authorLennart Poettering <lennart@poettering.net>2021-05-05 15:53:07 +0200
committerLennart Poettering <lennart@poettering.net>2021-05-08 14:25:24 +0200
commit09001dbdc88f447656d79822bbff9c6d7ed7e5cf (patch)
tree0f156b419ce3771e71dd2025385900200f3e1966 /src/nss-systemd
parent3d56acef7f73fd7a2e9f23b89340e0849283078d (diff)
downloadsystemd-09001dbdc88f447656d79822bbff9c6d7ed7e5cf.tar.gz
nss-systemd: set USERDB_SUPPRESS_SHADOW flag when looking up user records
Setting the flag means we won't try to read the data from /etc/shadow when reading a user record, thus making conversion slightly quicker and reducing the chance of generating MAC faults caused by needlessly accessing a privileged resource. Previously, passing the flag didn't matter when converting our JSON records to NSS, since the flag only had an effect on whether to use NSS getspnam() and related calls or not. But given that we turn off NSS anyway as backend for this conversion (since we want to avoid NSS loops, where we turn NSS data to our JSON user records, and then to NSS forever and ever) it was unnecessary to pass it. This changed in one of the previous commits however, where we added support for reading user definitions from drop-in files, with separate drop-in files for the shadow data.
Diffstat (limited to 'src/nss-systemd')
-rw-r--r--src/nss-systemd/userdb-glue.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/src/nss-systemd/userdb-glue.c b/src/nss-systemd/userdb-glue.c
index 73941b2ba5..4b04d03c95 100644
--- a/src/nss-systemd/userdb-glue.c
+++ b/src/nss-systemd/userdb-glue.c
@@ -79,7 +79,7 @@ enum nss_status userdb_getpwnam(
if (_nss_systemd_is_blocked())
return NSS_STATUS_NOTFOUND;
- r = userdb_by_name(name, nss_glue_userdb_flags(), &hr);
+ r = userdb_by_name(name, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &hr);
if (r == -ESRCH)
return NSS_STATUS_NOTFOUND;
if (r < 0) {
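Review bot: The expression `nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW` is now spelled out at every lookup in this file (here in userdb_getpwnam, and again in userdb_getpwuid, userdb_getgrnam and both hunks of userdb_getgrgid), so a lookup added later can omit the flag without anyone noticing and go back to touching the shadow drop-ins from whatever process loaded the NSS module. If no caller of nss_glue_userdb_flags() needs shadow data (its other callers are not visible in this diff), consider OR-ing the flag inside that helper so the privileged read is off by default. Failing that, the rationale currently lives only in the commit message; a comment at the first call site would keep it with the code, e.g. `/* passwd/group conversion never needs shadow data; avoid touching the privileged drop-ins (and the MAC denials that causes) */`. The body of userdb_getpwnam starts and ends outside this hunk.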
@@ -112,7 +112,7 @@ enum nss_status userdb_getpwuid(
if (_nss_systemd_is_blocked())
return NSS_STATUS_NOTFOUND;
- r = userdb_by_uid(uid, nss_glue_userdb_flags(), &hr);
+ r = userdb_by_uid(uid, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &hr);
if (r == -ESRCH)
return NSS_STATUS_NOTFOUND;
if (r < 0) {
@@ -209,13 +209,13 @@ enum nss_status userdb_getgrnam(
if (_nss_systemd_is_blocked())
return NSS_STATUS_NOTFOUND;
- r = groupdb_by_name(name, nss_glue_userdb_flags(), &g);
+ r = groupdb_by_name(name, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &g);
if (r < 0 && r != -ESRCH) {
*errnop = -r;
return NSS_STATUS_UNAVAIL;
}
- r = membershipdb_by_group_strv(name, nss_glue_userdb_flags(), &members);
+ r = membershipdb_by_group_strv(name, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &members);
if (r < 0 && r != -ESRCH) {
*errnop = -r;
return NSS_STATUS_UNAVAIL;
@@ -277,7 +277,7 @@ enum nss_status userdb_getgrgid(
if (_nss_systemd_is_blocked())
return NSS_STATUS_NOTFOUND;
- r = groupdb_by_gid(gid, nss_glue_userdb_flags(), &g);
+ r = groupdb_by_gid(gid, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &g);
if (r < 0 && r != -ESRCH) {
*errnop = -r;
return NSS_STATUS_UNAVAIL;
@@ -308,7 +308,7 @@ enum nss_status userdb_getgrgid(
} else
from_nss = false;
- r = membershipdb_by_group_strv(g->group_name, nss_glue_userdb_flags(), &members);
+ r = membershipdb_by_group_strv(g->group_name, nss_glue_userdb_flags()|USERDB_SUPPRESS_SHADOW, &members);
if (r < 0 && r != -ESRCH) {
*errnop = -r;
return NSS_STATUS_UNAVAIL;