From patchwork Fri Feb 19 21:28:48 2021
X-Patchwork-Submitter: DJ Delorie
X-Patchwork-Id: 1442460
Date: Fri, 19 Feb 2021 16:28:48 -0500
To: libc-alpha@sourceware.org
Subject: [patch] Un-disable nss module loading after chroot [27389]
List-Id: Libc-alpha mailing list
X-Patchwork-Original-From: DJ Delorie via Libc-alpha
From: DJ Delorie Reply-To: DJ Delorie Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" In response to upstream use cases, we're re-enabling this for the time being, despite the potential security issues. diff --git a/nss/nss_database.c b/nss/nss_database.c index 162800cda3..9ff3bb6ffb 100644 --- a/nss/nss_database.c +++ b/nss/nss_database.c @@ -402,7 +402,6 @@ nss_database_check_reload_and_get (struct nss_database_state *local, atomic_store_release (&local->data.reload_disabled, 1); *result = local->data.services[database_index]; __libc_lock_unlock (local->lock); - __nss_module_disable_loading (); return true; } local->root_ino = str.st_ino; diff --git a/nss/tst-reload2.c b/nss/tst-reload2.c index 5dae16b4f0..5ecb032e9f 100644 --- a/nss/tst-reload2.c +++ b/nss/tst-reload2.c @@ -26,6 +26,7 @@ #include #include #include +#include #include #include @@ -48,7 +49,7 @@ static const char *group_4[] = { "alpha", "beta", "gamma", "fred", NULL }; -static struct group group_table_data[] = +static struct group group_table_data1[] = { GRP (4), GRP_LAST () @@ -58,7 +59,7 @@ void _nss_test1_init_hook (test_tables *t) { t->pwd_table = pwd_table1; - t->grp_table = group_table_data; + t->grp_table = group_table_data1; } static struct passwd pwd_table2[] = @@ -68,10 +69,21 @@ static struct passwd pwd_table2[] = PWD_LAST () }; +static const char *group_5[] = { + "fred", NULL +}; + +static struct group group_table_data2[] = + { + GRP (5), + GRP_LAST () + }; + void _nss_test2_init_hook (test_tables *t) { t->pwd_table = pwd_table2; + t->grp_table = group_table_data2; } static int @@ -79,6 +91,7 @@ do_test (void) { struct passwd *pw; struct group *gr; + struct hostent *he; char buf1[PATH_MAX]; char buf2[PATH_MAX]; @@ -99,7 +112,9 @@ do_test (void) TEST_COMPARE (pw->pw_uid, 1234); /* This just loads the test2 DSO. */ - gr = getgrnam ("name4"); + gr = getgrgid (5); + TEST_VERIFY (gr != NULL); + /* Change the root dir. */ 
@@ -114,15 +129,21 @@ do_test (void) if (pw) TEST_VERIFY (pw->pw_uid != 2468); - /* The "files" DSO should not be loaded. */ - gr = getgrnam ("test3"); - TEST_VERIFY (gr == NULL); - /* We should still be using the old configuration. */ pw = getpwnam ("test1"); TEST_VERIFY (pw != NULL); if (pw) TEST_COMPARE (pw->pw_uid, 1234); + gr = getgrgid (5); + TEST_VERIFY (gr != NULL); + gr = getgrnam ("name4"); + TEST_VERIFY (gr == NULL); + + /* hosts in the outer nsswitch is files; the inner one is test1. + Verify that we're still using the outer nsswitch *and* that we + can load the files DSO. */ + he = gethostbyname ("test2"); + TEST_VERIFY (he != NULL); return 0; } diff --git a/nss/tst-reload2.root/etc/hosts b/nss/tst-reload2.root/etc/hosts new file mode 100644 index 0000000000..bbd9e494ef --- /dev/null +++ b/nss/tst-reload2.root/etc/hosts @@ -0,0 +1 @@ +1.2.3.4 test1 diff --git a/nss/tst-reload2.root/etc/nsswitch.conf b/nss/tst-reload2.root/etc/nsswitch.conf index 570795ae22..688a589519 100644 --- a/nss/tst-reload2.root/etc/nsswitch.conf +++ b/nss/tst-reload2.root/etc/nsswitch.conf @@ -1,2 +1,3 @@ passwd: test1 group: test2 +hosts: files diff --git a/nss/tst-reload2.root/subdir/etc/hosts b/nss/tst-reload2.root/subdir/etc/hosts new file mode 100644 index 0000000000..0a2cbd4337 --- /dev/null +++ b/nss/tst-reload2.root/subdir/etc/hosts @@ -0,0 +1 @@ +1.2.3.4 test2 diff --git a/nss/tst-reload2.root/subdir/etc/nsswitch.conf b/nss/tst-reload2.root/subdir/etc/nsswitch.conf index f1d73f8765..fea271869e 100644 --- a/nss/tst-reload2.root/subdir/etc/nsswitch.conf +++ b/nss/tst-reload2.root/subdir/etc/nsswitch.conf @@ -1,2 +1,3 @@ passwd: test2 group: files +hosts: test1
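Review bot: The removal of `__nss_module_disable_loading ();` in the nss/nss_database.c hunk (@@ -402,7) leaves the root-change branch with no record of the trade-off that the commit message only calls "potential security issues". Suggest a comment above `return true;` saying that `reload_disabled` still pins the pre-chroot configuration while service modules may now be loaded after the root directory has changed, so any DSO opened from this point is opened with the new root in effect, and citing bug 27389. It is also worth checking whether `__nss_module_disable_loading` still has a caller after this change; if it does not, the patch should either remove it or state why it is kept.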
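Review bot: The comment `/* This just loads the test2 DSO. */` in the nss/tst-reload2.c hunk at @@ -99,7 is stale now that the call beneath it is `getgrgid (5)` followed by `TEST_VERIFY (gr != NULL)`. With `_nss_test2_init_hook` now setting `grp_table = group_table_data2`, the lookup is expected to succeed and the test depends on that, so the comment should say that gid 5 is served by test2 under the outer `group: test2` line and that this result is compared against the same lookup after the chroot.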
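Review bot: The `gethostbyname ("test2")` check at the end of the do_test hunk (@@ -114,15) asserts only `he != NULL`, and its comment does not explain why test2 is the name being looked up. From the fixtures added in this patch, the outer nsswitch.conf has `hosts: files` and only subdir/etc/hosts maps test2, so the lookup passes only when the outer configuration is in use and the files module reads the hosts file inside the new root; the comment should spell that out. Consider also adding a `gethostbyname ("test1")` lookup that is expected to return NULL, so the test shows the answer comes from the inner hosts file. The new `getgrnam ("name4")` NULL assertion in the same hunk has no comment saying which configuration it is meant to rule out.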