OpenE2K/glibc
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
5ffc980589
glibc/nss/nsswitch.h
Stephen Gallagher ced8f89336 NSS: Implement group merging support. 
https://sourceware.org/glibc/wiki/Proposals/GroupMerging

== Justification ==
It is common today for users to rely on centrally-managed user stores for
handling their user accounts. However, much software existing today does
not have an innate understanding of such accounts. Instead, they commonly
rely on membership in known groups for managing access-control (for
example the "wheel" group on Fedora and RHEL systems or the "adm" group
on Debian-derived systems). In the present incarnation of nsswitch, the
only way to have such groups managed by a remote user store such as
FreeIPA or Active Directory would be to manually remove the groups from
/etc/group on the clients so that nsswitch would then move past nss_files
and into the SSSD, nss-ldap or other remote user database.

== Solution ==
With this patch, a new action is introduced for nsswitch:
NSS_ACTION_MERGE. To take advantage of it, one will add [SUCCESS=merge]
between two database entries in the nsswitch.conf file. When a group is
located in the first of the two group entries, processing will continue
on to the next one. If the group is also found in the next entry (and the
group name and GID are an exact match), the member list of the second
entry will be added to the group object to be returned.

== Implementation ==
After each DL_LOOKUP_FN() returns, the next action is checked. If the
function returned NSS_STATUS_SUCCESS and the next action is
NSS_ACTION_MERGE, a copy of the result buffer is saved for the next pass
through the loop. If on this next pass through the loop the database
returns another instance of a group matching both the group name and GID,
the member list is added to the previous list and it is returned as a
single object. If the following database does not contain the same group,
then the original is copied back into the destination buffer.

This patch implements merge functionality only for the group database.
For other databases, there is a default implementation that will return
the EINVAL errno if a merge is requested. The merge functionality can be
implemented for other databases at a later time if such is needed. Each
database must provide a unique implementation of the deep-copy and merge
functions.

If [SUCCESS=merge] is present in nsswitch.conf for a glibc version that
does not support it, glibc will process results up until that operation,
at which time it will return results if it has found them or else will
simply return an error. In practical terms, this ends up behaving like
the remainder of the nsswitch.conf line does not exist.

== Iterators ==
This feature does not modify the iterator functionality from its current
behavior. If getgrnam() or getgrgid() is called, glibc will iterate
through all entries in the `group` line in nsswitch.conf and display the
list of members without attempting to merge them. This is consistent with
the behavior of nss_files where if two separate lines are specified for
the same group in /etc/groups, getgrnam()/getgrgid() will display both.
Clients are already expected to handle this gracefully.

== No Premature Optimizations ==
The following is a list of places that might be eligible for
optimization, but were not overengineered for this initial contribution:
 * Any situation where a merge may occur will result in one malloc() of
   the same size as the input buffer.
 * Any situation where a merge does occur will result in a second
   malloc() to hold the list of pointers to member name strings.
 * The list of members is simply concatenated together and is not tested
   for uniqueness (which is identical to the behavior for nss_files,
   which will simply return identical values if they both exist on the
   line in the file. This could potentially be optimized to reduce space
   usage in the buffer, but it is both complex and computationally
   expensive to do so.

== Testing ==
I performed testing by running the getent utility against my newly-built
glibc and configuring /etc/nsswitch.conf with the following entry:
group: group:      files [SUCCESS=merge] sss

In /etc/group I included the line:
wheel10:sgallagh

I then configured my local SSSD using the id_provider=local to respond
with:
wheel:*:10:localuser,localuser2

I then ran `getent group wheel` against the newly-built glibc in
multiple situations and received the expected output as described
above:
 * When SSSD was running.
 * When SSSD was configured in nsswitch.conf but the daemon was not
   running.
 * When SSSD was configured in nsswitch.conf but nss_sss.so.2 was not
   installed on the system.
 * When the order of 'sss' and 'files' was reversed.
 * All of the above with the [SUCCESS=merge] removed (to ensure no
   regressions).
 * All of the above with `getent group 10`.
 * All of the above with `getent group` with and without
   `enumerate=true` set in SSSD.
 * All of the above with and without nscd enabled on the system.
2016-04-29 22:18:21 -04:00

