xref: /titanic_44/usr/src/lib/nsswitch/compat/common/compat_common.c (revision 337fc9e235877b459e389f54daf9833bbc645439)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * Common code and structures used by name-service-switch "compat" backends.
26  *
27  * Most of the code in the "compat" backend is a perverted form of code from
28  * the "files" backend;  this file is no exception.
29  */
30 
31 #pragma ident	"%Z%%M%	%I%	%E% SMI"
32 
33 #include <stdio.h>
34 #include <stdlib.h>
35 #include <string.h>
36 #include <ctype.h>
37 #include <bsm/libbsm.h>
38 #include <user_attr.h>
39 #include <pwd.h>
40 #include <shadow.h>
41 #include <grp.h>
42 #include <unistd.h>	/* for GF_PATH */
43 #include <dlfcn.h>
44 #include "compat_common.h"
45 
46 /*
47  * This should be in a header.
48  */
49 
50 extern int yp_get_default_domain(char **domain);
51 
52 /* from libc */
53 extern int str2passwd(const char *instr, int lenstr, void *ent,
54 		char *buffer, int buflen);
55 extern int str2spwd(const char *instr, int lenstr, void *ent,
56 		char *buffer, int buflen);
57 extern int str2group(const char *instr, int lenstr, void *ent,
58 		char *buffer, int buflen);
59 
60 /* from libnsl */
61 extern char *_strtok_escape(char *, char *, char **);
62 
63 /*
64  * str2auuser_s and str2userattr_s are very simple version
65  * of the str2auuser() and str2userattr() that can be found in
66  * libnsl. They only copy the user name into the userstr_t
67  * or au_user_str_t structure (so check on user name can be
68  * performed).
69  */
70 static int
71 str2auuser_s(
72 	const char	*instr,
73 	int		lenstr,
74 	void		*ent,
75 	char		*buffer,
76 	int		buflen)
77 {
78 	char		*last = NULL;
79 	char		*sep = KV_TOKEN_DELIMIT;
80 	au_user_str_t	*au_user = (au_user_str_t *)ent;
81 
82 	if (lenstr >= buflen)
83 		return (NSS_STR_PARSE_ERANGE);
84 	(void) strncpy(buffer, instr, buflen);
85 	au_user->au_name = _strtok_escape(buffer, sep, &last);
86 	return (0);
87 }
88 
89 static int
90 str2userattr_s(
91 	const char	*instr,
92 	int		lenstr,
93 	void		*ent,
94 	char		*buffer,
95 	int		buflen)
96 {
97 	char		*last = NULL;
98 	char		*sep = KV_TOKEN_DELIMIT;
99 	userstr_t	*user = (userstr_t *)ent;
100 
101 	if (lenstr >= buflen)
102 		return (NSS_STR_PARSE_ERANGE);
103 	(void) strncpy(buffer, instr, buflen);
104 	user->name = _strtok_escape(buffer, sep, &last);
105 	return (0);
106 }
107 
108 /*
109  * Routines to manage list of "-" users for get{pw, sp, gr}ent().  Current
110  *   implementation is completely moronic; we use a linked list.  But then
111  *   that's what it's always done in 4.x...
112  */
113 
114 struct setofstrings {
115 	char			*name;
116 	struct setofstrings	*next;
117 	/*
118 	 * === Should get smart and malloc the string and pointer as one
119 	 *	object rather than two.
120 	 */
121 };
122 
123 static void
124 strset_free(ssp)
125 	strset_t	*ssp;
126 {
127 	strset_t	cur, nxt;
128 
129 	for (cur = *ssp;  cur != 0;  cur = nxt) {
130 		nxt = cur->next;
131 		free(cur->name);
132 		free(cur);
133 	}
134 	*ssp = 0;
135 }
136 
137 static boolean_t
138 strset_add(ssp, nam)
139 	strset_t	*ssp;
140 	const char	*nam;
141 {
142 	strset_t	new;
143 
144 	if (0 == (new = (strset_t)malloc(sizeof (*new)))) {
145 		return (B_FALSE);
146 	}
147 	if (0 == (new->name = malloc(strlen(nam) + 1))) {
148 		free(new);
149 		return (B_FALSE);
150 	}
151 	(void) strcpy(new->name, nam);
152 	new->next = *ssp;
153 	*ssp = new;
154 	return (B_TRUE);
155 }
156 
157 static boolean_t
158 strset_in(ssp, nam)
159 	const strset_t	*ssp;
160 	const char	*nam;
161 {
162 	strset_t	cur;
163 
164 	for (cur = *ssp;  cur != 0;  cur = cur->next) {
165 		if (strcmp(cur->name, nam) == 0) {
166 			return (B_TRUE);
167 		}
168 	}
169 	return (B_FALSE);
170 }
171 
172 /*
173  * Lookup and enumeration routines for +@group and -@group.
174  *
175  * This code knows a lot more about lib/libc/port/gen/getnetgrent.c than
176  *   is really healthy.  The set/get/end routines below duplicate code
177  *   from that file, but keep the state information per-backend-instance
178  *   instead of just per-process.
179  */
180 
181 extern void _nss_initf_netgroup(nss_db_params_t *);
182 /*
183  * Should really share the db_root in getnetgrent.c in order to get the
184  *   resource-management quotas right, but this will have to do.
