diff options
| author | Dan McDonald <danmcd@mnx.io> | 2022-10-10 09:10:46 -0400 |
|---|---|---|
| committer | Dan McDonald <danmcd@mnx.io> | 2022-10-10 09:10:46 -0400 |
| commit | 8733bb6571c33535090fb28bcbe9aa273867168a (patch) | |
| tree | d6a55ba8e3b32ff80c64c797b7a1858a23813f5c /usr/src/lib/libbsm/common/adt.c | |
| parent | 1facf1a43ecaaa0225b7c9d134732d342b607d8d (diff) | |
| parent | d687f445dcb8e0cd6caf81ea59a259f83ac93e2d (diff) | |
| download | illumos-joyent-8733bb6571c33535090fb28bcbe9aa273867168a.tar.gz | |
[illumos-gate merge]
commit d687f445dcb8e0cd6caf81ea59a259f83ac93e2d
15016 find_elf should cope with O_DIRECTORY absence
commit eca0273a3d9494e12a4d82943f1b2d701cde4489
15057 i86pc: redefinition of typedef 'vmm_data_req_t' is a C11 feature
commit bdf9be201fbb95afc4f1d45b03d66d6f0f96c25f
15052 libc: unused label
commit 430fb0518974971393f591123b410c866df1855a
5913 audit_syslog is noisy when it discards messages
commit cd918266dec8ae2553f7a0efd53c52aa90d99a39
2271 CIFS clients fail to authenticate when idmap is using IDMU
Diffstat (limited to 'usr/src/lib/libbsm/common/adt.c')
| -rw-r--r-- | usr/src/lib/libbsm/common/adt.c | 49 |
1 files changed, 36 insertions, 13 deletions
diff --git a/usr/src/lib/libbsm/common/adt.c b/usr/src/lib/libbsm/common/adt.c index 20741efa75..3e0f4ec2c5 100644 --- a/usr/src/lib/libbsm/common/adt.c +++ b/usr/src/lib/libbsm/common/adt.c @@ -23,6 +23,7 @@ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright 2013, Joyent, Inc. All rights reserved. * Copyright 2017 OmniOS Community Edition (OmniOSce) Association. + * Copyright 2014 Nexenta Systems, Inc. All rights reserved. */ #include <bsm/adt.h> @@ -192,7 +193,23 @@ adt_get_mask_from_user(uid_t uid, au_mask_t *mask) /* c2audit excluded */ mask->am_success = 0; mask->am_failure = 0; - } else if (uid <= MAXUID) { + return (0); + } + + /* + * This function applies the 'attributable' mask, modified by + * any per-user flags, to any user whose UID can be mapped to + * a name via name services. + * Others, such as users with Ephemeral UIDs, or NFS clients + * using AUTH_SYS, get the 'non-attributable mask'. + * This is true even if some _other_ system or service could + * map the ID to a name, or if it could be inferred from + * other records. + * Note that it is possible for records to contain _only_ + * an ephemeral ID, which can't be mapped back to a name + * once it becomes invalid (e.g. server reboot). + */ + if (uid <= MAXUID) { if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) { adt_write_syslog("couldn't determine maximum size of " "password buffer", errno); @@ -201,18 +218,24 @@ adt_get_mask_from_user(uid_t uid, au_mask_t *mask) if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) { return (-1); } - if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) == NULL) { - errno = EINVAL; /* user doesn't exist */ - free(pwd_buff); - return (-1); - } - if (au_user_mask(pwd.pw_name, mask)) { + /* + * Ephemeral id's and id's that exist in a name service we + * don't have configured (LDAP, NIS) can't be looked up, + * but either way it's not an error. + */ + if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) != NULL) { + if (au_user_mask(pwd.pw_name, mask)) { + free(pwd_buff); + errno = EFAULT; /* undetermined failure */ + return (-1); + } free(pwd_buff); - errno = EFAULT; /* undetermined failure */ - return (-1); + return (0); } free(pwd_buff); - } else if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) { + } + + if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) { return (-1); } @@ -1082,9 +1105,9 @@ adt_from_export_format(adt_internal_state_t *internal, struct export_header head; struct export_link link; adr_t context; - int32_t offset; - int32_t length; - int32_t version; + int32_t offset; + int32_t length; + int32_t version; size_t label_len; char *p = (char *)external; |