nss-systemd: tweak checks when we consult PID 1 for dynamic UID/GID lookups

Instead of contacting PID 1 for dynamic UID/GID lookups for all UIDs/GIDs that do not qualify as "system" do the more precise check instead: check if they actually qualify for the "dynamic" range.
2017-12-02 13:07:18 +01:00 · 2017-12-02 13:07:18 +01:00 · 8343827793
parent 4e72397b00
commit 8343827793
2 changed files with 6 additions and 3 deletions
--- a/src/basic/user-util.h
+++ b/src/basic/user-util.h
@ -64,6 +64,10 @@ static inline bool uid_is_dynamic(uid_t uid) {
        return DYNAMIC_UID_MIN <= uid && uid <= DYNAMIC_UID_MAX;
 }

+static inline bool gid_is_dynamic(gid_t gid) {
+        return uid_is_dynamic((uid_t) gid);
+}
+
 static inline bool uid_is_system(uid_t uid) {
        return uid <= SYSTEM_UID_MAX;
 }
--- a/src/nss-systemd/nss-systemd.c
+++ b/src/nss-systemd/nss-systemd.c
@ -251,7 +251,7 @@ enum nss_status _nss_systemd_getpwuid_r(
                }
        }

-        if (uid_is_system(uid))
+        if (!uid_is_dynamic(uid))
                goto not_found;

        if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
@ -463,7 +463,7 @@ enum nss_status _nss_systemd_getgrgid_r(
                }
        }

-        if (gid_is_system(gid))
+        if (!gid_is_dynamic(gid))
                goto not_found;

        if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
@ -500,7 +500,6 @@ enum nss_status _nss_systemd_getgrgid_r(

 direct_lookup:
        if (bypass > 0) {
-
                r = direct_lookup_uid(gid, &direct);
                if (r == -ENOENT)
                        goto not_found;