From 03ebf05e4f7646d4574acbc952b23976e4f8a175 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Thu, 4 Dec 2014 01:08:26 -0500 Subject: get strict (-Wall -Werror -Wextra), clean up --- nslcd/Makefile.am | 2 +- nslcd/cfg.c | 158 -------------------------------------------------- nslcd/cfg.h | 10 ---- nslcd/common.c | 66 --------------------- nslcd/common.h | 41 +++++++------ nslcd/db_config.c | 1 - nslcd/db_pam.c | 26 ++++----- nslcd/db_passwd.c | 7 +-- nslcd/db_shadow.c | 6 +- nslcd/hackers_parse.c | 5 +- nslcd/hackers_watch.c | 1 - nslcd/nslcd.c | 1 - 12 files changed, 44 insertions(+), 280 deletions(-) (limited to 'nslcd') diff --git a/nslcd/Makefile.am b/nslcd/Makefile.am index 8983778..d5f908c 100644 --- a/nslcd/Makefile.am +++ b/nslcd/Makefile.am @@ -21,7 +21,7 @@ sbin_PROGRAMS = nslcd AM_CPPFLAGS=-I$(top_srcdir) -AM_CFLAGS = -std=c99 $(PTHREAD_CFLAGS) +AM_CFLAGS = -std=c99 $(PTHREAD_CFLAGS) -Wall -Werror -Wextra -Wno-unused-parameter nslcd_SOURCES = nslcd.c ../nslcd.h ../common/nslcd-prot.h \ ../common/inotify_helpers.h \ diff --git a/nslcd/cfg.c b/nslcd/cfg.c index 6a9811a..d9a800f 100644 --- a/nslcd/cfg.c +++ b/nslcd/cfg.c @@ -339,24 +339,6 @@ static enum ldap_map_selector parse_map(const char *value) return LM_NONE; } -/* check to see if the line begins with a named map */ -static enum ldap_map_selector get_map(char **line) -{ - char token[32]; - char *old; - enum ldap_map_selector map; - /* get the token */ - old = *line; - if (get_token(line, token, sizeof(token)) == NULL) - return LM_NONE; - /* see if we found a map */ - map = parse_map(token); - /* unknown map, return to the previous state */ - if (map == LM_NONE) - *line = old; - return map; -} - static const char *print_map(enum ldap_map_selector map) { switch (map) 
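Review bot: `-Werror` is hard-wired into `AM_CFLAGS` in nslcd/Makefile.am, so any new diagnostic from a later compiler release fails the build for everyone compiling from source. Making it opt-in through a configure switch would keep the strictness for developers without that effect. `-Wall -Wextra` also leaves out `-Wformat-security`, which is worth having in a daemon that sends most of its messages through the printf-style `log_log()`: `AM_CFLAGS = -std=c99 $(PTHREAD_CFLAGS) -Wall -Wextra -Wformat-security -Wno-unused-parameter`.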
@@ -479,53 +461,6 @@ static void handle_validnames(const char *filename, int lnr, free(value); } -static void handle_pam_authz_search( - const char *filename, int lnr, - const char *keyword, char *line, struct ldap_config *cfg) -{ - SET *set; - const char **list; - int i; - check_argumentcount(filename, lnr, keyword, (line != NULL) && (*line != '\0')); - /* find free spot for search filter */ - for (i = 0; (i < NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES) && (cfg->pam_authz_searches[i] != NULL); - i++) - /* nothing */ ; - if (i >= NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES) - { - log_log(LOG_ERR, "%s:%d: maximum number of pam_authz_search options (%d) exceeded", - filename, lnr, NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES); - exit(EXIT_FAILURE); - } - cfg->pam_authz_searches[i] = xstrdup(line); - /* check the variables used in the expression */ - set = expr_vars(cfg->pam_authz_searches[i], NULL); - list = set_tolist(set); - if (list == NULL) - { - log_log(LOG_CRIT, "malloc() failed to allocate memory"); - exit(EXIT_FAILURE); - } - for (i = 0; list[i] != NULL; i++) - { - if ((strcmp(list[i], "username") != 0) && - (strcmp(list[i], "service") != 0) && - (strcmp(list[i], "ruser") != 0) && - (strcmp(list[i], "rhost") != 0) && - (strcmp(list[i], "tty") != 0) && - (strcmp(list[i], "hostname") != 0) && - (strcmp(list[i], "fqdn") != 0) && - (strcmp(list[i], "dn") != 0) && (strcmp(list[i], "uid") != 0)) - { - log_log(LOG_ERR, "%s:%d: unknown variable $%s", filename, lnr, list[i]); - exit(EXIT_FAILURE); - } - } - /* free memory */ - set_free(set); - free(list); -} - static void handle_pam_password_prohibit_message( const char *filename, int lnr, const char *keyword, char *line, struct ldap_config *cfg) 
@@ -578,28 +513,6 @@ static void handle_reconnect_invalidate( } } -/* check that the file is not world readable */ -static void check_permissions(const char *filename, const char *keyword) -{ - struct stat sb; - /* get file status */ - if (stat(filename, &sb)) - { - log_log(LOG_ERR, "cannot stat() %s: %s", filename, strerror(errno)); - exit(EXIT_FAILURE); - } - /* check permissions */ - if ((sb.st_mode & 0007) != 0) - { - if (keyword != NULL) - log_log(LOG_ERR, "%s: file should not be world readable if %s is set", - filename, keyword); - else - log_log(LOG_ERR, "%s: file should not be world readable", filename); - exit(EXIT_FAILURE); - } -} - /* set the configuration information to the defaults */ static void cfg_defaults(struct ldap_config *cfg) { @@ -618,8 +531,6 @@ static void cfg_defaults(struct ldap_config *cfg) "/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i", cfg); cfg->ignorecase = 0; - for (i = 0; i < NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES; i++) - cfg->pam_authz_searches[i] = NULL; cfg->pam_password_prohibit_message = NULL; for (i = 0; i < LM_NONE; i++) cfg->reconnect_invalidate[i] = 0; @@ -632,7 +543,6 @@ static void cfg_read(const char *filename, struct ldap_config *cfg) char linebuf[MAX_LINE_LENGTH]; char *line; char keyword[32]; - char token[64]; int i; /* open config file */ if ((fp = fopen(filename, "r")) == NULL) @@ -712,10 +622,6 @@ static void cfg_read(const char *filename, struct ldap_config *cfg) cfg->ignorecase = get_boolean(filename, lnr, keyword, &line); get_eol(filename, lnr, keyword, &line); } - else if (strcasecmp(keyword, "pam_authz_search") == 0) - { - handle_pam_authz_search(filename, lnr, keyword, line, cfg); - } else if (strcasecmp(keyword, "pam_password_prohibit_message") == 0) { handle_pam_password_prohibit_message(filename, lnr, keyword, line, cfg); 
@@ -737,73 +643,12 @@ static void cfg_read(const char *filename, struct ldap_config *cfg) fclose(fp); } -#ifdef NSLCD_BINDPW_PATH -static void bindpw_read(const char *filename, struct ldap_config *cfg) -{ - FILE *fp; - char linebuf[MAX_LINE_LENGTH]; - int i; - /* open config file */ - errno = 0; - if ((fp = fopen(filename, "r")) == NULL) - { - if (errno == ENOENT) - { - log_log(LOG_DEBUG, "no bindpw file (%s)", filename); - return; /* ignore */ - } - else - { - log_log(LOG_ERR, "cannot open bindpw file (%s): %s", - filename, strerror(errno)); - exit(EXIT_FAILURE); - } - } - /* check permissions */ - check_permissions(filename, NULL); - /* read the first line */ - if (fgets(linebuf, sizeof(linebuf), fp) == NULL) - { - log_log(LOG_ERR, "%s: error reading first line", filename); - exit(EXIT_FAILURE); - } - /* chop the last char off and save the rest as bindpw */ - i = (int)strlen(linebuf); - if ((i <= 0) || (linebuf[i - 1] != '\n')) - { - log_log(LOG_ERR, "%s:1: line too long or missing newline", filename); - exit(EXIT_FAILURE); - } - linebuf[i - 1] = '\0'; - if (strlen(linebuf) == 0) - { - log_log(LOG_ERR, "%s:1: the password is empty", filename); - exit(EXIT_FAILURE); - } - cfg->bindpw = strdup(linebuf); - /* check if there is no more data in the file */ - if (fgets(linebuf, sizeof(linebuf), fp) != NULL) - { - log_log(LOG_ERR, "%s:2: there is more than one line in the bindpw file", - filename); - exit(EXIT_FAILURE); - } - fclose(fp); -} -#endif /* NSLCD_BINDPW_PATH */ - /* dump configuration */ static void cfg_dump(void) { int i; -#ifdef LDAP_OPT_X_TLS - int rc; -#endif /* LDAP_OPT_X_TLS */ - enum ldap_map_selector map; - char *str; const char **strp; char buffer[1024]; - int *scopep; log_log(LOG_DEBUG, "CFG: threads %d", nslcd_cfg->threads); if (nslcd_cfg->uidname != NULL) log_log(LOG_DEBUG, "CFG: uid %s", nslcd_cfg->uidname); 
@@ -844,9 +689,6 @@ static void cfg_dump(void) log_log(LOG_DEBUG, "CFG: nss_nested_groups %s", print_boolean(nslcd_cfg->nss_nested_groups)); log_log(LOG_DEBUG, "CFG: validnames %s", nslcd_cfg->validnames_str); log_log(LOG_DEBUG, "CFG: ignorecase %s", print_boolean(nslcd_cfg->ignorecase)); - for (i = 0; i < NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES; i++) - if (nslcd_cfg->pam_authz_searches[i] != NULL) - log_log(LOG_DEBUG, "CFG: pam_authz_search %s", nslcd_cfg->pam_authz_searches[i]); if (nslcd_cfg->pam_password_prohibit_message != NULL) log_log(LOG_DEBUG, "CFG: pam_password_prohibit_message \"%s\"", nslcd_cfg->pam_password_prohibit_message); /* build a comma-separated list */ diff --git a/nslcd/cfg.h b/nslcd/cfg.h index 5fc3147..890974c 100644 --- a/nslcd/cfg.h +++ b/nslcd/cfg.h @@ -35,15 +35,6 @@ #define NOUID ((gid_t)-1) #define NOGID ((gid_t)-1) -/* maximum number of URIs */ -#define NSS_LDAP_CONFIG_MAX_URIS 31 - -/* maximum number of search bases */ -#define NSS_LDAP_CONFIG_MAX_BASES 31 - -/* maximum number of pam_authz_search options */ -#define NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES 8 - /* selectors for different maps */ enum ldap_map_selector { LM_ALIASES, @@ -74,7 +65,6 @@ struct ldap_config { regex_t validnames; /* the regular expression to determine valid names */ char *validnames_str; /* string version of validnames regexp */ int ignorecase; /* whether or not case should be ignored in lookups */ - char *pam_authz_searches[NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES]; /* the searches that should be performed to do autorisation checks */ char *pam_password_prohibit_message; /* whether password changing should be denied and user prompted with this message */ char reconnect_invalidate[LM_NONE]; /* set to 1 if the corresponding map should be invalidated */ }; diff --git a/nslcd/common.c b/nslcd/common.c index 3c82d71..da508f6 100644 --- a/nslcd/common.c +++ b/nslcd/common.c 
@@ -113,72 +113,6 @@ const char *signame(int signum) } } -/* return the fully qualified domain name of the current host */ -const char *getfqdn(void) -{ - static char *fqdn = NULL; - char hostname[BUFLEN_HOSTNAME]; - int hostnamelen; - int i; - struct hostent *host = NULL; - /* if we already have a fqdn return that */ - if (fqdn != NULL) - return fqdn; - /* get system hostname */ - if (gethostname(hostname, sizeof(hostname)) < 0) - { - log_log(LOG_ERR, "gethostname() failed: %s", strerror(errno)); - return NULL; - } - hostnamelen = strlen(hostname); - /* lookup hostent */ - host = gethostbyname(hostname); - if (host == NULL) - { - log_log(LOG_ERR, "gethostbyname(%s): %s", hostname, hstrerror(h_errno)); - /* fall back to hostname */ - fqdn = strdup(hostname); - return fqdn; - } - /* check h_name for fqdn starting with our hostname */ - if ((strncasecmp(hostname, host->h_name, hostnamelen) == 0) && - (host->h_name[hostnamelen] == '.') && - (host->h_name[hostnamelen + 1] != '\0')) - { - fqdn = strdup(host->h_name); - return fqdn; - } - /* also check h_aliases */ - for (i = 0; host->h_aliases[i] != NULL; i++) - { - if ((strncasecmp(hostname, host->h_aliases[i], hostnamelen) == 0) && - (host->h_aliases[i][hostnamelen] == '.') && - (host->h_aliases[i][hostnamelen + 1] != '\0')) - { - fqdn = strdup(host->h_aliases[i]); - return fqdn; - } - } - /* fall back to h_name if it has a dot in it */ - if (strchr(host->h_name, '.') != NULL) - { - fqdn = strdup(host->h_name); - return fqdn; - } - /* also check h_aliases */ - for (i = 0; host->h_aliases[i] != NULL; i++) - { - if (strchr(host->h_aliases[i], '.') != NULL) - { - fqdn = strdup(host->h_aliases[i]); - return fqdn; - } - } - /* nothing found, fall back to hostname */ - fqdn = strdup(hostname); - return fqdn; -} - /* Checks if the specified name seems to be a valid user or group name. */ int isvalidname(const char *name) { diff --git a/nslcd/common.h b/nslcd/common.h index 89022b8..7951588 100644 --- a/nslcd/common.h 
+++ b/nslcd/common.h @@ -26,6 +26,7 @@ #include #include +#include #ifdef HAVE_STDINT_H #include #endif /* HAVE_STDINT_H */ @@ -47,20 +48,26 @@ stream */ #define ERROR_OUT_WRITEERROR(fp) \ - if (errno == EPIPE) \ - log_log(LOG_DEBUG, "error writing to client: %s", strerror(errno)); \ - else \ - log_log(LOG_WARNING, "error writing to client: %s", strerror(errno)); \ - return -1; + do { \ + if (errno == EPIPE) \ + log_log(LOG_DEBUG, "error writing to client: %s", strerror(errno)); \ + else \ + log_log(LOG_WARNING, "error writing to client: %s", strerror(errno)); \ + return -1; \ + } while(0) #define ERROR_OUT_READERROR(fp) \ - log_log(LOG_WARNING, "error reading from client: %s", strerror(errno)); \ - return -1; + do { \ + log_log(LOG_WARNING, "error reading from client: %s", strerror(errno)); \ + return -1; \ + } while(0) #define ERROR_OUT_BUFERROR(fp) \ - log_log(LOG_ERR, "client supplied argument %d bytes too large", \ - tmpint32); \ - return -1; + do { \ + log_log(LOG_ERR, "client supplied argument %d bytes too large", \ + tmpint32); \ + return -1; \ + } while(0) /* a simple wrapper around snprintf, returns 0 if ok, -1 on error */ @@ -70,11 +77,6 @@ int mysnprintf(char *buffer, size_t buflen, const char *format, ...) /* get a name of a signal with a given signal number */ const char *signame(int signum); -/* return the fully qualified domain name of the current host - the returned value does not need to be freed but is re-used for every - call */ -MUST_USE const char *getfqdn(void); - /* This tries to get the user password attribute from the entry. It will try to return an encrypted password as it is used in /etc/passwd, /etc/group or /etc/shadow depending upon what is in the directory. 
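Review bot: `ERROR_OUT_BUFERROR(fp)` still reads `tmpint32` from whatever scope it expands in, while this commit deletes the `int32_t tmpint32;` declarations from the callers (db_config.c, db_passwd.c, db_shadow.c, nslcd.c and `NSLCD_HANDLE_BODY`). Where that variable now comes from is not visible in this diff, so the dependency deserves a comment above the three macros, e.g. `/* These macros return -1 from the enclosing function; ERROR_OUT_BUFERROR also expects tmpint32 to be in scope. */`. The hidden `return -1` matters to any caller that holds something to release or wipe, because none of that runs when one of these macros fires.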
@@ -213,11 +215,12 @@ void shadow_init(void); #define NSLCD_HANDLE_BODY(db, fn, fndecls, fnread, fncheck, tentry, fnsearch, fnwrite, fnclean) \ { \ /* define common variables */ \ - int32_t tmpint32; \ tentry *entry = NULL; \ int rc = 1; \ fndecls \ tentry *search(int *rcp) { fnsearch } \ + int write(TFILE *fp, tentry *entry) { fnwrite } \ + void clean() { fnclean } \ /* read request parameters */ \ fnread \ /* validate request parameters */ \ @@ -228,8 +231,8 @@ void shadow_init(void); /* go over results */ \ while ((entry = search(&rc)) != NULL) \ { \ - if ( ({ fnwrite }) ) { \ - fnclean \ + if ( write(fp, entry) ) { \ + clean(); \ return -1; \ } \ } \ @@ -238,7 +241,7 @@ void shadow_init(void); { \ WRITE_INT32(fp, NSLCD_RESULT_END); \ } \ - fnclean \ + clean(); \ return 0; \ } diff --git a/nslcd/db_config.c b/nslcd/db_config.c index 75c9ec1..ed94bf5 100644 --- a/nslcd/db_config.c +++ b/nslcd/db_config.c @@ -35,7 +35,6 @@ int nslcd_config_get(TFILE *fp, MYLDAP_SESSION UNUSED(*session)) { - int32_t tmpint32; int32_t cfgopt; /* read request parameters */ READ_INT32(fp, cfgopt); diff --git a/nslcd/db_pam.c b/nslcd/db_pam.c index 0b101aa..08a9a4a 100644 --- a/nslcd/db_pam.c +++ b/nslcd/db_pam.c @@ -114,10 +114,9 @@ NSLCD_HANDLE_UID(PAM, AUTHC entry->authz_msg[0] = '\0'; /* try authentication */ - /* TODO */ - /*entry->authc_rc = check_password(password, hash) + entry->authc_rc = check_password(password, NULL /* TODO */) ? NSLCD_PAM_SUCCESS - : NSLCD_PAM_AUTH_ERR; */ + : NSLCD_PAM_AUTH_ERR; entry->authz_rc = entry->authc_rc; /*myldap_get_policy_response(session, &(entry->authz_rc), &(entry->authz_msg))*/ @@ -132,7 +131,7 @@ NSLCD_HANDLE_UID(PAM, AUTHC WRITE_STRING(fp, username); WRITE_INT32( fp, entry->authz_rc); WRITE_STRING(fp, entry->authz_msg); - 0; + return 0; ,/* cleanup */ memset(password, 0, sizeof(password)); ) 
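Review bot: With `fnclean` wrapped in `clean()`, only the write-failure path and the normal exit of `NSLCD_HANDLE_BODY` call it. `fnread` and `fncheck` still expand directly in the handler body, and the `ERROR_OUT_*` macros earlier in this file `return -1` on their own, so a failed read would leave the handler without cleanup. For the AUTHC handler in db_pam.c the cleanup is `memset(password, 0, sizeof(password));`, so the password buffer may stay unwiped on that path, assuming the READ macros use those error macros, which is not visible here. Separately, the nested function named `write` shadows write(2) inside every handler body; a name such as `write_entry` avoids that. The macro body starts before this hunk and the next two common.h hunks belong to it.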
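Review bot: The AUTHC result in nslcd/db_pam.c now comes from `check_password(password, NULL /* TODO */)`, a call that has no stored hash to compare against. `check_password` is not visible in this diff, so whether a NULL hash crashes the worker, always fails or could ever report success is unknown. The following line `entry->authz_rc = entry->authc_rc;` copies whatever it yields into the authorisation result. Until the hash lookup exists, the handler should fail closed explicitly: `entry->authc_rc = NSLCD_PAM_AUTH_ERR; /* TODO: look up the user's hash, then check_password() */`.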
@@ -159,11 +158,10 @@ NSLCD_HANDLE(PAM, AUTHZ ,/* check */ ,/* search(int *rcp) */ struct authz, - static size_t i = 0; struct passwd *user = NULL; struct authz *entry = &_entry; - for (; i < session->cnt; i++) + for (size_t i = 0; i < session->cnt; i++) { if (strcmp(username, session->users[i].pw_name)==0) { *rcp = 0; @@ -182,17 +180,19 @@ NSLCD_HANDLE(PAM, AUTHZ { entry->authz_rc = NSLCD_PAM_PERM_DENIED; strcpy(entry->authz_msg, "LDAP authorisation check failed"); - return entry; + } else { + /* perform shadow attribute checks */ + entry->authz_rc = check_password_age(session, username, + entry->authz_msg, sizeof(entry->authz_msg), + 0, 0); } - /* perform shadow attribute checks */ - entry->authz_rc = check_password_age(session, username, entry->authz_msg, sizeof(entry->authz_msg), 0, 0); - + return entry; ,/* write response */ WRITE_INT32(fp, NSLCD_RESULT_BEGIN); WRITE_INT32( fp, entry->authz_rc); WRITE_STRING(fp, entry->authz_msg); - 0; + return 0; ,/* cleanup */ ) @@ -237,7 +237,7 @@ NSLCD_HANDLE(PAM, SESS_O ,/* write */ WRITE_INT32(fp, NSLCD_RESULT_BEGIN); WRITE_STRING(fp, sessionid); - 0; + return 0; ,/* cleanup */ ) @@ -273,6 +273,6 @@ NSLCD_HANDLE(PAM, SESS_C } ,/* write */ WRITE_INT32(fp, NSLCD_RESULT_BEGIN); - 0; + return 0; ,/* cleanup */ ) diff --git a/nslcd/db_passwd.c b/nslcd/db_passwd.c index 4bdc17f..af6dc4c 100644 --- a/nslcd/db_passwd.c +++ b/nslcd/db_passwd.c @@ -54,7 +54,6 @@ static int write_passwd(TFILE *fp, struct passwd *entry, uid_t calleruid) { - int32_t tmpint32; const char *passwd; /* if we are using shadow maps and this entry looks like it would return shadow information, make the passwd entry indicate it */ @@ -109,7 +108,7 @@ NSLCD_HANDLE_UID(PASSWD, BYNAME } return NULL; ,/* write */ - write_passwd(fp, entry, calleruid); + return write_passwd(fp, entry, calleruid); ,/* cleanup */ ) 
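Review bot: Dropping `static` from the loop index in the AUTHZ `search()` (nslcd/db_pam.c) removes the only state that survived between calls, and the second hunk at line 180 now ends every visible path with `return entry;`. `NSLCD_HANDLE_BODY` keeps calling `search(&rc)` until it returns NULL, so unless the lines between these two hunks (not shown) return NULL on a repeat call, the handler would keep writing the same result to the client. Making the termination explicit would settle it, for example a one-shot flag declared in the handler's declarations and tested first in `search()`: `if (done) return NULL;` followed by `done = 1;`. The body of `search()` starts and ends outside both hunks.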
@@ -142,7 +141,7 @@ NSLCD_HANDLE_UID(PASSWD, BYUID } return NULL; ,/* write */ - write_passwd(fp, entry, calleruid); + return write_passwd(fp, entry, calleruid); ,/* cleanup */ ) @@ -164,6 +163,6 @@ NSLCD_HANDLE_UID(PASSWD, ALL } return NULL; ,/* write */ - write_passwd(fp, entry, calleruid); + return write_passwd(fp, entry, calleruid); ,/* cleanup */ ) diff --git a/nslcd/db_shadow.c b/nslcd/db_shadow.c index 06c4312..cfc7cb8 100644 --- a/nslcd/db_shadow.c +++ b/nslcd/db_shadow.c @@ -56,8 +56,6 @@ static void passwd2shadow(struct passwd *p, struct shadow *s) static int write_shadow(TFILE *fp, struct shadow *entry, uid_t calleruid) { - int32_t tmpint32; - if (calleruid == 0) { WRITE_INT32(fp, NSLCD_RESULT_BEGIN); @@ -103,7 +101,7 @@ NSLCD_HANDLE_UID(SHADOW, BYNAME } return NULL; ,/* write */ - write_shadow(fp, entry, calleruid); + return write_shadow(fp, entry, calleruid); ,/* cleanup */ ) @@ -126,6 +124,6 @@ NSLCD_HANDLE_UID(SHADOW, ALL } return NULL; ,/* write */ - write_shadow(fp, entry, calleruid); + return write_shadow(fp, entry, calleruid); ,/* cleanup */ ) diff --git a/nslcd/hackers_parse.c b/nslcd/hackers_parse.c index 0146197..bdcb6a5 100644 --- a/nslcd/hackers_parse.c +++ b/nslcd/hackers_parse.c @@ -143,7 +143,7 @@ load_user_yaml(const char *filename, struct passwd *user) { PASSWD_FREE(*user); - FILE *yaml_file; + FILE *yaml_file = NULL; yaml_parser_t yaml_parser; ZERO(yaml_parser); yaml_document_t yaml_document; ZERO(yaml_document); @@ -209,6 +209,7 @@ load_user_yaml(const char *filename, struct passwd *user) { end: yaml_document_delete(&yaml_document); yaml_parser_delete(&yaml_parser); - fclose(yaml_file); + if (yaml_file != NULL) + fclose(yaml_file); return ret; } diff --git a/nslcd/hackers_watch.c b/nslcd/hackers_watch.c index b6295a9..ee26e4d 100644 --- a/nslcd/hackers_watch.c +++ b/nslcd/hackers_watch.c 
@@ -139,7 +139,6 @@ worker_handle_del_yaml(struct session *sess, uid_t uid) { int hackers_worker(struct session *sess) { chdir(sess->yamldir); - struct inotify_event *event; for (INOTIFY_ITERATOR(sess->in_fd, event)) { if (event->wd == sess->in_wd_yaml) { /* handle updates to yaml files */ diff --git a/nslcd/nslcd.c b/nslcd/nslcd.c index bc763eb..3c61bfb 100644 --- a/nslcd/nslcd.c +++ b/nslcd/nslcd.c @@ -210,7 +210,6 @@ static int get_socket() this function returns the read action in location pointer to by action */ static int read_header(TFILE *fp, int32_t *action) { - int32_t tmpint32; int32_t protocol; /* read the protocol version */ READ_INT32(fp, protocol); -- cgit v1.2.2