typedef char authdb_t[16];
# endif
-/* The empty string means to access all defined administrative domains. */
+/* The empty string means to access all defined authentication registries. */
static authdb_t old_registry;
# if defined(HAVE_DECL_SETAUTHDB) && !HAVE_DECL_SETAUTHDB
# endif
/*
- * Look up administrative domain for user (SYSTEM in /etc/security/user) and
+ * Look up authentication registry for user (SYSTEM in /etc/security/user) and
* set it as the default for the process. This ensures that password and
* group lookups are made against the correct source (files, NIS, LDAP, etc).
* Does not modify errno even on error since callers do not check rval.
*/
int
-aix_setauthdb_v1(char *user)
+aix_getauthregistry_v1(char *user, char *saved_registry)
{
- char *registry;
int serrno = errno;
int rval = -1;
- debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL)
+ debug_decl(aix_getauthregistry, SUDO_DEBUG_UTIL)
+ saved_registry[0] = '\0';
if (user != NULL) {
+ char *registry;
+
if (setuserdb(S_READ) != 0) {
sudo_warn(U_("unable to open userdb"));
goto done;
}
- if (getuserattr(user, S_REGISTRY, ®istry, SEC_CHAR) == 0) {
- if (setauthdb(registry, old_registry) != 0) {
- sudo_warn(U_("unable to switch to registry \"%s\" for %s"),
- registry, user);
- goto done;
+ rval = getuserattr(user, S_REGISTRY, ®istry, SEC_CHAR);
+ if (rval == 0) {
+ /* sizeof(authdb_t) is guaranteed to be 16 */
+ if (strlcpy(saved_registry, registry, 16) >= 16) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "registry for user %s too long: %s", user, registry);
}
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "%s: saved authentication registry for user %s is %s",
+ __func__, user, saved_registry);
}
enduserdb();
+ } else {
+ /* Get the process-wide registry. */
+ rval = getauthdb(saved_registry);
}
- rval = 0;
done:
errno = serrno;
debug_return_int(rval);
}
/*
- * Restore the saved administrative domain, if any.
+ * Set the specified authentication registry for user (SYSTEM in
+ * /etc/security/user) and set it as the default for the process.
+ * This ensures that password and group lookups are made against
+ * the correct source (files, NIS, LDAP, etc).
+ * If registry is NULL, look it up based on the user name.
+ * Does not modify errno even on error since callers do not check rval.
+ */
+int
+aix_setauthdb_v1(char *user)
+{
+ return aix_setauthdb_v2(user, NULL);
+}
+
+int
+aix_setauthdb_v2(char *user, char *registry)
+{
+ authdb_t regbuf;
+ int serrno = errno;
+ int rval = -1;
+ debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL)
+
+ if (user != NULL) {
+ /* Look up authentication registry if one is not provided. */
+ if (registry == NULL) {
+ if (aix_getauthregistry(user, regbuf) != 0)
+ goto done;
+ registry = regbuf;
+ }
+ rval = setauthdb(registry, old_registry);
+ if (rval != 0) {
+ sudo_warn(U_("unable to switch to registry \"%s\" for %s"),
+ registry, user);
+ } else {
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "%s: setting authentication registry to %s",
+ __func__, registry);
+ }
+ }
+done:
+ errno = serrno;
+ debug_return_int(rval);
+}
+
+/*
+ * Restore the saved authentication registry, if any.
* Does not modify errno even on error since callers do not check rval.
*/
int
if (setauthdb(old_registry, NULL) != 0) {
sudo_warn(U_("unable to restore registry"));
rval = -1;
- }
+ } else {
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "%s: setting authentication registry to %s",
+ __func__, old_registry);
+}
errno = serrno;
debug_return_int(rval);
}
free(info);
#ifdef HAVE_SETAUTHDB
- /* set administrative domain */
- if (aix_setauthdb(user) != 0)
+ /* set authentication registry */
+ if (aix_setauthdb(user, NULL) != 0)
debug_return_int(-1);
#endif
#define cmp_grnam cmp_pwnam
+/*
+ * AIX has the concept of authentication registries (files, NIS, LDAP, etc).
