Commit Graph

384 Commits

Author SHA1 Message Date
Tomas Mraz
ee9e506af2 Make the group and user allocation more effective.
Previously, the allocation was optimized for an outdated
deployment style (that of /etc/group alongside nss_db). The issue
here is that this results in extremely poor performance when using
SSSD, Winbind or nss_ldap.

There were actually two serious bugs here that have been addressed:

1) Running getgrent() loops won't work in most SSSD or Winbind
environments, as full group enumeration is disabled by default.
This could easily result in auto-allocating a group that was
already in use. (This might result in a security issue as well, if
the shared GID is a privileged group).

2) For system groups, the loop was always iterating through the
complete SYS_GID_MIN->SYS_GID_MAX range. On SSSD and Winbind, this
means hundreds of round-trips to LDAP (unless the GIDs were
specifically configured to be ignored by the SSSD or winbindd).
To a user with a slow connection to their LDAP server, this would
appear as if groupadd -r was hung. (Though it would eventually
complete).

This patch changes the algorithm to be more favorable for LDAP
environments, at the expense of some performance when using nss_db.
Given that the DB is a local service, this should have a negligible
effect from a user's perspective.

With the new algorithm, we simply first iterate through all entries
in the local database with gr_next(), recording the IDs that are in
use. We then start from the highest presumed-available entry and
call getgrgid() to see if it is available. We continue this until
we come to the first unused GID. We then select that and return it.

If we make it through all the remaining IDs without finding a free
one, we start over from the beginning of the range and try to find
room in one of the gaps in the range.

The patch was originally written by Stephen Gallagher and applied
identically also to the user allocation by Tomáš Mráz.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2017-01-29 14:37:21 -06:00
Serge Hallyn
9e93c984f7 Merge pull request #17 from wking/includes-to-am-cppflags
*/Makefile.am: Replace INCLUDES with AM_CPPFLAGS
2016-12-07 00:01:54 -06:00
Serge Hallyn
ff2baed5db idmapping: add more checks for overflow
At this point they are redundant but should be safe.  Thanks to
Sebastian Krahmer for the first check.
2016-08-14 21:48:50 -05:00
Serge Hallyn
94da3dc5c8 also check upper for wrap 2016-08-14 21:48:45 -05:00
Serge Hallyn
7f5a14817d get_map_ranges: check for overflow
The kernel accepts u32 values, so make sure that userspace
is not passing large values.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2016-07-31 12:56:48 -05:00
W. Trevor King
c07397695a */Makefile.am: Replace INCLUDES with AM_CPPFLAGS
Catch up with Automake's [1], which was part of v1.6b, cut 2002-07-28
[2].  Avoids:

  $ autoreconf -v -f --install
  ...
  libmisc/Makefile.am:4: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
  ...
  src/Makefile.am:10: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
  ...

Consolidating with the earlier AM_CPPFLAGS avoids:

  $ autoreconf -v -f --install
  src/Makefile.am:72: warning: AM_CPPFLAGS multiply defined in condition TRUE ...
  src/Makefile.am:10: ... 'AM_CPPFLAGS' previously defined here
  autoreconf-2.69: Leaving directory `.'

[1]: http://git.savannah.gnu.org/cgit/automake.git/commit/?id=1415d22f6203206bc393fc4ea233123ba579222d
     Summary: automake.in (generate_makefile): Suggest using AM_CPPFLAGS instead of INCLUDES
     Date: 2002-07-09
[2]: http://git.savannah.gnu.org/cgit/automake.git/tag/?id=Release-1-6b
2016-04-29 17:30:18 -07:00
Stéphane Graber
65c2617140
Tweak uid/gid map default configuration
- Use an allocation of 65536 uids and gids to allow for POSIX-compliant
   user owned namespaces.
 - Don't allocate a uid/gid map to system users.
   Unfortunately checking for --system isn't quite enough as some
   distribution wrappers always call useradd without --system and take care
   of choosing a uid and gid themselves, so also check whether the
   requested uid/gid is in the user range.

