From d6c575e303520ffdcee1590a4181410024d5f917 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 27 Dec 2016 17:59:38 +0100 Subject: nss: when we encounter an invalid user/group name or UID/GID, don't return EINVAL It's not our business to validate invalid user/group names or UID/GID. Ideally, libc would filter these out, but they don't, hence we have to filter, but let's not propagate this as error, but simply as "not found" to the caller. User name rules are pretty vaguely defined, and the rules defined by POSIX clash with reality quite heavily (for example, utmp doesn't offer enough room for user name length, and /usr/bin/chown permits separating user/group names by a single dot, even though POSIX allows dots being used in user/group names themselves.) We enforce stricter rules than POSIX for good reason, and hence in doing so we should not categorically return EINVAL on stuff we don't consider valid, but other components might. Fixes: #4983 --- src/nss-mymachines/nss-mymachines.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'src/nss-mymachines/nss-mymachines.c') diff --git a/src/nss-mymachines/nss-mymachines.c b/src/nss-mymachines/nss-mymachines.c index 895f61c462..fac37faea5 100644 --- a/src/nss-mymachines/nss-mymachines.c +++ b/src/nss-mymachines/nss-mymachines.c @@ -512,10 +512,8 @@ enum nss_status _nss_mymachines_getpwuid_r( BLOCK_SIGNALS(NSS_SIGNALS_BLOCK); - if (!uid_is_valid(uid)) { - r = -EINVAL; - goto fail; - } + if (!uid_is_valid(uid)) + goto not_found; /* We consider all uids < 65536 host uids */ if (uid < HOST_UID_LIMIT) @@ -686,10 +684,8 @@ enum nss_status _nss_mymachines_getgrgid_r( BLOCK_SIGNALS(NSS_SIGNALS_BLOCK); - if (!gid_is_valid(gid)) { - r = -EINVAL; - goto fail; - } + if (!gid_is_valid(gid)) + goto not_found; /* We consider all gids < 65536 host gids */ if (gid < HOST_GID_LIMIT) -- cgit v1.2.3-54-g00ecf