xref: /illumos-gate/usr/src/lib/nsswitch/nis/common/getnetgrent.c (revision 657a8c206b913d1ee578fd725f0b25eca5b77253)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  *	nis/getnetgrent.c -- "nis" backend for nsswitch "netgroup" database
28  *
29  *	The API for netgroups differs sufficiently from that for the average
30  *	getXXXbyYYY function that we use very few of the support routines in
31  *	nis_common.h.
32  *
33  *	The implementation of setnetgrent()/getnetgrent() here follows the
34  *	the 4.x code, inasmuch as the setnetgrent() routine does all the work
35  *	of traversing the netgroup graph and building a (potentially large)
36  *	list in memory, and getnetgrent() just steps down the list.
37  *
38  *	An alternative, and probably better, implementation would lazy-eval
39  *	the netgroup graph in response to getnetgrent() calls (though
40  *	setnetgrent() should still check for the top-level netgroup name
41  *	and return NSS_SUCCESS / NSS_NOTFOUND).
42  */
43 
44 #pragma ident	"%Z%%M%	%I%	%E% SMI"
45 
46 #include "nis_common.h"
47 #include <ctype.h>
48 #include <rpcsvc/ypclnt.h>
49 #include <malloc.h>
50 #include <string.h>
51 #ifdef	DEBUG
52 #include <sys/syslog.h>
53 #endif	/* DEBUG */
54 
55 /*
56  * The nss_backend_t for a getnetgrent() sequence;  we actually give the
57  *   netgroup frontend a pointer to one of these structures in response to
58  *   a (successful) setnetgrent() call on the nis_netgr_be backend
59  *   described further down in this file.
60  */
61 
62 struct nis_getnetgr_be;
63 typedef nss_status_t	(*nis_getnetgr_op_t)(struct nis_getnetgr_be *, void *);
64 
65 struct nis_getnetgr_be {
66 	nis_getnetgr_op_t	*ops;
67 	nss_dbop_t		n_ops;
68 	/*
69 	 * State for set/get/endnetgrent()
70 	 */
71 	char			*netgroup;
72 	struct grouplist	*all_members;
73 	struct grouplist	*next_member;
74 };
75 
76 struct grouplist {  /* One element of the list generated by a setnetgrent() */
77 	char			*triple[NSS_NETGR_N];
78 	struct	grouplist	*gl_nxt;
79 };
80 
81 static nss_status_t
82 getnetgr_set(be, a)
83 	struct nis_getnetgr_be	*be;
84 	void			*a;
85 {
86 	const char		*netgroup = (const char *) a;
87 
88 	if (be->netgroup != 0 &&
89 	    strcmp(be->netgroup, netgroup) == 0) {
90 		/* We already have the member-list;  regurgitate it */
91 		be->next_member = be->all_members;
92 		return (NSS_SUCCESS);
93 	}
94 	return (NSS_NOTFOUND);
95 }
96 
97 static nss_status_t
98 getnetgr_get(be, a)
99 	struct nis_getnetgr_be	*be;
100 	void			*a;
101 {
102 	struct nss_getnetgrent_args *args = (struct nss_getnetgrent_args *)a;
103 	struct grouplist	*mem;
104 
105 	if ((mem = be->next_member) == 0) {
106 		args->status = NSS_NETGR_NO;
107 	} else {
108 		char			*buffer	= args->buffer;
109 		int			buflen	= args->buflen;
110 		enum nss_netgr_argn	i;
111 
112 		args->status = NSS_NETGR_FOUND;
113 
114 		for (i = 0;  i < NSS_NETGR_N;  i++) {
115 			const char	*str;
116 			ssize_t	len;
117 
118 			if ((str = mem->triple[i]) == 0) {
119 				args->retp[i] = 0;
120 			} else if ((len = strlen(str) + 1) <= buflen) {
121 				args->retp[i] = buffer;