This is taken from a patch I wrote for Ubuntu a couple years ago and
which somehow didn't make it upstream.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2016-02-15 18:11:10 -05:00
Bastian Blank
d2fa8c5d4b Fix user busy errors at userdel
From: Bastian Blank <bastian.blank@credativ.de>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-11-17 10:53:55 -06:00
Serge Hallyn
533d2bab3d get_map_ranges: initialize argidx to 0 at top of loop
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-08-06 00:34:25 -05:00
Serge Hallyn
7edb32e75f Fix a resource leak in libmis/idmapping.c
Reported at https://alioth.debian.org/tracker/?func=detail&atid=411478&aid=315136&group_id=30580
by Alejandro Joya.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-08-06 00:10:13 -05:00
Eric W. Biederman
578947e661 newuidmap,newgidmap: Correct the range size sanity check in get_map_ranges
The number of ranges should be the ceiling of the number of arguments divided
by three.

Without this fix newuidmap and newgidmap always report and error and fail,
which is very much not what we want.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-09-10 17:51:40 -05:00
Nicolas François
2883ff6ad5 Include <stdio.h>
* libmisc/idmapping.c: Include <stdio.h> needed for fprintf() and
	stderr.
2013-08-16 01:13:20 +02:00
Nicolas François
7d5732cb49 Remove dead code.
* libmisc/find_new_sub_gids.c: Remove dead code.
	find_new_sub_gids() is always called with *range_count set to 0.
	It's more difficult to keep the subordinate GIDs and UIDs
	synchronized, than for the user's UID/GId because the count of
	subordinate IDs may differ.
	* libmisc/find_new_sub_uids.c: Likewise.
	* lib/subordinateio.h, lib/subordinateio.c: Remove APIs that are
	no more needed: is_sub_uid_range_free(), is_sub_gid_range_free(),
	is_range_free().
2013-08-15 17:30:19 +02:00
Nicolas François
e1a4b6e57b Document the semantic of ranges.
* libmisc/idmapping.h: Document what the upper and lower fields
	are in struct map_range.
	* man/newgidmap.1.xml: Document when the gid, gidlower and count
	argument are.
	* man/newuidmap.1.xml: Likewise for uid, uidlower and count.
2013-08-13 19:28:07 +02:00
Nicolas François
5884ba907c (shadow_random): Use long instead of size_t.
* libmisc/salt.c (shadow_random): Use long instead of size_t.
	Compatibility with size_t is easier to check since it's used for
	smaller numbers (salt size).
2013-08-13 19:16:24 +02:00
Nicolas François
bfbd83239e Fix handling of boundaries.
* lib/subordinateio.c: Fix handling of boundaries.
	* libmisc/find_new_sub_uids.c: Likewise.
	* libmisc/find_new_sub_gids.c: Likewise.
2013-08-13 00:11:24 +02:00
Nicolas François
d611d54ed4 Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
	--disable-subordinate-ids. Enabled by default.
	* lib/prototypes.h: Include <config.h> before using its macros.
	* lib/commonio.h, lib/commonio.c: Define commonio_append only when
	ENABLE_SUBIDS is defined.
	* lib/prototypes.h, libmisc/find_new_sub_gids.c,
	libmisc/find_new_sub_uids.c: Likewise.
	* lib/subordinateio.h, lib/subordinateio.c: Likewise.
	* libmisc/user_busy.c: Only check if subordinate IDs are in use if
	ENABLE_SUBIDS is defined.
	* src/Makefile.am: Create newgidmap and newuidmap only if
	ENABLE_SUBIDS is defined.
	* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
	subordinate IDs.
	* src/useradd.c: Likewise.
	* src/userdel.c: Likewise.
	* src/usermod.c: Likewise.
	* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
	* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
	man5/subgid.5, and man5/subuid.5 (not translated yet).
	* man/generate_mans.mak: Add xsltproc conditionals
	subids/no_subids.
	* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
	condition.
	* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
	* man/usermod.8.xml: Document options for subordinate IDs and
	reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 15:46:59 +02:00
Nicolas François
14ebc92d8c Remove unused variable.
* libmisc/salt.c: Remove unused variable.
2013-08-10 00:11:52 +02:00
Nicolas François
45986f8dc8 Fix for Alioth#314271 (musl libc)
* libmisc/utmp.c: Add include files needed for getaddrinfo().
	See Alioth#314271
2013-08-07 02:18:43 +02:00
Nicolas François
316bc6b3f4 Fix wording: secondary -> subordinate.
* libmisc/find_new_sub_gids.c: Fix wording: secondary ->
	subordinate.
	* libmisc/find_new_sub_uids.c: Likewise.
2013-08-07 01:01:33 +02:00
Nicolas François
ac53650da5 Remove duplicate check.
* libmisc/find_new_sub_gids.c: Remove duplicate check (duplicate
	at least in its intent).
2013-08-06 23:59:09 +02:00
Serge Hallyn
c0ce911b5e userns: add argument sanity checking
In find_new_sub_{u,g}ids, check for min, count and max values.

