From: Jun T <takimoto-j@kba.biglobe.ne.jp>
To: zsh-workers@zsh.org
Subject: Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected
Date: Fri, 17 Sep 2021 17:45:37 +0900 [thread overview]
Message-ID: <CA976032-11EE-47F2-B507-0F162D6515EB@kba.biglobe.ne.jp> (raw)
In-Reply-To: <799F2EE5-EB83-49FB-9E5F-6C20CAB4CA6B@kba.biglobe.ne.jp>
[-- Attachment #1: Type: text/plain, Size: 5923 bytes --]
> 2021/09/17 10:23, Jun T <takimoto-j@kba.biglobe.ne.jp> wrote:
>
> I guess the problem is getlogin() called from createparamtable().
Yes, this can be confirmed by statically linking a test program
(just call getlogin() and exit). I _hope_ there are no other places
where NSS-functions are indirectly called.
Revised the Axel's patch (also attached a file):
params.c:
do not call getlogin()
Modules/parameter.c:
Special parameter $usergroups can't be supported without NSS.
So the possibilities are:
(1) issue an error message when user try to use $usergroups
(2) do not issue an error but the parameter exists
(3) remove the parameter (remove from the table partab[])
The patch below uses (1), but I have no idea which is the best.
hashnameddir.c, options.c, utils.c:
HAVE_xxx --> USE_xxx (same as the Axel's patch)
Modules/{stat.c,files.c}:
These (and tcp.c, zftp.c) use NSS but are not patched since they are
disabled by default in static build.
diff --git a/Src/Modules/parameter.c b/Src/Modules/parameter.c
index ef9148d7b..b44555323 100644
--- a/Src/Modules/parameter.c
+++ b/Src/Modules/parameter.c
@@ -2011,6 +2011,9 @@ scanpmdissaliases(HashTable ht, ScanFunc func, int flags)
/**/
static Groupset get_all_groups(void)
{
+#ifdef DISABLE_DYNAMIC_NSS
+ return NULL;
+#else
Groupset gs = zhalloc(sizeof(*gs));
Groupmap gaptr;
gid_t *list, *lptr, egid;
@@ -2063,6 +2066,7 @@ static Groupset get_all_groups(void)
}
return gs;
+#endif /* DISABLE_DYNAMIC_NSS */
}
/* Standard hash element lookup. */
@@ -2081,7 +2085,11 @@ getpmusergroups(UNUSED(HashTable ht), const char *name)
pm->gsu.s = &nullsetscalar_gsu;
if (!gs) {
+#ifdef DISABLE_DYNAMIC_NSS
+ zerr("parameter 'usergroups' not available: NSS is disabled");
+#else
zerr("failed to retrieve groups for user: %e", errno);
+#endif
pm->u.str = dupstring("");
pm->node.flags |= (PM_UNSET|PM_SPECIAL);
return &pm->node;
@@ -2113,7 +2121,11 @@ scanpmusergroups(UNUSED(HashTable ht), ScanFunc func, int flags)
Groupmap gaptr;
if (!gs) {
+#ifdef DISABLE_DYNAMIC_NSS
+ zerr("parameter 'usergroups' not available: NSS is disabled");
+#else
zerr("failed to retrieve groups for user: %e", errno);
+#endif
return;
}
diff --git a/Src/hashnameddir.c b/Src/hashnameddir.c
index bed43d025..cbd1344ef 100644
--- a/Src/hashnameddir.c
+++ b/Src/hashnameddir.c
@@ -178,7 +178,7 @@ fillnameddirtable(UNUSED(HashTable ht))
/* Using NIS or NIS+ didn't add any user directories. This seems
* fishy, so we fall back to using getpwent(). If we don't have
* that, we only use the passwd file. */
-#ifdef HAVE_GETPWENT
+#ifdef USE_GETPWENT
struct passwd *pw;
setpwent();
@@ -190,7 +190,7 @@ fillnameddirtable(UNUSED(HashTable ht))
endpwent();
usepwf = 0;
-#endif /* HAVE_GETPWENT */
+#endif /* USE_GETPWENT */
}
if (usepwf) {
/* Don't forget the non-NIS matches from the flat passwd file */
@@ -229,7 +229,7 @@ fillnameddirtable(UNUSED(HashTable ht))
adduserdir(pw->pw_name, pw->pw_dir, ND_USERNAME, 1);
endpwent();
-#endif /* HAVE_GETPWENT */
+#endif /* USE_GETPWENT */
#endif
allusersadded = 1;
}
diff --git a/Src/options.c b/Src/options.c
index 783022591..a1fe918fc 100644
--- a/Src/options.c
+++ b/Src/options.c
@@ -811,7 +811,7 @@ dosetopt(int optno, int value, int force, char *new_opts)
return -1;
}
-# ifdef HAVE_INITGROUPS
+# ifdef USE_INITGROUPS
/* Set the supplementary groups list.
