From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 22046 invoked from network); 17 Sep 2021 08:46:06 -0000 Received: from zero.zsh.org (2a02:898:31:0:48:4558:7a:7368) by inbox.vuxu.org with ESMTPUTF8; 17 Sep 2021 08:46:06 -0000 ARC-Seal: i=1; cv=none; a=rsa-sha256; d=zsh.org; s=rsa-20210803; t=1631868366; b=G+N7zDII7IMWGdnjWZqt/xp007QQ+QHvkxvedS6zknZLaBLiEliAzfoutbizjZpLri3StdBNRh GpBgAjIF7mRA6VaYvi/7JdEOA+NCky6Di+Mqv1vhl4ywl+dQUyvwN/Lv2aXFjWtsnH+v7DKrHl aMfBh9Jmjo8jt5IwtLOtotMaHMS1qOcWikBtTSPvI0oIGnU9RgD9y4xhkg3R9IQLMfn4G/xgQP nd9L5LDg3IM5bGLblqCmgZGxd/Ce1388FJWrad4aEcO+ohcez5vZIB6kKUmwSY40KiwUsQ53zu DhFkz60Rf/RxjN2Xp2kXxQcsA7baieY5cH1pzH2SRhPSZQ==; ARC-Authentication-Results: i=1; zsh.org; iprev=pass (snd01010-bg.im.kddi.ne.jp) smtp.remote-ip=27.86.113.26; dmarc=none header.from=kba.biglobe.ne.jp; arc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed; d=zsh.org; s=rsa-20210803; t=1631868366; bh=0q6AIgKAQrFjJuafxH2I+zPIvYO33fxiE+jMKY2R3ms=; h=List-Archive:List-Owner:List-Post:List-Unsubscribe:List-Subscribe:List-Help: List-Id:Sender:Message-ID:In-Reply-To:To:References:Date:Subject: MIME-Version:Content-Type:From:DKIM-Signature; b=QOVxVFjG3oF4PiRypZndG6c/SYt/12EybLjVaWiiT26RMPvlC6IkijJArXMa944M6Pwj/WbeLq ubAtW2Wza7tLOu06jO8JMIgFdMenmFRU+0RuMLgcwRUYolE2gt+qItHYaR+BbQKZv/Yu6Lkm/z plcHny6ZxTZwjL19mDhbQA/kh17ahMljC56kx5iOp6U9WabetFaSTwzBnLE3MPxCx1ItL70sbV kd3WWC/mvPahxZ7aObsaa06P7oZo0NQ9TJCU9YF1RbPwjNTSrMf9aSeg37toqNbIOMjExnKwjf /ZxMWyOTF5ME5ywe7anni5L1sIFIA+xZe0ki4nzE2wnCzA==; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=zsh.org; s=rsa-20210803; h=List-Archive:List-Owner:List-Post:List-Unsubscribe: List-Subscribe:List-Help:List-Id:Sender:Message-Id:In-Reply-To:To:References: Date:Subject:Mime-Version:Content-Type:From:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID; bh=F64dIPkfQhP+Jk1hljxvaM/NM3RKPcVlTe5dw2a3GMI=; b=D5YnbW5eolPHZRGF9zhL4lCaPN DbKXrBVwb6NoSXeIBzqjiNqpIQE3jJHwXU3CzueA+eVbump6IVjuWGiKADHrEzZV/DagIUraGqp3A BLlZtcMUD3T/pJb7USMSFrmMNHPH0mXzUsscc1mILYog2TTkyVmy/cyw81D2bwUh5l3b48MnDR/K2 7JDs7uQX99LJaC+QzKkJi1e6Kj2hw5tRG4Z4lM6W8ltxEfUedhgUwW7W/4yYxUrvWCr8vbE0sqvh5 uZ22dlIUMiJK1kmexhVUAWSqjvOHsYzWOYMIhdhNyIUSeCcrP4PIcQ1JNKusw/hmawLPpKbjX51Yj V//wcXOQ==; Received: from authenticated user by zero.zsh.org with local id 1mR9VV-000PzG-JX; Fri, 17 Sep 2021 08:46:05 +0000 Authentication-Results: zsh.org; iprev=pass (snd01010-bg.im.kddi.ne.jp) smtp.remote-ip=27.86.113.26; dmarc=none header.from=kba.biglobe.ne.jp; arc=none Received: from snd01010-bg.im.kddi.ne.jp ([27.86.113.26]:17761 helo=dfmta1006.biglobe.ne.jp) by zero.zsh.org with esmtps (TLS1.3:TLS_AES_256_GCM_SHA384:256) id 1mR9VA-000Pfv-L0; Fri, 17 Sep 2021 08:45:46 +0000 Received: from mail.biglobe.ne.jp by omta1006.biglobe.ne.jp with ESMTP id <20210917084537990.DAWP.16380.mail.biglobe.ne.jp@biglobe.ne.jp> for ; Fri, 17 Sep 2021 17:45:37 +0900 From: Jun T Content-Type: multipart/mixed; boundary="Apple-Mail=_1F6F4AE3-2053-4BEC-A2D5-18DB17677C61" Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\)) Subject: Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected Date: Fri, 17 Sep 2021 17:45:37 +0900 References: <20210908011251.GA2387366@zira.vinc17.org> <20210915143102.pw5uup7bvufi7wse@sym.noone.org> <887BC7E8-0D19-4D16-BFE6-9AE8EA5E9040@kba.biglobe.ne.jp> <20210916121056.p4zainnlnoi74yiw@sym.noone.org> <799F2EE5-EB83-49FB-9E5F-6C20CAB4CA6B@kba.biglobe.ne.jp> To: zsh-workers@zsh.org In-Reply-To: <799F2EE5-EB83-49FB-9E5F-6C20CAB4CA6B@kba.biglobe.ne.jp> Message-Id: X-Mailer: Apple Mail (2.3445.104.21) X-Biglobe-Sender: takimoto-j@kba.biglobe.ne.jp X-Seq: 49422 Archived-At: X-Loop: zsh-workers@zsh.org Errors-To: zsh-workers-owner@zsh.org Precedence: list Precedence: bulk Sender: zsh-workers-request@zsh.org X-no-archive: yes List-Id: List-Help: List-Subscribe: List-Unsubscribe: List-Post: List-Owner: List-Archive: --Apple-Mail=_1F6F4AE3-2053-4BEC-A2D5-18DB17677C61 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii > 2021/09/17 10:23, Jun T wrote: >=20 > I guess the problem is getlogin() called from createparamtable(). Yes, this can be confirmed by statically linking a test program (just call getlogin() and exit). I _hope_ there are no other places where NSS-functions are indirectly called. Revised the Axel's patch (also attached a file): params.c: do not call getlogin() Modules/parameter.c: Special parameter $usergroups can't be supported without NSS. So the possibilities are: (1) issue an error message when user try to use $usergroups (2) do not issue an error but the parameter exists (3) remove the parameter (remove from the table partab[]) The patch below uses (1), but I have no idea which is the best. hashnameddir.c, options.c, utils.c: HAVE_xxx --> USE_xxx (same as the Axel's patch) Modules/{stat.c,files.c}: These (and tcp.c, zftp.c) use NSS but are not patched since they are disabled by default in static build. diff --git a/Src/Modules/parameter.c b/Src/Modules/parameter.c index ef9148d7b..b44555323 100644 --- a/Src/Modules/parameter.c +++ b/Src/Modules/parameter.c @@ -2011,6 +2011,9 @@ scanpmdissaliases(HashTable ht, ScanFunc func, int = flags) /**/ static Groupset get_all_groups(void) { +#ifdef DISABLE_DYNAMIC_NSS + return NULL; +#else Groupset gs =3D zhalloc(sizeof(*gs)); Groupmap gaptr; gid_t *list, *lptr, egid; @@ -2063,6 +2066,7 @@ static Groupset get_all_groups(void) } =20 return gs; +#endif /* DISABLE_DYNAMIC_NSS */ } =20 /* Standard hash element lookup. */ @@ -2081,7 +2085,11 @@ getpmusergroups(UNUSED(HashTable ht), const char = *name) pm->gsu.s =3D &nullsetscalar_gsu; =20 if (!gs) { +#ifdef DISABLE_DYNAMIC_NSS + zerr("parameter 'usergroups' not