In idmapping.c:get_map_ranges(), make sure that the value passed
in for ranges did not overflow.  Couldn't happen with the current
code, but this is a sanity check for any future potential mis-uses.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:46 -05:00
Eric W. Biederman
673c2a6f9a newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-08-05 10:08:46 -05:00
Eric W. Biederman
89f7b0868c Add support for detecting busy subordinate user ids
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Eric W. Biederman
a8f26262cf Implement find_new_sub_uids find_new_sub_gids
Functions for finding new subordinate uid and gids ranges for use
with useradd.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-08-05 10:08:45 -05:00
Nicolas François
60fc4bbf57 Debian bug 677275 - random() max value
* libmisc/salt.c: random() max value is 2^31-1 (same as RAND_MAX
	on GNU). As it is not clear whether on some systems the max value
	can exceed this number and whether some systems have max values
	which would be lower, we take this into account when defining the
	salt size and number of rounds for SHA encrypted passwords. Higher
	values are favored.
2013-08-05 14:19:23 +02:00
Nicolas François
a168d046f3 Fix typo in comment. 2013-08-04 15:56:32 +02:00
Nicolas François
ee1952424d Fix memory leak.
* libmisc/setupenv.c: Free pw_dir and pw_shell before reallocating
	them.
2013-08-02 20:28:24 +02:00
Nicolas François
b6c1a8579e Fix segfaults
* libmisc/setupenv.c: xstrdup the static char* temp_pw_dir /
	temp_pw_shell. That way we can continue to use pw_free() without
	segving. Thanks to Serge Hallyn for the patch.
2013-08-02 20:24:20 +02:00
Michael Scherer
4e65be1211 use chdir() before calling chroot() 2013-07-29 11:05:16 +02:00
mancha
52a38d5509 crypt() in glibc/eglibc 2.17 now fails if passed
a salt that violates specs. On Linux, crypt() also fails with
DES/MD5 salts in FIPS140 mode. Rather than exit() on NULL returns
we send them back to the caller for appropriate handling.
2013-07-28 18:41:11 +02:00
bubulle
945eb8f50b if using the static char* for pw_dir, strdup it so pw_free() can be used. (Closes: Debian#691459) 2013-07-28 14:16:09 +02:00
nekral-guest
f243d4077d * NEWS, src/login.c: Log in utmp / utmpx / wtmp also when PAM is
enabled. This is not done by pam_lastlog. This was broken on
	2011-07-23.
	* NEWS, libmisc/utmp.c: Do not log in wtmp when PAM is enabled.
	This is done by pam_lastlog.
2012-05-18 17:57:52 +00:00
nekral-guest
011c5155fa 2012-02-13 Mike Frysinger <vapier@gentoo.org>
* libmisc/copydir.c: Add missing #include <stdarg.h>
2012-02-13 19:16:29 +00:00
nekral-guest
2c24c012bd * lib/prototypes.h, lib/Makefile.am, po/POTFILES.in,
libmisc/copydir.c, lib/selinux.c: Move set_selinux_file_context()
	and reset_selinux_file_context() from libmisc/copydir.c to
	lib/selinux.c.
	* lib/commonio.c: Use set_selinux_file_context() and
	reset_selinux_file_context() instead of using the existing
	database SELinux context to set the context for the newly created
	files.
2011-12-09 22:13:02 +00:00
nekral-guest
e570b8ded4 * libmisc/copydir.c: Ignore errors to copy ACLs if the operation
is not supported.
2011-11-21 19:34:22 +00:00
nekral-guest
82d767d121 * libmisc/root_flag.c, src/gpasswd.c, src/chsh.c: Add splint
annotations.
	* src/pwconv.c, src/pwunconv.c, src/grpconv.c, src/grpunconv.c:
	Ignore return value of spw_rewind, pw_rewind, sgr_rewind, and
	gr_rewind.
