1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 * Copyright 2012 Milan Jurik. All rights reserved. 26 */ 27 28 #include <stdlib.h> /* getenv() */ 29 #include <assert.h> 30 #include <unistd.h> 31 #include <string.h> 32 #include <pthread.h> 33 #include <dlfcn.h> 34 #include <nss_dbdefs.h> 35 #include <exec_attr.h> 36 #include <gssapi/gssapi.h> 37 #include "nscd_door.h" 38 #include "nscd_switch.h" 39 #include "nscd_log.h" 40 #include "nscd_frontend.h" 41 42 #pragma weak nss_search = _nss_search 43 #define nss_search _nss_search 44 45 extern rwlock_t nscd_smf_service_state_lock; 46 47 /* nscd id: main, forker, or child */ 48 extern int _whoami; 49 50 static int 51 retry_test(nss_status_t res, int n, struct __nsw_lookup_v1 *lkp) 52 { 53 if (res != NSS_TRYAGAIN && res != NSS_NISSERVDNS_TRYAGAIN) { 54 if (res == NSS_SUCCESS) { 55 __NSW_UNPAUSE_ACTION(lkp->actions[__NSW_TRYAGAIN]); 56 __NSW_UNPAUSE_ACTION( 57 lkp->actions[__NSW_NISSERVDNS_TRYAGAIN]); 58 } 59 return (0); 60 } 61 62 if ((res == NSS_TRYAGAIN && 63 lkp->actions[__NSW_TRYAGAIN] == __NSW_TRYAGAIN_FOREVER) || 64 (res == NSS_NISSERVDNS_TRYAGAIN && 65 lkp->actions[__NSW_NISSERVDNS_TRYAGAIN] == __NSW_TRYAGAIN_FOREVER)) 66 return (1); 67 68 if (res == NSS_TRYAGAIN && 69 lkp->actions[__NSW_TRYAGAIN] == __NSW_TRYAGAIN_NTIMES) 70 if (n <= lkp->max_retries) 71 return (1); 72 else { 73 lkp->actions[__NSW_TRYAGAIN] = __NSW_TRYAGAIN_PAUSED; 74 return (0); 75 } 76 77 if (res == NSS_NISSERVDNS_TRYAGAIN && 78 lkp->actions[__NSW_NISSERVDNS_TRYAGAIN] == __NSW_TRYAGAIN_NTIMES) 79 if (n <= lkp->max_retries) 80 return (1); 81 else { 82 lkp->actions[__NSW_NISSERVDNS_TRYAGAIN] = 83 __NSW_TRYAGAIN_PAUSED; 84 return (0); 85 } 86 87 return (0); 88 } 89 90 static thread_key_t loopback_key = THR_ONCE_KEY; 91 typedef struct lb_key { 92 int srci; 93 int dbi; 94 int fnum; 95 int *lb_flagp; 96 } lb_key_t; 97 98 static int 99 set_loopback_key(lb_key_t *key) { 100 101 int rc; 102 103 rc = thr_keycreate_once(&loopback_key, NULL); 104 /* set key if not already set */ 105 if (rc == 0 && pthread_getspecific(loopback_key) == NULL) 106 rc = thr_setspecific(loopback_key, key); 107 108 return (rc); 109 } 110 111 static lb_key_t * 112 get_loopback_key(void) { 113 114 char *me = "get_loopback_key"; 115 lb_key_t *k = NULL; 116 117 k = pthread_getspecific(loopback_key); 118 119 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 120 (me, "get loopback key, key = %p\n", k); 121 122 return (k); 123 } 124 125 static void 126 clear_loopback_key(lb_key_t *key) { 127 128 char *me = "clear_loopback_key"; 129 130 if (loopback_key != THR_ONCE_KEY && key != NULL) { 131 /* 132 * key->lb_flagp points to the location of the 133 * flag, check_flag, in the stack where it was 134 * first set; clearing the flag tells that 135 * stack the loopback error has been resolved 136 */ 137 *key->lb_flagp = 0; 138 (void) thr_setspecific(loopback_key, NULL); 139 } 140 141 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 142 (me, "key %p cleared\n", key); 143 } 144 145 static thread_key_t initf_key = THR_ONCE_KEY; 146 147 static int 148 set_initf_key(void *pbuf) { 149 150 int rc; 151 152 rc = thr_keycreate_once(&initf_key, NULL); 153 if (rc == 0) 154 rc = thr_setspecific(initf_key, pbuf); 155 156 return (rc); 157 } 158 159 static void * 160 get_initf_key(void) { 161 162 char *me = "get_initf_key"; 163 void *pbuf; 164 165 pbuf = pthread_getspecific(initf_key); 166 167 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 168 (me, "got initf pbuf, key = %p\n", pbuf); 169 170 return (pbuf); 171 } 172 173 static void 174 clear_initf_key(void) { 175 176 char *me = "clear_initf_key"; 177 178 (void) thr_setspecific(initf_key, NULL); 179 180 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 181 (me, "initf pbuf cleared\n"); 182 } 183 184 /* 185 * Call the input initf function to extract the 186 * NSS front end parameters and examine them to 187 * determine if an NSS lookup is to be performed 188 * on a regular or a pseudo (called from compat 189 * backend) database. Then set the necessary 190 * parameters for later data structures creation 191 * and processing. 192 */ 193 static nscd_rc_t 194 getparams( 195 int search_fnum, 196 nss_db_initf_t initf, 197 nscd_nsw_params_t *params) 198 { 199 200 nscd_rc_t rc = NSCD_SUCCESS; 201 nss_db_params_t *p; 202 int j; 203 char *dbn; 204 const char *n; 205 char *me = "getparams"; 206 207 p = ¶ms->p; 208 (void) memset(params, 0, sizeof (nscd_nsw_params_t)); 209 (*initf)(p); 210 params->dbi = -1; 211 params->cfgdbi = -1; 212 params->compati = -1; 213 params->dnsi = -1; 214 215 /* map database name to index */ 216 n = p->name; 217 for (j = 0; j < NSCD_NUM_DB; j++) { 218 dbn = NSCD_NSW_DB_NAME(j); 219 if (*n != *dbn) 220 continue; 221 if (strcmp(n, dbn) == 0) { 222 params->dbi = j; 223 if (*n != 'h' && *n != 'i' && *n != 's' && *n != 'a') 224 break; 225 if (strcmp(n, NSS_DBNAM_HOSTS) == 0 && 226 search_fnum == NSS_DBOP_HOSTS_BYNAME) 227 params->dnsi = 0; 228 else if (strcmp(n, NSS_DBNAM_IPNODES) == 0 && 229 search_fnum == NSS_DBOP_IPNODES_BYNAME) 230 params->dnsi = 1; 231 else if (strcmp(n, NSS_DBNAM_SHADOW) == 0) 232 params->privdb = 1; 233 break; 234 } 235 } 236 237 /* 238 * use the switch policy for passwd_compat or 239 * group_compat? 