185  */
186 static DEFINE_NSS_DB_ROOT(netgr_db_root);
187 
188 static boolean_t
189 netgr_in(compat_backend_ptr_t be, const char *group, const char *user)
190 {
191 	if (be->yp_domain == 0) {
192 		if (yp_get_default_domain((char **)&be->yp_domain) != 0) {
193 			return (B_FALSE);
194 		}
195 	}
196 	return (innetgr(group, 0, user, be->yp_domain));
197 }
198 
199 static void
200 netgr_set(be, netgroup)
201 	compat_backend_ptr_t	be;
202 	const char		*netgroup;
203 {
204 	/*
205 	 * ===> Need comment to explain that this first "if" is optimizing
206 	 *	for the same-netgroup-as-last-time case
207 	 */
208 	if (be->getnetgrent_backend != 0 &&
209 	    NSS_INVOKE_DBOP(be->getnetgrent_backend,
210 			    NSS_DBOP_SETENT,
211 			    (void *) netgroup) != NSS_SUCCESS) {
212 		NSS_INVOKE_DBOP(be->getnetgrent_backend, NSS_DBOP_DESTRUCTOR,
213 				0);
214 		be->getnetgrent_backend = 0;
215 	}
216 	if (be->getnetgrent_backend == 0) {
217 		struct nss_setnetgrent_args	args;
218 
219 		args.netgroup	= netgroup;
220 		args.iterator	= 0;
221 		(void) nss_search(&netgr_db_root, _nss_initf_netgroup,
222 			NSS_DBOP_NETGROUP_SET, &args);
223 		be->getnetgrent_backend = args.iterator;
224 	}
225 }
226 
227 static boolean_t
228 netgr_next_u(be, up)
229 	compat_backend_ptr_t	be;
230 	char			**up;
231 {
232 	if (be->netgr_buffer == 0 &&
233 	    (be->netgr_buffer = malloc(NSS_BUFLEN_NETGROUP)) == 0) {
234 		/* Out of memory */
235 		return (B_FALSE);
236 	}
237 
238 	do {
239 		struct nss_getnetgrent_args	args;
240 
241 		args.buffer	= be->netgr_buffer;
242 		args.buflen	= NSS_BUFLEN_NETGROUP;
243 		args.status	= NSS_NETGR_NO;
244 
245 		if (be->getnetgrent_backend != 0) {
246 			NSS_INVOKE_DBOP(be->getnetgrent_backend,
247 					NSS_DBOP_GETENT, &args);
248 		}
249 
250 		if (args.status == NSS_NETGR_FOUND) {
251 			*up	  = args.retp[NSS_NETGR_USER];
252 		} else {
253 			return (B_FALSE);
254 		}
255 	} while (*up == 0);
256 	return (B_TRUE);
257 }
258 
259 static void
260 netgr_end(be)
261 	compat_backend_ptr_t	be;
262 {
263 	if (be->getnetgrent_backend != 0) {
264 		NSS_INVOKE_DBOP(be->getnetgrent_backend,
265 				NSS_DBOP_DESTRUCTOR, 0);
266 		be->getnetgrent_backend = 0;
267 	}
268 	if (be->netgr_buffer != 0) {
269 		free(be->netgr_buffer);
270 		be->netgr_buffer = 0;
271 	}
272 }
273 
274 
275 #define	MAXFIELDS 9	/* Sufficient for passwd (7), shadow (9), group (4) */
276 
277 static nss_status_t
278 do_merge(be, args, instr, linelen)
279 	compat_backend_ptr_t	be;
280 	nss_XbyY_args_t		*args;
281 	const char		*instr;
282 	int			linelen;
283 {
284 	char			*fields[MAXFIELDS];
285 	int			i;
286 	int			overrides;
287 	const char		*p;
288 	const char		*end = instr + linelen;
289 	nss_status_t		res = NSS_NOTFOUND;
290 
291 	/*
292 	 * Potential optimization:  only perform the field-splitting nonsense
293 	 *   once per input line (at present, "+" and "+@netgroup" entries
294 	 *   will cause us to do this multiple times in getent() requests).
