authorAndrew Tridgell <tridge@samba.org>2002-07-14 23:45:55 +0000
committerAndrew Tridgell <tridge@samba.org>2002-07-14 23:45:55 +0000
commitc7c49d87af5e9a0bef058e6d79188d8b11fefc02 (patch)
treecd1b64d623c4a732872fa9ef4e336e1269ef74b2
parentd378ac1e2efb0efc9a0f983d69cf678ca6255fd5 (diff)
after thinking about the env variable hack for avoiding group membership
enumeration I realised it could be a security hole for setuid progs. This adds a proper nss function instead.
-rw-r--r--source/nsswitch/winbind_nss.c34
1 files changed, 20 insertions, 14 deletions
diff --git a/source/nsswitch/winbind_nss.c b/source/nsswitch/winbind_nss.c
index 681bcd2bf7b..5dc3d32279a 100644
--- a/source/nsswitch/winbind_nss.c
+++ b/source/nsswitch/winbind_nss.c
@@ -1054,14 +1054,15 @@ _nss_winbind_endgrent(void)
/* Get next entry from ntdom group database */
-NSS_STATUS
-_nss_winbind_getgrent_r(struct group *result,
- char *buffer, size_t buflen, int *errnop)
+static NSS_STATUS
+winbind_getgrent(enum winbindd_cmd cmd,
+ struct group *result,
+ char *buffer, size_t buflen, int *errnop)
{
NSS_STATUS ret;
static struct winbindd_request request;
static int called_again;
- enum winbindd_cmd cmd;
+
#ifdef DEBUG_NSS
fprintf(stderr, "[%5d]: getgrent\n", getpid());
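Review bot: `request` and `called_again` remain function-static in `winbind_getgrent`, so the two commands that now reach this helper share one enumeration cursor and, judging by the `&getgrent_response` argument in the next hunk, one cached response. If a process interleaves `_nss_winbind_getgrent_r` and `_nss_winbind_getgrlst_r` between setgrent and endgrent, a batch fetched with WINBINDD_GETGRLST could presumably be handed back from the GETGRENT path with whatever member data that command leaves out, which matters to any caller that makes access decisions from `gr_mem`. Consider remembering which command filled the cache, e.g. `static enum winbindd_cmd last_cmd;` and discarding the cached batch when `cmd != last_cmd`, or state in the comment above the function that the two iterators must not be mixed. The body continues outside this hunk, so the cache-reuse logic itself is not visible here.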
@@ -1085,16 +1086,6 @@ _nss_winbind_getgrent_r(struct group *result,
request.data.num_entries = MAX_GETGRENT_USERS;
- /* this is a hack to work around the fact that posix doesn't
- define a 'list groups' call and listing all group members can
- be *very* expensive. We use an environment variable to give
- us a saner call (tridge) */
- if (getenv("WINBIND_GETGRLST")) {
- cmd = WINBINDD_GETGRLST;
- } else {
- cmd = WINBINDD_GETGRENT;
- }
-
ret = winbindd_request(cmd, &request,
&getgrent_response);
@@ -1153,6 +1144,21 @@ _nss_winbind_getgrent_r(struct group *result,
return ret;
}
+
+NSS_STATUS
+_nss_winbind_getgrent_r(struct group *result,
+ char *buffer, size_t buflen, int *errnop)
+{
+ return winbind_getgrent(WINBINDD_GETGRENT, result, buffer, buflen, errnop);
+}
+
+NSS_STATUS
+_nss_winbind_getgrlst_r(struct group *result,
+ char *buffer, size_t buflen, int *errnop)
+{
+ return winbind_getgrent(WINBINDD_GETGRLST, result, buffer, buflen, errnop);
+}
+
/* Return group struct from group name */
NSS_STATUS
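Review bot: `_nss_winbind_getgrlst_r` is added with no comment, and it is not one of the standard NSS entry points, so a reader cannot tell who is expected to call it or how its results differ from `_nss_winbind_getgrent_r`. Going by the commit message, it exists to enumerate groups without the expensive membership lookup; if that is right, the returned `struct group` probably carries an empty or incomplete `gr_mem`, and that should be written down so no caller treats it as authoritative. Something like `/* Non-standard entry point: enumerate groups via WINBINDD_GETGRLST (no member enumeration). Results must not be used for membership checks. */` above the function would do, adjusted to what the command really returns. A matching one-line comment on `_nss_winbind_getgrent_r` noting that it is now a thin wrapper around `winbind_getgrent` would keep the pair readable.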