+ * This allows you to have separate ID <-> name mappings based on which
+ * authentication registries the user was looked up in.
+ * We store the registry as part of the key and use it when matching.
+ */
+#ifdef HAVE_SETAUTHDB
+# define getauthregistry(u, r) aix_getauthregistry((u), (r))
+#else
+# define getauthregistry(u, r) ((r)[0] = '\0')
+#endif
+
/*
* Compare by uid.
*/
{
const struct cache_item *ci1 = (const struct cache_item *) v1;
const struct cache_item *ci2 = (const struct cache_item *) v2;
+ if (ci1->k.uid == ci2->k.uid)
+ return strcmp(ci1->registry, ci2->registry);
return ci1->k.uid - ci2->k.uid;
}
{
const struct cache_item *ci1 = (const struct cache_item *) v1;
const struct cache_item *ci2 = (const struct cache_item *) v2;
- return strcmp(ci1->k.name, ci2->k.name);
+ int rval = strcmp(ci1->k.name, ci2->k.name);
+ if (rval == 0)
+ rval = strcmp(ci1->registry, ci2->registry);
+ return rval;
}
void
debug_decl(sudo_getpwuid, SUDOERS_DEBUG_NSS)
key.k.uid = uid;
+ getauthregistry(IDtouser(uid), key.registry);
if ((node = rbfind(pwcache_byuid, &key)) != NULL) {
item = node->data;
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: uid %u -> user %s (cache hit)",
- __func__, (unsigned int)uid, item->d.pw->pw_name);
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: uid %u [%s] -> user %s [%s] (cache hit)", __func__,
+ (unsigned int)uid, key.registry, item->d.pw->pw_name,
+ item->registry);
goto done;
}
/*
* Cache passwd db entry if it exists or a negative response if not.
*/
#ifdef HAVE_SETAUTHDB
- aix_setauthdb(IDtouser(uid));
+ aix_setauthdb(IDtouser(uid), key.registry);
#endif
item = sudo_make_pwitem(uid, NULL);
#ifdef HAVE_SETAUTHDB
item->k.uid = uid;
/* item->d.pw = NULL; */
}
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(pwcache_byuid, item, NULL)) {
case 1:
/* should not happen */
item->refcnt = 0;
break;
}
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: uid %u -> user %s (cached)",
- __func__, (unsigned int)uid,
- item->d.pw ? item->d.pw->pw_name : "unknown");
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: uid %u [%s] -> user %s [%s] (cached)", __func__,
+ (unsigned int)uid, key.registry,
+ item->d.pw ? item->d.pw->pw_name : "unknown", item->registry);
done:
item->refcnt++;
debug_return_ptr(item->d.pw);
debug_decl(sudo_getpwnam, SUDOERS_DEBUG_NSS)
key.k.name = (char *) name;
+ getauthregistry((char *) name, key.registry);
if ((node = rbfind(pwcache_byname, &key)) != NULL) {
item = node->data;
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: user %s -> uid %u (cache hit)",
- __func__, name, (unsigned int)item->d.pw->pw_uid);
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: user %s [%s] -> uid %u [%s] (cache hit)", __func__, name,
+ key.registry, (unsigned int)item->d.pw->pw_uid, item->registry);
goto done;
}
/*
* Cache passwd db entry if it exists or a negative response if not.