295 	 */
296 
297 	for (i = 0;  i < MAXFIELDS;  i++) {
298 		fields[i] = 0;
299 	}
300 	for (p = instr, overrides = 0, i = 0; /* no test */; i++) {
301 		const char	*q = memchr(p, ':', end - p);
302 		const char	*r = (q == 0) ? end : q;
303 		ssize_t		len = r - p;
304 
305 		if (len > 0) {
306 			char	*s = malloc(len + 1);
307 			if (s == 0) {
308 				overrides = -1;	/* Indicates "you lose" */
309 				break;
310 			}
311 			(void) memcpy(s, p, len);
312 			s[len] = '\0';
313 			fields[i] = s;
314 			overrides++;
315 		}
316 		if (q == 0) {
317 			/* End of line */
318 			break;
319 		} else {
320 			/* Skip the colon at (*q) */
321 			p = q + 1;
322 		}
323 	}
324 	if (overrides == 1) {
325 		/*
326 		 * return result here if /etc file format is requested
327 		 */
328 		if (be->return_string_data != 1) {
329 			/* No real overrides, return (*args) intact */
330 			res = NSS_SUCCESS;
331 		} else {
332 			free(fields[0]);
333 			fields[0] = NULL;
334 		}
335 	}
336 
337 	if (overrides > 1 || be->return_string_data == 1) {
338 		/*
339 		 * The zero'th field is always nonempty (+/-...), but at least
340 		 *   one other field was also nonempty, i.e. wants to override
341 		 */
342 		switch ((*be->mergef)(be, args, (const char **)fields)) {
343 		    case NSS_STR_PARSE_SUCCESS:
344 			if (be->return_string_data != 1)
345 				args->returnval	= args->buf.result;
346 			else
347 				args->returnval	= args->buf.buffer;
348 			args->erange	= 0;
349 			res = NSS_SUCCESS;
350 			break;
351 		    case NSS_STR_PARSE_ERANGE:
352 			args->returnval	= 0;
353 			args->erange	= 1;
354 			res = NSS_NOTFOUND;
355 			break;
356 		    case NSS_STR_PARSE_PARSE:
357 			args->returnval	= 0;
358 			args->erange	= 0;
359 /* ===> Very likely the wrong thing to do... */
360 			res = NSS_NOTFOUND;
361 			break;
362 		}
363 	} else if (res != NSS_SUCCESS) {
364 		args->returnval	= 0;
365 		args->erange	= 0;
366 		res = NSS_UNAVAIL;	/* ==> Right? */
367 	}
368 
369 	for (i = 0;  i < MAXFIELDS;  i++) {
370 		if (fields[i] != 0) {
371 			free(fields[i]);
372 		}
373 	}
374 
375 	return (res);
376 }
377 
378 /*ARGSUSED*/
379 nss_status_t
380 _nss_compat_setent(be, dummy)
381 	compat_backend_ptr_t	be;
382 	void			*dummy;
383 {
384 	if (be->f == 0) {
385 		if (be->filename == 0) {
386 			/* Backend isn't initialized properly? */
387 			return (NSS_UNAVAIL);
388 		}
389 		if ((be->f = fopen(be->filename, "rF")) == 0) {
390 			return (NSS_UNAVAIL);
391 		}
392 	} else {
393 		rewind(be->f);
394 	}
395 	strset_free(&be->minuses);
396 	/* ===> ??? nss_endent(be->db_rootp, be->db_initf, &be->db_context); */
397 
398 	if ((strcmp(be->filename, USERATTR_FILENAME) == 0) ||
399 	    (strcmp(be->filename, AUDITUSER_FILENAME) == 0))
400 		be->state = GETENT_ATTRDB;
401 	else
402 		be->state = GETENT_FILE;
403 
404 	/* ===> ??  netgroup stuff? */
405 	return (NSS_SUCCESS);
406 }
407 
408 /*ARGSUSED*/
409 nss_status_t
410 _nss_compat_endent(be, dummy)
411 	compat_backend_ptr_t	be;
412 	void			*dummy;
413 {
414 	if (be->f != 0) {
415 		(void) fclose(be->f);
416 		be->f = 0;
417 	}
418 	if (be->buf != 0) {
419 		free(be->buf);
420 		be->buf = 0;
421 	}
422 	nss_endent(be->db_rootp, be->db_initf, &be->db_context);
423 
424 	be->state = GETENT_FILE; /* Probably superfluous but comforting */
425 	strset_free(&be->minuses);
426 	netgr_end(be);
427 
428 	/*
429 	 * Question: from the point of view of resource-freeing vs. time to
430 	 *   start up again, how much should we do in endent() and how much
431 	 *   in the destructor?
432 	 */
433 	return (NSS_SUCCESS);
434 }
435 
436 /*ARGSUSED*/
437 nss_status_t
438 _nss_compat_destr(be, dummy)
439 	compat_backend_ptr_t	be;
440 	void			*dummy;
441 {
442 	if (be != 0) {
443 		if (be->f != 0) {
444 			(void) _nss_compat_endent(be, 0);
445 		}
446 		nss_delete(be->db_rootp);
447 		nss_delete(&netgr_db_root);
448 		free(be->workarea);
449 		free(be);
450 	}
451 	return (NSS_SUCCESS);	/* In case anyone is dumb enough to check */
452 }
453 
454 static int
455 read_line(f, buffer, buflen)
456 	FILE			*f;
457 	char			*buffer;
458 	int			buflen;
459 {
460 	/*CONSTCOND*/
461 	while (1) {
462 		int	linelen;
463 
464 		if (fgets(buffer, buflen, f) == 0) {
465 			/* End of file */
466 			return (-1);
467 		}
468 		linelen = strlen(buffer);
469 		/* linelen >= 1 (since fgets didn't return 0) */
470 
471 		if (buffer[linelen - 1] == '\n') {
472 			/*
473 			 * ===> The code below that calls read_line() doesn't
474 			 *	play by the rules;  it assumes in places that
475 			 *	the line is null-terminated.  For now we'll
476 			 *	humour it.