240 */ 241 if (p->config_name != NULL) { 242 n = p->config_name; 243 for (j = 0; j < NSCD_NUM_DB; j++) { 244 dbn = NSCD_NSW_DB_NAME(j); 245 if (*n == *dbn) { 246 if (strcmp(n, dbn) == 0) { 247 params->cfgdbi = j; 248 break; 249 } 250 } 251 } 252 } 253 254 /* map the database name to the pseudo database index */ 255 if (params->cfgdbi != -1) { 256 if (strstr(p->config_name, "_compat") != NULL) { 257 n = p->name; 258 for (j = params->cfgdbi; j < NSCD_NUM_DB; j++) { 259 dbn = NSCD_NSW_DB_NAME(j); 260 if (*n == *dbn) { 261 if (strcmp(n, dbn) == 0) { 262 params->compati = j; 263 break; 264 } 265 } 266 } 267 } 268 } 269 270 /* 271 * if unsupported database, let caller determine what to do next 272 */ 273 if (params->dbi == -1) { 274 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 275 (me, "unsupported database: %s\n", p->name); 276 return (NSCD_CFG_UNSUPPORTED_SWITCH_DB); 277 } 278 279 return (rc); 280 } 281 282 static void 283 nscd_initf(nss_db_params_t *p) 284 { 285 nss_pheader_t *pbuf; 286 nssuint_t off; 287 nss_dbd_t *pdbd; 288 char *me = "nscd_initf"; 289 290 pbuf = (nss_pheader_t *)get_initf_key(); 291 if (pbuf == NULL) { 292 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 293 (me, "ERROR: initf key not set\n"); 294 return; 295 } 296 297 if (pbuf->dbd_len <= sizeof (nss_dbd_t)) { 298 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 299 (me, "invalid db front params data ? dbd_len = %d\n", 300 pbuf->dbd_len); 301 return; 302 } 303 304 off = pbuf->dbd_off; 305 pdbd = (nss_dbd_t *)((void *)((char *)pbuf + off)); 306 307 p->name = (char *)pdbd + pdbd->o_name; 308 p->config_name = (char *)pdbd + pdbd->o_config_name; 309 p->default_config = (char *)pdbd + pdbd->o_default_config; 310 p->flags = (enum nss_dbp_flags)pdbd->flags; 311 (void) memcpy(&p->private, &pbuf->nscdpriv, sizeof (p->private)); 312 313 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 314 (me, "db frontend params: name =%s, config_name = %s, " 315 "default_config = %s, flags = %x\n", p->name, 316 (p->config_name && *p->config_name != '\0' ? 317 p->config_name : "<NOT SPECIFIED>"), 318 (p->default_config && *p->default_config != '\0' ? 319 p->default_config : "<NOT SPECIFIED>"), 320 p->flags); 321 } 322 323 324 static void 325 trace_result( 326 int dbi, 327 int srci, 328 int op, 329 nss_status_t res, 330 nss_XbyY_args_t *arg) 331 { 332 char *res_str; 333 char *src = "?"; 334 char *db = "?"; 335 char *data_str = "<NOT STRING FORMAT>"; 336 int data_len = 0; 337 char *me = "trace_result"; 338 339 switch (res) { 340 case NSS_SUCCESS: 341 res_str = "NSS_SUCCESS"; 342 break; 343 case NSS_NOTFOUND: 344 res_str = "NSS_NOTFOUND"; 345 break; 346 case NSS_UNAVAIL: 347 res_str = "NSS_UNAVAIL"; 348 break; 349 case NSS_TRYAGAIN: 350 res_str = "NSS_TRYAGAIN"; 351 break; 352 case NSS_NISSERVDNS_TRYAGAIN: 353 res_str = "NSS_NISSERVDNS_TRYAGAIN"; 354 break; 355 default: 356 res_str = "UNKNOWN STATUS"; 357 break; 358 } 359 360 if (dbi != -1) 361 db = NSCD_NSW_DB_NAME(dbi); 362 if (srci != -1) 363 src = NSCD_NSW_SRC_NAME(srci); 364 365 if (arg->buf.result == NULL) { 366 data_str = arg->buf.buffer; 367 data_len = arg->returnlen; 368 } 369 370 if (res == NSS_SUCCESS) { 371 _nscd_logit(me, "%s: database: %s, operation: %d, " 372 "source: %s returned >>%s<<, length = %d\n", 373 res_str, db, op, src, data_str, data_len); 374 return; 375 } 376 377 _nscd_logit(me, "%s: database: %s, operation: %d, source: %s, " 378 "erange= %d, herrno: %s (%d)\n", 379 res_str, db, op, src, arg->erange, hstrerror(arg->h_errno), 380 arg->h_errno); 381 } 382 383 /* 384 * Determine if a request should be done locally in the getXbyY caller's 385 * process. Return none zero if yes, 0 otherwise. This should be called 386 * before the switch engine steps through the backends/sources. 387 * This function returns 1 if: 388 * -- the database is exec_attr and the search_flag is GET_ALL 389 */ 390 static int 391 try_local( 392 int dbi, 393 void *arg) 394 { 395 struct nss_XbyY_args *ap = (struct nss_XbyY_args *)arg; 396 _priv_execattr *ep; 397 int rc = 0; 398 char *me = "try_local"; 399 400 if (strcmp(NSCD_NSW_DB_NAME(dbi), NSS_DBNAM_EXECATTR) == 0) { 401 if ((ep = ap->key.attrp) != NULL && IS_GET_ALL(ep->search_flag)) 402 rc = 1; 403 } 404 405 if (rc != 0) { 406 407 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 408 (me, "TRYLOCAL: exec_attr:GET_ALL\n"); 409 } 410 411 return (rc); 412 } 413 414 /* 415 * Determine if a request should be done locally in the getXbyY caller's 416 * process. Return none zero if yes, 0 otherwise. This should be called 417 * before the switch engine invokes any backend. 418 * This function returns 1 if: 419 * -- the database is shadow and the source is compat 420 */ 421 static int 422 try_local2( 423 int dbi, 424 int srci) 425 { 426 int rc = 0; 427 char *me = "try_local2"; 428 429 if (*NSCD_NSW_DB_NAME(dbi) == 's' && 430 strcmp(NSCD_NSW_DB_NAME(dbi), NSS_DBNAM_SHADOW) == 0) { 431 if (strcmp(NSCD_NSW_SRC_NAME(srci), "compat") == 0) 432 rc = 1; 433 } 434 435 if (rc != 0) { 436 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 437 (me, "TRYLOCAL: database: shadow, source: %s\n", 438 NSCD_NSW_SRC_NAME(srci)); 439 } 440 441 return (rc); 442 } 443 444 static nscd_rc_t 445 get_lib_func(void **handle, void **func, mutex_t *lock, 446 char *lib, char *name, void **func_p) 447 { 448 char *me = "get_lib_func"; 449 void *sym; 450 451 if (func_p != NULL && *handle != NULL && *func != NULL) { 452 *func_p = *func; 453 return (NSCD_SUCCESS); 454 } 455 456 (void) mutex_lock(lock); 457 458 /* close the handle if requested */ 459 if (func_p == NULL) { 460 if (*handle != NULL) { 461 (void) dlclose(*handle); 462 *handle = NULL; 463 *func = NULL; 464 } 465 (void) mutex_unlock(lock); 466 return (NSCD_SUCCESS); 467 } 468 469 if (*handle != NULL && *func != NULL) { 470 *func_p = *func; 471 (void) mutex_unlock(lock); 472 return (NSCD_SUCCESS); 473 } 474 475 if (*handle == NULL) { 476 *handle = dlopen(lib, RTLD_LAZY); 477 if (*handle == NULL) { 478 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_ERROR) 479 (me, "unable to dlopen %s\n", lib); 480 (void) mutex_unlock(lock); 481 return (NSCD_CFG_DLOPEN_ERROR); 482 } 483 } 484 485 if ((sym = dlsym(*handle, name)) == NULL) { 486 487 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_ERROR) 488 (me, "unable to find symbol %s:%s\n", lib, name); 489 (void) mutex_unlock(lock); 490 return (NSCD_CFG_DLSYM_ERROR); 491 } else { 492 *func_p = sym; 493 *func = sym; 494 } 495 496 (void) mutex_unlock(lock); 497 return (NSCD_SUCCESS); 498 } 499 500 static nscd_rc_t 501 get_libc_nss_search(void **func_p) 502 { 503 static void *handle = NULL; 504 static void *func = NULL; 505 static mutex_t lock = DEFAULTMUTEX; 506 507 return (get_lib_func(&handle, &func, &lock, 508 "libc.so", "nss_search", func_p)); 509 } 510 511 static nscd_rc_t 512 get_gss_func(void **func_p) 513 { 514 static void *handle = NULL; 515 static void *func = NULL; 516 static mutex_t lock = DEFAULTMUTEX; 517 518 return (get_lib_func(&handle, &func, &lock, 519 "libgss.so", "gss_inquire_cred", func_p)); 520 } 521 522 static nscd_rc_t 523 get_sldap_shadow_func(void **func_p) 524 { 525 static void *handle = NULL; 526 static void *func = NULL; 527 static mutex_t lock = DEFAULTMUTEX; 528 529 return (get_lib_func(&handle, &func, &lock, 530 "libsldap.so", "__ns_ldap_is_shadow_update_enabled", 531 func_p)); 532 } 533 534 /* 535 * get_dns_funcs returns pointers to gethostbyname functions in the 536 * dynamically loaded nss_dns & nss_mdns modules that return host 537 * lookup results along with the TTL value in the DNS resource 538 * records. The dnsi parameter indicates whether the lookup database 539 * is hosts(0) or ipnodes(1). The srcname parameter identifies the DNS 540 * module: dns/mdns and the function returns the address of the specific 541 * gethostbyname function in func_p variable. 