about summary refs log tree commit diff
path: root/nscd
diff options
context:
space:
mode:
Diffstat (limited to 'nscd')
-rw-r--r--nscd/Makefile4
-rw-r--r--nscd/connections.c67
-rw-r--r--nscd/nscd.c26
-rw-r--r--nscd/nscd.conf2
-rw-r--r--nscd/nscd.h13
-rw-r--r--nscd/nscd_conf.c22
-rw-r--r--nscd/nscd_stat.c18
7 files changed, 103 insertions, 49 deletions
diff --git a/nscd/Makefile b/nscd/Makefile
index e3c7af9c0a..b79af9b355 100644
--- a/nscd/Makefile
+++ b/nscd/Makefile
@@ -1,4 +1,4 @@
-# Copyright (C) 1998, 2000, 2002 Free Software Foundation, Inc.
+# Copyright (C) 1998, 2000, 2002, 2003 Free Software Foundation, Inc.
 # This file is part of the GNU C Library.
 
 # The GNU C Library is free software; you can redistribute it and/or
@@ -30,7 +30,7 @@ vpath %.c ../locale/programs
 
 nscd-modules := nscd connections pwdcache getpwnam_r getpwuid_r grpcache \
 		getgrnam_r getgrgid_r hstcache gethstbyad_r gethstbynm2_r \
-		dbg_log nscd_conf nscd_stat cache xmalloc
+		dbg_log nscd_conf nscd_stat cache xmalloc xstrdup
 
 ifeq ($(have-thread-library),yes)
 
diff --git a/nscd/connections.c b/nscd/connections.c
index c80ba96dc5..5cb73eb252 100644
--- a/nscd/connections.c
+++ b/nscd/connections.c
@@ -48,6 +48,8 @@ extern void *xrealloc (void *o, size_t n);
 const char *server_user;
 static uid_t server_uid;
 static gid_t server_gid;
+const char *stat_user;
+uid_t stat_uid;
 static gid_t *server_groups;
 #ifndef NGROUPS
 # define NGROUPS 32
@@ -88,7 +90,7 @@ const char *serv2str[LASTREQ] =
 };
 
 /* The control data structures for the services.  */
-static struct database dbs[lastdb] =
+struct database dbs[lastdb] =
 {
   [pwddb] = {
     .lock = PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP,
@@ -137,20 +139,11 @@ unsigned long int client_queued;
 
 /* Initialize database information structures.  */
 void
-nscd_init (const char *conffile)
+nscd_init (void)
 {
   struct sockaddr_un sock_addr;
   size_t cnt;
 
-  /* Read the configuration file.  */
-  if (nscd_parse_file (conffile, dbs) != 0)
-    {
-      /* We couldn't read the configuration file.  Disable all services
-	 by shutting down the srever.  */
-      dbg_log (_("cannot read configuration file; this is fatal"));
-      exit (1);
-    }
-
   /* Secure mode and unprivileged mode are incompatible */
   if (server_user != NULL && secure_in_use)
     {
@@ -237,6 +230,7 @@ close_sockets (void)
   close (sock);
 }
 
+
 static void
 invalidate_cache (char *key)
 {
@@ -384,20 +378,9 @@ cannot handle old request version %d; current version is %d"),
     case GETSTAT:
     case SHUTDOWN:
     case INVALIDATE:
-      /* Accept shutdown, getstat and invalidate only from root */
-      if (secure_in_use && uid == 0)
+      if (! secure_in_use)
 	{
-	  if (req->type == GETSTAT)
-	    send_stats (fd, dbs);
-	  else if (req->type == INVALIDATE)
-	    invalidate_cache (key);
-	  else
-	    termination_handler (0);
-	}
-      else
-	{
-	  /* Some systems have no SO_PEERCRED implementation.  They don't
-	     care about security so we don't as well.  */
+	  /* Get the callers credentials.  */
 #ifdef SO_PEERCRED
 	  struct ucred caller;
 	  socklen_t optlen = sizeof (caller);
@@ -408,18 +391,30 @@ cannot handle old request version %d; current version is %d"),
 