477 			 */
478 			buffer[--linelen] = '\0';
479 			return (linelen);
480 		}
481 		if (feof(f)) {
482 			/* Line is last line in file, and has no newline */
483 			return (linelen);
484 		}
485 		/* Line too long for buffer;  toss it and loop for next line */
486 		/* ===== should syslog() in cases where previous code did */
487 		while (fgets(buffer, buflen, f) != 0 &&
488 		    buffer[strlen(buffer) - 1] != '\n') {
489 			;
490 		}
491 	}
492 	/*NOTREACHED*/
493 }
494 
495 static int
496 is_nss_lookup_by_name(int attrdb, nss_dbop_t op)
497 {
498 	int result = 0;
499 
500 	if ((attrdb != 0) &&
501 	    ((op == NSS_DBOP_AUDITUSER_BYNAME) ||
502 	    (op == NSS_DBOP_USERATTR_BYNAME))) {
503 		result = 1;
504 	} else if ((attrdb == 0) &&
505 	    ((op == NSS_DBOP_GROUP_BYNAME) ||
506 	    (op == NSS_DBOP_PASSWD_BYNAME) ||
507 	    (op == NSS_DBOP_SHADOW_BYNAME))) {
508 		result = 1;
509 	}
510 
511 	return (result);
512 }
513 
514 /*ARGSUSED*/
515 nss_status_t
516 _attrdb_compat_XY_all(be, argp, netdb, check, op_num)
517     compat_backend_ptr_t be;
518     nss_XbyY_args_t *argp;
519     int netdb;
520     compat_XY_check_func check;
521     nss_dbop_t op_num;
522 {
523 	int		parsestat;
524 	int		(*func)();
525 	const char	*filter = argp->key.name;
526 	nss_status_t	res;
527 
528 #ifdef	DEBUG
529 	(void) fprintf(stdout, "\n[compat_common.c: _attrdb_compat_XY_all]\n");
530 #endif	/* DEBUG */
531 
532 	if (be->buf == 0 &&
533 	    (be->buf = malloc(be->minbuf)) == 0) {
534 		return (NSS_UNAVAIL);
535 	}
536 	if (check != NULL)
537 		if ((res = _nss_compat_setent(be, 0)) != NSS_SUCCESS)
538 			return (res);
539 
540 	res = NSS_NOTFOUND;
541 
542 	/*
543 	 * assume a NULL buf.result pointer is an indication
544 	 * that the lookup result should be returned in /etc
545 	 * file format
546 	 */
547 	if (argp->buf.result == NULL) {
548 		be->return_string_data = 1;
549 
550 		/*
551 		 * the code executed later needs the result struct
552 		 * as working area
553 		 */
554 		argp->buf.result = be->workarea;
555 		func = be->str2ent_alt;
556 	} else
557 		func = argp->str2ent;
558 
559 	/*CONSTCOND*/
560 	while (1) {
561 		int	linelen;
562 		char	*instr	= be->buf;
563 
564 		if ((linelen = read_line(be->f, instr, be->minbuf)) < 0) {
565 			/* End of file */
566 			argp->returnval = 0;
567 			argp->erange    = 0;
568 			break;
569 		}
570 		if (filter != 0 && strstr(instr, filter) == 0) {
571 			/*
572 			 * Optimization:  if the entry doesn't contain the
573 			 * filter string then it can't be the entry we want,
574 			 * so don't bother looking more closely at it.
575 			 */
576 			continue;
577 		}
578 		if (netdb) {
579 			char	*first;
580 			char	*last;
581 
582 			if ((last = strchr(instr, '#')) == 0) {
583 				last = instr + linelen;
584 			}
585 			*last-- = '\0';		/* Nuke '\n' or #comment */
586 
587 			/*
588 			 * Skip leading whitespace.  Normally there isn't
589 			 * any, so it's not worth calling strspn().
590 			 */
591 			for (first = instr;  isspace(*first);  first++) {
592 				;
593 			}
594 			if (*first == '\0') {
595 				continue;
596 			}
597 			/*
598 			 * Found something non-blank on the line.  Skip back
599 			 * over any trailing whitespace;  since we know
600 			 * there's non-whitespace earlier in the line,
601 			 * checking for termination is easy.
602 			 */
603 			while (isspace(*last)) {
604 				--last;
605 			}
606 			linelen = last - first + 1;
607 			if (first != instr) {
608 				instr = first;
609 			}
610 		}
611 		argp->returnval = 0;
612 		parsestat = (*func)(instr, linelen, argp->buf.result,
613 					argp->buf.buffer, argp->buf.buflen);
614 		if (parsestat == NSS_STR_PARSE_SUCCESS) {
615 				argp->returnval = argp->buf.result;
616 			if (check == 0 || (*check)(argp)) {
617 				int	len;
618 
619 				if (be->return_string_data != 1) {
620 					res = NSS_SUCCESS;
621 					break;
622 				}
623 
624 				/* copy string data to result buffer */
625 				argp->buf.result = NULL;
626 				argp->returnval = argp->buf.buffer;
627 				if ((len = strlcpy(argp->buf.buffer, instr,
628 					argp->buf.buflen)) >=
629 					argp->buf.buflen) {
630 					argp->returnval = NULL;
631 					res = NSS_NOTFOUND;
632 					argp->erange = 1;
633 					break;
634 				}
635 
636 				argp->returnlen = len;
637 				res = NSS_SUCCESS;
638 				break;
639 			}
640 		} else if (parsestat == NSS_STR_PARSE_ERANGE) {
641 			res = NSS_NOTFOUND;
642 			argp->erange = 1;
643 			break;
644 		}
645 	}
646 	/*
647 	 * stayopen is set to 0 by default in order to close the opened
648 	 * file.  Some applications may break if it is set to 1.
