about summary refs log tree commit diff
path: root/nss
Commit message (Collapse)AuthorAgeFilesLines
* Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]Romain Geissler2023-09-262-0/+23
| | | | | | | | | | | | This patch fixes a very recently added leak in getaddrinfo. This was assigned CVE-2023-5156. Resolves: BZ #30884 Related: BZ #30842 Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
* getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)Siddhesh Poyarekar2023-09-156-2/+135
| | | | | | | | | | | | | | | | | | | | | | | | When an NSS plugin only implements the _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use memory that was freed during tmpbuf resizing, through h_name in a previous query response. The backing store for res->at->name when doing a query with gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in gethosts during the query. For AF_INET6 lookup with AI_ALL | AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough number of times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up on a heap allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free. Fix this by copying h_name over and freeing it at the end. This resolves BZ #30843, which is assigned CVE-2023-4806. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> (cherry picked from commit 973fe93a5675c42798b2161c6f29c01b0e243994)
* nss: Use shared prefix in IPv4 address in tst-reload1Florian Weimer2022-10-131-4/+4
| | | | | | | | | Otherwise, sorting based on the longest-matching prefix in getaddrinfo can reorder the addresses in ways the test does not expect, depending on the IPv4 address of the host. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> (cherry picked from commit c02e29a0ba47d636281e1a026444a1a0a254aa12)
* nss: Fix tst-nss-files-hosts-long on single-stack hosts (bug 24816)Florian Weimer2022-10-131-4/+5
| | | | | | | | | | getent implicitly passes AI_ADDRCONFIG to getaddrinfo by default. Use --no-addrconfig to suppress that, so that both IPv4 and IPv6 lookups succeed even if the address family is not supported by the host. Reviewed-by: Carlos O'Donell <carlos@redhat.com> (cherry picked from commit c75d20b5b27b0a60f0678236f51a4d3b0b058c00)
* nss: Implement --no-addrconfig option for getentFlorian Weimer2022-10-131-1/+10
| | | | | | | | The ahosts, ahostsv4, ahostsv6 commands unconditionally pass AI_ADDRCONFIG to getaddrinfo, which is not always desired. Reviewed-by: Carlos O'Donell <carlos@redhat.com> (cherry picked from commit a623f13adfac47c8634a7288e08f821a846bc650)
* nss: handle stat failure in check_reload_and_get (BZ #28752)Sam James2022-06-081-15/+24
| | | | | | | | | | | | | | | | | Skip the chroot test if the database isn't loaded correctly (because the chroot test uses some existing DB state). The __stat64_time64 -> fstatat call can fail if running under an (aggressive) seccomp filter, like Firefox seems to use. This manifested in a crash when using glib built with FAM support with such a Firefox build. Suggested-by: DJ Delorie <dj@redhat.com> Signed-off-by: Sam James <sam@gentoo.org> Reviewed-by: DJ Delorie <dj@redhat.com>
* nss: add assert to DB_LOOKUP_FCT (BZ #28752)Sam James2022-06-081-0/+5
| | | | | | | | | It's interesting if we have a null action list, so an assert is worthwhile. Suggested-by: DJ Delorie <dj@redhat.com> Signed-off-by: Sam James <sam@gentoo.org> Reviewed-by: DJ Delorie <dj@redhat.com>
* nss: Optimize nss_hash in nss_hash.cNoah Goldstein2022-05-231-37/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The prior unrolling didn't really do much as it left the dependency chain between iterations. Unrolled the loop for 4 so 4x multiplies could be pipelined in out-of-order machines. Results for __nss_hash Benchmarked on Tigerlake: 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz Time as Geometric Mean of N=25 runs Geometric of all benchmark New / Old: 0.845 type, length, New Time, Old Time, New Time / Old Time fixed, 0, 4.019, 3.729, 1.078 fixed, 1, 4.95, 5.707, 0.867 fixed, 2, 5.152, 5.657, 0.911 fixed, 3, 4.641, 5.721, 0.811 fixed, 4, 5.551, 5.81, 0.955 fixed, 5, 6.525, 6.552, 0.996 fixed, 6, 6.711, 6.561, 1.023 fixed, 7, 6.715, 6.767, 0.992 fixed, 8, 7.874, 7.915, 0.995 fixed, 9, 8.888, 9.767, 0.91 fixed, 10, 8.959, 9.762, 0.918 fixed, 11, 9.188, 9.987, 0.92 fixed, 12, 9.708, 10.618, 0.914 fixed, 13, 10.393, 11.14, 0.933 fixed, 14, 10.628, 12.097, 0.879 fixed, 15, 10.982, 12.965, 0.847 fixed, 16, 11.851, 14.429, 0.821 fixed, 32, 24.334, 34.414, 0.707 fixed, 64, 55.618, 86.688, 0.642 fixed, 128, 118.261, 224.36, 0.527 fixed, 256, 256.183, 538.629, 0.476 random, 2, 11.194, 11.556, 0.969 random, 4, 17.516, 17.205, 1.018 random, 8, 23.501, 20.985, 1.12 random, 16, 28.131, 29.212, 0.963 random, 32, 35.436, 38.662, 0.917 random, 64, 45.74, 58.868, 0.777 random, 128, 75.394, 121.963, 0.618 random, 256, 139.524, 260.726, 0.535 Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* nss: Add tests for the nss_hash in nss_hash.hNoah Goldstein2022-05-234-0/+124
