socklen_t optlen = sizeof (caller);
diff --git a/nscd/nscd.c b/nscd/nscd.c
index 3c65e20a60..2941cbdc15 100644
--- a/nscd/nscd.c
+++ b/nscd/nscd.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 1998-2003, 2004, 2005 Free Software Foundation, Inc.
+/* Copyright (c) 1998-2003, 2004, 2005, 2006 Free Software Foundation, Inc.
This file is part of the GNU C Library.
Contributed by Thorsten Kukuk <kukuk@suse.de>, 1998.
@@ -70,7 +70,6 @@ int disabled_passwd;
int disabled_group;
int go_background = 1;
-int secure_in_use;
static const char *conffile = _PATH_NSCDCONF;
time_t start_time;
@@ -370,16 +369,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
break;
case 'S':
-#if 0
- if (strcmp (arg, "passwd,yes") == 0)
- secure_in_use = dbs[pwddb].secure = 1;
- else if (strcmp (arg, "group,yes") == 0)
- secure_in_use = dbs[grpdb].secure = 1;
- else if (strcmp (arg, "hosts,yes") == 0)
- secure_in_use = dbs[hstdb].secure = 1;
-#else
error (0, 0, _("secure services not implemented anymore"));
-#endif
break;
default:
@@ -398,7 +388,7 @@ print_version (FILE *stream, struct argp_state *state)
Copyright (C) %s Free Software Foundation, Inc.\n\
This is free software; see the source for copying conditions. There is NO\n\
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\
-"), "2005");
+"), "2006");
fprintf (stream, gettext ("Written by %s.\n"),
"Thorsten Kukuk and Ulrich Drepper");
}
diff --git a/nscd/nscd.h b/nscd/nscd.h
index 3859d95d01..ed686bea7e 100644
--- a/nscd/nscd.h
+++ b/nscd/nscd.h
@@ -68,7 +68,6 @@ struct database_dyn
const char *db_filename;
time_t file_mtime;
size_t suggested_module;
- int secure;
unsigned long int postimeout; /* In seconds. */
unsigned long int negtimeout; /* In seconds. */
@@ -122,9 +121,6 @@ extern int nthreads;
/* Maximum number of threads to use. */
extern int max_nthreads;
-/* Tables for which we cache data with uid. */
-extern int secure_in_use; /* Is one of the above 1? */
-
/* User name to run server processes as. */
extern const char *server_user;
diff --git a/nscd/selinux.c b/nscd/selinux.c
index a15e522958..138d96d23a 100644
--- a/nscd/selinux.c
+++ b/nscd/selinux.c
@@ -27,6 +27,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
+#include <unistd.h>
#include <selinux/av_permissions.h>
#include <selinux/avc.h>
#include <selinux/flask.h>
@@ -114,11 +115,28 @@ static int audit_fd = -1;
static void
log_callback (const char *fmt, ...)
{
- va_list ap;
+ if (audit_fd >= 0)
+ {
+ va_list ap;
+ va_start (ap, fmt);
+
+ char *buf;
+ int e = vasprintf (&buf, fmt, ap);
+ if (e < 0)
+ {
+ buf = alloca (BUFSIZ);
+ vsnprintf (buf, BUFSIZ, fmt, ap);
+ }
+
+ /* FIXME: need to attribute this to real user, using getuid for now */
+ audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, getuid ());
- va_start (ap, fmt);
- audit_log_avc (audit_fd, AUDIT_USER_AVC, fmt, ap);
- va_end (ap);
+ if (e >= 0)
+ free (buf);
+
+ va_end (ap);
+ }
}
/* Initialize the connection to the audit system */
@@ -126,7 +144,9 @@ static void
audit_init (void)
{
audit_fd = audit_open ();
- if (audit_fd < 0)
+ if (audit_fd < 0
+ /* If kernel doesn't support audit, bail out */
+ && errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT)
dbg_log (_("Failed opening connection to the audit subsystem: %m"));
}
#endif /* HAVE_LIBAUDIT */