aboutsummaryrefslogtreecommitdiff
path: root/nscd
AgeCommit message (Collapse)AuthorFilesLines
2014-05-26Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)Siddhesh Poyarekar1-6/+8
The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL (with errno as ERANGE) when the supplied buffer does not have sufficient space for the result. This is wrong, because the canonical way to indicate insufficient buffer is to set the errno to ERANGE and the status to NSS_STATUS_TRYAGAIN, as is used by all other modules. This fixes nscd behaviour when the nss_ldap module returns NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to fit into the supplied buffer.
2014-05-21Don't mention linuxthreads in Depend files.Joseph Myers1-1/+1
I noticed that some of the Depend files, used to determine the subdirectory build order in sysd-sorted, still mentioned linuxthreads, although it hasn't been supported for many years. This patch removes those references. In the case of nscd, it substitutes an nptl reference, since I believe there is a fact a thread library dependence there; the others already mentioned nptl. Note that I am not at all confident in the completeness of these Depend files. Note also that references to linuxthreads remain in a comment in sysdeps/unix/sysv/linux/ia64/Versions, and in manual/maint.texi, manual/signal.texi and scripts/documented.sh. Tested x86_64 that the installed shared libraries are unchanged by the patch (as is sysd-sorted). * nscd/Depend (linuxthreads): Remove. (nptl): Add. * resolv/Depend (linuxthreads): Remove. * rt/Depend (linuxthreads): Remove.
2014-05-07Fix typo in nscd/selinux.cOndřej Bílka1-1/+1
2014-05-01Fix implicit declarationAndreas Schwab1-0/+1
2014-04-30Initialize all of datahead structure in nscd (BZ #16791)Siddhesh Poyarekar1-4/+16
The datahead structure has an unused padding field that remains uninitialized. Valgrind prints out a warning for it on querying a netgroups entry. This is harmless, but is a potential data leak since it would result in writing out an uninitialized byte to the cache file. Besides, this happens only when there is a cache miss, so we're not adding computation to any fast path.
2014-04-30Consolidate code to initialize nscd dataset headerSiddhesh Poyarekar8-122/+91
This patch consolidates the code to initialize the header of a dataset into a single set of functions (one for positive and another for negative datasets) primarily to reduce repetition of code. The secondary reason is to simplify Patch 2/2 which fixes the problem of an uninitialized byte in the header by initializing an unused field in the structure and hence preventing a possible data leak into the cache file.
2014-04-14nscd: Make SELinux checks dynamic.Carlos O'Donell1-39/+68
The SELinux team has indicated to me that glibc's SELinux checks in nscd are not being carried out as they would expect the API to be used today. They would like to move away from static header defines for class and permissions and instead use dynamic checks at runtime that provide an answer which is dependent on the runtime status of SELinux i.e. more dynamic. The following patch is a minimal change that moves us forward in this direction. It does the following: * Stop checking for SELinux headers that define NSCD__SHMEMHOST. Check only for the presence or absence of the library. * Don't encode the specific SELinux permission constants into a table at build time, and instead use the symbolic name for the permission as expected. * Lookup the "What do we do if we don't know this permission?" policy and use that if we find SELinux's policy is older than the glibc policy e.g. we make a request for a permission that SELinux doesn't know about. * Lastly, translate the class and permission and then make the permission check. This is done every time we lookup a permission, and this is the expected way to use the API. SELinux will optimize this for us, and we expect the network latencies to hide these extra library calls. Tested on x86, x86-64, and via Fedora Rawhide since November 2013. See: https://sourceware.org/ml/libc-alpha/2014-04/msg00179.html
2014-04-09Define _STRING_ARCH_unaligned unconditionallyAdhemerval Zanella3-5/+5
This patch defines _STRING_ARCH_unaligned to 0 on default bits/string.h header to avoid undefined compiler warnings on platforms that do not define it. It also make adjustments in code where tests checked if macro existed or not.
2014-03-27Avoid overlapping addresses to stpcpy calls in nscd (BZ #16760)Siddhesh Poyarekar1-6/+10
Calls to stpcpy from nscd netgroups code will have overlapping source and destination when all three values in the returned triplet are non-NULL and in the expected (host,user,domain) order. This is seen in valgrind as: ==3181== Source and destination overlap in stpcpy(0x19973b48, 0x19973b48) ==3181== at 0x4C2F30A: stpcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==3181== by 0x12567A: addgetnetgrentX (string3.h:111) ==3181== by 0x12722D: addgetnetgrent (netgroupcache.c:665) ==3181== by 0x11114C: nscd_run_worker (connections.c:1338) ==3181== by 0x4E3C102: start_thread (pthread_create.c:309) ==3181== by 0x59B81AC: clone (clone.S:111) ==3181== Fix this by using memmove instead of stpcpy.
