Use the older patch and add the fix

DavidZagury · DavidZagury · commit ef8e4d6436f3 · 2025-05-13T19:42:06.000+03:00
diff --git a/src/tacacs/nss/patch/0001-Modify-user-map-profile.patch b/src/tacacs/nss/patch/0001-Modify-user-map-profile.patch
@@ -1,7 +1,7 @@
-From 43096cf9813d6def1d1f8f1d8a0c122466c8c06b Mon Sep 17 00:00:00 2001
-From: Liuqu <chenchen.qcc@alibaba-inc.com>
-Date: Mon, 9 Oct 2017 02:44:37 -0700
-Subject: [PATCH] Modify user map profile
+From 93f39fa62f3f9dc54012ab8668fe48a4b313c7a0 Mon Sep 17 00:00:00 2001
+From: "david.zagury" <davidza@nvidia.com>
+Date: Tue, 13 May 2025 19:25:09 +0300
+Subject: [PATCH] [PATCH] Modify user map profile
 
 * Removed dependence from libtacplus_map and libaudit
 * Removed NSS entry point for getpwuid()
@@ -18,9 +18,9 @@ Subject: [PATCH] Modify user map profile
  debian/changelog              |   11 +
  debian/control                |   11 +-
  debian/libnss-tacplus.symbols |    1 -
- nss_tacplus.c                 | 1015 +++++++++++++++------------------
+ nss_tacplus.c                 | 1022 +++++++++++++++------------------
  tacplus_nss.conf              |   91 ++-
- 8 files changed, 525 insertions(+), 612 deletions(-)
+ 8 files changed, 532 insertions(+), 612 deletions(-)
 
 diff --git a/Makefile.am b/Makefile.am
 index 293951e..b33c455 100644
@@ -124,7 +124,7 @@ index 2bf9b88..f476e7d 100644
   _nss_tacplus_getpwnam_r@Base 1.0.1
 - _nss_tacplus_getpwuid_r@Base 1.0.1
 diff --git a/nss_tacplus.c b/nss_tacplus.c
-index 79e62b9..ecfa0b0 100644
+index 79e62b9..ff4f492 100644
 --- a/nss_tacplus.c
 +++ b/nss_tacplus.c
 @@ -1,7 +1,9 @@
@@ -180,7 +180,7 @@ index 79e62b9..ecfa0b0 100644
  
  /*
   * pwbuf is used to reduce number of arguments passed around; the strings in
-@@ -63,255 +59,245 @@ struct pwbuf {
+@@ -63,255 +59,244 @@ struct pwbuf {
  typedef struct {
      struct addrinfo *addr;
      char *key;
@@ -437,8 +437,11 @@ index 79e62b9..ecfa0b0 100644
 +                    syslog(LOG_ERR, "%s: invalid server: %s (getaddrinfo: %s)",
 +                        nssname, srv, gai_strerror(rv));
 +                    return -1;
-+                }
-+            }
+                 }
+             }
+-            else {
+-                syslog(LOG_WARNING, "%s: maximum number of servers (%d) "
+-                    "exceeded, skipping", nssname, TAC_PLUS_MAXSERVERS);
 +            else if(!strncmp(token, "secret=", 7)) {
 +                if(tac_srv[tac_srv_no].key)
 +                    free(tac_srv[tac_srv_no].key);
@@ -458,11 +461,15 @@ index 79e62b9..ecfa0b0 100644
 +                 * for a long time*/
 +                if(tac_srv[tac_srv_no].timeout > 5)
 +                    tac_srv[tac_srv_no].timeout = 5;
-+            }
-+        }
+             }
+         }
+-        else if(debug) /* ignore unrecognized lines, unless debug on */
+-            syslog(LOG_WARNING, "%s: unrecognized parameter: %s",
+-                nssname, lbuf);
 +        token = strsep(&srv_buf, delim);
-+    }
-+
+     }
+-    fclose(conf);
+ 
 +    return 0;
 +}
 +
@@ -486,11 +493,8 @@ index 79e62b9..ecfa0b0 100644
 +                    priv = 0;
 +                    syslog(LOG_WARNING, "%s: user_priv %d out of range",
 +                        nssname, priv);
-                 }
-             }
--            else {
--                syslog(LOG_WARNING, "%s: maximum number of servers (%d) "
--                    "exceeded, skipping", nssname, TAC_PLUS_MAXSERVERS);
++                }
++            }
 +            else if(!strncmp(token, "pw_info=", 8)) {
 +                if(!info)
 +                    info = strdup(token + 8);
@@ -505,15 +509,11 @@ index 79e62b9..ecfa0b0 100644
 +            else if(!strncmp(token, "shell=", 6)) {
 +                if(!shell)
 +                    shell = strdup(token + 6);
-             }
-         }
--        else if(debug) /* ignore unrecognized lines, unless debug on */
--            syslog(LOG_WARNING, "%s: unrecognized parameter: %s",
--                nssname, lbuf);
++            }
++        }
 +        token = strsep(&buf, delim);
-     }
--    fclose(conf);
- 
++    }
++
 +    if(priv && gid && info && group && shell) {
 +        useradd_info_t *user = &useradd_grp_list[priv];
 +        if(user->info)
@@ -588,7 +588,6 @@ index 79e62b9..ecfa0b0 100644
 +    FILE *fp;
 +    char buf[512] = {0};
 +
-+    init_useradd_info();
 +    fp = fopen(file, "r");
 +    if(!fp) {
 +        syslog(LOG_ERR, "%s: %s fopen failed", nssname, file);
@@ -647,7 +646,7 @@ index 79e62b9..ecfa0b0 100644
  }
  