214 lines
7.0 KiB
C
Raw Blame History

/* Copyright (C) 1996-2016 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
#ifndef _NSSWITCH_H
#define _NSSWITCH_H 1
/* This is an *internal* header. */
#include <arpa/nameser.h>
#include <netinet/in.h>
#include <nss.h>
#include <resolv.h>
#include <search.h>
#include <dlfcn.h>
#include <stdbool.h>
/* Actions performed after lookup finished. */
typedef enum
{
NSS_ACTION_CONTINUE,
NSS_ACTION_RETURN,
NSS_ACTION_MERGE
} lookup_actions;
typedef struct service_library
{
/* Name of service (`files', `dns', `nis', ...). */
const char *name;
/* Pointer to the loaded shared library. */
void *lib_handle;
/* And the link to the next entry. */
struct service_library *next;
} service_library;
/* For mapping a function name to a function pointer. It is known in
nsswitch.c:nss_lookup_function that a string pointer for the lookup key
is the first member. */
typedef struct
{
const char *fct_name;
void *fct_ptr;
} known_function;
typedef struct service_user
{
/* And the link to the next entry. */
struct service_user *next;
/* Action according to result. */
lookup_actions actions[5];
/* Link to the underlying library object. */
service_library *library;
/* Collection of known functions. */
void *known;
/* Name of the service (`files', `dns', `nis', ...). */
char name[0];
} service_user;
/* To access the action based on the status value use this macro. */
#define nss_next_action(ni, status) ((ni)->actions[2 + status])
typedef struct name_database_entry
{
/* And the link to the next entry. */
struct name_database_entry *next;
/* List of service to be used. */
service_user *service;
/* Name of the database. */
char name[0];
} name_database_entry;
typedef struct name_database
{
/* List of all known databases. */
name_database_entry *entry;
/* List of libraries with service implementation. */
service_library *library;
} name_database;
/* Indices into DATABASES in nsswitch.c and __NSS_DATABASE_CUSTOM. */
enum
{
#define DEFINE_DATABASE(arg) NSS_DBSIDX_##arg,
#include "databases.def"
#undef DEFINE_DATABASE
NSS_DBSIDX_max
};
/* Flags whether custom rules for database is set. */
extern bool __nss_database_custom[NSS_DBSIDX_max];
/* Warning for NSS functions, which don't require dlopen if glibc
was built with --enable-static-nss. */
#ifdef DO_STATIC_NSS
# define nss_interface_function(name)
#else
# define nss_interface_function(name) static_link_warning (name)
#endif
/* Interface functions for NSS. */
/* Get the data structure representing the specified database.
If there is no configuration for this database in the file,
parse a service list from DEFCONFIG and use that. More
than one function can use the database. */
extern int __nss_database_lookup (const char *database,
const char *alternative_name,
const char *defconfig, service_user **ni);
libc_hidden_proto (__nss_database_lookup)
/* Put first function with name FCT_NAME for SERVICE in FCTP. The
position is remembered in NI. The function returns a value < 0 if
an error occurred or no such function exists. */
extern int __nss_lookup (service_user **ni, const char *fct_name,
const char *fct2_name, void **fctp);
libc_hidden_proto (__nss_lookup)
/* Determine the next step in the lookup process according to the
result STATUS of the call to the last function returned by
`__nss_lookup' or `__nss_next'. NI specifies the last function
examined. The function return a value > 0 if the process should
stop with the last result of the last function call to be the
result of the entire lookup. The returned value is 0 if there is
another function to use and < 0 if an error occurred.
If ALL_VALUES is nonzero, the return value will not be > 0 as long as
there is a possibility the lookup process can ever use following
services. In other words, only if all four lookup results have
the action RETURN associated the lookup process stops before the
natural end. */
extern int __nss_next2 (service_user **ni, const char *fct_name,
const char *fct2_name, void **fctp, int status,
int all_values) attribute_hidden;
libc_hidden_proto (__nss_next2)
extern int __nss_next (service_user **ni, const char *fct_name, void **fctp,
int status, int all_values);
/* Search for the service described in NI for a function named FCT_NAME
and return a pointer to this function if successful. */
extern void *__nss_lookup_function (service_user *ni, const char *fct_name);
libc_hidden_proto (__nss_lookup_function)
/* Called by NSCD to disable recursive calls and enable special handling
when used in nscd. */
struct traced_file;
extern void __nss_disable_nscd (void (*) (size_t, struct traced_file *));
typedef int (*db_lookup_function) (service_user **, const char *, const char *,
void **)
internal_function;
typedef enum nss_status (*setent_function) (int);
typedef enum nss_status (*endent_function) (void);
typedef enum nss_status (*getent_function) (void *, char *, size_t,
int *, int *);
typedef int (*getent_r_function) (void *, char *, size_t,
void **result, int *);
extern void __nss_setent (const char *func_name,
db_lookup_function lookup_fct,
service_user **nip, service_user **startp,
service_user **last_nip, int stayon,
int *stayon_tmp, int res);
extern void __nss_endent (const char *func_name,
db_lookup_function lookup_fct,
service_user **nip, service_user **startp,
service_user **last_nip, int res);
extern int __nss_getent_r (const char *getent_func_name,
const char *setent_func_name,
db_lookup_function lookup_fct,
service_user **nip, service_user **startp,
service_user **last_nip, int *stayon_tmp,
int res,
void *resbuf, char *buffer, size_t buflen,
void **result, int *h_errnop);
extern void *__nss_getent (getent_r_function func,
void **resbuf, char **buffer, size_t buflen,
size_t *buffer_size, int *h_errnop);
struct hostent;
extern int __nss_hostname_digits_dots (const char *name,
struct hostent *resbuf, char **buffer,
size_t *buffer_size, size_t buflen,
struct hostent **result,
enum nss_status *status, int af,
int *h_errnop);
libc_hidden_proto (__nss_hostname_digits_dots)
/* Maximum number of aliases we allow. */
#define MAX_NR_ALIASES 48
#define MAX_NR_ADDRS 48
#endif /* nsswitch.h */
Reference in New Issue View Git Blame Copy Permalink