| | | | | If we want to further optimize the function tests are needed. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* hurd: Fix arbitrary error codeSamuel Thibault2022-04-121-1/+1
| | | | ELIBBAD is Linux-specific.
* Allow for unpriviledged nested containersDJ Delorie2022-04-041-0/+2
| | | | | | | | | | | | | | | | | If the build itself is run in a container, we may not be able to fully set up a nested container for test-container testing. Notably is the mounting of /proc, since it's critical that it be mounted from within the same PID namespace as its users, and thus cannot be bind mounted from outside the container like other mounts. This patch defaults to using the parent's PID namespace instead of creating a new one, as this is more likely to be allowed. If the test needs an isolated PID namespace, it should add the "pidns" command to its init script. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Simplify allocations and fix merge and continue actions [BZ #28931]Siddhesh Poyarekar2022-03-224-0/+659
| | | | | | | | | | | | | | | | | | | | | Allocations for address tuples is currently a bit confusing because of the pointer chasing through PAT, making it hard to observe the sequence in which allocations have been made. Narrow scope of the pointer chasing through PAT so that it is only used where necessary. This also tightens actions behaviour with the hosts database in getaddrinfo to comply with the manual text. The "continue" action discards previous results and the "merge" action results in an immedate lookup failure. Consequently, chaining of allocations across modules is no longer necessary, thus opening up cleanup opportunities. A test has been added that checks some combinations to ensure that they work correctly. Resolves: BZ #28931 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: DJ Delorie <dj@redhat.com>
* nss: Sort tests and tests-container and put one test per lineSiddhesh Poyarekar2022-03-171-15/+24
| | | | Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* nss: Protect against errno changes in function lookup (bug 28953)Florian Weimer2022-03-114-4/+142
| | | | | | | | | | | | | dlopen may clobber errno. The nss_test_errno module uses an ELF constructor to achieve that, but there could be internal errors during dlopen that cause this, too. Therefore, the NSS framework has to guard against such errno clobbers. __nss_module_get_function is currently the only function that calls __nss_module_load, so it is sufficient to save and restore errno around this call. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* nss: Do not mention NSS test modules in <gnu/lib-names.h>Florian Weimer2022-03-111-8/+5
| | | | | | | | They are not actually installed. Use the nss_files version instead in nss/Makefile, similar to how __nss_shlib_revision is derived from LIBNSS_FILES_SO. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Update copyright dates not handled by scripts/update-copyrights.Paul Eggert2022-01-012-2/+2
| | | | | | | | | | | | | | I've updated copyright dates in glibc for 2022. This is the patch for the changes not generated by scripts/update-copyrights and subsequent build / regeneration of generated files. As well as the usual annual updates, mainly dates in --version output (minus csu/version.c which previously had to be handled manually but is now successfully updated by update-copyrights), there is a small change to the copyright notice in NEWS which should let NEWS get updated automatically next year. Please remember to include 2022 in the dates for any new files added in future (which means updating any existing uncommitted patches you have that add new files to use the new copyright dates in them).