122 				(void) memcpy(buffer, str, len);
123 				buffer += len;
124 				buflen -= len;
125 			} else {
126 				args->status = NSS_NETGR_NOMEM;
127 				break;
128 			}
129 		}
130 		be->next_member	= mem->gl_nxt;
131 	}
132 	return (NSS_SUCCESS);	/* Yup, even for end-of-list, i.e. */
133 				/* do NOT advance to next backend. */
134 }
135 
136 /*ARGSUSED*/
137 static nss_status_t
138 getnetgr_end(be, dummy)
139 	struct nis_getnetgr_be	*be;
140 	void			*dummy;
141 {
142 	struct grouplist	*gl;
143 	struct grouplist	*next;
144 
145 	for (gl = be->all_members; gl != NULL; gl = next) {
146 		enum nss_netgr_argn	i;
147 
148 		next = gl->gl_nxt;
149 		for (i = NSS_NETGR_MACHINE;  i < NSS_NETGR_N;  i++) {
150 			if (gl->triple[i] != 0) {
151 				free(gl->triple[i]);
152 			}
153 		}
154 		free(gl);
155 	}
156 	be->all_members = 0;
157 	be->next_member = 0;
158 	if (be->netgroup != 0) {
159 		free(be->netgroup);
160 		be->netgroup = 0;
161 	}
162 	return (NSS_SUCCESS);
163 }
164 
165 /*ARGSUSED*/
166 static nss_status_t
167 getnetgr_destr(be, dummy)
168 	struct nis_getnetgr_be	*be;
169 	void			*dummy;
170 {
171 	if (be != 0) {
172 		(void) getnetgr_end(be, (void *)0);
173 		free(be);
174 	}
175 	return (NSS_SUCCESS);
176 }
177 
178 static nis_getnetgr_op_t getnetgr_ops[] = {
179 	getnetgr_destr,
180 	getnetgr_end,
181 	getnetgr_set,
182 	getnetgr_get,	/* getnetgrent_r() */
183 };
184 
185 
186 /*
187  * The nss_backend_t for innetgr() and setnetgrent().
188  */
189 
190 struct nis_netgr_be;
191 typedef nss_status_t	(*nis_netgr_op_t)(struct nis_netgr_be *, void *);
192 
193 struct nis_netgr_be {
194 	nis_netgr_op_t		*ops;
195 	nss_dbop_t		n_ops;
196 	const char		*domain;	/* (default) YP domain */
197 };
198 
199 
200 /*
201  * Code to do top-down search in the graph defined by the 'netgroup' YP map
202  */
203 
204 /*
205  * ===> This code is now used for setnetgrent(), not just innetgr().
206  *
207  * If the easy way doesn't pan out, recursively search the 'netgroup' map.
208  * In order to do this, we:
209  *
210  *    -	remember all the netgroup names we've seen during this search,
211  *	whether or not we've expanded them yet (we want fast insertion
212  *	with duplicate-detection, so use yet another chained hash table),
213  *
214  *    -	keep a list of all the netgroups we haven't expanded yet (we just
215  *	want fast insertion and pop-first, so a linked list will do fine).
216  *	If we insert at the head, we get a depth-first search;  insertion
217  *	at the tail gives breadth-first (?), which seems preferable (?).
218  *
219  * A netgrnam struct contains pointers for both the hash-table and the list.
220  * It also contains the netgroup name;  note that we embed the name at the
221  * end of the structure rather than holding a pointer to yet another
222  * malloc()ed region.
223  *
224  * A netgrtab structure contains the hash-chain heads and the head/tail
225  * pointers for the expansion list.
226  *
227  * Most of this code is common to at least the NIS and NIS+ backends;  it
228  * should be generalized and, presumably, moved into the frontend.
229  * ==> Not any longer...