 	      dbg_log (_("error getting callers id: %s"),
 		       strerror_r (errno, buf, sizeof (buf)));
+	      break;
 	    }
-	  else
-	    if (caller.uid == 0)
+
+	  uid = caller.uid;
+#else
+	  /* Some systems have no SO_PEERCRED implementation.  They don't
+	     care about security so we don't as well.  */
+	  uid = 0;
 #endif
-	      {
-		if (req->type == GETSTAT)
-		  send_stats (fd, dbs);
-		else if (req->type == INVALIDATE)
-		  invalidate_cache (key);
-		else
-		  termination_handler (0);
-	      }
+	}
+
+      /* Accept shutdown, getstat and invalidate only from root.  For
+	 the stat call also allow the user specified in the config file.  */
+      if (req->type == GETSTAT)
+	{
+	  if (uid == 0 || uid == stat_uid)
+	    send_stats (fd, dbs);
+	}
+      else if (uid == 0)
+	{
+	  if (req->type == INVALIDATE)
+	    invalidate_cache (key);
+	  else
+	    termination_handler (0);
 	}
       break;
 
@@ -480,7 +475,7 @@ nscd_run (void *p)
       int fd = TEMP_FAILURE_RETRY (accept (conn.fd, NULL, NULL));
       request_header req;
       char buf[256];
-      uid_t uid = 0;
+      uid_t uid = -1;
 #ifdef SO_PEERCRED
       pid_t pid = 0;
 #endif
@@ -526,7 +521,7 @@ nscd_run (void *p)
 	      || secure[serv2db[req.type]])
 	    uid = caller.uid;
 
-	      pid = caller.pid;
+	  pid = caller.pid;
 	}
       else if (__builtin_expect (debug_level > 0, 0))
 	{
diff --git a/nscd/nscd.c b/nscd/nscd.c
index 3d55741df1..69cfa90ab5 100644
--- a/nscd/nscd.c
+++ b/nscd/nscd.c
@@ -30,6 +30,7 @@
 #include <paths.h>
 #include <pthread.h>
 #include <signal.h>
+#include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -109,6 +110,9 @@ static struct argp argp =
   options, parse_opt, NULL, doc,
 };
 
+/* True if only statistics are requested.  */
+static bool get_stats;
+
 int
 main (int argc, char **argv)
 {
@@ -129,6 +133,20 @@ main (int argc, char **argv)
       exit (EXIT_FAILURE);
     }
 
+  /* Read the configuration file.  */
+  if (nscd_parse_file (conffile, dbs) != 0)
+    {
+      /* We couldn't read the configuration file.  We don't start the
+	 server.  */
+      dbg_log (_("cannot read configuration file; this is fatal"));
+      exit (1);
+    }
+
+  /* Do we only get statistics?  */
+  if (get_stats)
+    /* Does not return.  */
+    receive_print_stats ();
+
   /* Check if we are already running. */
   if (check_pid (_PATH_NSCDPID))
     error (EXIT_FAILURE, 0, _("already running"));
@@ -223,7 +241,7 @@ main (int argc, char **argv)
   __nss_disable_nscd ();
 
   /* Init databases.  */
-  nscd_init (conffile);
+  nscd_init ();
 
   /* Handle incoming requests */
   start_threads ();
@@ -268,10 +286,8 @@ parse_opt (int key, char *arg, struct argp_state *state)
       }
 
     case 'g':
-      if (getuid () != 0)
-	error (EXIT_FAILURE, 0, _("Only root is allowed to use this option!"));
-      receive_print_stats ();
-      /* Does not return.  */
+      get_stats = true;
+      break;
 
     case 'i':
       if (getuid () != 0)
diff --git a/nscd/nscd.conf b/nscd/nscd.conf
index 226dda377f..ed05ba495f 100644
--- a/nscd/nscd.conf
+++ b/nscd/nscd.conf
@@ -10,6 +10,7 @@
 #	threads			<#threads to use>
 #	server-user             <user to run server as instead of root>
 #		server-user is ignored if nscd is started with -S parameters
+#       stat-user               <user who is allowed to request statistics>
 #
 #       enable-cache		<service> <yes|no>
 #	positive-time-to-live	<service> <time in seconds>
@@ -24,6 +25,7 @@
 #	logfile			/var/log/nscd.log
 #	threads			6
 #	server-user		nobody
+#	stat-user		somebody
 	debug-level		0
 
 	enable-cache		passwd		yes
diff --git a/nscd/nscd.h b/nscd/nscd.h
index 73c94a5035..af7ae9a7e5 100644
--- a/nscd/nscd.h
+++ b/nscd/nscd.h
@@ -89,6 +89,7 @@ struct database
 