*
* Note that on macOS, FreeBSD, and possibly some other platforms,
diff --git a/Src/params.c b/Src/params.c
index 4f6b361f9..704aad588 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -843,9 +843,12 @@ createparamtable(void)
setsparam("HOST", ztrdup_metafy(hostnam));
zfree(hostnam, 256);
- setsparam("LOGNAME",
- ztrdup_metafy((str = getlogin()) && *str ?
- str : cached_username));
+ setsparam("LOGNAME", ztrdup_metafy(
+#ifndef DISABLE_DYNAMIC_NSS
+ (str = getlogin()) && *str ? str :
+#endif
+ cached_username
+ ));
#if !defined(HAVE_PUTENV) && !defined(USE_SET_UNSET_ENV)
/* Copy the environment variables we are inheriting to dynamic *
@@ -4430,7 +4433,7 @@ usernamegetfn(UNUSED(Param pm))
void
usernamesetfn(UNUSED(Param pm), char *x)
{
-#if defined(HAVE_SETUID) && defined(HAVE_GETPWNAM)
+#if defined(HAVE_SETUID) && defined(USE_GETPWNAM)
struct passwd *pswd;
if (x && (pswd = getpwnam(x)) && (pswd->pw_uid != cached_uid)) {
@@ -4447,7 +4450,7 @@ usernamesetfn(UNUSED(Param pm), char *x)
cached_uid = pswd->pw_uid;
}
}
-#endif /* HAVE_SETUID && HAVE_GETPWNAM */
+#endif /* HAVE_SETUID && USE_GETPWNAM */
zsfree(x);
}
diff --git a/Src/utils.c b/Src/utils.c
index c32741ca7..a74c8bd2c 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1119,7 +1119,7 @@ char *cached_username;
char *
get_username(void)
{
-#ifdef HAVE_GETPWUID
+#ifdef USE_GETPWUID
struct passwd *pswd;
uid_t current_uid;
@@ -1132,9 +1132,9 @@ get_username(void)
else
cached_username = ztrdup("");
}
-#else /* !HAVE_GETPWUID */
+#else /* !USE_GETPWUID */
cached_uid = getuid();
-#endif /* !HAVE_GETPWUID */
+#endif /* !USE_GETPWUID */
return cached_username;
}
@@ -1310,7 +1310,7 @@ getnameddir(char *name)
return str;
}
-#ifdef HAVE_GETPWNAM
+#ifdef USE_GETPWNAM
{
/* Retrieve an entry from the password table/database for this user. */
struct passwd *pw;
@@ -1326,7 +1326,7 @@ getnameddir(char *name)
return dupstring(pw->pw_dir);
}
}
-#endif /* HAVE_GETPWNAM */
+#endif /* USE_GETPWNAM */
/* There are no more possible sources of directory names, so give up. */
return NULL;
[-- Attachment #2: nss.patch --]
[-- Type: application/octet-stream, Size: 4757 bytes --]
diff --git a/Src/Modules/parameter.c b/Src/Modules/parameter.c
index ef9148d7b..b44555323 100644
--- a/Src/Modules/parameter.c
+++ b/Src/Modules/parameter.c
@@ -2011,6 +2011,9 @@ scanpmdissaliases(HashTable ht, ScanFunc func, int flags)
/**/
static Groupset get_all_groups(void)
{
+#ifdef DISABLE_DYNAMIC_NSS
+ return NULL;
+#else
Groupset gs = zhalloc(sizeof(*gs));
Groupmap gaptr;
gid_t *list, *lptr, egid;
@@ -2063,6 +2066,7 @@ static Groupset get_all_groups(void)
}
return gs;
+#endif /* DISABLE_DYNAMIC_NSS */
}
/* Standard hash element lookup. */
@@ -2081,7 +2085,11 @@ getpmusergroups(UNUSED(HashTable ht), const char *name)
pm->gsu.s = &nullsetscalar_gsu;
if (!gs) {
+#ifdef DISABLE_DYNAMIC_NSS
+ zerr("parameter 'usergroups' not available: NSS is disabled");
+#else
zerr("failed to retrieve groups for user: %e", errno);
+#endif
pm->u.str = dupstring("");
pm->node.flags |= (PM_UNSET|PM_SPECIAL);
return &pm->node;
@@ -2113,7 +2121,11 @@ scanpmusergroups(UNUSED(HashTable ht), ScanFunc func, int flags)
Groupmap gaptr;
if (!gs) {
+#ifdef DISABLE_DYNAMIC_NSS
+ zerr("parameter 'usergroups' not available: NSS is disabled");
+#else
zerr("failed to retrieve groups for user: %e", errno);
+#endif
return;
}
diff --git a/Src/hashnameddir.c b/Src/hashnameddir.c
index bed43d025..cbd1344ef 100644
--- a/Src/hashnameddir.c
+++ b/Src/hashnameddir.c
@@ -178,7 +178,7 @@ fillnameddirtable(UNUSED(HashTable ht))
/* Using NIS or NIS+ didn't add any user directories. This seems
* fishy, so we fall back to using getpwent(). If we don't have
* that, we only use the passwd file. */
-#ifdef HAVE_GETPWENT
+#ifdef USE_GETPWENT
struct passwd *pw;
setpwent();
@@ -190,7 +190,7 @@ fillnameddirtable(UNUSED(HashTable ht))
endpwent();
usepwf = 0;
-#endif /* HAVE_GETPWENT */
+#endif /* USE_GETPWENT */
}
if (usepwf) {
/* Don't forget the non-NIS matches from the flat passwd file */
@@ -229,7 +229,7 @@ fillnameddirtable(UNUSED(HashTable ht))
adduserdir(pw->pw_name, pw->pw_dir, ND_USERNAME, 1);
endpwent();
-#endif /* HAVE_GETPWENT */
+#endif /* USE_GETPWENT */
#endif
allusersadded = 1;
}
diff --git a/Src/options.c b/Src/options.c
index 783022591..a1fe918fc 100644
--- a/Src/options.c
+++ b/Src/options.c
@@ -811,7 +811,7 @@ dosetopt(int optno, int value, int force, char *new_opts)
return -1;
}
-# ifdef HAVE_INITGROUPS
+# ifdef USE_INITGROUPS
/* Set the supplementary groups list.