230  */
231 
232 struct netgrnam {
233 	struct netgrnam	*hash_chain;
234 	struct netgrnam	*expand_next;
235 	char		name[1];	/* Really [strlen(name) + 1] */
236 };
237 
238 #define	HASHMOD	113
239 
240 struct netgrtab {
241 	struct netgrnam	*expand_first;
242 	struct netgrnam	**expand_lastp;
243 	struct netgrnam	*hash_heads[HASHMOD];
244 };
245 
246 static void
247 ngt_init(ngt)
248 	struct netgrtab	*ngt;
249 {
250 	(void) memset((void *)ngt, 0, sizeof (*ngt));
251 	ngt->expand_lastp = &ngt->expand_first;
252 }
253 
254 /* === ? Change ngt_init() and ngt_destroy() to malloc/free struct netgrtab */
255 
256 static void
257 /* ==> ? Should return 'failed' (out-of-memory) status ? */
258 ngt_insert(ngt, name, namelen)
259 	struct netgrtab	*ngt;
260 	const char	*name;
261 	size_t		namelen;
262 {
263 	unsigned	hashval;
264 	size_t		i;
265 	struct netgrnam	*cur;
266 	struct netgrnam	**head;
267 
268 #define	dummy		((struct netgrnam *)0)
269 
270 	for (hashval = 0, i = 0;  i < namelen;  i++) {
271 		hashval = (hashval << 2) + hashval +
272 			((const unsigned char *)name)[i];
273 	}
274 	head = &ngt->hash_heads[hashval % HASHMOD];
275 	for (cur = *head;  cur != 0;  cur = cur->hash_chain) {
276 		if (strncmp(cur->name, name, namelen) == 0 &&
277 		    cur->name[namelen] == 0) {
278 			return;		/* Already in table, do nothing */
279 		}
280 	}
281 	/* Create new netgrnam struct */
282 	cur = (struct netgrnam *)
283 		malloc(namelen + 1 + (char *)&dummy->name[0] - (char *)dummy);
284 	if (cur == 0) {
285 		return;			/* Out of memory, too bad */
286 	}
287 	(void) memcpy(cur->name, name, namelen);
288 	cur->name[namelen] = 0;
289 
290 	/* Insert in hash table */
291 	cur->hash_chain = *head;
292 	*head = cur;
293 
294 	/* Insert in expansion list (insert at end for breadth-first search */
295 	cur->expand_next = 0;
296 	*ngt->expand_lastp = cur;
297 	ngt->expand_lastp = &cur->expand_next;
298 
299 #undef	dummy
300 }
301 
302 static const char *
303 ngt_next(ngt)
304 	struct netgrtab	*ngt;
305 {
306 	struct netgrnam	*first;
307 
308 	if ((first = ngt->expand_first) == 0) {
309 		return (0);
310 	}
311 	if ((ngt->expand_first = first->expand_next) == 0) {
312 		ngt->expand_lastp = &ngt->expand_first;
313 	}
314 	return (first->name);
315 }
316 
317 static void
318 ngt_destroy(ngt)
319 	struct netgrtab	*ngt;
320 {
321 	struct netgrnam	*cur;
322 	struct netgrnam *next;
323 	int		i;
324 
325 	for (i = 0;  i < HASHMOD;  i++) {
326 		for (cur = ngt->hash_heads[i];  cur != 0; /* cstyle */) {
327 			next = cur->hash_chain;
328 			free(cur);
329 			cur = next;
330 		}
331 	}
332 	/* Don't bother zeroing pointers;  must do init if we want to reuse */
333 }
334 
335 typedef const char *ccp;
336 
337 static nss_status_t
338 top_down(struct nis_netgr_be *be, const char **groups, int ngroups,
339     int (*func)(ccp triple[3], void *iter_args, nss_status_t *return_val),
340     void *iter_args)
341 {
342 	struct netgrtab		*ngt;
343 	/* netgrtab goes on the heap, not the stack, because it's large and */
344 	/* stacks may not be all that big in multi-threaded programs. */
345 
346 	const char		*group;
347 	int			nfound;
348 	int			done;
349 	nss_status_t		result;
350 
351 	if ((ngt = (struct netgrtab *)malloc(sizeof (*ngt))) == 0) {
352 		return (NSS_UNAVAIL);
353 	}
354 	ngt_init(ngt);
355 
356 	while (ngroups > 0) {
357 		ngt_insert(ngt, *groups, strlen(*groups));
358 		groups++;
359 		ngroups--;
360 	}
361 