 
 /* Global variables.  */
+extern struct database dbs[lastdb];
 extern const char *dbnames[lastdb];
 extern const char *serv2str[LASTREQ];
 
@@ -99,13 +100,17 @@ extern const struct iovec hst_iov_disabled;
 /* Number of threads to run.  */
 extern int nthreads;
 
-/* Tables for which we cache data with uid */
+/* Tables for which we cache data with uid.  */
 extern int secure[lastdb];
-extern int secure_in_use; /* Is one of the above 1 ? */
+extern int secure_in_use; /* Is one of the above 1?  */
 
-/* User name to run server processes as */
+/* User name to run server processes as.  */
 extern const char *server_user;
 
+/* Name and UID of user who is allowed to request statistics.  */
+extern const char *stat_user;
+extern uid_t stat_uid;
+
 /* Time the server was started.  */
 extern time_t start_time;
 
@@ -119,7 +124,7 @@ extern void termination_handler (int signum) __attribute__ ((__noreturn__));
 extern int nscd_open_socket (void);
 
 /* connections.c */
-extern void nscd_init (const char *conffile);
+extern void nscd_init (void);
 extern void close_sockets (void);
 extern void start_threads (void) __attribute__ ((__noreturn__));
 
diff --git a/nscd/nscd_conf.c b/nscd/nscd_conf.c
index 7de38d9d25..23c28ceef0 100644
--- a/nscd/nscd_conf.c
+++ b/nscd/nscd_conf.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 1998, 2000 Free Software Foundation, Inc.
+/* Copyright (c) 1998, 2000, 2003 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@suse.de>, 1998.
 
@@ -19,6 +19,7 @@
 
 #include <ctype.h>
 #include <malloc.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -29,6 +30,10 @@
 #include "dbg_log.h"
 #include "nscd.h"
 
+/* Wrapper functions with error checking for standard functions.  */
+extern char *xstrdup (const char *s);
+
+
 /* Names of the databases.  */
 const char *dbnames[lastdb] =
 {
@@ -181,7 +186,20 @@ nscd_parse_file (const char *fname, struct database dbs[lastdb])
           if (!arg1)
             dbg_log (_("Must specify user name for server-user option"));
           else
-            server_user = strdup (arg1);
+            server_user = xstrdup (arg1);
+        }
+      else if (strcmp (entry, "stat-user") == 0)
+        {
+          if (!arg1)
+            dbg_log (_("Must specify user name for stat-user option"));
+          else
+	    {
+	      stat_user = xstrdup (arg1);
+
+	      struct passwd *pw = getpwnam (stat_user);
+	      if (pw != NULL)
+		stat_uid = pw->pw_uid;
+	    }
         }
       else
 	dbg_log (_("Unknown option: %s %s %s"), entry, arg1, arg2);
diff --git a/nscd/nscd_stat.c b/nscd/nscd_stat.c
index 7cfde982f6..f04e1972b5 100644
--- a/nscd/nscd_stat.c
+++ b/nscd/nscd_stat.c
@@ -114,6 +114,24 @@ receive_print_stats (void)
   ssize_t nbytes;
   int fd;
   int i;
+  uid_t uid = getuid ();
+
+  /* Find out whether there is another user but root allowed to
+     request statistics.  */
+  if (uid != 0)
+    {
+      /* User specified?  */
+      if(stat_user == NULL || stat_uid != uid)
+	{
+	  if (stat_user != NULL)
+	    error (EXIT_FAILURE, 0,
+		   _("Only root or %s is allowed to use this option!"),
+		   stat_user);
+	  else
+	    error (EXIT_FAILURE, 0,
+		   _("Only root is allowed to use this option!"));
+	}
+    }
 
   /* Open a socket to the running nscd.  */
   fd = nscd_open_socket ();