2014-03-27Fix nscd lookup for innetgr when netgroup has wildcards (BZ #16758)Siddhesh Poyarekar1-3/+7
nscd works correctly when the request in innetgr is a wildcard, i.e. when one or more of host, user or domain parameters is NULL. However, it does not work when the the triplet in the netgroup definition has a wildcard. This is easy to reproduce for a triplet defined as follows: foonet (,foo,) Here, an innetgr call that looks like this: innetgr ("foonet", "foohost", "foo", NULL); should succeed and so should: innetgr ("foonet", NULL, "foo", "foodomain"); It does succeed with nscd disabled, but not with nscd enabled. This fix adds this additional check for all three parts of the triplet so that it gives the correct result. [BZ #16758] * nscd/netgroupcache.c (addinnetgrX): Succeed if triplet has blank values.
2014-03-19nscd: also invalidate netgroup cache on reloadAndreas Schwab1-0/+1
2014-03-12Provide correct buffer length to netgroup queries in nscd (BZ #16695)Siddhesh Poyarekar1-1/+1
The buffer to query netgroup entries is allocated sufficient space for the netgroup entries and the key to be appended at the end, but it sends in an incorrect available length to the NSS netgroup query functions, resulting in overflow of the buffer in some special cases. The fix here is to factor in the key length when sending the available buffer and buffer length to the query functions.
2014-03-10Mark nscd service as forking in systemd service file (BZ #16639)Siddhesh Poyarekar1-2/+2
Currently the nscd service is installed in systemd as a simple service, which means that it is able to handle its own errors and does not quit. Since nscd does not fit that description, i.e. it can exit on errors like, say, failing to parse nscd.conf, it should be declared as forking instead.
2014-03-03nscd: Improved support for tracking startup failure in nscd service (BZ #16639)Siddhesh Poyarekar4-37/+139
Currently, the nscd parent process parses commandline options and configuration, forks on startup and immediately exits with a success. If the child process encounters some error after this, it goes undetected and any services started up after it may have to repeatedly check to make sure that the nscd service did actually start up and is serving requests. To make this process more reliable, I have added a pipe between the parent and child process, through which the child process sends a notification to the parent informing it of its status. The parent waits for this status and once it receives it, exits with the corresponding exit code. So if the child service sends a success status (0), the parent exits with a success status. Similarly for error conditions, the child sends the non-zero status code, which the parent passes on as the exit code. This, along with setting the nscd service type to forking in its systemd configuration file, allows systemd to be certain that the nscd service is ready and is accepting connections.
2014-02-10Use glibc_likely instead __builtin_expect.Ondřej Bílka20-72/+72
2014-01-27Avoid undefined behaviour in netgroupcacheSiddhesh Poyarekar1-5/+11
Using a buffer after it has been reallocated is undefined behaviour, so get offsets of the triplets in the old buffer before reallocating it.
2014-01-24Adjust pointers to triplets in netgroup query data (BZ #16474)Siddhesh Poyarekar1-1/+11
The _nss_*_getnetgrent_r query populates the netgroup results in the allocated buffer and then sets the result triplet to point to strings in the buffer. This is a problem when the buffer is reallocated since the pointers to the triplet strings are no longer valid. The pointers need to be adjusted so that they now point to strings in the reallocated buffer.
2014-01-16Don't use alloca in addgetnetgrentX (BZ #16453)Siddhesh Poyarekar1-31/+6
addgetnetgrentX has a buffer which is grown as per the needs of the requested size either by using alloca or by falling back to malloc if the size is larger than 1K. There are two problems with the alloca bits: firstly, it doesn't really extend the buffer since it does not use the return value of the extend_alloca macro, which is the location of the reallocated buffer. Due to this the buffer does not actually extend itself and hence a subsequent write may overwrite stuff on the stack. The second problem is more subtle - the buffer growth on the stack is discontinuous due to block scope local variables. Combine that with the fact that unlike realloc, extend_alloca does not copy over old content and you have a situation where the buffer just has garbage in the space where it should have had data. This could have been fixed by adding code to copy over old data whenever we call extend_alloca, but it seems unnecessarily complicated. This code is not exactly a performance hotspot (it's called when there is a cache miss, so factors like network lookup or file reads will dominate over memory allocation/reallocation), so this premature optimization is unnecessary. Thanks Brad Hubbard <bhubbard@redhat.com> for his help with debugging the problem.
2014-01-04nscd: list all tables in usage()Sami Kerola1-3/+22
Usage output for option --invalidate=TABLE is not helpful without list of tables. The list is also missing from nscd(8) manual which made it pretty difficult to know what are the tables.
2014-01-02Fix return code from getent netgroup when the netgroup is not found (bz #16366)Siddhesh Poyarekar1-29/+62
nscd incorrectly returns a success even when the netgroup in question is not found and adds a positive result in the cache. this patch fixes this behaviour by adding a negative lookup entry to cache and returning an error when the netgroup is not found.
2014-01-02Fix infinite loop in nscd when netgroup is empty (bz #16365)Siddhesh Poyarekar1-3/+4
Currently, when a user looks up a netgroup that does not have any members, nscd goes into an infinite loop trying to find members in the group. This is because it does not handle cases when getnetgrent returns an NSS_STATUS_NOTFOUND (which is what it does on empty group). Fixed to handle this in the same way as NSS_STATUS_RETURN, similar to what getgrent does by itself.