*
* Note that on macOS, FreeBSD, and possibly some other platforms,
diff --git a/Src/params.c b/Src/params.c
index 4f6b361f9..704aad588 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -843,9 +843,12 @@ createparamtable(void)
setsparam("HOST", ztrdup_metafy(hostnam));
zfree(hostnam, 256);
- setsparam("LOGNAME",
- ztrdup_metafy((str = getlogin()) && *str ?
- str : cached_username));
+ setsparam("LOGNAME", ztrdup_metafy(
+#ifndef DISABLE_DYNAMIC_NSS
+ (str = getlogin()) && *str ? str :
+#endif
+ cached_username
+ ));
#if !defined(HAVE_PUTENV) && !defined(USE_SET_UNSET_ENV)
/* Copy the environment variables we are inheriting to dynamic *
@@ -4430,7 +4433,7 @@ usernamegetfn(UNUSED(Param pm))
void
usernamesetfn(UNUSED(Param pm), char *x)
{
-#if defined(HAVE_SETUID) && defined(HAVE_GETPWNAM)
+#if defined(HAVE_SETUID) && defined(USE_GETPWNAM)
struct passwd *pswd;
if (x && (pswd = getpwnam(x)) && (pswd->pw_uid != cached_uid)) {
@@ -4447,7 +4450,7 @@ usernamesetfn(UNUSED(Param pm), char *x)
cached_uid = pswd->pw_uid;
}
}
-#endif /* HAVE_SETUID && HAVE_GETPWNAM */
+#endif /* HAVE_SETUID && USE_GETPWNAM */
zsfree(x);
}
diff --git a/Src/utils.c b/Src/utils.c
index c32741ca7..a74c8bd2c 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1119,7 +1119,7 @@ char *cached_username;
char *
get_username(void)
{
-#ifdef HAVE_GETPWUID
+#ifdef USE_GETPWUID
struct passwd *pswd;
uid_t current_uid;
@@ -1132,9 +1132,9 @@ get_username(void)
else
cached_username = ztrdup("");
}
-#else /* !HAVE_GETPWUID */
+#else /* !USE_GETPWUID */
cached_uid = getuid();
-#endif /* !HAVE_GETPWUID */
+#endif /* !USE_GETPWUID */
return cached_username;
}
@@ -1310,7 +1310,7 @@ getnameddir(char *name)
return str;
}
-#ifdef HAVE_GETPWNAM
+#ifdef USE_GETPWNAM
{
/* Retrieve an entry from the password table/database for this user. */
struct passwd *pw;
@@ -1326,7 +1326,7 @@ getnameddir(char *name)
return dupstring(pw->pw_dir);
}
}
-#endif /* HAVE_GETPWNAM */
+#endif /* USE_GETPWNAM */
/* There are no more possible sources of directory names, so give up. */
return NULL;
next prev parent reply other threads:[~2021-09-17 8:46 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-08 1:12 Vincent Lefevre
2021-09-15 14:31 ` Axel Beckert
2021-09-15 19:13 ` Bart Schaefer
2021-09-16 7:37 ` Jun T
2021-09-16 12:10 ` Axel Beckert
2021-09-16 16:48 ` Bart Schaefer
2021-09-16 18:21 ` Jun. T
2021-09-16 18:34 ` Axel Beckert
2021-09-16 22:01 ` Bart Schaefer
2021-09-17 1:23 ` Jun T
2021-09-17 8:45 ` Jun T [this message]
2021-09-17 13:44 ` Axel Beckert
2021-09-17 13:55 ` Roman Perepelitsa
2021-09-17 14:16 ` Axel Beckert
2021-09-17 15:02 ` Bart Schaefer
2021-09-21 0:53 ` Jun T
2021-09-21 3:38 ` Bart Schaefer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA976032-11EE-47F2-B507-0F162D6515EB@kba.biglobe.ne.jp \
--to=takimoto-j@kba.biglobe.ne.jp \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).