Hi,

I sent this to sssd-devel already, but probably it was the wrong
channel, so I'm trying it here.

I'm using Dovecot with its "passwd" userdb, which effectively uses NSS.
NSS services are provided by the files and by the sss "plugins".

The `doveadm user *` command enumerates the list of users. Repeating the
command doesn't enumerate the users provided by sssd again.

Analyzing this issue reveals:

Dovecot uses a long living process talking to NSS. For user
enumeration it uses

        setpwent()
        while (…) { getpwent(); }

and then misses the call to endpwent(). This bug is already confirmed by
the Dovecot developers.


I'm not sure about the semantics of setpwent()/endpwent(), especially
about calling sequences like

        setpwent()
        while (…) { getpwent(); }

        setpwent()
        while (…) { getpwent(); }

According to setpwent(3) it should rewind to the beginning. Calling
endpwent() seems to be for courtesy only (to have resources freed).

I suggest calling a preventive endpwent() before using setpwent() again
in nss_cmd.c.

Attached you'll find my patch. I'd be happy about review and integration into
upstream.

    Best regards from Dresden/Germany
    Many greetings from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
From: Heiko Schlittermann <[email protected]>
Subject: Add preventive endpwent() to setpwent()
--- a/src/responder/nss/nss_cmd.c
+++ b/src/responder/nss/nss_cmd.c
@@ -936,10 +936,19 @@
                         SSS_MC_PASSWD, nss_protocol_fill_pwent);
 }
 
+static errno_t nss_cmd_endpwent(struct cli_ctx *cli_ctx)
+{
+    struct nss_state_ctx *state_ctx;
+
+    state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx);
+
+    return nss_endent(cli_ctx, &state_ctx->pwent);
+}
+
 static errno_t nss_cmd_setpwent(struct cli_ctx *cli_ctx)
 {
     struct nss_ctx *nss_ctx;
-
+    nss_cmd_endpwent(cli_ctx);
     nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx);
 
     return nss_setent(cli_ctx, CACHE_REQ_ENUM_USERS, &nss_ctx->pwent);
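Review bot: In nss_cmd_setpwent() the added call nss_cmd_endpwent(cli_ctx); discards the errno_t it returns, so a failure inside nss_endent() is silently ignored before nss_setent() runs. Either check the result and return or log it, or cast the call to (void) with a comment saying why ignoring it is safe. The call also took the place of the blank line that separated the declaration from the first statement; keep that blank line and add a short comment that the call resets per-client enumeration state for clients that skipped endpwent().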
@@ -958,15 +967,6 @@
                       &nss_ctx->pwent);
 }
 
-static errno_t nss_cmd_endpwent(struct cli_ctx *cli_ctx)
-{
-    struct nss_state_ctx *state_ctx;
-
-    state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx);
-
-    return nss_endent(cli_ctx, &state_ctx->pwent);
-}
-
 static errno_t nss_cmd_getgrnam(struct cli_ctx *cli_ctx)
 {
     return nss_getby_name(cli_ctx, false, CACHE_REQ_GROUP_BY_NAME, NULL,
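Review bot: A forward declaration of nss_cmd_endpwent() ahead of nss_cmd_setpwent() would make this removal unnecessary. The function body is deleted here unchanged only so it can be defined earlier in the file; declaring it instead (static errno_t nss_cmd_endpwent(struct cli_ctx *cli_ctx);) keeps the definition where it was and reduces the patch to the one functional line, which is easier to review and keeps blame history intact.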

Attachment: signature.asc
Description: PGP signature
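
A client-side check for the calling sequence discussed in the message, added here as an example (it is not code from the post, from Dovecot or from SSSD): it enumerates the passwd database several times in one long-living process, with or without endpwent() between passes, and reports the first pass whose entry count differs from the first one. The function names are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>

/* One enumeration pass over all NSS passwd sources.
 * call_end selects whether the pass is closed with endpwent(). */
static long enumerate_once(int call_end)
{
    long n = 0;

    setpwent();                 /* documented to rewind to the beginning */
    while (getpwent() != NULL)
        n++;
    if (call_end)
        endpwent();
    return n;
}

/* Run `passes` enumerations in the same process.
 * Returns 0 if every pass saw as many entries as the first one,
 * otherwise the 1-based number of the first pass that differed. */
static int first_diverging_pass(int passes, int call_end)
{
    long first = enumerate_once(call_end);
    int bad = 0;

    for (int i = 2; i <= passes && bad == 0; i++)
        if (enumerate_once(call_end) != first)
            bad = i;
    endpwent();                 /* release resources before returning */
    return bad;
}

int main(void)
{
    int without_end = first_diverging_pass(3, 0);
    int with_end = first_diverging_pass(3, 1);

    printf("without endpwent(): %s (pass %d)\n",
           without_end ? "counts differ" : "consistent", without_end);
    printf("with endpwent():    %s (pass %d)\n",
           with_end ? "counts differ" : "consistent", with_end);
    return (without_end || with_end) ? 1 : 0;
}
```

Run it on a host whose nsswitch.conf lists the passwd sources in question; a non-zero result for the run without endpwent() matches the behaviour described in the report.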
