1 files changed, 36 insertions, 13 deletions

diff --git a/usr/src/lib/libbsm/common/adt.c b/usr/src/lib/libbsm/common/adt.c
index 20741efa75..3e0f4ec2c5 100644
--- a/usr/src/lib/libbsm/common/adt.c
+++ b/usr/src/lib/libbsm/common/adt.c
@@ -23,6 +23,7 @@
  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2013, Joyent, Inc. All rights reserved.
  * Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
+ * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
  */
 
 #include <bsm/adt.h>
@@ -192,7 +193,23 @@ adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
 		/* c2audit excluded */
 		mask->am_success = 0;
 		mask->am_failure = 0;
-	} else if (uid <= MAXUID) {
+		return (0);
+	}
+
+	/*
+	 * This function applies the 'attributable' mask, modified by
+	 * any per-user flags, to any user whose UID can be mapped to
+	 * a name via name services.
+	 * Others, such as users with Ephemeral UIDs, or NFS clients
+	 * using AUTH_SYS, get the 'non-attributable mask'.
+	 * This is true even if some _other_ system or service could
+	 * map the ID to a name, or if it could be inferred from
+	 * other records.
+	 * Note that it is possible for records to contain _only_
+	 * an ephemeral ID, which can't be mapped back to a name
+	 * once it becomes invalid (e.g. server reboot).
+	 */
+	if (uid <= MAXUID) {
 		if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
 			adt_write_syslog("couldn't determine maximum size of "
 			    "password buffer", errno);
@@ -201,18 +218,24 @@ adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
 		if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) {
 			return (-1);
 		}
-		if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) == NULL) {
-			errno = EINVAL;	/* user doesn't exist */
-			free(pwd_buff);
-			return (-1);
-		}
-		if (au_user_mask(pwd.pw_name, mask)) {
+		/*
+		 * Ephemeral id's and id's that exist in a name service we
+		 * don't have configured (LDAP, NIS) can't be looked up,
+		 * but either way it's not an error.
+		 */
+		if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) != NULL) {
+			if (au_user_mask(pwd.pw_name, mask)) {
+				free(pwd_buff);
+				errno = EFAULT; /* undetermined failure */
+				return (-1);
+			}
 			free(pwd_buff);
-			errno = EFAULT; /* undetermined failure */
-			return (-1);
+			return (0);
 		}
 		free(pwd_buff);
-	} else if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
+	}
+
+	if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
 			return (-1);
 	}
 
@@ -1082,9 +1105,9 @@ adt_from_export_format(adt_internal_state_t *internal,
 	struct export_header	head;
 	struct export_link	link;
 	adr_t			context;
-	int32_t 		offset;
-	int32_t 		length;
-	int32_t 		version;
+	int32_t			offset;
+	int32_t			length;
+	int32_t			version;
 	size_t			label_len;
 	char			*p = (char *)external;