diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 20:46:53 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 20:46:53 +0000 |
commit | 19da58be2d9359a9641381feb559be0b918ef710 (patch) | |
tree | 109724175f07436696f51b14b5abbd3f4d704d6d /lib/subordinateio.c | |
parent | Initial commit. (diff) | |
download | shadow-19da58be2d9359a9641381feb559be0b918ef710.tar.xz shadow-19da58be2d9359a9641381feb559be0b918ef710.zip |
Adding upstream version 1:4.13+dfsg1.upstream/1%4.13+dfsg1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'lib/subordinateio.c')
-rw-r--r-- | lib/subordinateio.c | 1102 |
1 files changed, 1102 insertions, 0 deletions
diff --git a/lib/subordinateio.c b/lib/subordinateio.c new file mode 100644 index 0000000..bd1af26 --- /dev/null +++ b/lib/subordinateio.c @@ -0,0 +1,1102 @@ +/* + * SPDX-FileCopyrightText: 2012 - Eric Biederman + */ + +#include <config.h> + +#ifdef ENABLE_SUBIDS + +#include "prototypes.h" +#include "defines.h" +#include <stdio.h> +#include "commonio.h" +#include "subordinateio.h" +#include "../libsubid/subid.h" +#include <sys/types.h> +#include <pwd.h> +#include <ctype.h> +#include <fcntl.h> + +#define ID_SIZE 31 + +/* + * subordinate_dup: create a duplicate range + * + * @ent: a pointer to a subordinate_range struct + * + * Returns a pointer to a newly allocated duplicate subordinate_range struct + * or NULL on failure + */ +static /*@null@*/ /*@only@*/void *subordinate_dup (const void *ent) +{ + const struct subordinate_range *rangeent = ent; + struct subordinate_range *range; + + range = (struct subordinate_range *) malloc (sizeof *range); + if (NULL == range) { + return NULL; + } + range->owner = strdup (rangeent->owner); + if (NULL == range->owner) { + free(range); + return NULL; + } + range->start = rangeent->start; + range->count = rangeent->count; + + return range; +} + +/* + * subordinate_free: free a subordinate_range struct + * + * @ent: pointer to a subordinate_range struct to free. + */ +static void subordinate_free (/*@out@*/ /*@only@*/void *ent) +{ + struct subordinate_range *rangeent = ent; + + free ((void *)(rangeent->owner)); + free (rangeent); +} + +/* + * subordinate_parse: + * + * @line: a line to parse + * + * Returns a pointer to a subordinate_range struct representing the values + * in @line, or NULL on failure. Note that the returned value should not + * be freed by the caller. + */ +static void *subordinate_parse (const char *line) +{ + static struct subordinate_range range; + static char rangebuf[1024]; + int i; + char *cp; + char *fields[SUBID_NFIELDS]; + + /* + * Copy the string to a temporary buffer so the substrings can + * be modified to be NULL terminated. + */ + if (strlen (line) >= sizeof rangebuf) + return NULL; /* fail if too long */ + strcpy (rangebuf, line); + + /* + * Save a pointer to the start of each colon separated + * field. The fields are converted into NUL terminated strings. + */ + + for (cp = rangebuf, i = 0; (i < SUBID_NFIELDS) && (NULL != cp); i++) { + fields[i] = cp; + while (('\0' != *cp) && (':' != *cp)) { + cp++; + } + + if ('\0' != *cp) { + *cp = '\0'; + cp++; + } else { + cp = NULL; + } + } + + /* + * There must be exactly SUBID_NFIELDS colon separated fields or + * the entry is invalid. Also, fields must be non-blank. + */ + if (i != SUBID_NFIELDS || *fields[0] == '\0' || *fields[1] == '\0' || *fields[2] == '\0') + return NULL; + range.owner = fields[0]; + if (getulong (fields[1], &range.start) == 0) + return NULL; + if (getulong (fields[2], &range.count) == 0) + return NULL; + + return ⦥ +} + +/* + * subordinate_put: print a subordinate_range value to a file + * + * @ent: a pointer to a subordinate_range struct to print out. + * @file: file to which to print. + * + * Returns 