available: NSS is disabled"); +#else zerr("failed to retrieve groups for user: %e", errno); +#endif pm->u.str =3D dupstring(""); pm->node.flags |=3D (PM_UNSET|PM_SPECIAL); return &pm->node; @@ -2113,7 +2121,11 @@ scanpmusergroups(UNUSED(HashTable ht), ScanFunc = func, int flags) Groupmap gaptr; =20 if (!gs) { +#ifdef DISABLE_DYNAMIC_NSS + zerr("parameter 'usergroups' not available: NSS is disabled"); +#else zerr("failed to retrieve groups for user: %e", errno); +#endif return; } =20 diff --git a/Src/hashnameddir.c b/Src/hashnameddir.c index bed43d025..cbd1344ef 100644 --- a/Src/hashnameddir.c +++ b/Src/hashnameddir.c @@ -178,7 +178,7 @@ fillnameddirtable(UNUSED(HashTable ht)) /* Using NIS or NIS+ didn't add any user directories. This = seems * fishy, so we fall back to using getpwent(). If we don't = have * that, we only use the passwd file. */ -#ifdef HAVE_GETPWENT +#ifdef USE_GETPWENT struct passwd *pw; =20 setpwent(); @@ -190,7 +190,7 @@ fillnameddirtable(UNUSED(HashTable ht)) =20 endpwent(); usepwf =3D 0; -#endif /* HAVE_GETPWENT */ +#endif /* USE_GETPWENT */ } if (usepwf) { /* Don't forget the non-NIS matches from the flat passwd = file */ @@ -229,7 +229,7 @@ fillnameddirtable(UNUSED(HashTable ht)) adduserdir(pw->pw_name, pw->pw_dir, ND_USERNAME, 1); =20 endpwent(); -#endif /* HAVE_GETPWENT */ +#endif /* USE_GETPWENT */ #endif allusersadded =3D 1; } diff --git a/Src/options.c b/Src/options.c index 783022591..a1fe918fc 100644 --- a/Src/options.c +++ b/Src/options.c @@ -811,7 +811,7 @@ dosetopt(int optno, int value, int force, char = *new_opts) return -1; } =20 -# ifdef HAVE_INITGROUPS +# ifdef USE_INITGROUPS /* Set the supplementary groups list. * * Note that on macOS, FreeBSD, and possibly some other = platforms, diff --git a/Src/params.c b/Src/params.c index 4f6b361f9..704aad588 100644 --- a/Src/params.c +++ b/Src/params.c @@ -843,9 +843,12 @@ createparamtable(void) setsparam("HOST", ztrdup_metafy(hostnam)); zfree(hostnam, 256); =20 - setsparam("LOGNAME", - ztrdup_metafy((str =3D getlogin()) && *str ? - str : cached_username)); + setsparam("LOGNAME", ztrdup_metafy( +#ifndef DISABLE_DYNAMIC_NSS + (str =3D getlogin()) && *str ? str : +#endif + cached_username + )); =20 #if !defined(HAVE_PUTENV) && !defined(USE_SET_UNSET_ENV) /* Copy the environment variables we are inheriting to dynamic * @@ -4430,7 +4433,7 @@ usernamegetfn(UNUSED(Param pm)) void usernamesetfn(UNUSED(Param pm), char *x) { -#if defined(HAVE_SETUID) && defined(HAVE_GETPWNAM) +#if defined(HAVE_SETUID) && defined(USE_GETPWNAM) struct passwd *pswd; =20 if (x && (pswd =3D getpwnam(x)) && (pswd->pw_uid !