diff options
Diffstat (limited to 'nscd')
-rw-r--r-- | nscd/connections.c | 55 | ||||
-rw-r--r-- | nscd/nscd.c | 14 | ||||
-rw-r--r-- | nscd/nscd.h | 4 | ||||
-rw-r--r-- | nscd/selinux.c | 30 |
4 files changed, 45 insertions, 58 deletions
diff --git a/nscd/connections.c b/nscd/connections.c index 632635845b..9c096e2e05 100644 --- a/nscd/connections.c +++ b/nscd/connections.c @@ -431,7 +431,7 @@ void nscd_init (void) { /* Secure mode and unprivileged mode are incompatible */ - if (server_user != NULL && secure_in_use) + if (server_user != NULL) { dbg_log (_("Cannot run nscd in secure mode as unprivileged user")); exit (4); @@ -1060,29 +1060,28 @@ cannot handle old request version %d; current version is %d"), case GETSTAT: case SHUTDOWN: case INVALIDATE: - if (! secure_in_use) - { - /* Get the callers credentials. */ + { + /* Get the callers credentials. */ #ifdef SO_PEERCRED - struct ucred caller; - socklen_t optlen = sizeof (caller); + struct ucred caller; + socklen_t optlen = sizeof (caller); - if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) < 0) - { - char buf[256]; + if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) < 0) + { + char buf[256]; - dbg_log (_("error getting callers id: %s"), - strerror_r (errno, buf, sizeof (buf))); - break; - } + dbg_log (_("error getting callers id: %s"), + strerror_r (errno, buf, sizeof (buf))); + break; + } - uid = caller.uid; + uid = caller.uid; #else - /* Some systems have no SO_PEERCRED implementation. They don't - care about security so we don't as well. */ - uid = 0; + /* Some systems have no SO_PEERCRED implementation. They don't + care about security so we don't as well. */ + uid = 0; #endif - } + } /* Accept shutdown, getstat and invalidate only from root. For the stat call also allow the user specified in the config file. */ @@ -1376,25 +1375,7 @@ nscd_run (void *p) #ifdef SO_PEERCRED pid_t pid = 0; - if (secure_in_use) - { - struct ucred caller; - socklen_t optlen = sizeof (caller); - - if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) < 0) - { - dbg_log (_("error getting callers id: %s"), - strerror_r (errno, buf, sizeof (buf))); - goto close_and_out; - } - - if (req.type < GETPWBYNAME || req.type > LASTDBREQ - || serv2db[req.type]->secure) - uid = caller.uid; - - pid = caller.pid; - } - else if (__builtin_expect (debug_level > 0, 0)) + if (__builtin_expect (debug_level > 0, 0)) { struct ucred caller; socklen_t optlen = sizeof (caller); diff --git a/nscd/nscd.c b/nscd/nscd.c index 3c65e20a60..2941cbdc15 100644 --- a/nscd/nscd.c +++ b/nscd/nscd.c @@ -1,4 +1,4 @@ -/* Copyright (c) 1998-2003, 2004, 2005 Free Software Foundation, Inc. +/* Copyright (c) 1998-2003, 2004, 2005, 2006 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Thorsten Kukuk <kukuk@suse.de>, 1998. @@ -70,7 +70,6 @@ int disabled_passwd; int disabled_group; int go_background = 1; -int secure_in_use; static const char *conffile = _PATH_NSCDCONF; time_t start_time; @@ -370,16 +369,7 @@ parse_opt (int key, char *arg, struct argp_state *state) break; case 'S': -#if 0 - if (strcmp (arg, "passwd,yes") == 0) - secure_in_use = dbs[pwddb].secure = 1; - else if (strcmp (arg, "group,yes") == 0) - secure_in_use = dbs[grpdb].secure = 1; - else if (strcmp (arg, "hosts,yes") == 0) - secure_in_use = dbs[hstdb].secure = 1; -#else error (0, 0, _("secure services not implemented anymore")); -#endif break; default: @@ -398,7 +388,7 @@ print_version (FILE *stream, struct argp_state *state) Copyright (C) %s Free Software Foundation, Inc.\n\ This is free software; see the source for copying conditions. There is NO\n\ warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\ -"), "2005"); +"), "2006"); fprintf (stream, gettext ("Written by %s.\n"), "Thorsten Kukuk and Ulrich Drepper"); } diff --git a/nscd/nscd.h b/nscd/nscd.h index 3859d95d01..ed686bea7e 100644 --- a/nscd/nscd.h +++ b/nscd/nscd.h @@ -68,7 +68,6 @@ struct database_dyn const char *db_filename; time_t file_mtime; size_t suggested_module; - int secure; unsigned long int postimeout; /* In seconds. */ unsigned long int negtimeout; /* In seconds. */ @@ -122,9 +121,6 @@ extern int nthreads; /* Maximum number of threads to use. */ extern int max_nthreads; -/* Tables for which we cache data with uid. */ -extern int secure_in_use; /* Is one of the above 1? */ - /* User name to run server processes as. */ extern const char *server_user; diff --git a/nscd/selinux.c b/nscd/selinux.c index a15e522958..138d96d23a 100644 --- a/nscd/selinux.c +++ b/nscd/selinux.c @@ -27,6 +27,7 @@ #include <stdio.h> #include <stdlib.h> #include <syslog.h> +#include <unistd.h> #include <selinux/av_permissions.h> #include <selinux/avc.h> #include <selinux/flask.h> @@ -114,11 +115,28 @@ static int audit_fd = -1; static void log_callback (const char *fmt, ...) { - va_list ap; + if (audit_fd >= 0) + { + va_list ap; + va_start (ap, fmt); + + char *buf; + int e = vasprintf (&buf, fmt, ap); + if (e < 0) + { + buf = alloca (BUFSIZ); + vsnprintf (buf, BUFSIZ, fmt, ap); + } + + /* FIXME: need to attribute this to real user, using getuid for now */ + audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, getuid ()); - va_start (ap, fmt); - audit_log_avc (audit_fd, AUDIT_USER_AVC, fmt, ap); - va_end (ap); + if (e >= 0) + free (buf); + + va_end (ap); + } } /* Initialize the connection to the audit system */ @@ -126,7 +144,9 @@ static void audit_init (void) { audit_fd = audit_open (); - if (audit_fd < 0) + if (audit_fd < 0 + /* If kernel doesn't support audit, bail out */ + && errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) dbg_log (_("Failed opening connection to the audit subsystem: %m")); } #endif /* HAVE_LIBAUDIT */ |