*/
#ifdef HAVE_SETAUTHDB
- aix_setauthdb((char *) name);
+ aix_setauthdb((char *) name, key.registry);
#endif
item = sudo_make_pwitem((uid_t)-1, name);
#ifdef HAVE_SETAUTHDB
memcpy(item->k.name, name, len);
/* item->d.pw = NULL; */
}
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(pwcache_byname, item, NULL)) {
case 1:
/* should not happen */
item->refcnt = 0;
break;
}
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: user %s -> uid %d (cached)",
- __func__, name, item->d.pw ? (int)item->d.pw->pw_uid : -1);
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: user %s [%s] -> uid %d [%s] (cached)", __func__, name,
+ key.registry, item->d.pw ? (int)item->d.pw->pw_uid : -1, item->registry);
done:
item->refcnt++;
debug_return_ptr(item->d.pw);
item->k.name = pw->pw_name;
pwcache = pwcache_byname;
}
+ getauthregistry(NULL, item->registry);
switch (rbinsert(pwcache, item, &node)) {
case 1:
/* Already exists. */
{
const struct cache_item *ci1 = (const struct cache_item *) v1;
const struct cache_item *ci2 = (const struct cache_item *) v2;
+ if (ci1->k.gid == ci2->k.gid)
+ return strcmp(ci1->registry, ci2->registry);
return ci1->k.gid - ci2->k.gid;
}
debug_decl(sudo_getgrgid, SUDOERS_DEBUG_NSS)
key.k.gid = gid;
+ getauthregistry(NULL, key.registry);
if ((node = rbfind(grcache_bygid, &key)) != NULL) {
item = node->data;
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: gid %u -> group %s (cache hit)",
- __func__, (unsigned int)gid, item->d.gr->gr_name);
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: gid %u [%s] -> group %s [%s] (cache hit)", __func__,
+ (unsigned int)gid, key.registry, item->d.gr->gr_name,
+ item->registry);
goto done;
}
/*
item->k.gid = gid;
/* item->d.gr = NULL; */
}
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(grcache_bygid, item, NULL)) {
case 1:
/* should not happen */
item->refcnt = 0;
break;
}
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: gid %u -> group %s (cached)",
- __func__, (unsigned int)gid,
- item->d.gr ? item->d.gr->gr_name : "unknown");
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: gid %u [%s] -> group %s [%s] (cached)", __func__,
+ (unsigned int)gid, key.registry,
+ item->d.gr ? item->d.gr->gr_name : "unknown", item->registry);
done:
item->refcnt++;
debug_return_ptr(item->d.gr);
debug_decl(sudo_getgrnam, SUDOERS_DEBUG_NSS)
key.k.name = (char *) name;
+ getauthregistry(NULL, key.registry);
if ((node = rbfind(grcache_byname, &key)) != NULL) {
item = node->data;
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: group %s -> gid %u (cache hit)",
- __func__, name, (unsigned int)item->d.gr->gr_gid);
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: group %s [%s] -> gid %u [%s] (cache hit)", __func__, name,
+ key.registry, (unsigned int)item->d.gr->gr_gid, item->registry);
goto done;
}
/*
memcpy(item->k.name, name, len);
/* item->d.gr = NULL; */
}
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(grcache_byname, item, NULL)) {
case 1:
/* should not happen */
item->refcnt = 0;
break;
}
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: group %s -> gid %d (cache hit)",
- __func__, name, item->d.gr ? (int)item->d.gr->gr_gid : -1);
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: group %s [%s] -> gid %d [%s] (cache hit)", __func__, name,
+ key.registry, item->d.gr ? (int)item->d.gr->gr_gid : -1, item->registry);
done:
item->refcnt++;
debug_return_ptr(item->d.gr);
gritem->cache.k.name = gr->gr_name;
grcache = grcache_byname;
}
+ getauthregistry(NULL, item->registry);
switch (rbinsert(grcache, item, &node)) {
case 1:
/* Already exists. */
debug_decl(sudo_get_grlist, SUDOERS_DEBUG_NSS)
key.k.name = pw->pw_name;
+ getauthregistry(pw->pw_name, key.registry);
if ((node = rbfind(grlist_cache, &key)) != NULL) {
item = node->data;
goto done;
/* Out of memory? */
debug_return_ptr(NULL);
}
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(grlist_cache, item, NULL)) {
case 1:
/* should not happen */
* Cache group db entry if it doesn't already exist
*/
key.k.name = pw->pw_name;
+ getauthregistry(NULL, key.registry);
if ((node = rbfind(grlist_cache, &key)) == NULL) {
if ((item = sudo_make_grlist_item(pw, groups, gids)) == NULL) {
sudo_warnx(U_("unable to parse groups for %s"), pw->pw_name);
debug_return_int(-1);
}
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(grlist_cache, item, NULL)) {
case 1:
sudo_warnx(U_("unable to cache group list for %s, already exists"),
projects / sudo / commitdiff