
nss-pam-ldapd commit: r1723 - in nss-pam-ldapd: . nslcd pynslcd


nss-pam-ldapd commit: r1723 - in nss-pam-ldapd: . nslcd pynslcd



Author: arthur
Date: Fri Jul 20 14:27:19 2012
New Revision: 1723
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1723&view=revision

Log:
on startup have the gid option default to the primary group of the specified 
user and load the user's supplementary groups

Modified:
   nss-pam-ldapd/configure.ac
   nss-pam-ldapd/nslcd/cfg.c
   nss-pam-ldapd/nslcd/cfg.h
   nss-pam-ldapd/nslcd/nslcd.c
   nss-pam-ldapd/pynslcd/pynslcd.py

Modified: nss-pam-ldapd/configure.ac
==============================================================================
--- nss-pam-ldapd/configure.ac  Fri Jul 20 13:00:35 2012        (r1722)
+++ nss-pam-ldapd/configure.ac  Fri Jul 20 14:27:19 2012        (r1723)
@@ -575,7 +575,7 @@
   AC_SEARCH_LIBS(dlopen,dl)
 
   # check for availability of functions
-  AC_CHECK_FUNCS(setgroups)
+  AC_CHECK_FUNCS(initgroups setgroups)
   AC_CHECK_FUNCS(getpeereid)
   AC_CHECK_FUNCS(getpeerucred)
   AC_CHECK_FUNCS(__nss_configure_lookup)

Modified: nss-pam-ldapd/nslcd/cfg.c
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.c   Fri Jul 20 13:00:35 2012        (r1722)
+++ nss-pam-ldapd/nslcd/cfg.c   Fri Jul 20 14:27:19 2012        (r1723)
@@ -87,6 +87,7 @@
   int i;
   memset(cfg,0,sizeof(struct ldap_config));
   cfg->ldc_threads=5;
+  cfg->ldc_uidname=NULL;
   cfg->ldc_uid=NOUID;
   cfg->ldc_gid=NOGID;
   cfg->ldc_ignorecase=0;
@@ -441,7 +442,7 @@
 
 static void get_uid(const char *filename,int lnr,
                     const char *keyword,char **line,
-                    uid_t *var)
+                    uid_t *var,gid_t *gid,char **str)
 {
   /* TODO: refactor to have less overhead */
   char token[32];
@@ -452,12 +453,24 @@
   errno=0;
   *var=strtouid(token,&tmp,10);
   if ((*token!='\0')&&(*tmp=='\0')&&(errno==0)&&(strchr(token,'-')==NULL))
+  {
+    /* get the name and gid from the passwd database */
+    pwent=getpwuid(*var);
+    if ((gid!=NULL)&&(*gid!=NOGID))
+      *gid=pwent->pw_gid;
+    if (str!=NULL)
+      *str=strdup(pwent->pw_name);
     return;
+  }
   /* find by name */
   pwent=getpwnam(token);
   if (pwent!=NULL)
   {
     *var=pwent->pw_uid;
+    if ((gid!=NULL)&&(*gid!=NOGID))
+      *gid=pwent->pw_gid;
+    if (str!=NULL)
+      *str=strdup(token);
     return;
   }
   /* log an error */
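Review bot: `pwent=getpwuid(*var);` on the new numeric-uid path is dereferenced on the next lines without a NULL check, so a numeric uid that has no passwd entry (which the old code accepted and simply stored) now crashes nslcd while parsing its config. The gid test used here and again in the by-name branch also looks inverted relative to the commit message: `*gid!=NOGID` copies the user's primary group only when a gid was already configured (overwriting it) and never when it is still NOGID, so for the usual `uid` before `gid` ordering the new default seems never to apply; `*gid==NOGID` appears to be what was meant. The `strdup()` results are stored unchecked as well. The remainder of get_uid (the error path) lies after the hunk.
```c
    /* get the name and gid from the passwd database */
    pwent=getpwuid(*var);
    if (pwent==NULL)
    {
      /* a numeric uid without a passwd entry is still a usable uid */
      if (str!=NULL)
        *str=NULL;
      return;
    }
    /* only fill in the gid if the gid option did not already set it */
    if ((gid!=NULL)&&(*gid==NOGID))
      *gid=pwent->pw_gid;
    if (str!=NULL)
      *str=strdup(pwent->pw_name);
    return;
  }
  /* … unchanged: find by name, with the same `*gid==NOGID` test … */
```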
@@ -883,7 +896,7 @@
     }
     else if (strcasecmp(keyword,"uid")==0)
     {
-      get_uid(filename,lnr,keyword,&line,&cfg->ldc_uid);
+      
get_uid(filename,lnr,keyword,&line,&cfg->ldc_uid,&cfg->ldc_gid,&cfg->ldc_uidname);
       get_eol(filename,lnr,keyword,&line);
     }
     else if (strcasecmp(keyword,"gid")==0)
@@ -1153,7 +1166,7 @@
     }
     else if (strcasecmp(keyword,"nss_min_uid")==0)
     {
-      get_uid(filename,lnr,keyword,&line,&cfg->ldc_nss_min_uid);
+      get_uid(filename,lnr,keyword,&line,&cfg->ldc_nss_min_uid,NULL,NULL);
       get_eol(filename,lnr,keyword,&line);
     }
     else if (strcasecmp(keyword,"validnames")==0)
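Review bot: This caller passes `NULL,NULL` because it has no use for a name or group, yet get_uid (earlier hunk) now performs a `getpwuid()` lookup for every numeric value regardless, so a numeric `nss_min_uid` with no matching passwd entry triggers the unchecked NULL dereference there, and any numeric value costs an extra NSS lookup at startup. It would be cleaner for get_uid to skip the passwd lookup entirely when both out-parameters are NULL, e.g. `if ((gid==NULL)&&(str==NULL)) return;` right after the numeric parse succeeds. That keeps `nss_min_uid` behaving exactly as it did before this commit.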

Modified: nss-pam-ldapd/nslcd/cfg.h
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.h   Fri Jul 20 13:00:35 2012        (r1722)
+++ nss-pam-ldapd/nslcd/cfg.h   Fri Jul 20 14:27:19 2012        (r1723)
@@ -85,6 +85,8 @@
 {
   /* the number of threads to start */
   int ldc_threads;
+  /* the user name specified in the uid option */
+  char *ldc_uidname;
   /* the user id nslcd should be run as */
   uid_t ldc_uid;
   /* the group id nslcd should be run as */
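Review bot: The comment on the new `ldc_uidname` field describes it as "the user name specified in the uid option", but cfg.c in this commit also fills it from `pw_name` when a numeric uid is given, and the value is a `strdup()` result that is NULL when no uid is configured. Since nslcd.c keys its group handling on this pointer being non-NULL, the ownership and NULL semantics are worth stating: `/* the user name for the uid option (resolved via passwd if a number was given); strdup()'ed, NULL if unset */`.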

Modified: nss-pam-ldapd/nslcd/nslcd.c
==============================================================================
--- nss-pam-ldapd/nslcd/nslcd.c Fri Jul 20 13:00:35 2012        (r1722)
+++ nss-pam-ldapd/nslcd/nslcd.c Fri Jul 20 14:27:19 2012        (r1723)
@@ -42,9 +42,7 @@
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <sys/un.h>
-#ifdef HAVE_GRP_H
 #include <grp.h>
-#endif /* HAVE_GRP_H */
 #ifdef HAVE_NSS_H
 #include <nss.h>
 #endif /* HAVE_NSS_H */
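Review bot: Dropping the `HAVE_GRP_H` guard makes `<grp.h>` an unconditional include while the functions it declares (`initgroups()`, `setgroups()`) stay behind `HAVE_INITGROUPS`/`HAVE_SETGROUPS` checks in the hunk below, which is inconsistent: a platform that lacks the header now fails to compile even though the code would otherwise degrade gracefully. If the configure check for `grp.h` still exists, keeping `#ifdef HAVE_GRP_H` around the include costs nothing; if it was removed on purpose, a short comment such as `/* grp.h is POSIX; needed for initgroups()/setgroups() */` would record that.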
@@ -741,15 +739,28 @@
   }
   /* create socket */
   nslcd_serversocket=create_socket(NSLCD_SOCKET);
+  if ((nslcd_cfg->ldc_gid!=NOGID)&&(nslcd_cfg->ldc_uidname!=NULL))
+  {
+#ifdef HAVE_INITGROUPS
+    /* load supplementary groups */
+    if (initgroups(nslcd_cfg->ldc_uidname,nslcd_cfg->ldc_gid)<0)
+      log_log(LOG_WARNING,"cannot initgroups(\"%s\",%d) (ignored): %s",
+              nslcd_cfg->ldc_uidname,nslcd_cfg->ldc_gid,strerror(errno));
+    else
+      log_log(LOG_DEBUG,"initgroups(\"%s\",%d) done",
+              nslcd_cfg->ldc_uidname,nslcd_cfg->ldc_gid);
+#else /* not HAVE_INITGROUPS */
 #ifdef HAVE_SETGROUPS
-  /* drop all supplemental groups */
-  if (setgroups(0,NULL)<0)
-    log_log(LOG_WARNING,"cannot setgroups(0,NULL) (ignored): 
%s",strerror(errno));
-  else
-    log_log(LOG_DEBUG,"setgroups(0,NULL) done");
-#else /* HAVE_SETGROUPS */
-  log_log(LOG_DEBUG,"setgroups() not available");
+    /* just drop all supplemental groups */
+    if (setgroups(0,NULL)<0)
+      log_log(LOG_WARNING,"cannot setgroups(0,NULL) (ignored): 
%s",strerror(errno));
+    else
+      log_log(LOG_DEBUG,"setgroups(0,NULL) done");
+#else /* not HAVE_SETGROUPS */
+    log_log(LOG_DEBUG,"neither initgroups() or setgroups() available");
 #endif /* not HAVE_SETGROUPS */
+#endif /* not HAVE_INITGROUPS */
+  }
   /* change to nslcd gid */
   if (nslcd_cfg->ldc_gid!=NOGID)
   {
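Review bot: The new guard `(ldc_gid!=NOGID)&&(ldc_uidname!=NULL)` means that whenever it is false (uid configured without gid, gid without uid, or neither) the process no longer drops its supplementary groups at all, whereas before this commit `setgroups(0,NULL)` ran unconditionally; combined with the `setuid()` that follows, nslcd can now run as an unprivileged uid while still carrying root's supplementary group memberships. An `initgroups()` failure is likewise logged as "(ignored)" and execution continues with the inherited group list, which for a privilege-drop step is the wrong default; it should presumably be fatal, as the later `setgid()`/`setuid()` failures outside this hunk appear to be. Minor: `%d` is used for a `gid_t`, which is unsigned on common platforms, so cast to `(int)` or use `%u`. The `else` branch below restores the previous drop-all behaviour when no user name is available.
```c
  /* initgroups() needs root, so do this before the setgid()/setuid() below */
  if ((nslcd_cfg->ldc_gid!=NOGID)&&(nslcd_cfg->ldc_uidname!=NULL))
  {
#ifdef HAVE_INITGROUPS
    if (initgroups(nslcd_cfg->ldc_uidname,nslcd_cfg->ldc_gid)<0)
    {
      log_log(LOG_ERR,"cannot initgroups(\"%s\",%d): %s",
              nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid,strerror(errno));
      exit(EXIT_FAILURE);
    }
    log_log(LOG_DEBUG,"initgroups(\"%s\",%d) done",
            nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid);
#else /* not HAVE_INITGROUPS */
    /* … unchanged: setgroups(0,NULL) fallback … */
#endif /* not HAVE_INITGROUPS */
  }
  else
  {
#ifdef HAVE_SETGROUPS
    /* no user name to load groups for: drop all supplemental groups as before */
    if (setgroups(0,NULL)<0)
      log_log(LOG_WARNING,"cannot setgroups(0,NULL) (ignored): %s",strerror(errno));
#endif /* HAVE_SETGROUPS */
  }
```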

Modified: nss-pam-ldapd/pynslcd/pynslcd.py
==============================================================================
--- nss-pam-ldapd/pynslcd/pynslcd.py    Fri Jul 20 13:00:35 2012        (r1722)
+++ nss-pam-ldapd/pynslcd/pynslcd.py    Fri Jul 20 14:27:19 2012        (r1723)
@@ -326,19 +326,18 @@
         try:
             # create socket
             nslcd_serversocket = create_socket()
-            # drop all supplemental groups
-            try:
-                os.setgroups(())
-            except OSError, e:
-                logging.warning('cannot setgroups(()) (ignored): %s', e)
-            # change to nslcd gid
-            if cfg.gid is not None:
-                import grp
-                os.setgid(grp.getgrnam(cfg.gid).gr_gid)
-            # change to nslcd uid
+            # load supplementary groups
             if cfg.uid is not None:
                 import pwd
+                import grp
                 u = pwd.getpwnam(cfg.uid)
+                if cfg.gid is None:
+                    gid = u.pw_gid
+                else:
+                    gid = grp.getgrnam(cfg.gid).gr_gid
+                # set supplementary groups, gid and uid
+                os.initgroups(u.pw_name, gid)
+                os.setgid(gid)
                 os.setuid(u.pw_uid)
                 os.environ['HOME'] = u.pw_dir
             logging.info('accepting connections')
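Review bot: Moving the group handling under `if cfg.uid is not None:` silently disables the `gid` option when no `uid` is configured: before this commit `os.setgroups(())` and `os.setgid(...)` ran regardless of `cfg.uid`, now a config with only `gid` keeps root's gid and supplementary groups without any warning. An `elif cfg.gid is not None:` branch restoring the old behaviour (below) keeps the two options independent as they were. Also worth noting in a comment that `os.initgroups` only exists from Python 2.7 / 3.2 on (the removed `except OSError, e` shows this is Python 2 code), if older interpreters are still a target.
```python
            if cfg.uid is not None:
                # … unchanged: initgroups/setgid/setuid for cfg.uid …
            elif cfg.gid is not None:
                # gid without uid: drop supplementary groups and set gid as before
                import grp
                os.setgroups(())
                os.setgid(grp.getgrnam(cfg.gid).gr_gid)
```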