649 	 */
650 	if (check != 0 && !argp->stayopen) {
651 		(void) _nss_compat_endent(be, 0);
652 	}
653 
654 	if (res != NSS_SUCCESS) {
655 		/*
656 		 * tell the nss_search() and nss_getent() below
657 		 * if the result should be returned in the /etc
658 		 * file format
659 		 */
660 		if (be->return_string_data == 1)
661 			argp->buf.result = NULL;
662 
663 		if ((op_num == NSS_DBOP_USERATTR_BYNAME) ||
664 		    (op_num == NSS_DBOP_AUDITUSER_BYNAME)) {
665 			res = nss_search(be->db_rootp,
666 			    be->db_initf,
667 			    op_num,
668 			    argp);
669 		} else {
670 			res = nss_getent(be->db_rootp,
671 			    be->db_initf, &be->db_context, argp);
672 		}
673 		if (res != NSS_SUCCESS) {
674 			argp->returnval	= 0;
675 			argp->erange	= 0;
676 		}
677 	}
678 
679 	return (res);
680 }
681 
682 nss_status_t
683 _nss_compat_XY_all(be, args, check, op_num)
684 	compat_backend_ptr_t	be;
685 	nss_XbyY_args_t		*args;
686 	compat_XY_check_func	check;
687 	nss_dbop_t		op_num;
688 {
689 	nss_status_t		res;
690 	int			parsestat;
691 
692 
693 	if (be->buf == 0 &&
694 	    (be->buf = malloc(be->minbuf)) == 0) {
695 		return (NSS_UNAVAIL); /* really panic, malloc failed */
696 	}
697 
698 	if ((res = _nss_compat_setent(be, 0)) != NSS_SUCCESS) {
699 		return (res);
700 	}
701 
702 	res = NSS_NOTFOUND;
703 
704 	/*
705 	 * assume a NULL buf.result pointer is an indication
706 	 * that the lookup result should be returned in /etc
707 	 * file format
708 	 */
709 	if (args->buf.result == NULL) {
710 
711 		be->return_string_data = 1;
712 
713 		/*
714 		 * the code executed later needs the result struct
715 		 * as working area
716 		 */
717 		args->buf.result = be->workarea;
718 
719 		be->str2ent_save = args->str2ent;
720 		args->str2ent = be->str2ent_alt;
721 	}
722 
723 	/*CONSTCOND*/
724 	while (1) {
725 		int		linelen;
726 		char		*instr	= be->buf;
727 		char		*colon;
728 
729 		linelen = read_line(be->f, instr, be->minbuf);
730 		if (linelen < 0) {
731 			/* End of file */
732 			args->returnval = 0;
733 			args->erange    = 0;
734 			break;
735 		}
736 
737 		args->returnval = 0;	/* reset for both types of entries */
738 
739 		if (instr[0] != '+' && instr[0] != '-') {
740 			/* Simple, wholesome, God-fearing entry */
741 			parsestat = (*args->str2ent)(instr, linelen,
742 						    args->buf.result,
743 						    args->buf.buffer,
744 						    args->buf.buflen);
745 			if (parsestat == NSS_STR_PARSE_SUCCESS) {
746 				args->returnval = args->buf.result;
747 				if ((*check)(args) != 0) {
748 					int len;
749 					if (be->return_string_data != 1) {
750 						res = NSS_SUCCESS;
751 						break;
752 					}
753 
754 					/*
755 					 * copy string data to
756 					 * result buffer
757 					 */
758 					args->buf.result = NULL;
759 					args->str2ent = be->str2ent_save;
760 					if ((len = strlcpy(args->buf.buffer,
761 						instr, args->buf.buflen)) >=
762 							args->buf.buflen)
763 						parsestat =
764 							NSS_STR_PARSE_ERANGE;
765 					else {
766 						args->returnval =
767 							args->buf.buffer;
768 						args->returnlen = len;
769 						res = NSS_SUCCESS;
770 						break;
771 					}
772 				} else
773 					continue;
774 			}
775 
776 /* ===> Check the Dani logic here... */
777 
778 			if (parsestat == NSS_STR_PARSE_ERANGE) {
779 				args->erange = 1;
780 				res = NSS_NOTFOUND;
781 				break;
782 				/* should we just skip this one long line ? */
783 			} /* else if (parsestat == NSS_STR_PARSE_PARSE) */
784 				/* don't care ! */
785 
786 /* ==> ?? */		continue;
787 		}
788 
789 
790 		/*
791 		 * Process "+", "+name", "+@netgroup", "-name" or "-@netgroup"
792 		 *
793 		 * This code is optimized for lookups by name.
794 		 *
795 		 * For lookups by identifier search key cannot be matched with
796 		 * the name of the "+" or "-" entry. So nss_search() is to be
797 		 * called before extracting the name i.e. via (*be->getnamef)().
798 		 *
799 		 * But for lookups by name, search key is compared with the name
800 		 * of the "+" or "-" entry to acquire a match and thus
801 		 * unnesessary calls to nss_search() is eliminated. Also for
802 		 * matching "-" entries, calls to nss_search() is eliminated.