362 	done	= 0;	/* Set to 1 to indicate that we cut the iteration  */
363 			/*   short (and 'result' holds the return value)   */
364 	nfound	= 0;	/* Number of successful netgroup yp_match calls	   */
365 
366 	while (!done && (group = ngt_next(ngt)) != 0) {
367 		char		*val;
368 		int		vallen;
369 		char		*p;
370 		int		yperr;
371 
372 		result = _nss_nis_ypmatch(be->domain, "netgroup", group,
373 					&val, &vallen, &yperr);
374 		if (result != NSS_SUCCESS) {
375 			/*LINTED E_NOP_IF_STMT*/
376 			if (result == NSS_NOTFOUND) {
377 				;
378 #ifdef	DEBUG
379 				syslog(LOG_WARNING,
380 				    "NIS netgroup lookup: %s doesn't exist",
381 				    group);
382 #endif	/* DEBUG */
383 			} else {
384 #ifdef	DEBUG
385 				syslog(LOG_WARNING,
386 			"NIS netgroup lookup: yp_match returned [%s]",
387 				    yperr_string(yperr));
388 #endif	/* DEBUG */
389 				done = 1;	/* Give up, return result */
390 			}
391 			/* Don't need to clean up anything */
392 			continue;
393 		}
394 
395 		nfound++;
396 
397 		if ((p = strpbrk(val, "#\n")) != 0) {
398 			*p = '\0';
399 		}
400 		p = val;
401 
402 		/* Parse val into triples and recursive netgroup references */
403 		/*CONSTCOND*/
404 		while (1) {
405 			ccp			triple[NSS_NETGR_N];
406 			int			syntax_err;
407 			enum nss_netgr_argn	i;
408 
409 			while (isspace(*p)) {
410 				p++;
411 			}
412 			if (*p == '\0') {
413 				/* Finished processing this particular val */
414 				break;
415 			}
416 			if (*p != '(') {
417 				/* Doesn't look like the start of a triple, */
418 				/*   so assume it's a recursive netgroup.   */
419 				char *start = p;
420 				p = strpbrk(start, " \t");
421 				if (p == 0) {
422 					/* Point p at the final '\0' */
423 					p = start + strlen(start);
424 				}
425 				ngt_insert(ngt, start, (size_t)(p - start));
426 				continue;
427 			}
428 
429 			/* Main case:  a (machine, user, domain) triple */
430 			p++;
431 			syntax_err = 0;
432 			for (i = NSS_NETGR_MACHINE; i < NSS_NETGR_N; i++) {
433 				char		*start;
434 				char		*limit;
435 				const char	*terminators = ",) \t";
436 
437 				if (i == NSS_NETGR_DOMAIN) {
438 					/* Don't allow comma */
439 					terminators++;
440 				}
441 				while (isspace(*p)) {
442 					p++;
443 				}
444 				start = p;
445 				limit = strpbrk(start, terminators);
446 				if (limit == 0) {
447 					syntax_err++;
448 					break;
449 				}
450 				p = limit;
451 				while (isspace(*p)) {
452 					p++;
453 				}
454 				if (*p == terminators[0]) {
455 					/*
456 					 * Successfully parsed this name and
457 					 *   the separator after it (comma or
458 					 *   right paren); leave p ready for
459 					 *   next parse.
460 					 */
461 					p++;
462 					if (start == limit) {
463 						/* Wildcard */
464 						triple[i] = 0;
465 					} else {
466 						*limit = '\0';
467 						triple[i] = start;
468 					}
469 				} else {
470 					syntax_err++;
471 					break;
472 				}
473 			}
474 
475 			if (syntax_err) {
476 /*
477  * ===> log it;
478  * ===> try skipping past next ')';  failing that, abandon the line;
479  */
480 				break;	/* Abandon this line */
481 			} else if (!(*func)(triple, iter_args, &result)) {
482 				/* Return result, good or bad */
483 				done = 1;
484 				break;
485 			}
486 		}
487 		/* End of inner loop over val[] */
488 		free(val);
489 	}
490 	/* End of outer loop (!done && ngt_next(ngt) != 0) */
491 
492 	ngt_destroy(ngt);
493 	free(ngt);
494 
495 	if (done) {
496 		return (result);
497 	} else if (nfound > 0) {