* Update copyright dates with scripts/update-copyrightsPaul Eggert2022-01-01101-101/+101
| | | | | | | | | | | | | | | | | | | | | | | I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
* nss: Use "files dns" as the default for the hosts database (bug 28700)Florian Weimer2021-12-172-3/+3
| | | | | | | | | | | | | | | | | | This matches what is currently in nss/nsswitch.conf. The new ordering matches what most distributions use in their installed configuration files. It is common to add localhost to /etc/hosts because the name does not exist in the DNS, but is commonly used as a host name. With the built-in "dns [!UNAVAIL=return] files" default, dns is searched first and provides an answer for "localhost" (NXDOMAIN). We never look at the files database as a result, so the contents of /etc/hosts is ignored. This means that "getent hosts localhost" fail without a /etc/nsswitch.conf file, even though the host name is listed in /etc/hosts. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Disable DT_RUNPATH on NSS tests [BZ #28455]H.J. Lu2021-12-131-0/+8
| | | | | | | | | | | The glibc internal NSS functions should always load NSS modules from the system. For testing purpose, disable DT_RUNPATH on NSS tests so that the glibc internal NSS functions can load testing NSS modules via DT_RPATH. This partially fixes BZ #28455. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* nss: Unnest nested function add_keyFangrui Song2021-10-191-41/+41
| | | | | | | This makes makedb.c compilable with Clang which does not support nested functions. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Fix failing nss/tst-nss-files-hosts-long with local resolverAurelien Jarno2021-09-071-0/+1
| | | | | | | | | | | | | | | | | | When a local resolver like unbound is listening on the IPv4 loopback address 127.0.0.1, the nss/tst-nss-files-hosts-long test fails. This is due to: - the default resolver in the absence of resolv.conf being 127.0.0.1 - the default DNS NSS database configuration in the absence of nsswitch.conf being 'hosts: dns [!UNAVAIL=return] file' This causes the requests for 'test4' and 'test6' to first be sent to the local resolver, which responds with NXDOMAIN in the likely case those records do no exist. In turn that causes the access to /etc/hosts to be skipped, which is the purpose of that test. Fix that by providing a simple nsswitch.conf file forcing access to /etc/hosts for that test. I have tested that the only changed result in the testsuite is that test.