542 */ 543 static nscd_rc_t 544 get_dns_funcs(int dnsi, nss_status_t (**func_p)(), const char *srcname) 545 { 546 int si; 547 void **funcpp; 548 static void *handle[2] = { NULL, NULL }; 549 static mutex_t func_lock[2] = { DEFAULTMUTEX, DEFAULTMUTEX }; 550 static void *func[2][2] = {{NULL, NULL}, {NULL, NULL}}; 551 static const char *lib[2] = { "nss_dns.so.1", "nss_mdns.so.1" }; 552 static const char *func_name[2][2] = 553 {{ "_nss_get_dns_hosts_name", "_nss_get_dns_ipnodes_name" }, 554 { "_nss_get_mdns_hosts_name", "_nss_get_mdns_ipnodes_name" }}; 555 556 /* source index: 0 = dns, 1 = mdns */ 557 if (strcmp(srcname, "dns") == 0) 558 si = 0; 559 else 560 si = 1; 561 562 /* 563 * function index (func[si][dnsi]): 564 * [0,0] = dns/hosts, [0,1] = dns/ipnodes, 565 * [1,0] = mdns/hosts, [1,1] = mdns/ipnodes 566 */ 567 568 if (dnsi < 0) { /* close handle */ 569 funcpp = NULL; 570 (void) mutex_lock(&func_lock[si]); 571 func[si][0] = NULL; 572 func[si][1] = NULL; 573 (void) mutex_unlock(&func_lock[si]); 574 } else 575 funcpp = (void **)func_p; 576 577 return (get_lib_func(&handle[si], &func[si][dnsi], &func_lock[si], 578 (char *)lib[si], (char *)func_name[si][dnsi], funcpp)); 579 } 580 581 static nss_status_t 582 search_dns_withttl(nscd_sw_return_t *swret, const char *srcname, int dnsi) 583 { 584 nss_status_t (*func)(); 585 nss_status_t res = NSS_UNAVAIL; 586 nscd_rc_t rc; 587 588 swret->noarg = 0; 589 if (strcmp(srcname, "dns") != 0 && strcmp(srcname, "mdns") != 0) 590 return (NSS_ERROR); 591 592 rc = get_dns_funcs(dnsi, &func, srcname); 593 if (rc == NSCD_SUCCESS) { 594 /* 595 * data_len in the packed buf header may be changed 596 * by the dns or mdns backend, reset it just in 597 * case 598 */ 599 ((nss_pheader_t *)swret->pbuf)->data_len = 600 swret->datalen; 601 res = (func)(NULL, &swret->pbuf, &swret->pbufsiz); 602 } 603 return (res); 604 } 605 606 /* 607 * Returns a flag to indicate if needs to fall back to the 608 * main nscd when a per-user lookup failed with rc NSS_NOTFOUND. 609 */ 610 static int 611 set_fallback_flag(char *srcname, nss_status_t rc) 612 { 613 char *me = "set_fallback_flag"; 614 if (strcmp(srcname, "ldap") == 0 && rc == NSS_NOTFOUND) { 615 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 616 (me, "NSS_NOTFOUND (ldap): fallback to main nscd " 617 "may be needed\n"); 618 return (1); 619 } 620 return (0); 621 } 622 623 nss_status_t 624 nss_search(nss_db_root_t *rootp, nss_db_initf_t initf, int search_fnum, 625 void *search_args) 626 { 627 char *me = "nss_search"; 628 nss_status_t res = NSS_UNAVAIL; 629 nscd_nsw_state_t *s = NULL; 630 int n_src; 631 unsigned int status_vec = 0; 632 int dbi, srci = -1; 633 int check_loopback = 0; 634 int state_thr = 0; 635 lb_key_t key, *k = NULL; 636 nss_db_root_t root_db; 637 nscd_nsw_params_t params; 638 nscd_sw_return_t *swret; 639 640 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 641 (me, "rootp = %p, initf = %p, search_fnum = %d, " 642 "search_args = %p\n", rootp, initf, 643 search_fnum, search_args); 644 645 NSCD_SW_STATS_G.lookup_request_received_g++; 646 NSCD_SW_STATS_G.lookup_request_in_progress_g++; 647 NSCD_SW_STATS_G.lookup_request_queued_g++; 648 649 /* determine db index, cfg db index, etc */ 650 if (getparams(search_fnum, initf, ¶ms) == 651 NSCD_CFG_UNSUPPORTED_SWITCH_DB) { 652 /* 653 * if unsupported database and the request is from the 654 * the door, tell the door client to try it locally 655 */ 656 if (initf == nscd_initf) { 657 res = NSS_TRYLOCAL; 658 goto error_exit; 659 } else { /* otherwise, let libc:nss_search() handle it */ 660 nss_status_t (*func)(); 661 662 if (get_libc_nss_search((void **)&func) == 663 NSCD_SUCCESS) 664 return ((func)(rootp, initf, search_fnum, 665 search_args)); 666 else 667 goto error_exit; 668 } 669 } 670 dbi = params.dbi; 671 672 /* get address of the switch engine return data area */ 673 if (initf == nscd_initf) { 674 swret = (nscd_sw_return_t *)params.p.private; 675 swret->srci = -1; 676 } else { 677 swret = NULL; 678 params.dnsi = -1; 679 } 680 681 /* 682 * for door request that should be processed by the client, 683 * send it back with status NSS_TRYLOCAL 684 */ 685 if (initf == nscd_initf && try_local(dbi, search_args) == 1) { 686 res = NSS_TRYLOCAL; 687 goto error_exit; 688 } 689 690 NSCD_SW_STATS(dbi).lookup_request_received++; 691 NSCD_SW_STATS(dbi).lookup_request_in_progress++; 692 NSCD_SW_STATS(dbi).lookup_request_queued++; 693 694 /* if lookup not enabled, return NSS_UNAVAIL */ 695 if (!