803 		 */
804 
805 		if ((colon = strchr(instr, ':')) != 0) {
806 			*colon = '\0';	/* terminate field to extract name */
807 		}
808 
809 		if (instr[1] == '@') {
810 			/*
811 			 * Case 1:
812 			 * The entry is of the form "+@netgroup" or
813 			 * "-@netgroup".  If we're performing a lookup by name,
814 			 * we can simply extract the name from the search key
815 			 * (i.e. args->key.name).  If not, then we must call
816 			 * nss_search() before extracting the name via the
817 			 * get_XXname() function. i.e. (*be->getnamef)(args).
818 			 */
819 			if (is_nss_lookup_by_name(0, op_num) != 0) {
820 				/* compare then search */
821 				if (!be->permit_netgroups ||
822 				    !netgr_in(be, instr + 2, args->key.name))
823 					continue;
824 				if (instr[0] == '+') {
825 					/* need to search for "+" entry */
826 					(void) nss_search(be->db_rootp,
827 						be->db_initf, op_num, args);
828 					if (args->returnval == 0)
829 						continue;
830 				}
831 			} else {
832 				/* search then compare */
833 				(void) nss_search(be->db_rootp,
834 					be->db_initf, op_num, args);
835 				if (args->returnval == 0)
836 					continue;
837 				if (!be->permit_netgroups ||
838 				    !netgr_in(be, instr + 2,
839 				    (*be->getnamef)(args)))
840 					continue;
841 			}
842 		} else if (instr[1] == '\0') {
843 			/*
844 			 * Case 2:
845 			 * The entry is of the form "+" or "-".  The former
846 			 * allows all entries from name services.  The latter
847 			 * is illegal and ought to be ignored.
848 			 */
849 			if (instr[0] == '-')
850 				continue;
851 			/* need to search for "+" entry */
852 			(void) nss_search(be->db_rootp, be->db_initf,
853 				op_num, args);
854 			if (args->returnval == 0)
855 				continue;
856 		} else {
857 			/*
858 			 * Case 3:
859 			 * The entry is of the form "+name" or "-name".
860 			 * If we're performing a lookup by name, we can simply
861 			 * extract the name from the search key
862 			 * (i.e. args->key.name).  If not, then we must call
863 			 * nss_search() before extracting the name via the
864 			 * get_XXname() function. i.e. (*be->getnamef)(args).
865 			 */
866 			if (is_nss_lookup_by_name(0, op_num) != 0) {
867 				/* compare then search */
868 				if (strcmp(instr + 1, args->key.name) != 0)
869 					continue;
870 				if (instr[0] == '+') {
871 					/* need to search for "+" entry */
872 					(void) nss_search(be->db_rootp,
873 						be->db_initf, op_num, args);
874 					if (args->returnval == 0)
875 						continue;
876 				}
877 			} else {
878 				/* search then compare */
879 				(void) nss_search(be->db_rootp,
880 					be->db_initf, op_num, args);
881 				if (args->returnval == 0)
882 					continue;
883 				if (strcmp(instr + 1, (*be->getnamef)(args))
884 				    != 0)
885 					continue;
886 			}
887 		}
888 		if (instr[0] == '-') {
889 			/* no need to search for "-" entry */
890 			args->returnval = 0;
891 			args->erange = 0;
892 			res = NSS_NOTFOUND;
893 		} else {
894 			if (colon != 0)
895 				*colon = ':';	/* restoration */
896 			res = do_merge(be, args, instr, linelen);
897 		}
898 		break;
899 	}
900 
901 	/*
902 	 * stayopen is set to 0 by default in order to close the opened
903 	 * file.  Some applications may break if it is set to 1.
904 	 */
905 	if (!args->stayopen) {
906 		(void) _nss_compat_endent(be, 0);
907 	}
908 
909 	if (be->return_string_data == 1) {
910 		args->str2ent = be->str2ent_save;
911 	}
912 
913 	return (res);
914 }
915 
916 nss_status_t
917 _nss_compat_getent(be, a)
918 	compat_backend_ptr_t	be;
919 	void			*a;
920 {
921 	nss_XbyY_args_t		*args = (nss_XbyY_args_t *)a;
922 	nss_status_t		res;
923 	char			*colon = 0; /* <=== need comment re lifetime */
924 
925 	if (be->f == 0) {
926 		if ((res = _nss_compat_setent(be, 0)) != NSS_SUCCESS) {
927 			return (res);
928 		}
929 	}
930 
931 	if (be->buf == 0 &&
932 	    (be->buf = malloc(be->minbuf)) == 0) {
933 		return (NSS_UNAVAIL); /* really panic, malloc failed */
934 	}
935 
936 	/*
937 	 * assume a NULL buf.result pointer is an indication
938 	 * that the lookup result should be returned in /etc
939 	 * file format
940 	 */
941 	if (args->buf.result == NULL) {
942 		be->return_string_data = 1;
943 
944 		/*
945 		 * the code executed later needs the result struct
946 		 * as working area
947 		 */
948 		args->buf.result = be->workarea;
949 	}
950 
951 	/*CONSTCOND*/
952 	while (1) {
953 		char		*instr	= be->buf;
954 		int		linelen;
955 		char		*name;	/* === Need more distinctive label */
956 		const char	*savename;
957 
958 		/*
959 		 * In the code below...