* Remove "Contributed by" linesSiddhesh Poyarekar2021-09-0332-32/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | We stopped adding "Contributed by" or similar lines in sources in 2012 in favour of git logs and keeping the Contributors section of the glibc manual up to date. Removing these lines makes the license header a bit more consistent across files and also removes the possibility of error in attribution when license blocks or files are copied across since the contributed-by lines don't actually reflect reality in those cases. Move all "Contributed by" and similar lines (Written by, Test by, etc.) into a new file CONTRIBUTED-BY to retain record of these contributions. These contributors are also mentioned in manual/contrib.texi, so we just maintain this additional record as a courtesy to the earlier developers. The following scripts were used to filter a list of files to edit in place and to clean up the CONTRIBUTED-BY file respectively. These were not added to the glibc sources because they're not expected to be of any use in future given that this is a one time task: https://gist.github.com/siddhesh/b5ecac94eabfd72ed2916d6d8157e7dc https://gist.github.com/siddhesh/15ea1f5e435ace9774f485030695ee02 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* nss: Directly load nss_dns, without going through dlsym/dlopenFlorian Weimer2021-07-193-23/+51
| | | | | | | | | | | | | This partially fixes static-only NSS support (bug 27959): The dns module no longer needs dlopen. Support for disabling dlopen altogher remains to be added. This commit introduces module_load_builtin into nss/nss_module.c, which handles the common parts of loading the built-in nss_files and nss_dns modules. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
* Fix linknamespace errors and local-plt-usages in nss_files.Stefan Liebler2021-07-144-8/+8
| | | | | | | | | | | | | | | | | | | After commit f9c8b11ed7726b858cd7b7cea0d3d7c5233d78cf "nss: Access nss_files through direct references", when building with -Os, multiple conform/.../linknamespace tests and elf/check-localplt are failing: Extra PLT reference: libc.so: fgetc_unlocked Extra PLT reference: libc.so: getline Or e.g.: [initial] glob -> [libc.a(glob.o)] __getpwnam_r -> [libc.a(getpwnam_r.o)] __nss_database_custom -> [libc.a(nsswitch.o)] __nss_module_get_function -> [libc.a(nss_module.o)] __nss_files_functions -> [libc.a(nss_files_functions.o)] _nss_files_endaliasent -> [libc.a(files-alias.o)] feof_unlocked [initial] glob -> [libc.a(glob.o)] __getpwnam_r -> [libc.a(getpwnam_r.o)] __nss_database_custom -> [libc.a(nsswitch.o)] __nss_module_get_function -> [libc.a(nss_module.o)] __nss_files_functions -> [libc.a(nss_files_functions.o)] _nss_files_endaliasent -> [libc.a(files-alias.o)] fgetc_unlocked [initial] glob -> [libc.a(glob.o)] __getpwnam_r -> [libc.a(getpwnam_r.o)] __nss_database_custom -> [libc.a(nsswitch.o)] __nss_module_get_function -> [libc.a(nss_module.o)] __nss_files_functions -> [libc.a(nss_files_functions.o)] _nss_files_endnetgrent -> [libc.a(files-netgrp.o)] getline This patch is using the hidden symbols where possible. Instead of fputc_unlocked, __putc_unlocked is used. (Compare to commit eeaa19f75e52d2d48074ae0c423f2311d67c42c6 "mntent: Use __putc_unlocked instead of fputc_unlocked")
* nss: Fix build error with --disable-nscdCooper Qu2021-07-141-2/+4
| | | | | | | | | | | | | The error is as follows: nss_module.c: In function 'module_load_nss_files': nss_module.c:117:7: error: 'is_nscd' undeclared (first use in this function) 117 | if (is_nscd) | ^~~~~~~ nss_module.c:117:7: note: each undeclared identifier is reported only once for each function it appears in nss_module.c:119:51: error: 'nscd_init_cb' undeclared (first use in this function); did you mean 'nscd_init'? 119 | void (*cb) (size_t, struct traced_file *) = nscd_init_cb; | ^~~~~~~~~~~~ | nscd_init
* Fix failing nss/tst-nss-files-hosts-long.Stefan Liebler2021-07-121-0/+0
| | | | | | | | | | | | | | Sometimes the test nss/tst-nss-files-hosts-long is failing as getent fails with exit-code 2. This happens if tst-reload1 was run just before this test: make t=nss/tst-reload1 test make t=nss/tst-nss-files-hosts-long test Then the test fails as /etc/nsswitch.conf contains "hosts: test2" and the hosts are not searched in /etc/hosts at all. Thus this patch just requests a post cleanup after nss/tst-reload1 has run.
