From a1c542bfc5684d914cf2af2c3ec9d5432d0b01dc Mon Sep 17 00:00:00 2001
From: Ulrich Drepper
Date: Fri, 11 Jun 1999 20:58:21 +0000
Subject: Update.

1999-06-11 Thorsten Kukuk

* nscd/nscd.c: Add -S options for separate caching of data for every user. So one user couldn't see the data another user has gotten with his credentials.
* nscd/nscd.h: Add new prototypes.
* nscd/cache.c: Compare owner of cache entry if in secure mode.
* nscd/connections.c: Check on shutdown if caller really was root. In secure mode get uid of caller.
* nscd/grpcache.c: Add support for new secure group mode.
* nscd/hstcache.c: Add support for new secure hosts mode.
* nscd/pwdcache.c: Add support for new secure passwd mode.
---
 nscd/grpcache.c | 38 ++++++++++++++++++++++++++++++--------
 1 file changed, 30 insertions(+), 8 deletions(-)
(limited to 'nscd/grpcache.c')

diff --git a/nscd/grpcache.c b/nscd/grpcache.c
index 1c6b1aff3f..d8848f3e00 100644
--- a/nscd/grpcache.c
+++ b/nscd/grpcache.c
@@ -77,7 +77,7 @@ struct groupdata
 
 static void
 cache_addgr (struct database *db, int fd, request_header *req, void *key,
- struct group *grp)
+ struct group *grp, uid_t owner)
 {
 ssize_t total;
 ssize_t written;
@@ -105,7 +105,7 @@ cache_addgr (struct database *db, int fd, request_header *req, void *key,
 pthread_rwlock_rdlock (&db->lock);
 
 cache_add (req->type, copy, req->key_len, &iov_notfound,
- sizeof (notfound), (void *) -1, 0, t, db);
+ sizeof (notfound), (void *) -1, 0, t, db, owner);
 
 pthread_rwlock_unlock (&db->lock);
 }
@@ -177,9 +177,9 @@ cache_addgr (struct database *db, int fd, request_header *req, void *key,
 
 /* We have to add the value for both, byname and byuid. */
 cache_add (GETGRBYNAME, gr_name, gr_name_len, data,
- total, data, 0, t, db);
+ total, data, 0, t, db, owner);
 
- cache_add (GETGRBYGID, cp, n, data, total, data, 1, t, db);
+ cache_add (GETGRBYGID, cp, n, data, total, data, 1, t, db, owner);
 
 pthread_rwlock_unlock (&db->lock);
 }
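Review bot: The new `owner` parameter of `cache_addgr` is not documented in the hunk, and nothing says how it relates to the `uid` that `addgrbyname` and `addgrbygid` pass in (it is the same value, forwarded unchanged to every `cache_add` call in the later hunks at 105 and 177). A reader skimming the group cache could easily take it for the group's gid, so a one-line comment above the signature is worth it: `/* OWNER is the uid of the client whose lookup produced this entry; per the cache.c change it is compared on later hits when the database runs in secure mode.  */`. The `uid` parameter added to `addgrbyname` and `addgrbygid` deserves the same sentence. cache_addgr's body continues outside the hunk.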
@@ -194,7 +194,8 @@ cache_addgr (struct database *db, int fd, request_header *req, void *key,
 
 
 void
-addgrbyname (struct database *db, int fd, request_header *req, void *key)
+addgrbyname (struct database *db, int fd, request_header *req,
+ void *key, uid_t uid)
 {
 /* Search for the entry matching the key. Please note that we don't
 look again in the table whether the dataset is now available. We
@@ -204,10 +205,17 @@ addgrbyname (struct database *db, int fd, request_header *req, void *key)
 char *buffer = alloca (buflen);
 struct group resultbuf;
 struct group *grp;
+ uid_t oldeuid = 0;
 
 if (debug_level > 0)
 dbg_log (_("Haven't found \"%s\" in group cache!"), key);
 
+ if (secure[grpdb])
+ {
+ oldeuid = geteuid ();
+ seteuid (uid);
+ }
+
 while (getgrnam_r (key, &resultbuf, buffer, buflen, &grp) != 0
 && errno == ERANGE)
 {
@@ -216,12 +224,16 @@ addgrbyname (struct database *db, int fd, request_header *req, void *key)
 buffer = alloca (buflen);
 }
 
- cache_addgr (db, fd, req, key, grp);
+ if (secure[grpdb])
+ seteuid (oldeuid);
+
+ cache_addgr (db, fd, req, key, grp, uid);
 }
 
 
 void
-addgrbygid (struct database *db, int fd, request_header *req, void *key)
+addgrbygid (struct database *db, int fd, request_header *req,
+ void *key, uid_t uid)
 {
 /* Search for the entry matching the key. Please note that we don't
 look again in the table whether the dataset is now available. We
@@ -232,10 +244,17 @@ addgrbygid (struct database *db, int fd, request_header *req, void *key)
 struct group resultbuf;
 struct group *grp;
 gid_t gid = atol (key);
+ uid_t oldeuid = 0;
 
 if (debug_level > 0)
 dbg_log (_("Haven't found \"%d\" in group cache!"), gid);
 
+ if (secure[grpdb])
+ {
+ oldeuid = geteuid ();
+ seteuid (uid);
+ }
+
 while (getgrgid_r (gid, &resultbuf, buffer, buflen, &grp) != 0
 && errno == ERANGE)
 {
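Review bot: The `seteuid (uid)` added after the debug log in the hunk at 204 ignores its return value, and so do the copy in `addgrbygid` (hunk at 232) and both `seteuid (oldeuid)` restores (hunks at 216 and 244). If the switch fails — the daemon was not started with the privilege to change its effective uid, or the peer's uid is one the kernel rejects — the lookup silently runs with nscd's own credentials and the answer is still stored with `owner` set to the client, which is the cross-user exposure the new -S mode exists to prevent; if the restore fails, this worker keeps the client's effective uid for every later request it serves. I would check both calls: on a failed switch skip the lookup and pass `grp = NULL` to `cache_addgr` so nothing fetched under the daemon's identity is cached for that client, and treat a failed restore as fatal rather than carrying on under the wrong identity. Whether `seteuid` in a worker thread changes only that thread or the whole process depends on the threading implementation nscd is built against; if it is process-wide, concurrent lookups race on the effective uid, and that assumption deserves a comment beside the call. addgrbyname's declarations start above the hunk.
```c
  if (secure[grpdb])
    {
      oldeuid = geteuid ();
      if (seteuid (uid) != 0)
	{
	  /* Cannot take the client's identity: never answer from the
	     daemon's own view of the database.  */
	  dbg_log (_("cannot switch to uid of client for group lookup"));
	  grp = NULL;
	  goto done;
	}
    }

  /* … unchanged: getgrnam_r retry loop … */

 done:
  if (secure[grpdb] && seteuid (oldeuid) != 0)
    /* Continuing with the client's identity would serve later
       requests with the wrong credentials.  */
    abort ();

  cache_addgr (db, fd, req, key, grp, uid);
```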
@@ -244,5 +263,8 @@ addgrbygid (struct database *db, int fd, request_header *req, void *key)
 buffer = alloca (buflen);
 }
 
- cache_addgr (db, fd, req, key, grp);
+ if (secure[grpdb])
+ seteuid (oldeuid);
+
+ cache_addgr (db, fd, req, key, grp, uid);
 }
--
cgit v1.2.1
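Review bot: The save/switch/restore sequence around the lookup is now spelled out twice, here in `addgrbygid` and identically in `addgrbyname` (hunks at 204 and 216), and the two copies have to stay in step for the restore to be correct. Two small `static` helpers in this file, for example `static uid_t enter_client_uid (uid_t uid)` and `static void leave_client_uid (uid_t old)`, would give the `secure[grpdb]` test and any return-value check a single home, and the pwdcache.c and hstcache.c counterparts named in the ChangeLog could then follow the same shape. addgrbygid's body begins above the hunk.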