2014-01-01Update remaining copyright datesAllan McRae1-1/+1
Update copyright years that are not handled by scripts/update-copyright.
2014-01-01Update copyright notices with scripts/update-copyrightsAllan McRae39-39/+39
2013-12-16Add systemd unit file for nscdAllan McRae2-0/+22
Provide an example systemd unit and tmpfile for running nscd.
2013-11-11Fix off-by-one in nscd getservbyport callAndreas Schwab1-1/+1
2013-10-30rename configure.in to configure.acMike Frysinger1-1/+1
Autoconf has been deprecating configure.in for quite a long time. Rename all our configure.in and preconfigure.in files to .ac. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2013-09-30Properly cache the result from looking up the nss database configAndreas Schwab2-16/+14
2013-09-09Fix nesting of ifdefs in netgroupcache.cAllan McRae1-2/+2
Fixes unclosed '{' if HAVE_SENDFILE is defined (BZ #15895).
2013-08-28Use __glibc_unlikely instead of __builtin_expect (..., 0)Siddhesh Poyarekar1-1/+1
2013-08-26Initialize res_hconf in nscdSiddhesh Poyarekar1-0/+4
Fixes BZ #15890.
2013-08-26Fix indentation in aicache.cSiddhesh Poyarekar1-1/+1
2013-06-24Fix typo in commentSiddhesh Poyarekar1-2/+2
2013-06-11Fix handling of netgroup cache in nscdAndreas Schwab3-14/+23
2013-05-16Add #include <stdint.h> for uint[32|64]_t usage (except installed headers).Ryan S. Arnold6-0/+6
2013-04-15Properly check for short writes when sending the response in nscdAndreas Schwab4-62/+91
2013-04-15nscd: don't fork twiceAndreas Schwab1-9/+0
2013-02-18unify xmalloc prototypes & friendsMike Frysinger1-6/+1
These prototypes are duplicated in many places. Add a dedicated header for holding prototypes for program-specific functions to avoid that. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2013-02-08Refactor code out of nscd's two main poll loops.Carlos O'Donell1-65/+83
We refactor the inotify file checking code and the database clearing code out of the main_loop_poll and mail_loop_epoll functions. We document some the related functions with appropriate comments.
2013-02-07Remove lots of inline keywords.Roland McGrath2-3/+4
2013-01-10Revert "Properly check for short writes when sending the response in nscd"Andreas Schwab4-25/+8
This reverts commit dd31ac7a8e0d4cc24eee6815f9101caa5aa64291.
2013-01-10Revert "* nscd/nscd.h: Move persistent storage back to /var/run/nscd"Andreas Schwab1-5/+5
This reverts commit 70d3e06ed0ffabb6ce974cc94b2cff1d67252193.
2013-01-10Revert "nscd: don't fork twice"Andreas Schwab1-0/+9
This reverts commit 7e9b080575fd68c788c33623594ba5516fa7ceb0.
2013-01-10nscd: don't fork twiceAndreas Schwab1-9/+0
2013-01-10* nscd/nscd.h: Move persistent storage back to /var/run/nscdThorsten Kukuk1-5/+5
2013-01-10Properly check for short writes when sending the response in nscdAndreas Schwab4-8/+25
* nscd/grpcache.c (cache_addgr): Properly check for short write. * nscd/initgrcache.c (addinitgroupsX): Likewise. * nscd/pwdcache.c (cache_addpw): Likewise. * nscd/servicescache.c (cache_addserv): Likewise. Don't write more than recsize.
2013-01-02Update copyright notices with scripts/update-copyrights.Joseph Myers38-41/+38
2013-01-01Update copyright years.David S. Miller1-2/+2
* catgets/gencat.c: Update copyright year. * csu/version.c: Likewise. * debug/catchsegv.sh: Likewise. * debug/pcprofiledump.c: Likewise. * debug/xtrace.sh: Likewise. * elf/ldconfig.c: Likewise. * elf/ldd.bash.in: Likewise. * elf/pldd.c: Likewise. * elf/sotruss.ksh: Likewise. * elf/sprof.c: Likewise. * iconv/iconv_prog.c: Likewise. * iconv/iconvconfig.c: Likewise. * locale/programs/locale.c: Likewise. * locale/programs/localedef.c: Likewise. * login/programs/pt_chown.c: Likewise. * malloc/memusage.sh: Likewise. * malloc/memusagestat.c: Likewise. * malloc/mtrace.pl: Likewise. * nscd/nscd.c: Likewise. * nss/getent.c: Likewise. * nss/makedb.c: Likewise. * posix/getconf.c: Likewise.
2012-11-29 [BZ #13761]Jeff Law1-8/+25
* nscd/grpcache.c (cache_addgr): Rename alloca_used to dataset_temporary. Track alloca usage into alloca_used. If dataset is large allocate and release it via malloc/free.
2012-11-09Support --with-pkgversion and --with-bugurl.Joseph Myers1-3/+6
2012-10-24BZ#14743: Move clock_* symbols from librt to libc.Roland McGrath1-4/+2