* nss: Do not install static linker input files for libnss_filesFlorian Weimer2021-07-081-0/+8
|
* nss: Access nss_files through direct referencesFlorian Weimer2021-07-0719-32/+104
| | | | | | | | This partially fixes static-only NSS support (bug 27959): The files module no longer needs dlopen. Support for the dns module remains to be added, and also support for disabling dlopen altogether. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* nss_files: Move into libcFlorian Weimer2021-07-078-35/+31
| | | | | | This is the first step towards fixing bug 27959. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* nss_files: Add generic code for set*ent, end*ent and file openFlorian Weimer2021-07-076-108/+199
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reduces RSS usage if nss_files is not actually used, and can be used later to make NSS data thread-specific. It also results in a small code size reduction. Before: text data bss dec hex filename 2288 0 72 2360 938 nss/files-alias.os 1807 0 72 1879 757 nss/files-ethers.os 1371 0 72 1443 5a3 nss/files-grp.os 6246 0 72 6318 18ae nss/files-hosts.os 869 0 0 869 365 nss/files-initgroups.os 666 0 0 666 29a nss/files-init.os 1934 0 0 1934 78e nss/files-netgrp.os 2353 0 72 2425 979 nss/files-network.os 2130 0 72 2202 89a nss/files-proto.os 1372 0 72 1444 5a4 nss/files-pwd.os 2124 0 72 2196 894 nss/files-rpc.os 2265 0 72 2337 921 nss/files-service.os 1125 0 72 1197 4ad nss/files-sgrp.os 1124 0 72 1196 4ac nss/files-spwd.os After: text data bss dec hex filename 2040 0 0 2040 7f8 nss/files-alias.os 1599 0 0 1599 63f nss/files-ethers.os 1155 0 0 1155 483 nss/files-grp.os 6010 0 0 6010 177a nss/files-hosts.os 869 0 0 869 365 nss/files-initgroups.os 666 0 0 666 29a nss/files-init.os 1934 0 0 1934 78e nss/files-netgrp.os 2129 0 0 2129 851 nss/files-network.os 1914 0 0 1914 77a nss/files-proto.os 1156 0 0 1156 484 nss/files-pwd.os 1908 0 0 1908 774 nss/files-rpc.os 2057 0 0 2057 809 nss/files-service.os 909 0 0 909 38d nss/files-sgrp.os 908 0 0 908 38c nss/files-spwd.os 1090 0 8 1098 44a nss/nss_files_data.os 27674 code bytes before, 26344 code bytes after, so it is an overall win despite the extra initialization code. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* nss_files: Allocate nscd file registration data on the heapFlorian Weimer2021-07-071-34/+20
| | | | | | | | | | | | | | | | | | | | | | This is only needed if nss_files is loaded by nscd. Before: text data bss dec hex filename 767 0 24952 25719 6477 nss/files-init.os After: text data bss dec hex filename 666 0 0 666 29a nss/files-init.os Using PATH_MAX bytes unconditionally for the directory name is wasteful, but fixing that would constitute another break of this semi-public ABI. (The other issue is that with symbolic links, an arbitrary set of parent directories may need watching, not just a single one.) Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* nss: Fix NSS_DECLARE_MODULE_FUNCTIONS handling of _nss_*_endnetgrentFlorian Weimer2021-06-291-1/+1
| | | | | The old version had an additional underscore, making the declaration ineffective.