	* lib/commonio.h: Both head and tail cannot be owned. Set tail as
	dependent.
	* src/expiry.c: Ignore return value of expire ().
	* src/expiry.c: The catch_signals function does not use its sig
	parameter.
	* src/userdel.c: Last audit_logger parameter is a
	shadow_audit_result, use SHADOW_AUDIT_FAILURE instead of 0.
2011-11-19 21:51:52 +00:00
nekral-guest
29050eadb5 * NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
	safe_system().
	* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
	lib/Makefile.am: Added helper functions for semanage.
	* README, src/useradd.c, src/usermod.c, src/userdel.c,
	configure.in: Use libsemanage instead of semanage.
2011-11-17 21:51:07 +00:00
nekral-guest
2e1652fdec 2011-11-16 Peter Vrabec <pvrabec@redhat.com>
* libmisc/copydir.c: Ignore perm_copy_file() errors with errno set
	to ENOTSUP.
2011-11-16 21:00:43 +00:00
nekral-guest
72ba5c4de7 * libmisc/root_flag.c: Add missing #include <stdio.h> 2011-11-16 19:34:39 +00:00
nekral-guest
2ecea675ee Fix cut&paste issue from yesterday. 2011-11-13 16:24:49 +00:00
nekral-guest
3c608e56f6 * libmisc/root_flag.c: Drop privileges before changing root. The
--root option should not be used by regular users for suid utils.
	* libmisc/root_flag.c: Improve error messages.
2011-11-11 12:09:58 +00:00
nekral-guest
3bb7c43694 * libmisc/copydir.c: Avoid conflict with glibc. Rename error to
error_acl.
2011-11-11 11:59:21 +00:00
nekral-guest
7861eaa5ec Re-indent. 2011-11-06 18:40:06 +00:00
nekral-guest
e4fbf98b18 * man/limits.5.xml, libmisc/limits.c: Sort limit identifiers.
* libmisc/limits.c: Fix support for the K limit identifier.
	* libmisc/limits.c: Add missing default limit for L and U.
2011-11-06 18:39:47 +00:00
nekral-guest
0b5574c28a * lib/prototypes.h, libmisc/Makefile.am, libmisc/root_flag.c,
po/POTFILES.in: Add process_root_flag() to process the --root
	option and chroot so that the chroot config is used and changes
	are applied to the chroot.
2011-11-06 18:37:19 +00:00
nekral-guest
704f28df98 * lib/prototypes.h, libmisc/cleanup.c, lib/spawn.c, src/chage.c:
Add splint annotations.
2011-10-18 20:23:33 +00:00
nekral-guest
f870cc7eab Miscellaneous:
* lib/prototypes, libmisc/basename.c (Basename): Input is a
	constant string.
	* lib/prototypes.h, lib/spawn.h, lib/spawn.c, src/userdel.c,
	lib/nscd.c, lib/Makefile.am: Delete spawn.h. Move from spawn.h to
	prototypes.h.
	* src/userdel.c: Remove unused variables.
	* lib/nscd.c: Remove unused header files.
	* lib/nscd.c: Add the program name to error messages.
	* lib/nscd.c: Indicate when nscd does not terminate normally (signal).
	* lib/spawn.c: Updated header.
	* lib/spawn.c: Flush stdout and stderr to avoid inheriting from
	ongoing buffers.
	* lib/spawn.c: Avoid implicit conversion of pointer to boolean.
	* lib/spawn.c: Replace perror by a complete message.
	* lib/spawn.c: Continue to wait for the child if another child
	terminates.
	* lib/prototypes.h: The name field from cleanup_info_mod is a
	constant string. (username).
2011-09-18 21:02:43 +00:00
nekral-guest
05b55446da * libmisc/cleanup.c: Spawn children should no trigger cleanup
actions. Make sure only the parent (initial caller) perform the
	cleanup actions.
2011-09-18 20:43:28 +00:00
nekral-guest
f1db2383fc * libmisc/salt.c (SHA_salt_rounds): It is statically ensured that
the format fits in rounds_prefix.
	* libmisc/loginprompt.c: Likewise.
2011-09-18 20:41:38 +00:00