498 		/* ==== ? Should only do this if all the top-level groups */
499 		/*	  exist in YP?					  */
500 		return (NSS_SUCCESS);
501 	} else {
502 		return (NSS_NOTFOUND);
503 	}
504 }
505 
506 
507 /*
508  * Code for setnetgrent()
509  */
510 
511 /*
512  * Iterator function for setnetgrent():  copy triple, add to be->all_members
513  */
514 static int
515 save_triple(ccp trippp[NSS_NETGR_N], void *headp_arg,
516     nss_status_t *return_val)
517 {
518 	struct grouplist	**headp = headp_arg;
519 	struct grouplist	*gl;
520 	enum nss_netgr_argn	i;
521 
522 	if ((gl = (struct grouplist *)malloc(sizeof (*gl))) == 0) {
523 		/* Out of memory */
524 		*return_val = NSS_UNAVAIL;
525 		return (0);
526 	}
527 	for (i = NSS_NETGR_MACHINE;  i < NSS_NETGR_N;  i++) {
528 		if (trippp[i] == 0) {
529 			/* Wildcard */
530 			gl->triple[i] = 0;
531 		} else if ((gl->triple[i] = strdup(trippp[i])) == 0) {
532 			/* Out of memory.  Free any we've allocated */
533 			enum nss_netgr_argn	j;
534 
535 			for (j = NSS_NETGR_MACHINE;  j < i;  j++) {
536 				if (gl->triple[j] != 0) {
537 					free(gl->triple[j]);
538 				}
539 			}
540 			*return_val = NSS_UNAVAIL;
541 			return (0);
542 		}
543 	}
544 	gl->gl_nxt = *headp;
545 	*headp = gl;
546 	return (1);	/* Tell top_down() to keep iterating */
547 }
548 
549 static nss_status_t
550 netgr_set(be, a)
551 	struct nis_netgr_be	*be;
552 	void			*a;
553 {
554 	struct nss_setnetgrent_args *args = (struct nss_setnetgrent_args *)a;
555 	struct nis_getnetgr_be	*get_be;
556 	nss_status_t		res;
557 
558 	get_be = (struct nis_getnetgr_be *)malloc(sizeof (*get_be));
559 	if (get_be == 0) {
560 		return (NSS_UNAVAIL);
561 	}
562 
563 	get_be->all_members = 0;
564 	res = top_down(be, &args->netgroup, 1, save_triple,
565 		&get_be->all_members);
566 
567 	if (res == NSS_SUCCESS) {
568 		get_be->ops		= getnetgr_ops;
569 		get_be->n_ops		= sizeof (getnetgr_ops) /
570 						sizeof (getnetgr_ops[0]);
571 		get_be->netgroup	= strdup(args->netgroup);
572 		get_be->next_member	= get_be->all_members;
573 
574 		args->iterator		= (nss_backend_t *)get_be;
575 	} else {
576 		args->iterator		= 0;
577 		free(get_be);
578 	}
579 	return (res);
580 }
581 
582 
583 /*
584  * Code for innetgr()
585  */
586 
587 /*
588  * Iterator function for innetgr():  Check whether triple matches args
589  */
590 static int
591 match_triple(ccp triple[NSS_NETGR_N], void *ia_arg, nss_status_t *return_val)
592 {
593 	struct nss_innetgr_args	*ia = ia_arg;
594 	enum nss_netgr_argn	i;
595 
596 	for (i = NSS_NETGR_MACHINE;  i < NSS_NETGR_N;  i++) {
597 		int		(*cmpf)(const char *, const char *);
598 		char		**argv;
599 		int		n;
600 		const char	*name = triple[i];
601 		int		argc = ia->arg[i].argc;
602 
603 		if (argc == 0 || name == 0) {
604 			/* Wildcarded on one side or t'other */
605 			continue;
606 		}
607 		argv = ia->arg[i].argv;
608 		cmpf = (i == NSS_NETGR_MACHINE) ? strcasecmp : strcmp;
609 		for (n = 0;  n < argc;  n++) {
610 			if ((*cmpf)(argv[n], name) == 0) {
611 				break;
612 			}
613 		}
614 		if (n >= argc) {
615 			/* Match failed, tell top_down() to keep looking */
616 			return (1);
617 		}
618 	}
619 	/* Matched on all three, so quit looking and declare victory */
620 
621 	ia->status = NSS_NETGR_FOUND;
622 	*return_val = NSS_SUCCESS;
623 	return (0);
624 }
625 
626 /*
627  * inlist() -- return 1 if at least one item from the "what" list
628  *   is in the comma-separated, newline-terminated "list"
