From c7c49d87af5e9a0bef058e6d79188d8b11fefc02 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 14 Jul 2002 23:45:55 +0000 Subject: after thinking about the env variable hack for avoiding group membership enumeration I realised it could be a security hole for setuid progs. This adds a proper nss function instead. --- source/nsswitch/winbind_nss.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/source/nsswitch/winbind_nss.c b/source/nsswitch/winbind_nss.c index 681bcd2bf7b..5dc3d32279a 100644 --- a/source/nsswitch/winbind_nss.c +++ b/source/nsswitch/winbind_nss.c @@ -1054,14 +1054,15 @@ _nss_winbind_endgrent(void) /* Get next entry from ntdom group database */ -NSS_STATUS -_nss_winbind_getgrent_r(struct group *result, - char *buffer, size_t buflen, int *errnop) +static NSS_STATUS +winbind_getgrent(enum winbindd_cmd cmd, + struct group *result, + char *buffer, size_t buflen, int *errnop) { NSS_STATUS ret; static struct winbindd_request request; static int called_again; - enum winbindd_cmd cmd; + #ifdef DEBUG_NSS fprintf(stderr, "[%5d]: getgrent\n", getpid()); @@ -1085,16 +1086,6 @@ _nss_winbind_getgrent_r(struct group *result, request.data.num_entries = MAX_GETGRENT_USERS; - /* this is a hack to work around the fact that posix doesn't - define a 'list groups' call and listing all group members can - be *very* expensive. We use an environment variable to give - us a saner call (tridge) */ - if (getenv("WINBIND_GETGRLST")) { - cmd = WINBINDD_GETGRLST; - } else { - cmd = WINBINDD_GETGRENT; - } - ret = winbindd_request(cmd, &request, &getgrent_response); @@ -1153,6 +1144,21 @@ _nss_winbind_getgrent_r(struct group *result, return ret; } + +NSS_STATUS +_nss_winbind_getgrent_r(struct group *result, + char *buffer, size_t buflen, int *errnop) +{ + return winbind_getgrent(WINBINDD_GETGRENT, result, buffer, buflen, errnop); +} + +NSS_STATUS +_nss_winbind_getgrlst_r(struct group *result, + char *buffer, size_t buflen, int *errnop) +{ + return winbind_getgrent(WINBINDD_GETGRLST, result, buffer, buflen, errnop); +} + /* Return group struct from group name */ NSS_STATUS -- cgit