Re: [BUG] With --disable-dynamic-nss, not all functions calls are protected

[Jun T <takimoto-j@xxxxxxxxxxxxxxxxx>]

> 2021/09/17 10:23, Jun T <takimoto-j@xxxxxxxxxxxxxxxxx> wrote:
> 
> I guess the problem is getlogin() called from createparamtable().

Yes, this can be confirmed by statically linking a test program
(just call getlogin() and exit). I _hope_ there are no other places
where NSS-functions are indirectly called.

Revised the Axel's patch (also attached a file):

params.c:
do not call getlogin()

Modules/parameter.c:
Special parameter $usergroups can't be supported without NSS.
So the possibilities are:
(1) issue an error message when user try to use $usergroups
(2) do not issue an error but the parameter exists
(3) remove the parameter (remove from the table partab[])
The patch below uses (1), but I have no idea which is the best.

hashnameddir.c, options.c, utils.c:
HAVE_xxx --> USE_xxx (same as the Axel's patch)

Modules/{stat.c,files.c}:
These (and tcp.c, zftp.c) use NSS but are not patched since they are
disabled by default in static build.


diff --git a/Src/Modules/parameter.c b/Src/Modules/parameter.c
index ef9148d7b..b44555323 100644
--- a/Src/Modules/parameter.c
+++ b/Src/Modules/parameter.c
@@ -2011,6 +2011,9 @@ scanpmdissaliases(HashTable ht, ScanFunc func, int flags)
 /**/
 static Groupset get_all_groups(void)
 {
+#ifdef DISABLE_DYNAMIC_NSS
+    return NULL;
+#else
     Groupset gs = zhalloc(sizeof(*gs));
     Groupmap gaptr;
     gid_t *list, *lptr, egid;
@@ -2063,6 +2066,7 @@ static Groupset get_all_groups(void)
     }
 
     return gs;
+#endif /* DISABLE_DYNAMIC_NSS */
 }
 
 /* Standard hash element lookup. */
@@ -2081,7 +2085,11 @@ getpmusergroups(UNUSED(HashTable ht), const char *name)
     pm->gsu.s = &nullsetscalar_gsu;
 
     if (!gs) {
+#ifdef DISABLE_DYNAMIC_NSS
+	zerr("parameter 'usergroups' not available: NSS is disabled");
+#else
 	zerr("failed to retrieve groups for user: %e", errno);
+#endif
 	pm->u.str = dupstring("");
 	pm->node.flags |= (PM_UNSET|PM_SPECIAL);
 	return &pm->node;
@@ -2113,7 +2121,11 @@ scanpmusergroups(UNUSED(HashTable ht), ScanFunc func, int flags)
     Groupmap gaptr;
 
     if (!gs) {
+#ifdef DISABLE_DYNAMIC_NSS
+	zerr("parameter 'usergroups' not available: NSS is disabled");
+#else
 	zerr("failed to retrieve groups for user: %e", errno);
+#endif
 	return;
     }
 
diff --git a/Src/hashnameddir.c b/Src/hashnameddir.c
index bed43d025..cbd1344ef 100644
--- a/Src/hashnameddir.c
+++ b/Src/hashnameddir.c
@@ -178,7 +178,7 @@ fillnameddirtable(UNUSED(HashTable ht))
 	    /* Using NIS or NIS+ didn't add any user directories. This seems
 	     * fishy, so we fall back to using getpwent(). If we don't have
 	     * that, we only use the passwd file. */
-#ifdef HAVE_GETPWENT
+#ifdef USE_GETPWENT
 	    struct passwd *pw;
 
 	    setpwent();
@@ -190,7 +190,7 @@ fillnameddirtable(UNUSED(HashTable ht))
 