629  */
630 static const char comma = ',';	/* Don't let 'cfix' near this */
631 
632 static int
633 inlist(nwhat, pwhat, list)
634 	nss_innetgr_argc	nwhat;
635 	nss_innetgr_argv	pwhat;
636 	char			*list;
637 {
638 	char			*p;
639 	nss_innetgr_argc	nw;
640 	nss_innetgr_argv	pw;
641 
642 	while (*list != 0) {
643 		while (*list == comma || isspace(*list))
644 			list++;
645 		for (p = list;  *p != 0 && *p != comma &&
646 		    !isspace(*p); /* nothing */)
647 			p++;
648 		if (p != list) {
649 			if (*p != 0)
650 				*p++ = 0;
651 			for (pw = pwhat, nw = nwhat;  nw != 0;  pw++, nw--) {
652 				if (strcmp(list, *pw) == 0)
653 					return (1);
654 			}
655 			list = p;
656 		}
657 	}
658 	return (0);
659 }
660 
661 /*
662  * Generate a key for a netgroup.byXXXX NIS map
663  */
664 static void
665 makekey(key, name, domain)
666 	char		*key;
667 	const char	*name;
668 	const char	*domain;
669 {
670 	while (*key++ = *name++)
671 		;
672 	*(key-1) = '.';
673 	while (*key++ = *domain++)
674 		;
675 }
676 
677 static int
678 makekey_lc(key, name, domain)
679 	char		*key;
680 	const char	*name;		/* Convert this to lowercase */
681 	const char	*domain;	/* But not this */
682 {
683 	int		found_uc = 0;
684 	char		c;
685 
686 	while (c = *name++) {
687 		if (isupper(c)) {
688 			++found_uc;
689 			c = tolower(c);
690 		}
691 		*key++ = c;
692 	}
693 	*key++ = '.';
694 	while (*key++ = *domain++)
695 		;
696 	return (found_uc);
697 }
698 
699 /*
700  * easy_way() --  try to use netgroup.byuser and netgroup.byhost maps to
701  *		  get answers more efficiently than by recursive search.
702  *
703  * If more than one name (username or hostname) is specified, this approach
704  * becomes less attractive;  at some point it's probably cheaper to do the
705  * recursive search.  We don't know what the threshold is (among other things
706  * it may depend on the site-specific struucture of netgroup information),
707  * so here's a guesstimate.
708  */
709 
710 #define	NNAME_THRESHOLD	5
711 
712 static int
713 easy_way(be, ia, argp, map, try_lc, statusp)
714 	struct nis_netgr_be	*be;
715 	struct nss_innetgr_args	*ia;
716 	struct nss_innetgr_1arg	*argp;
717 	const char		*map;
718 	int			try_lc;
719 	nss_status_t		*statusp;
720 {
721 	nss_innetgr_argc	nname = argp->argc;
722 	nss_innetgr_argv	pname = argp->argv;
723 	const char		*domain = ia->arg[NSS_NETGR_DOMAIN].argv[0];
724 	const char		*wild = "*";
725 	int			yperr;
726 	char			*val;
727 	int			vallen;
728 	char			*key;
729 	int			i;
730 
731 	/* Our caller guaranteed that nname >= 1 */
732 	while (nname > 1) {
733 		struct nss_innetgr_1arg	just_one;
734 
735 		if (nname > NNAME_THRESHOLD) {
736 			return (0);	/* May be cheaper to use 'netgroup' */
737 		}
738 
739 		just_one.argc = 1;
740 		just_one.argv = pname;
741 
742 		if (easy_way(be, ia, &just_one, map, try_lc, statusp) &&
743 		    ia->status == NSS_NETGR_FOUND) {
744 			return (1);
745 		}
746 		++pname;
747 		--nname;
748 		/* Fall through and do the last one inline */
749 	}
750 
751 	if ((key = malloc(strlen(*pname) + strlen(domain) + 2)) == 0) {
752 		return (0);	/* Or maybe (1) and NSS_UNAVAIL */
753 	}
754 
755 	for (i = 0;  i < (try_lc ? 6 : 4);  i++) {
756 		switch (i) {
757 		    case 0:
758 			makekey(key, *pname, domain);
759 			break;
760 		    case 1:
761 			makekey(key, wild, domain);
762 			break;
763 		    case 2:
764 			makekey(key, *pname, wild);
765 			break;
766 		    case 3:
767 			makekey(key, wild, wild);
