diff options
author | Lennart Poettering <lennart@poettering.net> | 2020-04-23 09:55:06 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-04-23 23:07:08 +0200 |
commit | 9494da41c271bb9519d3484b6016526a72cc6be5 (patch) | |
tree | b616cc3bbf403750948c9381d50c72b24fb0461d /src/nss-systemd | |
parent | 68b5003bc1fae2ed29b71998647b01a1a5244232 (diff) | |
download | systemd-9494da41c271bb9519d3484b6016526a72cc6be5.tar.gz |
nss-systemd: don't synthesize root/nobody when iterating
Fixes: #15160
Diffstat (limited to 'src/nss-systemd')
-rw-r--r-- | src/nss-systemd/nss-systemd.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c index 4d63d8a2f0..6a2d9c885e 100644 --- a/src/nss-systemd/nss-systemd.c +++ b/src/nss-systemd/nss-systemd.c @@ -310,7 +310,12 @@ enum nss_status _nss_systemd_setpwent(int stayopen) { getpwent_data.iterator = userdb_iterator_free(getpwent_data.iterator); getpwent_data.by_membership = false; - r = userdb_all(nss_glue_userdb_flags(), &getpwent_data.iterator); + /* Don't synthesize root/nobody when iterating. Let nss-files take care of that. If the two records + * are missing there, then that's fine, after all getpwent() is known to be possibly incomplete + * (think: LDAP/NIS type situations), and our synthesizing of root/nobody is a robustness fallback + * only, which matters for getpwnam()/getpwuid() primarily, which are the main NSS entrypoints to the + * user database. */ + r = userdb_all(nss_glue_userdb_flags() | USERDB_DONT_SYNTHESIZE, &getpwent_data.iterator); return r < 0 ? NSS_STATUS_UNAVAIL : NSS_STATUS_SUCCESS; } @@ -329,7 +334,8 @@ enum nss_status _nss_systemd_setgrent(int stayopen) { getgrent_data.iterator = userdb_iterator_free(getgrent_data.iterator); getpwent_data.by_membership = false; - r = groupdb_all(nss_glue_userdb_flags(), &getgrent_data.iterator); + /* See _nss_systemd_setpwent() for an explanation why we use USERDB_DONT_SYNTHESIZE here */ + r = groupdb_all(nss_glue_userdb_flags() | USERDB_DONT_SYNTHESIZE, &getgrent_data.iterator); return r < 0 ? NSS_STATUS_UNAVAIL : NSS_STATUS_SUCCESS; } |