subids: support nsswitch

Closes #154 When starting any operation to do with subuid delegation, check nsswitch for a module to use. If none is specified, then use the traditional /etc/subuid and /etc/subgid files. Currently only one module is supported, and there is no fallback to the files on errors. Several possibilities could be considered: 1. in case of connection error, fall back to files 2. in case of unknown user, also fall back to files etc... When non-files nss module is used, functions to edit the range are not supported. It may make sense to support it, but it also may make sense to require another tool to be used. libsubordinateio also uses the nss_ helpers. This is how for instance lxc could easily be converted to supporting nsswitch. Add a set of test cases, including a dummy libsubid_zzz module. This hardcodes values such that: 'ubuntu' gets 200000 - 300000 'user1' gets 100000 - 165536 'error' emulates an nss module error 'unknown' emulates a user unknown to the nss module 'conn' emulates a connection error ot the nss module Changes to libsubid: Change the list_owner_ranges api: return a count instead of making the array null terminated. This is a breaking change, so bump the libsubid abi major number. Rename free_subuid_range and free_subgid_range to ungrant_subuid_range, because otherwise it's confusing with free_subid_ranges which frees memory. Run libsubid tests in jenkins Switch argument order in find_subid_owners Move the db locking into subordinateio.c Signed-off-by: Serge Hallyn <[email protected]>
shadow-maint · Apr 17, 2021 · 8492dee · 8492dee
1 parent 514c132
commit 8492dee
Show file tree

Hide file tree

Showing 26 changed files with 935 additions and 205 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -16,6 +16,7 @@ arch:
 before_install:
  - sudo apt-get update -qq
  - sudo apt-get -y install -qq automake autopoint xsltproc libselinux1-dev gettext expect
+ - sudo apt-get -y install -qq byacc libtool
 script:
  - ./autogen.sh --without-selinux --disable-man
  - grep ENABLE_ config.status

diff --git a/configure.ac b/configure.ac
@@ -1,6 +1,6 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ([2.69])
-m4_define([libsubid_abi_major], 1)
+m4_define([libsubid_abi_major], 2)
 m4_define([libsubid_abi_minor], 0)
 m4_define([libsubid_abi_micro], 0)
 m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])

diff --git a/lib/Makefile.am b/lib/Makefile.am
@@ -31,6 +31,7 @@ libshadow_la_SOURCES = \
  groupio.h \
  gshadow.c \
  lockpw.c \
+ nss.c \
  nscd.c \
  nscd.h \
  sssd.c \