(NSCD_SW_CFG_G.enable_lookup_g == nscd_true && 696 NSCD_SW_CFG(dbi).enable_lookup == nscd_true)) { 697 698 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 699 (me, "lookup not enabled for %s\n", NSCD_NSW_DB_NAME(dbi)); 700 701 goto error_exit; 702 } 703 704 /* determine if loopback checking is configured */ 705 if (NSCD_SW_CFG_G.enable_loopback_checking_g == nscd_true && 706 NSCD_SW_CFG(dbi).enable_loopback_checking == nscd_true) { 707 check_loopback = 1; 708 709 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 710 (me, "loopback checking enabled for %s\n", 711 NSCD_NSW_DB_NAME(dbi)); 712 } 713 714 if (check_loopback) { 715 k = get_loopback_key(); 716 if (k != NULL) { 717 if (k->dbi != dbi || k->fnum != search_fnum) { 718 clear_loopback_key(k); 719 k = NULL; 720 } 721 } 722 } 723 724 if (s == 0) { 725 nscd_rc_t rc; 726 727 if (check_loopback) { 728 rc = _nscd_get_nsw_state_thread(&root_db, ¶ms); 729 state_thr = 1; 730 } else 731 rc = _nscd_get_nsw_state(&root_db, ¶ms); 732 733 NSCD_SW_STATS_G.lookup_request_queued_g--; 734 NSCD_SW_STATS(dbi).lookup_request_queued--; 735 736 if (rc != NSCD_SUCCESS) 737 goto error_exit; 738 739 s = (nscd_nsw_state_t *)root_db.s; 740 } 741 742 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 743 (me, "database = %s, config = >>%s<<\n", NSCD_NSW_DB_NAME(dbi), 744 (*s->nsw_cfg_p)->nsw_cfg_str); 745 746 for (n_src = 0; n_src < s->max_src; n_src++) { 747 nss_backend_t *be = NULL; 748 nss_backend_op_t funcp = NULL; 749 struct __nsw_lookup_v1 *lkp; 750 int smf_state; 751 int n_loop = 0; 752 int max_retry = 10; 753 754 res = NSS_UNAVAIL; 755 756 if (n_src == 0) 757 lkp = s->config->lookups; 758 else 759 lkp = lkp->next; 760 761 /* set the number of max. retries */ 762 if (lkp->actions[__NSW_TRYAGAIN] == __NSW_TRYAGAIN_NTIMES) 763 max_retry = lkp->max_retries; 764 765 srci = (*s->nsw_cfg_p)->src_idx[n_src]; 766 if (swret != NULL) 767 swret->srci = srci; 768 769 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 770 (me, "nsw source = %s\n", NSCD_NSW_SRC_NAME(srci)); 771 772 /* 773 * If no privilege to look up, skip. 774 * 'files' requires PRIV_FILE_DAC_READ to read shadow(4) data, 775 * 'ldap' requires all zones privilege. 776 */ 777 if (params.privdb == 1 && swret != NULL) { 778 boolean_t (*is_shadow_update_enabled)(); 779 boolean_t check_ldap_priv = B_FALSE; 780 781 if (strcmp(NSCD_NSW_SRC_NAME(srci), "ldap") == 0) { 782 if (get_sldap_shadow_func( 783 (void **)&is_shadow_update_enabled) == 784 NSCD_SUCCESS && 785 is_shadow_update_enabled()) { 786 check_ldap_priv = B_TRUE; 787 788 /* 789 * A peruser nscd doesn't have 790 * the privileges to lookup a 791 * private database, such as shadow, 792 * returns NSS_ALTRETRY to have the 793 * main nscd do the job. 794 */ 795 if (_whoami == NSCD_CHILD) { 796 res = NSS_ALTRETRY; 797 goto free_nsw_state; 798 } 799 } 800 } 801 802 if ((strcmp(NSCD_NSW_SRC_NAME(srci), "files") == 0 && 803 _nscd_check_client_priv(NSCD_READ_PRIV) != 0) || 804 (check_ldap_priv && 805 _nscd_check_client_priv(NSCD_ALL_PRIV) != 0)) { 806 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, 807 NSCD_LOG_LEVEL_DEBUG) 808 (me, "no privilege to look up, skip source\n"); 809 810 goto next_src; 811 } 812 } 813 814 /* get state of the (backend) client service */ 815 smf_state = _nscd_get_smf_state(srci, dbi, 0); 816 817 /* stop if the source is one that should be TRYLOCAL */ 818 if (initf == nscd_initf && /* request is from the door */ 819 (smf_state == NSCD_SVC_STATE_UNSUPPORTED_SRC || 820 (smf_state == NSCD_SVC_STATE_FOREIGN_SRC && 821 s->be_version_p[n_src] == NULL) || 822 (params.privdb && try_local2(dbi, srci) == 1))) { 823 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 824 (me, "returning TRYLOCAL ... \n"); 825 res = NSS_TRYLOCAL; 826 goto free_nsw_state; 827 } 828 829 if (check_loopback && k != NULL) { 830 831 if (k->srci == srci && k->dbi == dbi) 832 if (k->fnum == search_fnum) { 833 834 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, 835 NSCD_LOG_LEVEL_DEBUG) 836 (me, "loopback detected: " 837 "source = %s, database = %s " 838 "search fnum = %d\n", 839 NSCD_NSW_SRC_NAME(srci), 840 NSCD_NSW_DB_NAME(dbi), search_fnum); 841 842 NSCD_SW_STATS_G.loopback_nsw_db_skipped_g++; 843 NSCD_SW_STATS(dbi).loopback_nsw_db_skipped++; 844 continue; 845 } 846 } 847 848 be = s->be[n_src]; 849 if (be != NULL) 850 funcp = NSS_LOOKUP_DBOP(be, search_fnum); 851 852 /* request could be from within nscd so check states again */ 853 if (be == NULL || (params.dnsi < 0 && (funcp == NULL || 854 (smf_state != NSCD_SVC_STATE_UNINITED && 855 smf_state != NSCD_SVC_STATE_UNSUPPORTED_SRC && 856 smf_state != NSCD_SVC_STATE_FOREIGN_SRC && 857 smf_state < SCF_STATE_ONLINE)))) { 858 859 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, 860 NSCD_LOG_LEVEL_DEBUG) 861 (me, "unable to look up source %s: be = %p, " 862 "smf state = %d, funcp = %p\n", 863 NSCD_NSW_SRC_NAME(srci), be, smf_state, funcp); 864 865 goto next_src; 866 } 867 868 do { 869 /* 870 * we can only retry max_retry times, 871 * otherwise threads may get stuck in this 872 * do-while loop forever 873 */ 874 if (n_loop > max_retry) { 875 if (swret != NULL) 876 res = NSS_TRYLOCAL; 877 goto free_nsw_state; 878 } 879 880 /* 881 * set up to prevent loopback 882 */ 883 if (check_loopback && k == NULL) { 884 key.srci = srci; 885 key.dbi = dbi; 886 key.fnum = search_fnum; 887 key.lb_flagp = &check_loopback; 888 (void) set_loopback_key(&key); 889 k = &key; 890 } 891 892 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, 893 NSCD_LOG_LEVEL_DEBUG) 894 (me, "looking up source = %s, loop# = %d \n", 895 NSCD_NSW_SRC_NAME(srci), n_loop); 896 897 /* 898 * search the backend, if hosts lookups, 899 * try to get the hosts data with ttl first 900 */ 901 if (params.dnsi >= 0) { 902 res = search_dns_withttl(swret, 903 NSCD_NSW_SRC_NAME(srci), params.dnsi); 904 /* 905 * if not able to get ttl, fall back 906 * to the regular backend call 907 */ 908 if (res == NSS_ERROR) 909 res = (*funcp)(be, search_args); 910 else { 911 /* 912 * status/result are in the 913 * packed buffer, not 914 * search_args 915 */ 916 swret->noarg = 1; 917 } 918 } else 919 res = (*funcp)(be, search_args); 920 if (swret != NULL) 921 swret->errnum = errno; 922 923 /* 924 * backend is not up, check and update the 925 * smf state table 926 */ 927 if (res == NSS_UNAVAIL) 928 (void) _nscd_get_smf_state(srci, dbi, 1); 929 930 /* 931 * may need to fall back to use the main nscd 932 * if per-user lookup 933 */ 934 if (_whoami == NSCD_CHILD && swret != NULL) 935 swret->fallback = set_fallback_flag( 936 NSCD_NSW_SRC_NAME(srci), res); 937 938 _NSCD_LOG_IF(NSCD_LOG_SWITCH_ENGINE, 939 NSCD_LOG_LEVEL_DEBUG) { 940 941 /* 942 * set up to trace the result/status 943 * of the dns/ttl lookup 944 */ 945 if (swret != NULL && swret->noarg == 1) { 946 nss_pheader_t *phdr; 947 struct nss_XbyY_args *arg; 948 arg = (struct nss_XbyY_args *) 949 search_args; 950 phdr = (nss_pheader_t *)swret->pbuf; 951 arg->buf.buffer = (char *)phdr + 