0 on success, -1 on error. + */ +static int subordinate_put (const void *ent, FILE * file) +{ + const struct subordinate_range *range = ent; + + return fprintf(file, "%s:%lu:%lu\n", + range->owner, + range->start, + range->count) < 0 ? -1 : 0; +} + +static struct commonio_ops subordinate_ops = { + subordinate_dup, /* dup */ + subordinate_free, /* free */ + NULL, /* getname */ + subordinate_parse, /* parse */ + subordinate_put, /* put */ + fgets, /* fgets */ + fputs, /* fputs */ + NULL, /* open_hook */ + NULL, /* close_hook */ +}; + +/* + * range_exists: Check whether @owner owns any ranges + * + * @db: database to query + * @owner: owner being queried + * + * Returns true if @owner owns any subuid ranges, false otherwise. + */ +static bool range_exists(struct commonio_db *db, const char *owner) +{ + const struct subordinate_range *range; + commonio_rewind(db); + while ((range = commonio_next(db)) != NULL) { + if (0 == strcmp(range->owner, owner)) + return true; + } + return false; +} + +/* + * find_range: find a range which @owner is authorized to use which includes + * subuid @val. + * + * @db: database to query + * @owner: owning uid being queried + * @val: subuid being searched for. + * + * Returns a range of subuids belonging to @owner and including the subuid + * @val, or NULL if no such range exists. + */ +static const struct subordinate_range *find_range(struct commonio_db *db, + const char *owner, unsigned long val) +{ + const struct subordinate_range *range; + + /* + * Search for exact username/group specification + * + * This is the original method - go fast through the db, doing only + * exact username/group string comparison. Therefore we leave it as-is + * for the time being, in order to keep it equally fast as it was + * before. + */ + commonio_rewind(db); + while ((range = commonio_next(db)) != NULL) { + unsigned long first = range->start; + unsigned long last = first + range->count - 1; + + if (0 != strcmp(range->owner, owner)) + continue; + + if ((val >= first) && (val <= last)) + return range; + } + + + /* + * We only do special handling for these two files + */ + if ((0 != strcmp(db->filename, "/etc/subuid")) && (0 != strcmp(db->filename, "/etc/subgid"))) + return NULL; + + /* + * Search loop above did not produce any result. Let's rerun it, + * but this time try to match actual UIDs. The first entry that + * matches is considered a success. + * (It may be specified as literal UID or as another username which + * has the same UID as the username we are looking for.) + */ + struct passwd *pwd; + uid_t owner_uid; + char owner_uid_string[33] = ""; + + + /* Get UID of the username we are looking for */ + pwd = getpwnam(owner); + if (NULL == pwd) { + /* Username not defined in /etc/passwd, or error occurred during lookup */ + return NULL; + } + owner_uid = pwd->pw_uid; + sprintf(owner_uid_string, "%lu", (unsigned long int)owner_uid); + + commonio_rewind(db); + while ((range = commonio_next(db)) != NULL) { + unsigned long first = range->start; + unsigned long last = first + range->count - 1; + + /* For performance reasons check range before using getpwnam() */ + if ((val < first) || (val > last)) { + continue; + } + + /* + * Range matches. Check if range owner is specified + * as numeric UID and if it matches. + */ + if (0 == strcmp(range->owner, owner_uid_string)) { + return range; + } + + /* + * Ok, this range owner is not specified as numeric UID + * we are looking for. It may be specified as another + * UID or as a literal username. + * + * If specified as another UID, the call to getpwnam() + * will return NULL. + * + * If specified as literal username, we will get its + * UID and compare that to UID we are looking for. + */ + const struct passwd *range_owner_pwd; + + range_owner_pwd = getpwnam(range->owner); + if (NULL == range_owner_pwd) { + continue; + } + + if (owner_uid == range_owner_pwd->pw_uid) { + return range; + } + } + + return NULL; +} + +/* + * have_range: check whether @owner is authorized to use the range + * (@start .. @start+@count-1). + * @db: database to check + * @owner: owning uid being queried + * @start: start of range + * @count: number of uids in range + * + * Returns true if @owner is authorized to use the range, false otherwise. + */ +static bool have_range(struct commonio_db *db, + const char *owner, unsigned long start, unsigned long count) +{ + const struct subordinate_range *range; + unsigned long end; + + if (count == 0) + return false; + + end = start + count - 1; + range = find_range (db, owner, start); + while (range) { + unsigned long last; + + last = range->start + range->count - 1; + if (last >= (start + count - 1)) + return true; + + count = end - last; + start = last + 1; + range = find_range(db, owner, start); + } + return false; +} + +static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n) +{ + if (!*ranges) { + *ranges = malloc(sizeof(struct subid_range)); + if (!*ranges) + return false; + } else { + struct subid_range *alloced; + alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range))); + if (!alloced) + return false; + *ranges = alloced; + } + (*ranges)[n].start = new->start; + (*ranges)[n].count = new->count; + return true; +} + +void free_subordinate_ranges(struct subordinate_range **ranges, int count) +{ + int i; + + if (!ranges) + return; + for (i = 0; i < count; i++) + subordinate_free(ranges[i]); + free(ranges); +} + +/* + * subordinate_range_cmp: compare uid ranges + * + * @p1: pointer to a commonio_entry struct to compare + * @p2: pointer to second commonio_entry struct to compare + * + * Returns 0 if the entries are the same. Otherwise return -1 + * if the range in p1 is lower than that in p2, or (if the ranges are + * equal) if the owning uid in p1 is lower than p2's. Return 1 if p1's + * range or owning uid is great than p2's. + */ +static int subordinate_range_cmp (const void *p1, const void *p2) +{ + struct subordinate_range *range1, *range2; + + if ((*(struct commonio_entry **) p1)->eptr == NULL) + return 1; + if ((*(struct commonio_entry **) p2)->eptr == NULL) + return -1; + + range1 = ((struct subordinate_range *) (*(struct commonio_entry **) p1)->eptr); + range2 = ((struct subordinate_range *) (*(struct commonio_entry **) p2)->eptr); + + if (range1->start < range2->start) + return -1; + else if (range1->start > range2->start) + return 1; + else if (range1->count < range2->count) + return -1; + else if (range1->count > range2->count) + return 1; + else + return strcmp(range1->owner, range2->owner); +} + +/* + * find_free_range: find an unused consecutive sequence of ids to allocate + * to a user. + * @db: database to search + * @min: the first uid in the range to find + * @max: the highest uid to find + * @count: the number of uids needed + * + * Return the lowest new uid, or ULONG_MAX on failure. + */ +static unsigned long find_free_range(struct commonio_db *db, + unsigned long min, unsigned long max, + unsigned long count) +{ + const struct subordinate_range *range; + unsigned long low, high; + + /* When given invalid parameters fail */ + if ((count == 0) || (max < min)) + goto fail; + + /* Sort by range then by owner */ + commonio_sort (db, subordinate_range_cmp); + commonio_rewind(db); + + low = min; + while ((range = commonio_next(db)) != NULL) { + unsigned long first = range->start; + unsigned long last = first + range->count - 1; + + /* Find the top end of the hole before this range */ + high = first; + + /* Don't allocate IDs after max (included) */ + if (high > max + 1) { + high = max + 1; + } + + /* Is the hole before this range large enough? */ + if ((high > low) && ((high - low) >= count)) + return low; + + /* Compute the low end of the next hole */ + if (low < (last + 1)) + low = last + 1; + if (low > max) + goto fail; + } + + /* Is the remaining unclaimed area large enough? */ + if (((max - low) + 1) >= count) + return low; +fail: + return ULONG_MAX; +} + +/* + * add_range: add a subuid range to an owning uid's list of authorized + * subuids. + * @db: database to which to add + * @owner: uid which owns the subuid + * @start: the first uid in the owned range + * @count: the number of uids in the range + * + * Return 1 if the range is already present or on success. On error + * return 0 and set errno appropriately. + */ +static int add_range(struct commonio_db *db, + const char *owner, unsigned long start, unsigned long count) +{ + struct subordinate_range range; + range.owner = owner; + range.start = start; + range.count = count; + + /* See if the range is already present */ + if (have_range(db, owner, start, count)) + return 1; + + /* Otherwise append the range */ + return commonio_append(db, &range); +} + +/* + * remove_range: remove a range of subuids from an owning uid's list + * of authorized subuids. + * @db: database to work on + * @owner: owning uid whose range is being removed + * @start: start of the range to be removed + * @count: number of uids in the range. + * + * Returns 0 on failure, 1 on success. Failure means that we needed to + * create a new range to represent the new limits, and failed doing so. + */ +static int remove_range (struct commonio_db *db, + const char *owner, + unsigned long start, unsigned long count) +{ + struct commonio_entry *ent; + unsigned long end; + + if (count == 0) { + return 1; + } + + end = start + count - 1; + for (ent = db->head; NULL != ent; ent = ent->next) { + struct subordinate_range *range = ent->eptr; + unsigned long first; + unsigned long last; + + /* Skip unparsed entries */ + if (NULL == range) { + continue; + } + + first = range->start; + last = first + range->count - 1; + + /* Skip entries with a different owner */ + if (0 != strcmp (range->owner, owner)) { + continue; + } + + /* Skip entries outside of the range to remove */ + if ((end < first) || (start > last)) { + continue; + } + + if (start <= first) { + if (end >= last) { + /* to be removed: [start, end] + * range: [first, last] */ + /* entry completely contained in the + * range to remove */ + commonio_del_entry (db, ent); + } else { + /* to be removed: [start, end] + * range: [first, last] */ + /* Remove only the start of the entry */ + range->start = end + 1; + range->count = (last - range->start) + 1; + + ent->changed = true; + db->changed = true; + } + } else { + if (end >= last) { + /* to be removed: [start, end] + * range: [first, last] */ + /* Remove only the end of the entry */ + range->count = start - range->start; + + ent->changed = true; + db->changed = true; + } else { + /* to be removed: [start, end] + * range: [first, last] */ + /* Remove the middle of the range + * This requires to create a new range */ + struct subordinate_range tail; + tail.owner = range->owner; + tail.start = end + 1; + tail.count = (last - tail.start) + 1; + + if (commonio_append (db, &tail) == 0) { + return 0; + } + + range->count = start - range->start; + + ent->changed = true; + db->changed = true; + } + } + } + + return 1; +} + +static struct commonio_db subordinate_uid_db = { + "/etc/subuid", /* filename */ + &subordinate_ops, /* ops */ + NULL, /* fp */ +#ifdef WITH_SELINUX + NULL, /* scontext */ +#endif + 0644, /* st_mode */ + 0, /* st_uid */ + 0, /* st_gid */ + NULL, /* head */ + NULL, /* tail */ + NULL, /* cursor */ + false, /* changed */ + false, /* isopen */ + false, /* locked */ + false, /* readonly */ + false /* setname */ +}; + +int sub_uid_setdbname (const char *filename) +{ + return commonio_setname (&subordinate_uid_db, filename); +} + +/*@observer@*/const char *sub_uid_dbname (void) +{ + return subordinate_uid_db.filename; +} + +bool sub_uid_file_present (void) +{ + return commonio_present (&subordinate_uid_db); +} + +int sub_uid_lock (void) +{ + return commonio_lock (&subordinate_uid_db); +} + +int sub_uid_open (int mode) +{ + return commonio_open (&subordinate_uid_db, mode); +} + +bool local_sub_uid_assigned(const char *owner) +{ + return range_exists (&subordinate_uid_db, owner); +} + +bool have_sub_uids(const char *owner, uid_t start, unsigned long count) +{ + struct subid_nss_ops *h; + bool found; + enum subid_status status; + h = get_subid_nss_handle(); + if (h) { + status = h->has_range(owner, start, count, ID_TYPE_UID, &found); + if (status == SUBID_STATUS_SUCCESS && found) + return true; + return false; + } + return have_range (&subordinate_uid_db, owner, start, count); +} + +int sub_uid_add (const char *owner, uid_t start, unsigned long count) +{ + if (get_subid_nss_handle()) + return -EOPNOTSUPP; + return add_range (&subordinate_uid_db, owner, start, count); +} + +int sub_uid_remove (const char *owner, uid_t start, unsigned long count) +{ + if (get_subid_nss_handle()) + return -EOPNOTSUPP; + return remove_range (&subordinate_uid_db, owner, start, count); +} + +int sub_uid_close (void) +{ + return commonio_close (&subordinate_uid_db); +} + +int sub_uid_unlock (void) +{ + return commonio_unlock (&subordinate_uid_db); +} + +uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count) +{ + unsigned long start; + start = find_free_range (&subordinate_uid_db, min, max, count); + return start == ULONG_MAX ? (uid_t) -1 : start; +} + +static struct commonio_db subordinate_gid_db = { + "/etc/subgid", /* filename */ + &subordinate_ops, /* ops */ + NULL, /* fp */ +#ifdef WITH_SELINUX + NULL, /* scontext */ +#endif + 0644, /* st_mode */ + 0, /* st_uid */ + 0, /* st_gid */ + NULL, /* head */ + NULL, /* tail */ + NULL, /* cursor */ + false, /* changed */ + false, /* isopen */ + false, /* locked */ + false, /* readonly */ + false /* setname */ +}; + +int sub_gid_setdbname (const char *filename) +{ + return commonio_setname (&subordinate_gid_db, filename); +} + +/*@observer@*/const char *sub_gid_dbname (void) +{ + return subordinate_gid_db.filename; +} + +bool sub_gid_file_present (void) +{ + return commonio_present (&subordinate_gid_db); +} + +int sub_gid_lock (void) +{ + return commonio_lock (&subordinate_gid_db); +} + +int sub_gid_open (int mode) +{ + return commonio_open (&subordinate_gid_db, mode); +} + +bool have_sub_gids(const char *owner, gid_t start, unsigned long count) +{ + struct subid_nss_ops *h; + bool found; + enum subid_status status; + h = get_subid_nss_handle(); + if (h) { + status = h->has_range(owner, start, count, ID_TYPE_GID, &found); + if (status == SUBID_STATUS_SUCCESS && found) + return true; + return false; + } + return have_range(&subordinate_gid_db, owner, start, count); +} + +bool local_sub_gid_assigned(const char *owner) +{ + return range_exists (&subordinate_gid_db, owner); +} + +int sub_gid_add (const char *owner, gid_t start, unsigned long count) +{ + if (get_subid_nss_handle()) + return -EOPNOTSUPP; + return add_range (&subordinate_gid_db, owner, start, count); +} + +int sub_gid_remove (const char *owner, gid_t start, unsigned long count) +{ + if (get_subid_nss_handle()) + return -EOPNOTSUPP; + return remove_range (&subordinate_gid_db, owner, start, count); +} + +int sub_gid_close (void) +{ + return commonio_close (&subordinate_gid_db); +} + +int sub_gid_unlock (void) +{ + return commonio_unlock (&subordinate_gid_db); +} + +gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count) +{ + unsigned long start; + start = find_free_range (&subordinate_gid_db, min, max, count); + return start == ULONG_MAX ? (gid_t) -1 : start; +} + +static bool get_owner_id(const char *owner, enum subid_type id_type, char *id) +{ + struct passwd *pw; + struct group *gr; + int ret = 0; + + switch (id_type) { + case ID_TYPE_UID: + pw = getpwnam(owner); + if (pw == NULL) { + return false; + } + ret = snprintf(id, ID_SIZE, "%u", pw->pw_uid); + if (ret < 0 || ret >= ID_SIZE) { + return false; + } + break; + case ID_TYPE_GID: + gr = getgrnam(owner); + if (gr == NULL) { + return false; + } + ret = snprintf(id, ID_SIZE, "%u", gr->gr_gid); + if (ret < 0 || ret >= ID_SIZE) { + return false; + } + break; + default: + return false; + } + + return true; +} + +/* + * int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges) + * + * @owner: username + * @id_type: UID or GUID + * @ranges: pointer to array of ranges into which results will be placed. + * + * Fills in the subuid or subgid ranges which are owned by the specified + * user. Username may be a username or a string representation of a + * UID number. If id_type is UID, then subuids are returned, else + * subgids are given. + + * Returns the number of ranges found, or < 0 on error. + * + * The caller must free the subordinate range list. + */ +int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **in_ranges) +{ + // TODO - need to handle owner being either uid or username + struct subid_range *ranges = NULL; + const struct subordinate_range *range; + struct commonio_db *db; + enum subid_status status; + int count = 0; + struct subid_nss_ops *h; + char id[ID_SIZE]; + bool have_owner_id; + + *in_ranges = NULL; + + h = get_subid_nss_handle(); + if (h) { + status = h->list_owner_ranges(owner, id_type, in_ranges, &count); + if (status == SUBID_STATUS_SUCCESS) + return count; + return -1; + } + + switch (id_type) { + case ID_TYPE_UID: + if (!sub_uid_open(O_RDONLY)) { + return -1; + } + db = &subordinate_uid_db; + break; + case ID_TYPE_GID: + if (!sub_gid_open(O_RDONLY)) { + return -1; + } + db = &subordinate_gid_db; + break; + default: + return -1; + } + + have_owner_id = get_owner_id(owner, id_type, id); + + commonio_rewind(db); + while ((range = commonio_next(db)) != NULL) { + if (0 == strcmp(range->owner, owner)) { + if (!append_range(&ranges, range, count++)) { + free(ranges); + ranges = NULL; + count = -1; + goto out; + } + } + + // Let's also compare with the ID + if (have_owner_id == true && 0 == strcmp(range->owner, id)) { + if (!append_range(&ranges, range, count++)) { + free(ranges); + ranges = NULL; + count = -1; + goto out; + } + } + } + +out: + if (id_type == ID_TYPE_UID) + sub_uid_close(); + else + sub_gid_close(); + + *in_ranges = ranges; + return count; +} + +static bool all_digits(const char *str) +{ + int i; + + for (i = 0; str[i] != '\0'; i++) + if (!isdigit(str[i])) + return false; + return true; +} + +static int append_uids(uid_t **uids, const char *owner, int n) +{ + uid_t owner_uid; + uid_t *ret; + int i; + + if (all_digits(owner)) { + i = sscanf(owner, "%d", &owner_uid); + if (i != 1) { + // should not happen + free(*uids); + *uids = NULL; + return -1; + } + } else { + struct passwd *pwd = getpwnam(owner); + if (NULL == pwd) { + /* Username not defined in /etc/passwd, or error occurred during lookup */ + free(*uids); + *uids = NULL; + return -1; + } + owner_uid = pwd->pw_uid; + } + + for (i = 0; i < n; i++) { + if (owner_uid == (*uids)[i]) + return n; + } + + ret = realloc(*uids, (n + 1) * sizeof(uid_t)); + if (!ret) { + free(*uids); + return -1; + } + ret[n] = owner_uid; + *uids = ret; + return n+1; +} + +int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids) +{ + const struct subordinate_range *range; + struct subid_nss_ops *h; + enum subid_status status; + struct commonio_db *db; + int n = 0; + + h = get_subid_nss_handle(); + if (h) { + status = h->find_subid_owners(id, id_type, uids, &n); + // Several ways we could handle the error cases here. + if (status != SUBID_STATUS_SUCCESS) + return -1; + return n; + } + + switch (id_type) { + case ID_TYPE_UID: + if (!sub_uid_open(O_RDONLY)) { + return -1; + } + db = &subordinate_uid_db; + break; + case ID_TYPE_GID: + if (!sub_gid_open(O_RDONLY)) { + return -1; + } + db = &subordinate_gid_db; + break; + default: + return -1; + } + + *uids = NULL; + + commonio_rewind(db); + while ((range = commonio_next(db)) != NULL) { + if (id >= range->start && id < range->start + range-> count) { + n = append_uids(uids, range->owner, n); + if (n < 0) + break; + } + } + + if (id_type == ID_TYPE_UID) + sub_uid_close(); + else + sub_gid_close(); + + return n; +} + +bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse) +{ + struct commonio_db *db; + const struct subordinate_range *r; + bool ret; + + if (get_subid_nss_handle()) + return false; + + switch (id_type) { + case ID_TYPE_UID: + if (!sub_uid_lock()) { + printf("Failed loging subuids (errno %d)\n", errno); + return false; + } + if (!sub_uid_open(O_CREAT | O_RDWR)) { + printf("Failed opening subuids (errno %d)\n", errno); + sub_uid_unlock(); + return false; + } + db = &subordinate_uid_db; + break; + case ID_TYPE_GID: + if (!sub_gid_lock()) { + printf("Failed loging subgids (errno %d)\n", errno); + return false; + } + if (!sub_gid_open(O_CREAT | O_RDWR)) { + printf("Failed opening subgids (errno %d)\n", errno); + sub_gid_unlock(); + return false; + } + db = &subordinate_gid_db; + break; + default: + return false; + } + + commonio_rewind(db); + if (reuse) { + while ((r = commonio_next(db)) != NULL) { + // TODO account for username vs uid_t + if (0 != strcmp(r->owner, range->owner)) + continue; + if (r->count >= range->count) { + range->count = r->count; + range->start = r->start; + return true; + } + } + } + + range->start = find_free_range(db, range->start, ULONG_MAX, range->count); + + if (range->start == ULONG_MAX) { + ret = false; + goto out; + } + + ret = add_range(db, range->owner, range->start, range->count) == 1; + +out: + if (id_type == ID_TYPE_UID) { + sub_uid_close(); + sub_uid_unlock(); + } else { + sub_gid_close(); + sub_gid_unlock(); + } + + return ret; +} + +bool release_subid_range(struct subordinate_range *range, enum subid_type id_type) +{ + struct commonio_db *db; + bool ret; + + if (get_subid_nss_handle()) + return false; + + switch (id_type) { + case ID_TYPE_UID: + if (!sub_uid_lock()) { + printf("Failed loging subuids (errno %d)\n", errno); + return false; + } + if (!sub_uid_open(O_CREAT | O_RDWR)) { + printf("Failed opening subuids (errno %d)\n", errno); + sub_uid_unlock(); + return false; + } + db = &subordinate_uid_db; + break; + case ID_TYPE_GID: + if (!sub_gid_lock()) { + printf("Failed loging subgids (errno %d)\n", errno); + return false; + } + if (!sub_gid_open(O_CREAT | O_RDWR)) { + printf("Failed opening subgids (errno %d)\n", errno); + sub_gid_unlock(); + return false; + } + db = &subordinate_gid_db; + break; + default: + return false; + } + + ret = remove_range(db, range->owner, range->start, range->count) == 1; + + if (id_type == ID_TYPE_UID) { + sub_uid_close(); + sub_uid_unlock(); + } else { + sub_gid_close(); + sub_gid_unlock(); + } + + return ret; +} + +#else /* !ENABLE_SUBIDS */ +extern int errno; /* warning: ANSI C forbids an empty source file */ +#endif /* !ENABLE_SUBIDS */ + |