From a1c542bfc5684d914cf2af2c3ec9d5432d0b01dc Mon Sep 17 00:00:00 2001 From: Ulrich Drepper Date: Fri, 11 Jun 1999 20:58:21 +0000 Subject: Update. 1999-06-11 Thorsten Kukuk * nscd/nscd.c: Add -S options for separate caching of data for every user. So one user couldn't see the data another user has gotten with his credentials. * nscd/nscd.h: Add new prototypes. * nscd/cache.c: Compare owner of cache entry if in secure mode. * nscd/connections.c: Check on shutdown if caller really was root. In secure mode get uid of caller. * nscd/grpcache.c: Add support for new secure group mode. * nscd/hstcache.c: Add support for new secure hosts mode. * nscd/pwdcache.c: Add support for new secure passwd mode. --- nscd/pwdcache.c | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) (limited to 'nscd/pwdcache.c') diff --git a/nscd/pwdcache.c b/nscd/pwdcache.c index 5bf89a75ba..a66cf4fe3d 100644 --- a/nscd/pwdcache.c +++ b/nscd/pwdcache.c @@ -1,5 +1,5 @@ /* Cache handling for passwd lookup. - Copyright (C) 1998 Free Software Foundation, Inc. + Copyright (C) 1998, 1999 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Ulrich Drepper , 1998. @@ -84,7 +84,7 @@ struct passwddata static void cache_addpw (struct database *db, int fd, request_header *req, void *key, - struct passwd *pwd) + struct passwd *pwd, uid_t owner) { ssize_t total; ssize_t written; @@ -112,7 +112,7 @@ cache_addpw (struct database *db, int fd, request_header *req, void *key, pthread_rwlock_rdlock (&db->lock); cache_add (req->type, copy, req->key_len, &iov_notfound, - sizeof (notfound), (void *) -1, 0, t, db); + sizeof (notfound), (void *) -1, 0, t, db, owner); pthread_rwlock_unlock (&db->lock); } 
@@ -175,9 +175,9 @@ cache_addpw (struct database *db, int fd, request_header *req, void *key, /* We have to add the value for both, byname and byuid. */ cache_add (GETPWBYNAME, data->strdata, pw_name_len, data, - total, data, 0, t, db); + total, data, 0, t, db, owner); - cache_add (GETPWBYUID, cp, n, data, total, data, 1, t, db); + cache_add (GETPWBYUID, cp, n, data, total, data, 1, t, db, owner); pthread_rwlock_unlock (&db->lock); } @@ -192,7 +192,8 @@ cache_addpw (struct database *db, int fd, request_header *req, void *key, void -addpwbyname (struct database *db, int fd, request_header *req, void *key) +addpwbyname (struct database *db, int fd, request_header *req, + void *key, uid_t c_uid) { /* Search for the entry matching the key. Please note that we don't look again in the table whether the dataset is now available. We @@ -202,10 +203,17 @@ addpwbyname (struct database *db, int fd, request_header *req, void *key) char *buffer = alloca (buflen); struct passwd resultbuf; struct passwd *pwd; + uid_t oldeuid; if (debug_level > 0) dbg_log (_("Haven't found \"%s\" in password cache!"), key); + if (secure[pwddb]) + { + oldeuid = geteuid (); + seteuid (c_uid); + } + while (getpwnam_r (key, &resultbuf, buffer, buflen, &pwd) != 0 && errno == ERANGE) { @@ -214,12 +222,16 @@ addpwbyname (struct database *db, int fd, request_header *req, void *key) buffer = alloca (buflen); } - cache_addpw (db, fd, req, key, pwd); + if (secure[pwddb]) + seteuid (c_uid); + + cache_addpw (db, fd, req, key, pwd, c_uid); } void -addpwbyuid (struct database *db, int fd, request_header *req, void *key) +addpwbyuid (struct database *db, int fd, request_header *req, + void *key, uid_t c_uid) { /* Search for the entry matching the key. Please note that we don't look again in the table whether the dataset is now available. We 
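Review bot: The new `c_uid` parameter on addpwbyname is undocumented, and nothing in the signature says it is only meaningful when the database runs in secure mode. A one-line comment above the definition, `/* c_uid: UID of the requesting client; only used when secure[pwddb] is set.  */`, would spare the next reader a trip through connections.c to find out where it comes from. The ChangeLog says the caller's UID is obtained in secure mode, which is the only basis for that wording, so verify it against the call site. addpwbyname's body continues into the following hunk.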
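Review bot: The `seteuid (c_uid)` inserted before the getpwnam_r loop is never checked, so if the switch fails the lookup still runs with nscd's own privileges and cache_addpw later stores the result tagged with `owner` = c_uid as though it had been fetched under the client's credentials, which is exactly what the -S mode is meant to rule out. A failed switch should not fail open: test it with `if (seteuid (c_uid) != 0)`, log it, and skip the getpwnam_r call (leaving `pwd` NULL so the client gets the not-found reply) instead of continuing. `uid_t oldeuid;` is also left uninitialised here while addpwbyuid in the later hunk writes `uid_t oldeuid = 0;`; initialise it the same way so a restore can never read an indeterminate value. Note too that the rwlock in cache_addpw shows nscd serves requests from several threads, and whether seteuid changes credentials for this thread only or for the whole process depends on the thread implementation — if it is process-wide, a concurrent lookup on another thread would run under this client's UID, which is worth confirming before relying on the scheme. addpwbyname begins outside this hunk.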
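Review bot: The restore after the getpwnam_r loop in addpwbyname calls `seteuid (c_uid)` a second time instead of putting the old effective UID back, so in secure mode the thread keeps running as the client; the parallel code in addpwbyuid correctly writes `seteuid (oldeuid);`, and this line should read the same. Once the effective UID is a non-root value, a later `seteuid (c_uid)` for a different client can only reach the real, effective or saved UID and fails with EPERM, and because that call is unchecked the next lookup runs — and is cached — under the previous client's credentials, the cross-user exposure the -S option is supposed to prevent. The restore itself should also be checked, since silently continuing after a failed `seteuid (oldeuid)` leaves the daemon in the same degraded state. addpwbyname starts in the previous hunk, and the hunk also opens addpwbyuid, whose body continues outside it.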
@@ -230,10 +242,17 @@ addpwbyuid (struct database *db, int fd, request_header *req, void *key) struct passwd resultbuf; struct passwd *pwd; uid_t uid = atol (key); + uid_t oldeuid = 0; if (debug_level > 0) dbg_log (_("Haven't found \"%d\" in password cache!"), uid); + if (secure[pwddb]) + { + oldeuid = geteuid (); + seteuid (c_uid); + } + while (getpwuid_r (uid, &resultbuf, buffer, buflen, &pwd) != 0 && errno == ERANGE) { @@ -242,5 +261,8 @@ addpwbyuid (struct database *db, int fd, request_header *req, void *key) buffer = alloca (buflen); } - cache_addpw (db, fd, req, key, pwd); + if (secure[pwddb]) + seteuid (oldeuid); + + cache_addpw (db, fd, req, key, pwd, c_uid); } -- cgit v1.2.3
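Review bot: As in addpwbyname, the `seteuid (c_uid)` added before the getpwuid_r loop has its return value ignored, so a failed switch lets the lookup run with nscd's root privileges while the entry is still filed under `owner` = c_uid; the per-user isolation then depends on a syscall nobody checks. Guard it with `if (seteuid (c_uid) != 0)` and, on failure, skip the lookup so `pwd` stays NULL and the not-found path in cache_addpw answers the client, rather than continuing. The restoring `seteuid (oldeuid)` in the next hunk deserves the same check, because after a failed restore every following secure lookup inherits this client's UID. addpwbyuid begins in the previous hunk and its tail is in the hunk that follows.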