960 		 *    break	means "I found one, I think" (i.e. goto the
961 		 *		code after the end of the switch statement),
962 		 *    continue	means "Next candidate"
963 		 *		(i.e. loop around to the switch statement),
964 		 *    return	means "I'm quite sure" (either Yes or No).
965 		 */
966 		switch (be->state) {
967 
968 		    case GETENT_DONE:
969 			args->returnval	= 0;
970 			args->erange	= 0;
971 			return (NSS_NOTFOUND);
972 
973 		    case GETENT_ATTRDB:
974 			args->key.name = NULL;
975 			res = _attrdb_compat_XY_all(be,
976 			    args, 1, (compat_XY_check_func)NULL, 0);
977 			return (res);
978 
979 		    case GETENT_FILE:
980 			linelen = read_line(be->f, instr, be->minbuf);
981 			if (linelen < 0) {
982 				/* End of file */
983 				be->state = GETENT_DONE;
984 				continue;
985 			}
986 			if ((colon = strchr(instr, ':')) != 0) {
987 				*colon = '\0';
988 			}
989 			if (instr[0] == '-') {
990 				if (instr[1] != '@') {
991 					(void) strset_add(&be->minuses,
992 						instr + 1);
993 				} else if (be->permit_netgroups) {
994 					netgr_set(be, instr + 2);
995 					while (netgr_next_u(be, &name)) {
996 						(void) strset_add(&be->minuses,
997 							name);
998 					}
999 					netgr_end(be);
1000 				} /* Else (silently) ignore the entry */
1001 				continue;
1002 			} else if (instr[0] != '+') {
1003 				int	parsestat;
1004 				/*
1005 				 * Normal entry, no +/- nonsense
1006 				 */
1007 				if (colon != 0) {
1008 					*colon = ':';
1009 				}
1010 				args->returnval = 0;
1011 				parsestat = (*args->str2ent)(instr, linelen,
1012 							args->buf.result,
1013 							args->buf.buffer,
1014 							args->buf.buflen);
1015 				if (parsestat == NSS_STR_PARSE_SUCCESS) {
1016 					int	len;
1017 
1018 					if (be->return_string_data != 1) {
1019 						args->returnval =
1020 							args->buf.result;
1021 						return (NSS_SUCCESS);
1022 					}
1023 
1024 					/*
1025 					 * copy string data to
1026 					 * result buffer
1027 					 */
1028 					args->buf.result = NULL;
1029 					args->returnval =
1030 						args->buf.buffer;
1031 					if ((len = strlcpy(args->buf.buffer,
1032 						instr, args->buf.buflen)) >=
1033 						args->buf.buflen)
1034 						parsestat =
1035 							NSS_STR_PARSE_ERANGE;
1036 					else {
1037 						args->returnlen = len;
1038 						return (NSS_SUCCESS);
1039 					}
1040 				}
1041 				/* ==> ?? Treat ERANGE differently ?? */
1042 				if (parsestat == NSS_STR_PARSE_ERANGE) {
1043 					args->returnval = 0;
1044 					args->erange = 1;
1045 					return (NSS_NOTFOUND);
1046 				}
1047 				/* Skip the offending entry, get next */
1048 				continue;
1049 			} else if (instr[1] == '\0') {
1050 				/* Plain "+" */
1051 				nss_setent(be->db_rootp, be->db_initf,
1052 					&be->db_context);
1053 				be->state = GETENT_ALL;
1054 				be->linelen = linelen;
1055 
1056 				continue;
1057 			} else if (instr[1] == '@') {
1058 				/* "+@netgroup" */
1059 				netgr_set(be, instr + 2);
1060 				be->state = GETENT_NETGROUP;
1061 				be->linelen = linelen;
1062 				continue;
1063 			} else {
1064 				/* "+name" */
1065 				name = instr + 1;
1066 				break;
1067 			}
1068 			/* NOTREACHED */
1069 
1070 		    case GETENT_ALL:
1071 			linelen = be->linelen;
1072 			args->returnval = 0;
1073 			if (be->return_string_data == 1) {
1074 				be->str2ent_save = args->str2ent;
1075 				args->str2ent = be->str2ent_alt;
1076 			}
1077 
1078 			(void) nss_getent(be->db_rootp, be->db_initf,
1079 				&be->db_context, args);
1080 			if (args->returnval == 0) {
1081 				/* ==> ?? Treat ERANGE differently ?? */
1082 				nss_endent(be->db_rootp, be->db_initf,
1083 					&be->db_context);
1084 				be->state = GETENT_FILE;
1085 				if (be->return_string_data == 1)
1086 					args->str2ent = be->str2ent_save;
1087 				continue;
1088 			}
1089 			if (strset_in(&be->minuses, (*be->getnamef)(args)))
1090 				continue;
1091 			name = 0; /* tell code below we've done the lookup */
1092 			if (be->return_string_data == 1)
1093 				args->str2ent = be->str2ent_save;
1094 			break;
1095 
1096 		    case GETENT_NETGROUP:
1097 			linelen = be->linelen;
1098 			if (!netgr_next_u(be, &name)) {
1099 				netgr_end(be);
1100 				be->state = GETENT_FILE;
1101 				continue;
1102 			}
1103 			/* pass "name" variable to code below... */
1104 			break;
1105 		}
1106 
1107 		if (name != 0) {
1108 			if (strset_in(&be->minuses, name)) {
1109 				continue;
1110 			}
1111 			/*
1112 			 * Do a getXXXnam(name).  If we were being pure,
1113 			 *   we'd introduce yet another function-pointer
1114 			 *   that the database-specific code had to supply
1115 			 *   to us.  Instead we'll be grotty and hard-code
1116 			 *   the knowledge that
1117 			 *	(a) The username is always passwd in key.name,
1118 			 *	(b) NSS_DBOP_PASSWD_BYNAME ==
1119 			 *		NSS_DBOP_SHADOW_BYNAME ==
1120 			 *		NSS_DBOP_next_iter.