* Use 64 bit time_t stat internallyAdhemerval Zanella2021-06-221-2/+2
| | | | | | | | | | For the legacy ABI with supports 32-bit time_t it calls the 64-bit time directly, since the LFS symbols calls the 64-bit time_t ones internally. Checked on i686-linux-gnu and x86_64-linux-gnu. Reviewed-by: Lukasz Majewski <lukma@denx.de>
* dlfcn: Cleanups after -ldl is no longer requiredFlorian Weimer2021-06-031-5/+0
| | | | | | | | | | | | This commit removes the ELF constructor and internal variables from dlfcn/dlfcn.c. The file now serves the same purpose as nptl/libpthread-compat.c, so it is renamed to dlfcn/libdl-compat.c. The use of libdl-shared-only-routines ensures that libdl.a is empty. This commit adjusts the test suite not to use $(libdl). The libdl.so symbolic link is no longer installed. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
* Use a #pragma to suppress a bogus GCC 10 warning instead of an assert [BZ ↵Martin Sebor2021-05-101-1/+11
| | | | | | 27832]. Reviewed-by: fweimer@redhat.com
* Annotate additional APIs with GCC attribute access.Martin Sebor2021-05-061-2/+5
| | | | | | | | | | | | | | | | This change continues the improvements to compile-time out of bounds checking by decorating more APIs with either attribute access, or by explicitly providing the array bound in APIs such as tmpnam() that expect arrays of some minimum size as arguments. (The latter feature is new in GCC 11.) The only effects of the attribute and/or the array bound is to check and diagnose calls to the functions that fail to provide a sufficient number of elements, and the definitions of the functions that access elements outside the specified bounds. (There is no interplay with _FORTIFY_SOURCE here yet.) Tested with GCC 7 through 11 on x86_64-linux.
* nss: fix nss_database_lookup2's alternate handling [BZ #27416]DJ Delorie2021-03-0928-96/+248
| | | | | | | | | | | | | | | | | | | | __nss_database_lookup2's extra arguments were left unused in the nsswitch reloading patch set; this broke compat (default config ignored) and shadow files (secondary name ignored) which relies on these fallbacks. This patch adds in the previous behavior by correcting the initialization of the database list to reflect the fallbacks. This means that the nss_database_lookup2 interface no longer needs to be passed the fallback info, so API and callers were adjusted. Since all callers needed to be edited anyway, the calls were changed from __nss_database_lookup2 to the faster __nss_database_get. This was an intended optimization which was deferred during the initial lookup changes to avoid touching so many files. The test case verifies that compat targets work (passwd) and that the default configuration works (group). Tested on x86-64.
* nss: Re-enable NSS module loading after chroot [BZ #27389]DJ Delorie2021-03-026-8/+32
| | | | | | | | | | | | | | | | | | | | | The glibc 2.33 release enabled /etc/nsswitch.conf reloading, and to prevent potential security issues like CVE-2019-14271 the re-loading of nsswitch.conf and all mdoules was disabled when the root filesystem changes (see bug 27077). Unfortunately php-lpfm and openldap both require the ability to continue to load NSS modules after chroot. The packages do not exec after the chroot, and so do not cause the protections to be reset. The only solution is to re-enable only NSS module loading (not nsswitch.conf reloading) and so get back the previous glibc behaviour. In the future we may introduce a way to harden applications so they do not reload NSS modules once the root filesystem changes, or that only files/dns are available pre-loaded (or builtin). Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* nsswitch: return result when nss database is locked [BZ #27343]Sergei Trofimovich2021-02-051-1/+2
| | | | | | | | | | | | | | | | | | | | | | | Before the change nss_database_check_reload_and_get() did not populate the '*result' value when it returned success in a case of chroot detection. This caused initgroups() to use garage pointer in the following test (extracted from unbound): ``` int main() { // load some NSS modules struct passwd * pw = getpwnam("root"); chdir("/tmp"); chroot("/tmp"); chdir("/"); // access nsswitch.conf in a chroot initgroups("root", 0); } ``` Reviewed-by: DJ Delorie <dj@redhat.com>
* Fix nss/tst-reload2 for systems without PATH_MAXDJ Delorie2021-01-271-0/+4
|
* nsswitch: do not reload if "/" changesDJ Delorie2021-01-279-1/+178
| | | | | | | | | | | https://sourceware.org/bugzilla/show_bug.cgi?id=27077 Before reloading nsswitch.conf, verify that the root directory hasn't changed - if it has, it's likely that we've entered a container and should not trust the nsswitch inside the container nor load any shared objects therein. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* Update copyright dates not handled by scripts/update-copyrights.Paul Eggert2021-01-022-2/+2
| | | | | | | | | | | | | | I've updated copyright dates in glibc for 2021. This is the patch for the changes not generated by scripts/update-copyrights and subsequent build / regeneration of generated files. As well as the usual annual updates, mainly dates in --version output (minus csu/version.c which previously had to be handled manually but is now successfully updated by update-copyrights), there is a small change to the copyright notice in NEWS which should let NEWS get updated automatically next year. Please remember to include 2021 in the dates for any new files added in future (which means updating any existing uncommitted patches you have that add new files to use the new copyright dates in them).