 	    endpwent();
 	    usepwf = 0;
-#endif /* HAVE_GETPWENT */
+#endif /* USE_GETPWENT */
 	}
 	if (usepwf) {
 	    /* Don't forget the non-NIS matches from the flat passwd file */
@@ -229,7 +229,7 @@ fillnameddirtable(UNUSED(HashTable ht))
 	    adduserdir(pw->pw_name, pw->pw_dir, ND_USERNAME, 1);
 
 	endpwent();
-#endif /* HAVE_GETPWENT */
+#endif /* USE_GETPWENT */
 #endif
 	allusersadded = 1;
     }
diff --git a/Src/options.c b/Src/options.c
index 783022591..a1fe918fc 100644
--- a/Src/options.c
+++ b/Src/options.c
@@ -811,7 +811,7 @@ dosetopt(int optno, int value, int force, char *new_opts)
 	    return -1;
 	}
 
-# ifdef HAVE_INITGROUPS
+# ifdef USE_INITGROUPS
 	/* Set the supplementary groups list.
 	 *
 	 * Note that on macOS, FreeBSD, and possibly some other platforms,
diff --git a/Src/params.c b/Src/params.c
index 4f6b361f9..704aad588 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -843,9 +843,12 @@ createparamtable(void)
     setsparam("HOST", ztrdup_metafy(hostnam));
     zfree(hostnam, 256);
 
-    setsparam("LOGNAME",
-	      ztrdup_metafy((str = getlogin()) && *str ?
-			    str : cached_username));
+    setsparam("LOGNAME", ztrdup_metafy(
+#ifndef DISABLE_DYNAMIC_NSS
+			(str = getlogin()) && *str ?  str :
+#endif
+				cached_username
+			));
 
 #if !defined(HAVE_PUTENV) && !defined(USE_SET_UNSET_ENV)
     /* Copy the environment variables we are inheriting to dynamic *
@@ -4430,7 +4433,7 @@ usernamegetfn(UNUSED(Param pm))
 void
 usernamesetfn(UNUSED(Param pm), char *x)
 {
-#if defined(HAVE_SETUID) && defined(HAVE_GETPWNAM)
+#if defined(HAVE_SETUID) && defined(USE_GETPWNAM)
     struct passwd *pswd;
 
     if (x && (pswd = getpwnam(x)) && (pswd->pw_uid != cached_uid)) {
@@ -4447,7 +4450,7 @@ usernamesetfn(UNUSED(Param pm), char *x)
 	    cached_uid = pswd->pw_uid;
 	}
     }
-#endif /* HAVE_SETUID && HAVE_GETPWNAM */
+#endif /* HAVE_SETUID && USE_GETPWNAM */
     zsfree(x);
 }
 
diff --git a/Src/utils.c b/Src/utils.c
index c32741ca7..a74c8bd2c 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1119,7 +1119,7 @@ char *cached_username;
 char *
 get_username(void)
 {
-#ifdef HAVE_GETPWUID
+#ifdef USE_GETPWUID
     struct passwd *pswd;
     uid_t current_uid;
 
@@ -1132,9 +1132,9 @@ get_username(void)
 	else
 	    cached_username = ztrdup("");
     }
-#else /* !HAVE_GETPWUID */
+#else /* !USE_GETPWUID */
     cached_uid = getuid();
-#endif /* !HAVE_GETPWUID */
+#endif /* !USE_GETPWUID */
     return cached_username;
 }
 
@@ -1310,7 +1310,7 @@ getnameddir(char *name)
 	return str;
     }
 
-#ifdef HAVE_GETPWNAM
+#ifdef USE_GETPWNAM
     {
 	/* Retrieve an entry from the password table/database for this user. */
 	struct passwd *pw;
@@ -1326,7 +1326,7 @@ getnameddir(char *name)
 		return dupstring(pw->pw_dir);
 	}
     }
-#endif /* HAVE_GETPWNAM */
+#endif /* USE_GETPWNAM */
 
     /* There are no more possible sources of directory names, so give up. */
     return NULL;

Attachment: nss.patch
Description: Binary data