952 phdr->data_off; 953 arg->returnlen = phdr->data_len; 954 if (phdr->p_errno == ERANGE) 955 arg->erange = 1; 956 arg->h_errno = phdr->p_herrno; 957 } 958 959 trace_result(dbi, srci, search_fnum, res, 960 (nss_XbyY_args_t *)search_args); 961 } 962 963 n_loop++; 964 } while (retry_test(res, n_loop, lkp)); 965 966 next_src: 967 968 status_vec |= (1 << res); 969 970 if (__NSW_ACTION_V1(lkp, res) == __NSW_RETURN) { 971 break; 972 } 973 } 974 975 free_nsw_state: 976 977 if (state_thr == 1) 978 _nscd_put_nsw_state_thread(s); 979 else 980 _nscd_put_nsw_state(s); 981 if (check_loopback && k != NULL) 982 clear_loopback_key(k); 983 984 if (res != NSS_SUCCESS) 985 goto error_exit; 986 987 NSCD_SW_STATS_G.lookup_request_succeeded_g++; 988 NSCD_SW_STATS(dbi).lookup_request_succeeded++; 989 NSCD_SW_STATS_G.lookup_request_in_progress_g--; 990 NSCD_SW_STATS(dbi).lookup_request_in_progress--; 991 992 return (NSS_SUCCESS); 993 994 error_exit: 995 996 NSCD_SW_STATS_G.lookup_request_failed_g++; 997 NSCD_SW_STATS_G.lookup_request_in_progress_g--; 998 NSCD_SW_STATS(dbi).lookup_request_failed++; 999 NSCD_SW_STATS(dbi).lookup_request_in_progress--; 1000 1001 return (res); 1002 } 1003 1004 1005 /* ===> get/set/endent */ 1006 1007 static void nss_setent_u(nss_db_root_t *, 1008 nss_db_initf_t, 1009 nss_getent_t *); 1010 static nss_status_t nss_getent_u(nss_db_root_t *, 1011 nss_db_initf_t, 1012 nss_getent_t *, 1013 void *); 1014 static void nss_endent_u(nss_db_root_t *, 1015 nss_db_initf_t, 1016 nss_getent_t *); 1017 1018 void 1019 nss_setent(nss_db_root_t *rootp, nss_db_initf_t initf, 1020 nss_getent_t *contextpp) 1021 { 1022 if (contextpp == 0) 1023 return; 1024 nss_setent_u(rootp, initf, contextpp); 1025 } 1026 1027 nss_status_t 1028 nss_getent(nss_db_root_t *rootp, nss_db_initf_t initf, nss_getent_t *contextpp, 1029 void *args) 1030 { 1031 nss_status_t status; 1032 1033 if (contextpp == 0) { 1034 return (NSS_UNAVAIL); 1035 } 1036 status = nss_getent_u(rootp, initf, contextpp, args); 1037 return (status); 1038 } 1039 1040 void 1041 nss_endent(nss_db_root_t *rootp, nss_db_initf_t initf, 1042 nss_getent_t *contextpp) 1043 { 1044 if (contextpp == 0) 1045 return; 1046 nss_endent_u(rootp, initf, contextpp); 1047 } 1048 1049 /*ARGSUSED*/ 1050 static void 1051 end_iter_u(nss_db_root_t *rootp, struct nss_getent_context *contextp) 1052 { 1053 nscd_getent_context_t *ctx; 1054 nscd_nsw_state_t *s; 1055 nss_backend_t *be; 1056 int n_src; 1057 1058 ctx = (nscd_getent_context_t *)contextp; 1059 s = ctx->nsw_state; 1060 n_src = ctx->n_src; 1061 be = ctx->be; 1062 1063 if (s != 0) { 1064 if (n_src < s->max_src && be != 0) { 1065 (void) NSS_INVOKE_DBOP(be, NSS_DBOP_ENDENT, 0); 1066 ctx->be = 0; /* Should be unnecessary, but hey */ 1067 } 1068 } 1069 ctx->n_src = 0; 1070 } 1071 1072 static void 1073 nss_setent_u(nss_db_root_t *rootp, nss_db_initf_t initf, 1074 nss_getent_t *contextpp) 1075 { 1076 char *me = "nss_setent_u"; 1077 nscd_nsw_state_t *s; 1078 nscd_getent_context_t *contextp; 1079 nscd_nsw_params_t params; 1080 nss_db_root_t root; 1081 nss_backend_t *be; 1082 int n_src, i; 1083 nscd_sw_return_t *swret = NULL; 1084 1085 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1086 (me, "rootp = %p, initf = %p, contextpp = %p \n", 1087 rootp, initf, contextpp); 1088 1089 /* 1090 * Get the nsw db index via the initf function. If unsupported 1091 * database, no need to continue 1092 */ 1093 if (getparams(-1, initf, ¶ms) == NSCD_CFG_UNSUPPORTED_SWITCH_DB) 1094 return; 1095 1096 /* get address of the switch engine return data area */ 1097 if (initf == nscd_initf) 1098 swret = (nscd_sw_return_t *)params.p.private; 1099 1100 /* if no privilege to look up, return */ 1101 if (params.privdb == 1 && swret != NULL && 1102 _nscd_check_client_priv(NSCD_READ_PRIV) != 0) { 1103 1104 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1105 (me, "no privilege \n"); 1106 return; 1107 } 1108 1109 if ((contextp = (nscd_getent_context_t *)contextpp->ctx) == 0) { 1110 if ((_nscd_get_getent_ctx(contextpp, ¶ms)) != 1111 NSCD_SUCCESS) { 1112 return; 1113 } 1114 contextp = (nscd_getent_context_t *)contextpp->ctx; 1115 } 1116 s = contextp->nsw_state; 1117 1118 if (s == 0) { 1119 if (_nscd_get_nsw_state(&root, ¶ms) != 1120 NSCD_SUCCESS) { 1121 return; 1122 } 1123 s = (nscd_nsw_state_t *)root.s; 1124 contextp->nsw_state = s; 1125 1126 } else { 1127 s = contextp->nsw_state; 1128 n_src = contextp->n_src; 1129 be = contextp->be; 1130 if (n_src == 0 && be != 0) { 1131 /* 1132 * Optimization: don't do endent, don't change 1133 * backends, just do the setent. Look Ma, no locks 1134 * (nor any context that needs updating). 1135 */ 1136 (void) NSS_INVOKE_DBOP(be, NSS_DBOP_SETENT, 0); 1137 return; 1138 } 1139 if (n_src < s->max_src && be != 0) { 1140 (void) NSS_INVOKE_DBOP(be, NSS_DBOP_ENDENT, 0); 1141 contextp->be = 0; /* Play it safe */ 1142 } 1143 } 1144 for (n_src = 0, be = 0; n_src < s->max_src && 1145 (be = s->be[n_src]) == 0; n_src++) { 1146 ; 1147 } 1148 1149 contextp->n_src = n_src; 1150 contextp->be = be; 1151 1152 if (be == 0) { 1153 /* Things are broken enough that we can't do setent/getent */ 1154 nss_endent_u(rootp, initf, contextpp); 1155 return; 1156 } 1157 1158 /* 1159 * make sure all the backends are supported 1160 */ 1161 for (i = 0; i < s->max_src; i++) { 1162 int st, srci; 1163 1164 if (s->be[i] == NULL) 1165 continue; 1166 1167 srci = (*s->nsw_cfg_p)->src_idx[i]; 1168 st = _nscd_get_smf_state(srci, params.dbi, 1); 1169 if (st == NSCD_SVC_STATE_UNSUPPORTED_SRC || 1170 (st == NSCD_SVC_STATE_FOREIGN_SRC && 1171 s->be_version_p[i] == NULL && initf == nscd_initf) || 1172 st == NSCD_SVC_STATE_UNINITED || 1173 (params.privdb && 1174 try_local2(params.dbi, srci) == 1)) { 1175 nss_endent_u(rootp, initf, contextpp); 1176 1177 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, 1178 NSCD_LOG_LEVEL_DEBUG) 1179 (me, "backend (%s) not available (state = %d)\n", 1180 NSCD_NSW_SRC_NAME(srci), st); 1181 1182 return; 1183 } 1184 } 1185 1186 (void) NSS_INVOKE_DBOP(be, NSS_DBOP_SETENT, 0); 1187 } 1188 1189 nss_status_t 1190 nss_getent_u(nss_db_root_t *rootp, nss_db_initf_t initf, 1191 nss_getent_t *contextpp, void *args) 1192 { 1193 char *me = "nss_getent_u"; 1194 nscd_nsw_state_t *s; 1195 nscd_getent_context_t *contextp; 1196 int n_src; 1197 nss_backend_t *be; 1198 1199 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1200 (me, "rootp = %p, initf = %p, contextpp = %p, args = %p\n", 1201 rootp, initf, contextpp, args); 1202 1203 if ((contextp = (nscd_getent_context_t *)contextpp->ctx) == 0) { 1204 nss_setent_u(rootp, initf, contextpp); 1205 if ((contextp = (nscd_getent_context_t *)contextpp->ctx) == 0) { 1206 /* Give up */ 1207 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, 1208 NSCD_LOG_LEVEL_ERROR) 1209 (me, "not able to obtain getent context ... give up\n"); 1210 1211 return (NSS_UNAVAIL); 1212 } 1213 } 1214 1215 s = contextp->nsw_state; 1216 n_src = contextp->n_src; 1217 be = contextp->be; 1218 1219 if (s == 0) { 1220 /* 1221 * We've done an end_iter() and haven't done nss_setent() 1222 * or nss_endent() since; we should stick in this state 1223 * until the caller invokes one of those two routines. 1224 */ 1225 return (NSS_SUCCESS); 1226 } 1227 1228 while (n_src < s->max_src) { 1229 nss_status_t res; 1230 struct __nsw_lookup_v1 *lkp = NULL; 1231 int n; 1232 1233 /* get the nsw config for the current source */ 1234 lkp = s->config->lookups; 1235 for (n = 0; n < n_src; n++) 1236 lkp = lkp->next; 1237 1238 if (be == 0) { 1239 /* If it's null it's a bug, but let's play safe */ 1240 res = NSS_UNAVAIL; 1241 } else { 1242 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, 1243 NSCD_LOG_LEVEL_DEBUG) 1244 (me, "database: %s, backend: %s, nsswitch config: %s\n", 1245 NSCD_NSW_DB_NAME(s->dbi), 1246 lkp->service_name, 1247 (*s->nsw_cfg_p)->nsw_cfg_str); 1248 1249 res = NSS_INVOKE_DBOP(be, NSS_DBOP_GETENT, args); 1250 } 1251 1252 if (__NSW_ACTION_V1(lkp, res) == __NSW_RETURN) { 1253 if (res != __NSW_SUCCESS) { 1254 end_iter_u(rootp, 1255 (struct nss_getent_context *)contextp); 1256 } 1257 return (res); 1258 } 1259 (void) NSS_INVOKE_DBOP(be, NSS_DBOP_ENDENT, 0); 1260 do { 1261 n_src++; 1262 } while (n_src < s->max_src && 1263 (be = s->be[n_src]) == 0); 1264 if (be == 0) { 1265 /* 1266 * This is the case where we failed to get the backend 1267 * for the last source. We exhausted all sources. 1268 */ 1269 nss_endent_u(rootp, initf, contextpp); 1270 return (NSS_NOTFOUND); 1271 } 1272 contextp->n_src = n_src; 1273 contextp->be = be; 1274 (void) NSS_INVOKE_DBOP(be, NSS_DBOP_SETENT, 0); 1275 } 1276 /* Got to the end of the sources without finding another entry */ 1277 end_iter_u(rootp, (struct nss_getent_context *)contextp); 1278 return (NSS_SUCCESS); 1279 /* success is either a successful entry or end of the sources */ 1280 } 1281 1282 /*ARGSUSED*/ 1283 void 1284 nss_endent_u(nss_db_root_t *rootp, nss_db_initf_t initf, 1285 nss_getent_t *contextpp) 1286 { 1287 char *me = "nss_endent_u"; 1288 nscd_getent_context_t *contextp; 1289 1290 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1291 (me, "rootp = %p, initf = %p, contextpp = %p \n", 1292 rootp, initf, contextpp); 1293 1294 if ((contextp = (nscd_getent_context_t *)contextpp->ctx) == 0) { 1295 /* nss_endent() on an unused context is a no-op */ 1296 return; 1297 } 1298 1299 if (_nscd_is_getent_ctx_in_use(contextp) == 0) { 1300 end_iter_u(rootp, (struct nss_getent_context *)contextp); 1301 _nscd_put_getent_ctx(contextp); 1302 contextpp->ctx = NULL; 1303 } 1304 } 1305 1306 /* 1307 * _nss_db_state_destr() and nss_delete() do nothing in nscd 1308 * but is needed to make the caller (below nscd) happy 1309 */ 1310 /*ARGSUSED*/ 1311 void 1312 _nss_db_state_destr(struct nss_db_state *s) 1313 { 1314 /* nsw state in nscd is always reused, so do nothing here */ 1315 } 1316 1317 /*ARGSUSED*/ 1318 void 1319 nss_delete(nss_db_root_t *rootp) 1320 { 1321 /* 1322 * the only resource kept tracked by the nss_db_root_t 1323 * is the nsw state which is always reused and no need 1324 * to be freed. So just return. 1325 */ 1326 } 1327 1328 /* 1329 * Start of nss_psearch/nss_psetent()/nss_pgetent()/nss_pendent() 1330 * buffers switch entry points 1331 */ 1332 1333 /* 1334 * nss_psearch opens a packed structure header, assembles a local 1335 * nss_XbyY_args_t structure and calls the local copy of nss_search. 1336 * The return data is assembled in "files native format" in the 1337 * return buffer location. Status if packed back up with the buffer 1338 * and the whole wad is returned to the cache or the client. 1339 */ 1340 1341 void 1342 nss_psearch(void *buffer, size_t length) 1343 { 1344 /* inputs */ 1345 nss_db_initf_t initf; 1346 int dbop; 1347 int rc; 1348 nss_XbyY_args_t arg; 1349 nss_status_t status; 1350 nscd_sw_return_t swret = { 0 }, *swrp = &swret; 1351 nss_pheader_t *pbuf = (nss_pheader_t *)buffer; 1352 char *me = "nss_psearch"; 1353 1354 if (buffer == NULL || length == 0) { 1355 NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT); 1356 return; 1357 } 1358 1359 status = nss_packed_arg_init(buffer, length, 1360 NULL, &initf, &dbop, &arg); 1361 if (status != NSS_SUCCESS) { 1362 NSCD_SET_STATUS(pbuf, status, -1); 1363 return; 1364 } 1365 1366 /* 1367 * pass the address of the return data area 1368 * for the switch engine to return its own data 1369 */ 1370 (void) memcpy(&pbuf->nscdpriv, &swrp, sizeof (swrp)); 1371 swret.pbuf = buffer; 1372 swret.pbufsiz = length; 1373 swret.datalen = pbuf->data_len; 1374 1375 /* 1376 * use the generic nscd_initf for all database lookups 1377 * (the TSD key is the pointer to the packed header) 1378 */ 1379 rc = set_initf_key(pbuf); 1380 if (rc != 0) { 1381 NSCD_SET_STATUS(pbuf, NSS_UNAVAIL, EINVAL); 1382 return; 1383 } 1384 initf = nscd_initf; 1385 1386 /* Perform local search and pack results into return buffer */ 1387 /* nscd's search ignores db_root */ 1388 status = nss_search(NULL, initf, dbop, &arg); 1389 1390 /* 1391 * If status is NSS_NOTFOUND and ldap also returned 1392 * NSS_NOTFOUND, it is possible that the user does 1393 * not have a credential, so check and see if 1394 * needs to return NSS_ALTRETRY to let the main 1395 * nscd get a chance to process the lookup 1396 */ 1397 if (swret.fallback == 1 && status == NSS_NOTFOUND) { 1398 OM_uint32 (*func)(); 1399 OM_uint32 stat; 1400 nscd_rc_t rc; 1401 1402 rc = get_gss_func((void **)&func); 1403 if (rc == NSCD_SUCCESS) { 1404 if (func(&stat, GSS_C_NO_CREDENTIAL, 1405 NULL, NULL, NULL, NULL) != GSS_S_COMPLETE) { 1406 1407 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, 1408 NSCD_LOG_LEVEL_DEBUG) 1409 (me, "NSS_ALTRETRY: fallback to main nscd needed\n"); 1410 1411 status = NSS_ALTRETRY; 1412 } 1413 } 1414 } 1415 1416 NSCD_SET_STATUS(pbuf, status, -1); 1417 errno = swret.errnum; 1418 1419 /* 1420 * Move result/status from args to packed buffer only if 1421 * arg was being used and rc from the switch engine is not 1422 * NSS_TRYLOCAL. 