768 			break;
769 		    case 4:
770 			if (!makekey_lc(key, *pname, domain)) {
771 				try_lc = 0;	/* Sleazy but effective */
772 				continue;	/*   i.e. quit looping  */
773 			}
774 			break;
775 		    case 5:
776 			(void) makekey_lc(key, *pname, wild);
777 			break;
778 		}
779 		*statusp = _nss_nis_ypmatch(be->domain, map, key,
780 					&val, &vallen, &yperr);
781 		if (*statusp == NSS_SUCCESS) {
782 			if (inlist(ia->groups.argc, ia->groups.argv, val)) {
783 				free(val);
784 				free(key);
785 				ia->status = NSS_NETGR_FOUND;
786 				return (1);
787 			} else {
788 				free(val);
789 			}
790 		} else {
791 #ifdef DEBUG
792 			syslog(LOG_WARNING,
793 				"innetgr: yp_match(%s,%s) failed: %s",
794 				map, key, yperr_string(yperr));
795 #endif	/* DEBUG */
796 			if (yperr != YPERR_KEY)  {
797 				free(key);
798 				return (0);
799 			}
800 		}
801 	}
802 
803 	free(key);
804 
805 /* =====> is this (an authoritative "no") always the right thing to do?	*/
806 /*	  Answer:  yes, except for hostnames that aren't all lowercase	*/
807 
808 	*statusp = NSS_NOTFOUND;	/* Yup, three different flavours of */
809 	ia->status = NSS_NETGR_NO;	/*   status information, so-called. */
810 	return (1);			/*   Silly, innit?		    */
811 }
812 
813 
814 static nss_status_t
815 netgr_in(be, a)
816 	struct nis_netgr_be	*be;
817 	void			*a;
818 {
819 	struct nss_innetgr_args	*ia = (struct nss_innetgr_args *)a;
820 	nss_status_t		res;
821 
822 	ia->status = NSS_NETGR_NO;
823 
824 	/* Can we use netgroup.byhost or netgroup.byuser to speed things up? */
825 
826 /* ====> diddle this to try fast path for domains.argc == 0 too */
827 	if (ia->arg[NSS_NETGR_DOMAIN].argc == 1) {
828 		if (ia->arg[NSS_NETGR_MACHINE].argc == 0 &&
829 		    ia->arg[NSS_NETGR_USER   ].argc != 0) {
830 			if (easy_way(be, ia, &ia->arg[NSS_NETGR_USER],
831 			    "netgroup.byuser", 0, &res)) {
832 				return (res);
833 			}
834 		} else if (ia->arg[NSS_NETGR_USER].argc == 0 &&
835 		    ia->arg[NSS_NETGR_MACHINE].argc != 0) {
836 			if (easy_way(be, ia, &ia->arg[NSS_NETGR_MACHINE],
837 			    "netgroup.byhost", 1, &res)) {
838 				return (res);
839 			}
840 		}
841 	}
842 
843 	/* Nope, try the slow way */
844 	ia->status = NSS_NETGR_NO;
845 	res = top_down(be, (const char **)ia->groups.argv, ia->groups.argc,
846 	    match_triple, ia);
847 	return (res);
848 }
849 
850 
851 /*
852  * (Almost) boilerplate for a switch backend
853  */
854 
855 /*ARGSUSED*/
856 static nss_status_t
857 netgr_destr(be, dummy)
858 	struct nis_netgr_be	*be;
859 	void			*dummy;
860 {
861 	if (be != 0) {
862 		free(be);
863 	}
864 	return (NSS_SUCCESS);
865 }
866 
867 static nis_netgr_op_t netgroup_ops[] = {
868 	netgr_destr,
869 	0,		/* No endent, because no setent/getent */
870 	0,		/* No setent;  setnetgrent() is really a getXbyY() */
871 	0,		/* No getent in the normal sense */
872 
873 	netgr_in,	/* innetgr() */
874 	netgr_set,	/* setnetgrent() */
875 };
876 
877 /*ARGSUSED*/
878 nss_backend_t *
879 _nss_nis_netgroup_constr(dummy1, dummy2, dummy3)
880 	const char	*dummy1, *dummy2, *dummy3;
881 {
882 	const char		*domain;
883 	struct nis_netgr_be	*be;
884 
885 	if ((domain = _nss_nis_domain()) == 0 ||
886 	    (be = (struct nis_netgr_be *)malloc(sizeof (*be))) == 0) {
887 		return (0);
888 	}
889 	be->ops		= netgroup_ops;
890 	be->n_ops	= sizeof (netgroup_ops) / sizeof (netgroup_ops[0]);
891 	be->domain	= domain;
892 
893 	return ((nss_backend_t *)be);
894 }
895