* Update copyright dates with scripts/update-copyrightsPaul Eggert2021-01-0297-97/+97
| | | | | | | | | | | | | | | | I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 6694 files FOO. I then removed trailing white space from benchtests/bench-pthread-locks.c and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this diagnostic from Savannah: remote: *** pre-commit check failed ... remote: *** error: lines with trailing whitespace found remote: error: hook declined to update refs/heads/master
* nsswitch: handle missing actions properlyDJ Delorie2020-12-142-2/+6
| | | | | | | | | | | | | Some internal functions need to know if a database has a nonzero list of actions; success getting the database does not guarantee that. Add checks for such as needed. Skip the ":" in each nsswitch.conf line so as not to add a dummy action libnss_:.so See also https://bugzilla.redhat.com/show_bug.cgi?id=1906066 Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* Fix linknamespace errors in nss_database.c if build with -Os.Stefan Liebler2020-12-111-2/+2
| | | | | | | | | | | | | | | | | | | Starting with recent commits, I get 43 conform/.../linknamespace FAILs: - nss: Introduce <nss_module.h> - <nss_action.h>: New abstraction for combining NSS modules and NSS actions - nss: Implement <nss_database.h> (see nss/nss_database.c) - nsswitch: use new internal API (core) - nsswitch: user new internal API (tests) - nsswitch: use new internal API (callers) e.g. conform/XPG42/wordexp.h/linknamespace.out [initial] wordexp -> [libc.a(wordexp.o)] __getpwnam_r -> [libc.a(getpwnam_r.o)] __nss_database_custom -> [libc.a(nsswitch.o)] __nss_database_get -> [libc.a(nss_database.o)] feof_unlocked [initial] wordexp -> [libc.a(wordexp.o)] __getpwnam_r -> [libc.a(getpwnam_r.o)] __nss_database_custom -> [libc.a(nsswitch.o)] __nss_database_get -> [libc.a(nss_database.o)] ferror_unlocked This patch is just using __ferror_unlocked and __feof_unlocked instead of the non "__" prefixed ones. Reviewed-by: DJ Delorie <dj@redhat.com>
* nsswitch: use new internal API (callers)DJ Delorie2020-12-049-74/+32
| | | | | | Stitch new ABI and types throughout all NSS callers. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* nsswitch: user new internal API (tests)DJ Delorie2020-12-047-1/+524
| | | | | | Testsuite support and new test for new API. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* nsswitch: use new internal API (core)DJ Delorie2020-12-047-844/+165
| | | | | | Core changes to switch the NSS internals to use the new API. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* nss: Implement <nss_database.h>Florian Weimer2020-12-043-1/+522
| | | | | | | | | | | This code manages the mappings of the available databases in NSS (i.e. passwd, hosts, netgroup, etc) with the actions that should be taken to do a query on those databases. This is the main API between query functions scattered throughout glibc and the underlying code (actions, modules, etc). Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* <nss_action.h>: New abstraction for combining NSS modules and NSS actionsFlorian Weimer2020-12-044-1/+423
| | | | | | | | | | nss_action manages a set of lists of actions; these are the portions of the lines in nsswitch.conf to the right of the colons, like "dns [!UNAVAIL=return] files". Each permutation of actions and conditionals is cached for reuse, which limits memory growth, and refers to the static list of modules managed by nss_modules. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>