=3D cached_uid)) = { @@ -4447,7 +4450,7 @@ usernamesetfn(UNUSED(Param pm), char *x) cached_uid =3D pswd->pw_uid; } } -#endif /* HAVE_SETUID && HAVE_GETPWNAM */ +#endif /* HAVE_SETUID && USE_GETPWNAM */ zsfree(x); } =20 diff --git a/Src/utils.c b/Src/utils.c index c32741ca7..a74c8bd2c 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -1119,7 +1119,7 @@ char *cached_username; char * get_username(void) { -#ifdef HAVE_GETPWUID +#ifdef USE_GETPWUID struct passwd *pswd; uid_t current_uid; =20 @@ -1132,9 +1132,9 @@ get_username(void) else cached_username =3D ztrdup(""); } -#else /* !HAVE_GETPWUID */ +#else /* !USE_GETPWUID */ cached_uid =3D getuid(); -#endif /* !HAVE_GETPWUID */ +#endif /* !USE_GETPWUID */ return cached_username; } =20 @@ -1310,7 +1310,7 @@ getnameddir(char *name) return str; } =20 -#ifdef HAVE_GETPWNAM +#ifdef USE_GETPWNAM { /* Retrieve an entry from the password table/database for this = user. */ struct passwd *pw; @@ -1326,7 +1326,7 @@ getnameddir(char *name) return dupstring(pw->pw_dir); } } -#endif /* HAVE_GETPWNAM */ +#endif /* USE_GETPWNAM */ =20 /* There are no more possible sources of directory names, so give = up. */ return NULL; --Apple-Mail=_1F6F4AE3-2053-4BEC-A2D5-18DB17677C61 Content-Disposition: attachment; filename=nss.patch Content-Type: application/octet-stream; x-unix-mode=0644; name="nss.patch" Content-Transfer-Encoding: 7bit diff --git a/Src/Modules/parameter.c b/Src/Modules/parameter.c index ef9148d7b..b44555323 100644 --- a/Src/Modules/parameter.c +++ b/Src/Modules/parameter.c @@ -2011,6 +2011,9 @@ scanpmdissaliases(HashTable ht, ScanFunc func, int flags) /**/ static Groupset get_all_groups(void) { +#ifdef DISABLE_DYNAMIC_NSS + return NULL; +#else Groupset gs = zhalloc(sizeof(*gs)); Groupmap gaptr; gid_t *list, *lptr, egid; @@ -2063,6 +2066,7 @@ static Groupset get_all_groups(void) } return gs; +#endif /* DISABLE_DYNAMIC_NSS */ } /* Standard hash element lookup. */ @@ -2081,7 +2085,11 @@ getpmusergroups(UNUSED(HashTable ht), const char *name) pm->gsu.s = &nullsetscalar_gsu; if (!gs) { +#ifdef DISABLE_DYNAMIC_NSS + zerr("parameter 'usergroups' not available: NSS is disabled"); +#else zerr("failed to retrieve groups for user: %e", errno); +#endif pm->u.str = dupstring(""); pm->node.flags |= (PM_UNSET|PM_SPECIAL); return &pm->node; @@ -2113,7 +2121,11 @@ scanpmusergroups(UNUSED(HashTable ht), ScanFunc func, int flags) Groupmap gaptr; if (!gs) { +#ifdef DISABLE_DYNAMIC_NSS + zerr("parameter 'usergroups' not available: NSS is disabled"); +#else zerr("failed to retrieve groups for user: %e", errno); +#endif return; } diff --git a/Src/hashnameddir.c b/Src/hashnameddir.c index bed43d025..cbd1344ef 100644 --- a/Src/hashnameddir.c +++ b/Src/hashnameddir.c @@ -178,7 +178,7 @@ fillnameddirtable(UNUSED(HashTable ht)) /* Using NIS or NIS+ didn't add any user directories. This seems * fishy, so we fall back to using getpwent(). If we don't have * that, we only use the passwd file. */ -#ifdef HAVE_GETPWENT +#ifdef USE_GETPWENT struct passwd *pw; setpwent(); @@ -190,7 +190,7 @@ fillnameddirtable(UNUSED(HashTable ht)) endpwent(); usepwf = 0; -#endif /* HAVE_GETPWENT */ +#endif /* USE_GETPWENT */ } if (usepwf) { /* Don't forget the non-NIS matches from the flat passwd file */ @@ -229,7 +229,7 @@ fillnameddirtable(UNUSED(HashTable ht)) adduserdir(pw->pw_name, pw->pw_dir, ND_USERNAME, 1); endpwent(); -#endif /* HAVE_GETPWENT */ +#endif /* USE_GETPWENT */ #endif allusersadded = 1; } diff --git a/Src/options.c b/Src/options.c index 783022591..a1fe918fc 100644 --- a/Src/options.c +++ b/Src/options.c @@ -811,7 +811,7 @@ dosetopt(int optno, int value, int force, char *new_opts) return -1; } -# ifdef HAVE_INITGROUPS +# ifdef USE_INITGROUPS /* Set the supplementary groups list. * * Note that on macOS, FreeBSD, and possibly some other platforms, diff --git a/Src/params.c b/Src/params.c index 4f6b361f9..704aad588 100644 --- a/Src/params.c +++ b/Src/params.c @@ -843,9 +843,12 @@ createparamtable(void) setsparam("HOST", ztrdup_metafy(hostnam)); zfree(hostnam, 256); - setsparam("LOGNAME", - ztrdup_metafy((str = getlogin()) && *str ? - str : cached_username)); + setsparam("LOGNAME", ztrdup_metafy( +#ifndef DISABLE_DYNAMIC_NSS + (str = getlogin()) && *str ? str : +#endif + cached_username + )); #if !defined(HAVE_PUTENV) && !defined(USE_SET_UNSET_ENV) /* Copy the environment variables we are inheriting to dynamic * @@ -4430,7 +4433,7 @@ usernamegetfn(UNUSED(Param pm)) void usernamesetfn(UNUSED(Param pm), char *x) { -#if defined(HAVE_SETUID) && defined(HAVE_GETPWNAM) +#if defined(HAVE_SETUID) && defined(USE_GETPWNAM) struct passwd *pswd; if (x && (pswd = getpwnam(x)) && (pswd->pw_uid != cached_uid)) { @@ -4447,7 +4450,7 @@ usernamesetfn(UNUSED(Param pm), char *x) cached_uid = pswd->pw_uid; } } -#endif /* HAVE_SETUID && HAVE_GETPWNAM */ +#endif /* HAVE_SETUID && USE_GETPWNAM */ zsfree(x); } diff --git a/Src/utils.c b/Src/utils.c index c32741ca7..a74c8bd2c 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -1119,7 +1119,7 @@ char *cached_username; char * get_username(void) { -#ifdef HAVE_GETPWUID +#ifdef USE_GETPWUID struct passwd *pswd; uid_t current_uid; @@ -1132,9 +1132,9 @@ get_username(void) else cached_username = ztrdup(""); } -#else /* !HAVE_GETPWUID */ +#else /* !USE_GETPWUID */ cached_uid = getuid(); -#endif /* !HAVE_GETPWUID */ +#endif /* !USE_GETPWUID */ return cached_username; } @@ -1310,7 +1310,7 @@ getnameddir(char *name) return str; } -#ifdef HAVE_GETPWNAM +#ifdef USE_GETPWNAM { /* Retrieve an entry from the password table/database for this user. */ struct passwd *pw; @@ -1326,7 +1326,7 @@ getnameddir(char *name) return dupstring(pw->pw_dir); } } -#endif /* HAVE_GETPWNAM */ +#endif /* USE_GETPWNAM */ /* There are no more possible sources of directory names, so give up. */ return NULL; --Apple-Mail=_1F6F4AE3-2053-4BEC-A2D5-18DB17677C61--