From cf3bdcfeba48ffef71f1f59e092c4fb9275dcb3a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 10 Feb 2016 22:58:41 +0100
Subject: nss-mymachines: never resolve unmapped UIDs/GIDs

Don't ever permit successful user or group lookups if no UID/GID mapping is
actually applied. THis way, we can be sure that nss-mymachines cannot be used
to insert invalid cache entries into nscd's cache.

https://bugzilla.redhat.com/show_bug.cgi?id=1285339
---
 src/nss-mymachines/nss-mymachines.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

(limited to 'src/nss-mymachines')

diff --git a/src/nss-mymachines/nss-mymachines.c b/src/nss-mymachines/nss-mymachines.c
index 78133a39bf..1582d702f8 100644
--- a/src/nss-mymachines/nss-mymachines.c
+++ b/src/nss-mymachines/nss-mymachines.c
@@ -38,6 +38,9 @@ NSS_GETHOSTBYNAME_PROTOTYPES(mymachines);
 NSS_GETPW_PROTOTYPES(mymachines);
 NSS_GETGR_PROTOTYPES(mymachines);
 
+#define HOST_UID_LIMIT ((uid_t) UINT32_C(0x10000))
+#define HOST_GID_LIMIT ((gid_t) UINT32_C(0x10000))
+
 static int count_addresses(sd_bus_message *m, int af, unsigned *ret) {
         unsigned c = 0;
         int r;
@@ -455,6 +458,10 @@ enum nss_status _nss_mymachines_getpwnam_r(
         if (r < 0)
                 goto fail;
 
+        /* Refuse to work if the mapped address is in the host UID range, or if there was no mapping at all. */
+        if (mapped < HOST_UID_LIMIT || mapped == uid)
+                goto not_found;
+
         l = strlen(name);
         if (buflen < l+1) {
                 *errnop = ENOMEM;
@@ -504,7 +511,7 @@ enum nss_status _nss_mymachines_getpwuid_r(
         }
 
         /* We consider all uids < 65536 host uids */
-        if (uid < 0x10000)
+        if (uid < HOST_UID_LIMIT)
                 goto not_found;
 
         r = sd_bus_open_system(&bus);
@@ -531,6 +538,9 @@ enum nss_status _nss_mymachines_getpwuid_r(
         if (r < 0)
                 goto fail;
 
+        if (mapped == uid)
+                goto not_found;
+
         if (snprintf(buffer, buflen, "vu-%s-" UID_FMT, machine, (uid_t) mapped) >= (int) buflen) {
                 *errnop = ENOMEM;
                 return NSS_STATUS_TRYAGAIN;
@@ -619,6 +629,9 @@ enum nss_status _nss_mymachines_getgrnam_r(
         if (r < 0)
                 goto fail;
 
+        if (mapped < HOST_GID_LIMIT || mapped == gid)
+                goto not_found;
+
         l = sizeof(char*) + strlen(name) + 1;
         if (buflen < l) {
                 *errnop = ENOMEM;
@@ -666,7 +679,7 @@ enum nss_status _nss_mymachines_getgrgid_r(
         }
 
         /* We consider all gids < 65536 host gids */
-        if (gid < 0x10000)
+        if (gid < HOST_GID_LIMIT)
                 goto not_found;
 
         r = sd_bus_open_system(&bus);
@@ -693,6 +706,9 @@ enum nss_status _nss_mymachines_getgrgid_r(
         if (r < 0)
                 goto fail;
 
+        if (mapped == gid)
+                goto not_found;
+
         if (buflen < sizeof(char*) + 1) {
                 *errnop = ENOMEM;
                 return NSS_STATUS_TRYAGAIN;
-- 
cgit v1.2.3-54-g00ecf