diff --git a/lib/nss.c b/lib/nss.c
@@ -0,0 +1,157 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+#include <stdbool.h>
+#include <string.h>
+#include <strings.h>
+#include <ctype.h>
+#include <stdatomic.h>
+#include "prototypes.h"
+#include "../libsubid/subid.h"
+
+#define NSSWITCH "/etc/nsswitch.conf"
+
+// NSS plugin handling for subids
+// If nsswitch has a line like
+// subid: sssd
+// then sssd will be consulted for subids. Unlike normal NSS dbs,
+// only one db is supported at a time. That's open to debate, but
+// the subids are a pretty limited resource, and local files seem
+// bound to step on any other allocations leading to insecure
+// conditions.
+static atomic_flag nss_init_started;
+static atomic_bool nss_init_completed;
+
+static struct subid_nss_ops *subid_nss;
+
+bool nss_is_initialized() {
+ return atomic_load(&nss_init_completed);
+}
+
+void nss_exit() {
+ if (nss_is_initialized() && subid_nss) {
+ dlclose(subid_nss->handle);
+ free(subid_nss);
+ subid_nss = NULL;
+ }
+}
+
+// nsswitch_path is an argument only to support testing.
+void nss_init(char *nsswitch_path) {
+ FILE *nssfp = NULL;
+ char *line = NULL, *p, *token, *saveptr;
+ size_t len = 0;
+
+ if (atomic_flag_test_and_set(&nss_init_started)) {
+ // Another thread has started nss_init, wait for it to complete
+ while (!atomic_load(&nss_init_completed))
+ usleep(100);
+ return;
+ }
+
+ if (!nsswitch_path)
+ nsswitch_path = NSSWITCH;
+
+ // read nsswitch.conf to check for a line like:
+ // subid: files
+ nssfp = fopen(nsswitch_path, "r");
+ if (!nssfp) {
+ fprintf(stderr, "Failed opening %s: %m", nsswitch_path);
+ atomic_store(&nss_init_completed, true);
+ return;
+ }
+ while ((getline(&line, &len, nssfp)) != -1) {
+ if (line[0] == '\0' || line[0] == '#')
+ continue;
+ if (strlen(line) < 8)
+ continue;
+ if (strncasecmp(line, "subid:", 6) != 0)
+ continue;
+ p = &line[6];
+ while ((*p) && isspace(*p))
+ p++;
+ if (!*p)
+ continue;
+ for (token = strtok_r(p, " \n\t", &saveptr);
+ token;
+ token = strtok_r(NULL, " \n\t", &saveptr)) {
+ char libname[65];
+ void *h;
+ if (strcmp(token, "files") == 0) {
+ subid_nss = NULL;
+ goto done;
+ }
+ if (strlen(token) > 50) {
+ fprintf(stderr, "Subid NSS module name too long (longer than 50 characters): %s\n", token);
+ fprintf(stderr, "Using files\n");
+ subid_nss = NULL;
+ goto done;
+ }
+ snprintf(libname, 64, "libsubid_%s.so", token);
+ h = dlopen(libname, RTLD_LAZY);
+ if (!h) {
+ fprintf(stderr, "Error opening %s: %s\n", libname, dlerror());
+ fprintf(stderr, "Using files\n");
+ subid_nss = NULL;
+ goto done;
+ }
+ subid_nss = malloc(sizeof(*subid_nss));
+ if (!subid_nss) {
+ dlclose(h);
+ goto done;
+ }
+ subid_nss->has_range = dlsym(h, "shadow_subid_has_range");
+ if (!subid_nss->has_range) {
+ fprintf(stderr, "%s did not provide @has_range@\n", libname);
+ dlclose(h);
+ free(subid_nss);
+ subid_nss = NULL;
+ goto done;
+ }
+ subid_nss->list_owner_ranges = dlsym(h, "shadow_subid_list_owner_ranges");
+ if (!subid_nss->list_owner_ranges) {
+ fprintf(stderr, "%s did not provide @list_owner_ranges@\n", libname);
+ dlclose(h);
+ free(subid_nss);
+ subid_nss = NULL;
+ goto done;
+ }
+ subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range");
+ if (!subid_nss->has_any_range) {
+ fprintf(stderr, "%s did not provide @has_any_range@\n", libname);
+ dlclose(h);
+ free(subid_nss);
+ subid_nss = NULL;
+ goto done;
+ }
+ subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");
+ if (!subid_nss->find_subid_owners) {
+ fprintf(stderr, "%s did not provide @find_subid_owners@\n", libname);
+ dlclose(h);
+ free(subid_nss);
+ subid_nss = NULL;
+ goto done;
+ }
+ subid_nss->handle = h;
+ goto done;
+ }
+ fprintf(stderr, "No usable subid NSS module found, using files\n");
+ // subid_nss has to be null here, but to ease reviews:
+ free(subid_nss);
+ subid_nss = NULL;
+ goto done;
+ }
+
+done:
+ atomic_store(&nss_init_completed, true);
+ free(line);
+ if (nssfp) {
+ atexit(nss_exit);
+ fclose(nssfp);
+ }
+}
+
+struct subid_nss_ops *get_subid_nss_handle() {
+ nss_init(NULL);
+ return subid_nss;
+}
diff --git a/lib/prototypes.h b/lib/prototypes.h
@@ -262,6 +262,75 @@ extern void motd (void);
 /* myname.c */
 extern /*@null@*//*@only@*/struct passwd *get_my_pwent (void);
 
+/* nss.c */
+#include <libsubid/subid.h>
+extern void nss_init(char *nsswitch_path);
+extern bool nss_is_initialized();
+
+struct subid_nss_ops {
+ /*
+ * nss_has_any_range: does a user own any subid range
+ *
+ * @owner: username
+ * @idtype: subuid or subgid
+ * @result: true if a subid allocation was found for @owner
+ *
+ * returns success if the module was able to determine an answer (true or false),
+ * else an error status.
+ */
+ enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result);
+
+ /*
+ * nss_has_range: does a user own a given subid range
+ *
+ * @owner: username
+ * @start: first subid in queried range
+ * @count: number of subids in queried range
+ * @idtype: subuid or subgid
+ * @result: true if @owner has been allocated the subid range.
+ *
+ * returns success if the module was able to determine an answer (true or false),
+ * else an error status.
+ */
+ enum subid_status (*has_range)(const char *owner, unsigned long start, unsigned long count, enum subid_type idtype, bool *result);
+
+ /*
+ * nss_list_owner_ranges: list the subid ranges delegated to a user.
+ *
+ * @owner - string representing username being queried
+ * @id_type - subuid or subgid
+ * @ranges - pointer to an array of struct subordinate_range pointers, or
+ * NULL. The returned array of struct subordinate_range and its
+ * members must be freed by the caller.
+ * @count - pointer to an integer into which the number of returned ranges
+ * is written.
+
+ * returns success if the module was able to determine an answer,
+ * else an error status.
+ */
+ enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges, int *count);
+
+ /*
+ * nss_find_subid_owners: find uids who own a given subuid or subgid.
+ *
+ * @id - the delegated id (subuid or subgid) being queried
+ * @id_type - subuid or subgid
+ * @uids - pointer to an array of uids which will be allocated by
+ * nss_find_subid_owners()
+ * @count - number of uids found
+ *
+ * returns success if the module was able to determine an answer,
+ * else an error status.
+ */
+ enum subid_status (*find_subid_owners)(unsigned long id, enum subid_type id_type, uid_t **uids, int *count);
+
+ /* The dlsym handle to close */
+ void *handle;
+};
+
+extern struct subid_nss_ops *get_subid_nss_handle();
+
+
 /* pam_pass_non_interactive.c */
 #ifdef USE_PAM
 extern int do_pam_passwd_non_interactive (const char *pam_service,