nss: use secure_getenv for behaviour-modifying booleans (#6817)
Follow up for fe102d6ab1
.
This commit is contained in:
parent
fe102d6ab1
commit
71e0acccfd
|
@ -769,6 +769,16 @@ int getenv_bool(const char *p) {
|
||||||
return parse_boolean(e);
|
return parse_boolean(e);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int getenv_bool_secure(const char *p) {
|
||||||
|
const char *e;
|
||||||
|
|
||||||
|
e = secure_getenv(p);
|
||||||
|
if (!e)
|
||||||
|
return -ENXIO;
|
||||||
|
|
||||||
|
return parse_boolean(e);
|
||||||
|
}
|
||||||
|
|
||||||
int serialize_environment(FILE *f, char **environment) {
|
int serialize_environment(FILE *f, char **environment) {
|
||||||
char **e;
|
char **e;
|
||||||
|
|
||||||
|
|
|
@ -61,6 +61,7 @@ char *strv_env_get_n(char **l, const char *name, size_t k, unsigned flags) _pure
|
||||||
char *strv_env_get(char **x, const char *n) _pure_;
|
char *strv_env_get(char **x, const char *n) _pure_;
|
||||||
|
|
||||||
int getenv_bool(const char *p);
|
int getenv_bool(const char *p);
|
||||||
|
int getenv_bool_secure(const char *p);
|
||||||
|
|
||||||
int serialize_environment(FILE *f, char **environment);
|
int serialize_environment(FILE *f, char **environment);
|
||||||
int deserialize_environment(char ***environment, const char *line);
|
int deserialize_environment(char ***environment, const char *line);
|
||||||
|
|
|
@ -435,7 +435,7 @@ enum nss_status _nss_mymachines_getpwnam_r(
|
||||||
if (!machine_name_is_valid(machine))
|
if (!machine_name_is_valid(machine))
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0)
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
|
||||||
/* Make sure we can't deadlock if we are invoked by dbus-daemon. This way, it won't be able to resolve
|
/* Make sure we can't deadlock if we are invoked by dbus-daemon. This way, it won't be able to resolve
|
||||||
* these UIDs, but that should be unproblematic as containers should never be able to connect to a bus
|
* these UIDs, but that should be unproblematic as containers should never be able to connect to a bus
|
||||||
* running on the host. */
|
* running on the host. */
|
||||||
|
@ -519,7 +519,7 @@ enum nss_status _nss_mymachines_getpwuid_r(
|
||||||
if (uid < HOST_UID_LIMIT)
|
if (uid < HOST_UID_LIMIT)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0)
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
r = sd_bus_open_system(&bus);
|
r = sd_bus_open_system(&bus);
|
||||||
|
@ -613,7 +613,7 @@ enum nss_status _nss_mymachines_getgrnam_r(
|
||||||
if (!machine_name_is_valid(machine))
|
if (!machine_name_is_valid(machine))
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0)
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
r = sd_bus_open_system(&bus);
|
r = sd_bus_open_system(&bus);
|
||||||
|
@ -691,7 +691,7 @@ enum nss_status _nss_mymachines_getgrgid_r(
|
||||||
if (gid < HOST_GID_LIMIT)
|
if (gid < HOST_GID_LIMIT)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0)
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
r = sd_bus_open_system(&bus);
|
r = sd_bus_open_system(&bus);
|
||||||
|
|
|
@ -129,7 +129,7 @@ enum nss_status _nss_systemd_getpwnam_r(
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
/* Synthesize entries for the root and nobody users, in case they are missing in /etc/passwd */
|
/* Synthesize entries for the root and nobody users, in case they are missing in /etc/passwd */
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) {
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) {
|
||||||
if (streq(name, root_passwd.pw_name)) {
|
if (streq(name, root_passwd.pw_name)) {
|
||||||
*pwd = root_passwd;
|
*pwd = root_passwd;
|
||||||
*errnop = 0;
|
*errnop = 0;
|
||||||
|
@ -143,10 +143,10 @@ enum nss_status _nss_systemd_getpwnam_r(