1423 */ 1424 if (!swret.noarg && status != NSS_TRYLOCAL) 1425 nss_packed_set_status(buffer, length, status, &arg); 1426 1427 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1428 (me, "switch engine result: source is %s, status %d, " 1429 "herrno is %d, errno is %s\n", 1430 (swret.srci != -1) ? NSCD_NSW_SRC_NAME(swret.srci) : "<NOTSET>", 1431 pbuf->p_status, pbuf->p_herrno, strerror(pbuf->p_errno)); 1432 1433 /* clear the TSD key used by the generic initf */ 1434 clear_initf_key(); 1435 pbuf->nscdpriv = 0; 1436 } 1437 1438 static void 1439 nscd_map_contextp(void *buffer, nss_getent_t *contextp, 1440 nssuint_t **cookie_num_p, nssuint_t **seqnum_p, int setent) 1441 { 1442 nss_pheader_t *pbuf = (nss_pheader_t *)buffer; 1443 nssuint_t off; 1444 nscd_getent_context_t *ctx; 1445 char *me = "nscd_map_contextp"; 1446 nscd_getent_p1_cookie_t *cookie; 1447 1448 if (buffer == NULL) { 1449 NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT); 1450 return; 1451 } 1452 1453 off = pbuf->key_off; 1454 cookie = (nscd_getent_p1_cookie_t *)((void *)((char *)buffer + off)); 1455 if (seqnum_p != NULL) 1456 *seqnum_p = &cookie->p1_seqnum; 1457 1458 /* 1459 * if called by nss_psetent, and the passed in cookie number 1460 * is NSCD_NEW_COOKIE, then there is no cookie yet, return a 1461 * pointer pointing to where the cookie number will be stored. 1462 * Also because there is no cookie to validate, just return 1463 * success. 1464 * 1465 * On the other hand, if a cookie number is passed in, we need 1466 * to validate the cookie number before returning. 1467 */ 1468 if (cookie_num_p != NULL) 1469 *cookie_num_p = &cookie->p1_cookie_num; 1470 if (setent == 1 && cookie->p1_cookie_num == NSCD_NEW_COOKIE) { 1471 NSCD_SET_STATUS_SUCCESS(pbuf); 1472 return; 1473 } 1474 1475 /* 1476 * If the sequence number and start time match nscd's p0 cookie, 1477 * then either setent was done twice in a row or this is the 1478 * first getent after the setent, return success as well. 1479 */ 1480 if (cookie->p1_seqnum == NSCD_P0_COOKIE_SEQNUM) { 1481 nscd_getent_p0_cookie_t *p0c = 1482 (nscd_getent_p0_cookie_t *)cookie; 1483 if (p0c->p0_time == _nscd_get_start_time()) { 1484 NSCD_SET_STATUS_SUCCESS(pbuf); 1485 return; 1486 } 1487 } 1488 1489 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1490 (me, "cookie # = %lld, sequence # = %lld\n", 1491 cookie->p1_cookie_num, cookie->p1_seqnum); 1492 1493 ctx = _nscd_is_getent_ctx(cookie->p1_cookie_num); 1494 1495 if (ctx == NULL) { 1496 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1497 (me, "No matching context found (cookie number: %lld)\n", 1498 cookie->p1_cookie_num); 1499 1500 NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT); 1501 return; 1502 } 1503 1504 /* if not called by nss_psetent, verify sequence number */ 1505 if (setent != 1 && ctx->seq_num != 1506 (nscd_seq_num_t)cookie->p1_seqnum) { 1507 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1508 (me, "invalid sequence # (%lld)\n", cookie->p1_seqnum); 1509 1510 _nscd_free_ctx_if_aborted(ctx); 1511 NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT); 1512 return; 1513 } 1514 1515 contextp->ctx = (struct nss_getent_context *)ctx; 1516 1517 NSCD_SET_STATUS_SUCCESS(pbuf); 1518 } 1519 1520 void 1521 nss_psetent(void *buffer, size_t length, pid_t pid) 1522 { 1523 nss_getent_t context = { 0 }; 1524 nss_getent_t *contextp = &context; 1525 nssuint_t *cookie_num_p; 1526 nssuint_t *seqnum_p; 1527 nss_pheader_t *pbuf = (nss_pheader_t *)buffer; 1528 nscd_getent_p0_cookie_t *p0c; 1529 char *me = "nss_psetent"; 1530 1531 if (buffer == NULL || length == 0) { 1532 NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT); 1533 return; 1534 } 1535 1536 /* 1537 * If this is a per-user nscd, and the user does not have 1538 * the necessary credential, return NSS_TRYLOCAL, so the 1539 * setent/getent can be done locally in the process of the 1540 * setent call 1541 */ 1542 if (_whoami == NSCD_CHILD) { 1543 OM_uint32 (*func)(); 1544 OM_uint32 stat; 1545 nscd_rc_t rc; 1546 1547 rc = get_gss_func((void **)&func); 1548 if (rc == NSCD_SUCCESS) { 1549 if (func(&stat, GSS_C_NO_CREDENTIAL, 1550 NULL, NULL, NULL, NULL) != GSS_S_COMPLETE) { 1551 1552 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, 1553 NSCD_LOG_LEVEL_DEBUG) 1554 (me, "NSS_TRYLOCAL: fallback to caller process\n"); 1555 NSCD_SET_STATUS(pbuf, NSS_TRYLOCAL, 0); 1556 return; 1557 } 1558 } 1559 } 1560 1561 /* check cookie number */ 1562 nscd_map_contextp(buffer, contextp, &cookie_num_p, &seqnum_p, 1); 1563 if (NSCD_STATUS_IS_NOT_OK(pbuf)) 1564 return; 1565 1566 /* set cookie number and sequence number */ 1567 p0c = (nscd_getent_p0_cookie_t *)cookie_num_p; 1568 if (contextp->ctx == NULL) { 1569 /* 1570 * first setent (no existing getent context), 1571 * return a p0 cookie 1572 */ 1573 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1574 (me, "first setent, no getent context yet\n"); 1575 } else { 1576 /* 1577 * doing setent on an existing getent context, 1578 * release resources allocated and return a 1579 * p0 cookie 1580 */ 1581 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1582 (me, "setent resetting sequence number = %lld\n", *seqnum_p); 1583 1584 if (_nscd_is_getent_ctx_in_use((nscd_getent_context_t *) 1585 contextp->ctx) == 0) { 1586 /* 1587 * context not in use, release the backend and 1588 * return the context to the pool 1589 */ 1590 end_iter_u(NULL, contextp->ctx); 1591 _nscd_put_getent_ctx( 1592 (nscd_getent_context_t *)contextp->ctx); 1593 contextp->ctx = NULL; 1594 } 1595 } 1596 1597 p0c->p0_pid = pid; 1598 p0c->p0_time = _nscd_get_start_time(); 1599 p0c->p0_seqnum = NSCD_P0_COOKIE_SEQNUM; 1600 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1601 (me, "returning a p0 cookie: pid = %ld, time = %ld, seq #= %llx\n", 1602 p0c->p0_pid, p0c->p0_time, p0c->p0_seqnum); 1603 1604 NSCD_SET_STATUS(pbuf, NSS_SUCCESS, 0); 1605 } 1606 1607 static void 1608 delayed_setent(nss_pheader_t *pbuf, nss_db_initf_t initf, 1609 nss_getent_t *contextp, nssuint_t *cookie_num_p, 1610 nssuint_t *seqnum_p, pid_t pid) 1611 { 1612 nscd_getent_context_t *ctx; 1613 nscd_sw_return_t swret = { 0 }, *swrp = &swret; 1614 char *me = "delayed_setent"; 1615 1616 /* 1617 * check credential 1618 */ 1619 _nscd_APP_check_cred(pbuf, &pid, "NSCD_DELAYED_SETENT", 1620 NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_ERROR); 1621 if (NSCD_STATUS_IS_NOT_OK(pbuf)) { 1622 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1623 (me, "invalid credential\n"); 1624 return; 1625 } 1626 1627 /* 1628 * pass the packed header buffer pointer to nss_setent 1629 */ 1630 (void) memcpy(&pbuf->nscdpriv, &swrp, sizeof (swrp)); 1631 swret.pbuf = pbuf; 1632 1633 /* Perform local setent and set context */ 1634 nss_setent(NULL, initf, contextp); 1635 1636 /* insert cookie info into packed buffer header */ 1637 ctx = (nscd_getent_context_t *)contextp->ctx; 1638 if (ctx != NULL) { 1639 *cookie_num_p = ctx->cookie_num; 1640 *seqnum_p = ctx->seq_num; 1641 ctx->pid = pid; 1642 } else { 1643 /* 1644 * not able to allocate a getent context, the 1645 * client should try the enumeration locally 1646 */ 1647 *cookie_num_p = NSCD_LOCAL_COOKIE; 1648 *seqnum_p = 0; 1649 1650 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1651 (me, "NSS_TRYLOCAL: cookie # = %lld, sequence # = %lld\n", 1652 *cookie_num_p, *seqnum_p); 1653 NSCD_SET_STATUS(pbuf, NSS_TRYLOCAL, 0); 1654 return; 1655 } 1656 1657 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1658 (me, "NSS_SUCCESS: cookie # = %lld, sequence # = %lld\n", 1659 ctx->cookie_num, ctx->seq_num); 1660 1661 NSCD_SET_STATUS(pbuf, NSS_SUCCESS, 0); 1662 } 1663 1664 void 1665 nss_pgetent(void *buffer, size_t length) 1666 { 1667 /* inputs */ 1668 nss_db_initf_t initf; 1669 nss_getent_t context = { 0 }; 1670 nss_getent_t *contextp = &context; 1671 nss_XbyY_args_t arg = { 0}; 1672 nss_status_t status; 1673 nssuint_t *cookie_num_p; 1674 nssuint_t *seqnum_p; 1675 nscd_getent_context_t *ctx; 1676 int rc; 1677 nss_pheader_t *pbuf = (nss_pheader_t *)buffer; 1678 char *me = "nss_pgetent"; 1679 1680 if (buffer == NULL || length == 0) { 1681 NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT); 1682 return; 1683 } 1684 1685 /* verify the cookie passed in */ 1686 nscd_map_contextp(buffer, contextp, &cookie_num_p, &seqnum_p, 0); 1687 if (NSCD_STATUS_IS_NOT_OK(pbuf)) 1688 return; 1689 1690 /* 1691 * use the generic nscd_initf for all the getent requests 1692 * (the TSD key is the pointer to the packed header) 1693 */ 1694 rc = set_initf_key(pbuf); 1695 if (rc != 0) { 1696 NSCD_SET_STATUS(pbuf, NSS_UNAVAIL, EINVAL); 1697 return; 1698 } 1699 initf = nscd_initf; 1700 1701 /* if no context yet, get one */ 1702 if (contextp->ctx == NULL) { 1703 nscd_getent_p0_cookie_t *p0c = 1704 (nscd_getent_p0_cookie_t *)cookie_num_p; 1705 1706 delayed_setent(pbuf, initf, contextp, cookie_num_p, 1707 seqnum_p, p0c->p0_pid); 1708 if (NSCD_STATUS_IS_NOT_OK(pbuf)) { 1709 clear_initf_key(); 1710 return; 1711 } 1712 } 1713 1714 status = nss_packed_context_init(buffer, length, 1715 NULL, &initf, &contextp, &arg); 1716 if (status != NSS_SUCCESS) { 1717 clear_initf_key(); 1718 _nscd_free_ctx_if_aborted( 1719 (nscd_getent_context_t *)contextp->ctx); 1720 NSCD_SET_STATUS(pbuf, status, -1); 1721 return; 1722 } 1723 1724 /* Perform local search and pack results into return buffer */ 1725 status = nss_getent(NULL, initf, contextp, &arg); 1726 NSCD_SET_STATUS(pbuf, status, -1); 1727 nss_packed_set_status(buffer, length, status, &arg); 1728 1729 /* increment sequence number in the buffer and nscd context */ 1730 if (status == NSS_SUCCESS) { 1731 ctx = (nscd_getent_context_t *)contextp->ctx; 1732 ctx->seq_num++; 1733 *seqnum_p = ctx->seq_num; 1734 *cookie_num_p = ctx->cookie_num; 1735 1736 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1737 (me, "getent OK, new sequence # = %lld, len = %lld," 1738 " data = >>%s<<\n", *seqnum_p, 1739 pbuf->data_len, (char *)buffer + pbuf->data_off); 1740 1741 _nscd_free_ctx_if_aborted(ctx); 1742 } else { 1743 /* release the resources used */ 1744 ctx = (nscd_getent_context_t *)contextp->ctx; 1745 if (ctx != NULL && _nscd_is_getent_ctx_in_use(ctx) == 0) { 1746 _nscd_put_getent_ctx(ctx); 1747 contextp->ctx = NULL; 1748 } 1749 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1750 (me, "getent failed, status = %d, sequence # = %lld\n", 1751 status, *seqnum_p); 1752 } 1753 1754 /* clear the TSD key used by the generic initf */ 1755 clear_initf_key(); 1756 } 1757 1758 void 1759 nss_pendent(void *buffer, size_t length) 1760 { 1761 nss_getent_t context = { 0 }; 1762 nss_getent_t *contextp = &context; 1763 nssuint_t *seqnum_p; 1764 nssuint_t *cookie_num_p; 1765 nss_pheader_t *pbuf = (nss_pheader_t *)buffer; 1766 char *me = "nss_pendent"; 1767 1768 if (buffer == NULL || length == 0) { 1769 NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT); 1770 return; 1771 } 1772 1773 /* map the contextp from the cookie information */ 1774 nscd_map_contextp(buffer, contextp, &cookie_num_p, &seqnum_p, 0); 1775 if (NSCD_STATUS_IS_NOT_OK(pbuf)) 1776 return; 1777 1778 if (contextp->ctx == NULL) 1779 return; 1780 1781 _NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG) 1782 (me, "endent, cookie = %lld, sequence # = %lld\n", 1783 *cookie_num_p, *seqnum_p); 1784 1785 /* Perform local endent and reset context */ 1786 nss_endent(NULL, NULL, contextp); 1787 1788 NSCD_SET_STATUS(pbuf, NSS_SUCCESS, 0); 1789 } 1790 1791 /*ARGSUSED*/ 1792 void 1793 nss_pdelete(void *buffer, size_t length) 1794 { 1795 nss_pheader_t *pbuf = (nss_pheader_t *)buffer; 1796 1797 /* unnecessary, kept for completeness */ 1798 NSCD_SET_STATUS_SUCCESS(pbuf); 1799 } 1800