| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-1 was used everywhere, but -EBADF or -EBADFD started being used in various
places. Let's make things consistent in the new style.
Note that there are two candidates:
EBADF 9 Bad file descriptor
EBADFD 77 File descriptor in bad state
Since we're initializating the fd, we're just assigning a value that means
"no fd yet", so it's just a bad file descriptor, and the first errno fits
better. If instead we had a valid file descriptor that became invalid because
of some operation or state change, the other errno would fit better.
In some places, initialization is dropped if unnecessary.
|
|
|
|
| |
ESRCH is literally "No such process".
|
|
|
|
|
| |
Sometimes we want to suppress strerror() message because the are providing
something better. But in those cases, it seems it was just forgotten.
|
| |
|
|
|
|
|
|
| |
correctly
Fixes: #21215 #21222
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The lower-level userdb code will return ENOLINK if varlink lookups are
disabled explicitly and we couldn#t find an answer any other way. Let's
not propagate this to clients, since they don't have control over this
feature anyway: we decide internally when to disable varlink lookups
(e.g. if DropIn lookups are requested we disable them) and to the client
side that should not be visible: if we can't find a record with the
flags we pick then we should report then we can't find any, and that's
it.
Fixes: #21223
|
|
|
|
| |
Fixes: #20809. Bug introduced in 8fbb1941f1a8c3d9eda920891b2b51a67f2a2375
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We want user records to be extensible, hence we shouldn't complain about
fields we can't parse. In particular we want them to be extensible for
our own future extensions.
Some code already turned the permissive flag when parsing the JSON data,
but most did not. Fix that. A few select cases remain where the bit is
not set: where we just gnerated the JSON data ourselves, and thus can be
reasonably sure that if we can't parse it it's our immediate programming
error and not just us processing a user record from some other tool or a
newer version of ourselves.
|
|
|
|
|
| |
Let's explicitly support looking things up via dropin as a varlink
service.
|
|
|
|
| |
Hopefully fixes CID#1452937.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So far we basically had two ways to iterate through NSS records: one via
the varlink IPC and one via the userdb.[ch] infra, with slightly
different implementations.
Let's clean this up, and always use userdb.[ch] also when resolving via
userdbd. The different codepaths for the NameServiceSwitch and the
Multiplexer varlink service now differ only in the different flags
passed to the userdb lookup.
Behaviour shouldn't change by this. This is mostly refactoring, reducing
redundant codepaths.
|
|
|
|
| |
It may be useful when debugging daemons.
|
| |
|
|
|
|
|
| |
They both are both short and contain similar parts and various helper will be
shared between both parts of the code so it's easier to use a single file.
|
|\
| |
| | |
rework nss-systemd recursion lock
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously we'd used the existance of a specific AF_UNIX socket in the
abstract namespace as lock for disabling lookup recursions. (for
breaking out of the loop: userdb synthesized from nss → nss synthesized
from userdb → userdb synthesized from nss → …)
I did it like that because it promised to work the same both in static
and in dynmically linked environments and is accessible easily from any
programming language.
However, it has a weakness regarding reuse attacks: the socket is
securely hashed (siphash) from the thread ID in combination with the
AT_RANDOM secret. Thus it should not be guessable from an attacker in
advance. That's only true if a thread takes the lock only once and
keeps it forever. However, if a thread takes and releases it multiple
times an attacker might monitor that and quickly take the lock
after the first iteration for follow-up iterations.
It's not a big issue given that userdb (as the primary user for this)
never released the lock and we never made the concept a public
interface, and it was only included in one release so far, but it's
something that deserves fixing. (moreover it's a local DoS only, only
permitting to disable native userdb lookups)
With this rework the libnss_systemd.so.2 module will now export two
additional symbols. These symbols are not used by glibc, but can be used
by arbitrary programs: one can be used to disable nss-systemd, the other
to check if it is currently disabled.
The lock is per-thread. It's slightly less pretty, since it requires
people to manually link against C code via dlopen()/dlsym(), but it
should work safely without the aforementioned weakness.
|
| |
| |
| |
| |
| |
| |
| |
| | |
Prompted by the discussion on #16110, let's migrate more code to
fd_wait_for_event().
This only leaves 7 places where we call into poll()/poll() directly in
our entire codebase. (one of which is fd_wait_for_event() itself)
|
|/
|
|
|
|
|
|
|
|
|
|
|
| |
poll() sets POLLNVAL inside of the poll structures if an invalid fd is
passed. So far we generally didn't check for that, thus not taking
notice of the error. Given that this specific kind of error is generally
indication of a programming error, and given that our code is embedded
into our projects via NSS or because people link against our library,
let's explicitly check for this and convert it to EBADF.
(I ran into a busy loop because of this missing check when some of my
test code accidentally closed an fd it shouldn't close, so this is a
real thing)
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
That's what you get for changing these signals around, after checking
everything works, not before.
Bad, Lennart, bad!
Fixes: #15085
|
|
|