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Make sure that we don't go in circles when allocating a dynamic UID by checking our own database */
|
/* Make sure that we don't go in circles when allocating a dynamic UID by checking our own database */
|
||||||
if (getenv_bool("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0) {
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0) {
|
||||||
|
|
||||||
/* Access the dynamic UID allocation directly if we are called from dbus-daemon, see above. */
|
/* Access the dynamic UID allocation directly if we are called from dbus-daemon, see above. */
|
||||||
r = direct_lookup_name(name, (uid_t*) &translated);
|
r = direct_lookup_name(name, (uid_t*) &translated);
|
||||||
|
@ -233,7 +233,7 @@ enum nss_status _nss_systemd_getpwuid_r(
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
/* Synthesize data for the root user and for nobody in case they are missing from /etc/passwd */
|
/* Synthesize data for the root user and for nobody in case they are missing from /etc/passwd */
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) {
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) {
|
||||||
if (uid == root_passwd.pw_uid) {
|
if (uid == root_passwd.pw_uid) {
|
||||||
*pwd = root_passwd;
|
*pwd = root_passwd;
|
||||||
*errnop = 0;
|
*errnop = 0;
|
||||||
|
@ -249,10 +249,10 @@ enum nss_status _nss_systemd_getpwuid_r(
|
||||||
if (uid <= SYSTEM_UID_MAX)
|
if (uid <= SYSTEM_UID_MAX)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0) {
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0) {
|
||||||
|
|
||||||
r = direct_lookup_uid(uid, &direct);
|
r = direct_lookup_uid(uid, &direct);
|
||||||
if (r == -ENOENT)
|
if (r == -ENOENT)
|
||||||
|
@ -335,7 +335,7 @@ enum nss_status _nss_systemd_getgrnam_r(
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
/* Synthesize records for root and nobody, in case they are missing form /etc/group */
|
/* Synthesize records for root and nobody, in case they are missing form /etc/group */
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) {
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) {
|
||||||
if (streq(name, root_group.gr_name)) {
|
if (streq(name, root_group.gr_name)) {
|
||||||
*gr = root_group;
|
*gr = root_group;
|
||||||
*errnop = 0;
|
*errnop = 0;
|
||||||
|
@ -348,10 +348,10 @@ enum nss_status _nss_systemd_getgrnam_r(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0) {
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0) {
|
||||||
|
|
||||||
/* Access the dynamic GID allocation directly if we are called from dbus-daemon, see above. */
|
/* Access the dynamic GID allocation directly if we are called from dbus-daemon, see above. */
|
||||||
r = direct_lookup_name(name, (uid_t*) &translated);
|
r = direct_lookup_name(name, (uid_t*) &translated);
|
||||||
|
@ -436,7 +436,7 @@ enum nss_status _nss_systemd_getgrgid_r(
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
/* Synthesize records for root and nobody, in case they are missing from /etc/group */
|
/* Synthesize records for root and nobody, in case they are missing from /etc/group */
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) {
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) {
|
||||||
if (gid == root_group.gr_gid) {
|
if (gid == root_group.gr_gid) {
|
||||||
*gr = root_group;
|
*gr = root_group;
|
||||||
*errnop = 0;
|
*errnop = 0;
|
||||||
|
@ -452,10 +452,10 @@ enum nss_status _nss_systemd_getgrgid_r(
|
||||||
if (gid <= SYSTEM_GID_MAX)
|
if (gid <= SYSTEM_GID_MAX)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool("SYSTEMD_NSS_BYPASS_BUS") > 0) {
|
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0) {
|
||||||
|
|
||||||
r = direct_lookup_uid(gid, &direct);
|
r = direct_lookup_uid(gid, &direct);
|
||||||
if (r == -ENOENT)
|
if (r == -ENOENT)
|
||||||
|
|
Loading…
Reference in a new issue