1121 			 */
1122 			savename = args->key.name;
1123 			args->key.name	= name;
1124 			args->returnval	= 0;
1125 			if (be->return_string_data == 1) {
1126 				be->str2ent_save = args->str2ent;
1127 				args->str2ent = be->str2ent_alt;
1128 			}
1129 
1130 			(void) nss_search(be->db_rootp, be->db_initf,
1131 				NSS_DBOP_next_iter, args);
1132 
1133 			if (be->return_string_data == 1)
1134 				args->str2ent = be->str2ent_save;
1135 			args->key.name = savename;  /* In case anyone cares */
1136 		}
1137 		/*
1138 		 * Found one via "+", "+name" or "@netgroup".
1139 		 * Override some fields if the /etc file says to do so.
1140 		 */
1141 		if (args->returnval == 0) {
1142 			/* ==> ?? Should treat erange differently? */
1143 			continue;
1144 		}
1145 		/* 'colon' was set umpteen iterations ago in GETENT_FILE */
1146 		if (colon != 0) {
1147 			*colon = ':';
1148 			colon = 0;
1149 		}
1150 		return (do_merge(be, args, instr, linelen));
1151 	}
1152 	/*NOTREACHED*/
1153 }
1154 
1155 /* We don't use this directly;  we just copy the bits when we want to	 */
1156 /* initialize the variable (in the compat_backend struct) that we do use */
1157 static DEFINE_NSS_GETENT(context_initval);
1158 
1159 nss_backend_t *
1160 _nss_compat_constr(ops, n_ops, filename, min_bufsize, rootp, initf, netgroups,
1161 		getname_func, merge_func)
1162 	compat_backend_op_t	ops[];
1163 	int			n_ops;
1164 	const char		*filename;
1165 	int			min_bufsize;
1166 	nss_db_root_t		*rootp;
1167 	nss_db_initf_t		initf;
1168 	int			netgroups;
1169 	compat_get_name		getname_func;
1170 	compat_merge_func	merge_func;
1171 {
1172 	compat_backend_ptr_t	be;
1173 
1174 	if ((be = (compat_backend_ptr_t)malloc(sizeof (*be))) == 0) {
1175 		return (0);
1176 	}
1177 	be->ops		= ops;
1178 	be->n_ops	= n_ops;
1179 	be->filename	= filename;
1180 	be->f		= 0;
1181 	be->minbuf	= min_bufsize;
1182 	be->buf		= 0;
1183 
1184 	be->db_rootp	= rootp;
1185 	be->db_initf	= initf;
1186 	be->db_context	= context_initval;
1187 
1188 	be->getnamef	= getname_func;
1189 	be->mergef	= merge_func;
1190 
1191 	be->state = GETENT_FILE;    /* i.e. do Automatic setent(); */
1192 	if (strcmp(be->filename, USERATTR_FILENAME) == 0) {
1193 		be->state = GETENT_ATTRDB;
1194 		be->str2ent_alt = str2userattr_s;
1195 		be->workarea = calloc(1, sizeof (userstr_t));
1196 	} else if (strcmp(be->filename, AUDITUSER_FILENAME) == 0) {
1197 		be->state = GETENT_ATTRDB;
1198 		be->str2ent_alt = str2auuser_s;
1199 		be->workarea = calloc(1, sizeof (au_user_str_t));
1200 	} else if (strcmp(be->filename, PASSWD) == 0) {
1201 		be->str2ent_alt = str2passwd;
1202 		be->workarea = calloc(1, sizeof (struct passwd));
1203 	} else if (strcmp(be->filename, SHADOW) == 0) {
1204 		be->str2ent_alt = str2spwd;
1205 		be->workarea = calloc(1, sizeof (struct spwd));
1206 	} else { /* group */
1207 		be->str2ent_alt = str2group;
1208 		be->workarea = calloc(1, sizeof (struct group));
1209 	}
1210 	if (be->workarea == NULL)
1211 		return (NULL);
1212 
1213 	be->minuses	= 0;
1214 
1215 	be->permit_netgroups = netgroups;
1216 	be->yp_domain	= 0;
1217 	be->getnetgrent_backend	= 0;
1218 	be->netgr_buffer = 0;
1219 	be->return_string_data = 0;
1220 
1221 	return ((nss_backend_t *)be);
1222 }
1223