  /*
-@@ -324,15 +304,13 @@ static void print_servers(void)
+@@ -324,15 +309,13 @@ static void print_servers(void)
   */
  static int
  pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw,
@@ -667,7 +666,7 @@ index 79e62b9..ecfa0b0 100644
  
      needlen = usename ? strlen(usename) + 1 : 1 +
          srcpw->pw_dir ? strlen(srcpw->pw_dir) + 1 : 1 +
-@@ -341,8 +319,8 @@ pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw,
+@@ -341,8 +324,8 @@ pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw,
          srcpw->pw_passwd ? strlen(srcpw->pw_passwd) + 1 : 1;
      if(needlen > len) {
          if(debug)
@@ -678,7 +677,7 @@ index 79e62b9..ecfa0b0 100644
          return 1;
      }
  
-@@ -354,21 +332,14 @@ pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw,
+@@ -354,21 +337,14 @@ pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw,
      cnt++; /* allow for null byte also */
      buf += cnt;
      len -= cnt;
@@ -702,7 +701,7 @@ index 79e62b9..ecfa0b0 100644
      cnt++;
      buf += cnt;
      len -= cnt;
-@@ -377,148 +348,227 @@ pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw,
+@@ -377,148 +353,227 @@ pwcopy(char *buf, size_t len, struct passwd *srcpw, struct passwd *destpw,
      cnt++;
      buf += cnt;
      len -= cnt;
@@ -875,8 +874,7 @@ index 79e62b9..ecfa0b0 100644
 +        syslog(LOG_ERR, "%s: %s fopen failed", nssname, user_conf);
 +        return -1;
 +    }
- 
--    if(!tacuser) {
++
 +    while(fgets(buf, sizeof buf, fp)) {
 +        if('#' == *buf || isspace(*buf))
 +            continue;
@@ -888,7 +886,8 @@ index 79e62b9..ecfa0b0 100644
 +            break;
 +        }
 +    }
-+
+ 
+-    if(!tacuser) {
 +    /*
 +     * If user is found in user_conf, it means that getpwnam is called by
 +     * useradd in this NSS module.
@@ -911,7 +910,7 @@ index 79e62b9..ecfa0b0 100644
 +        syslog(LOG_ERR, "%s: %s write local user failed", nssname, name);
 +        fclose(fp);
 +        return -1;
-+    }
+     }
 +    fclose(fp);
 +
 +    lvl = level;
@@ -937,7 +936,13 @@ index 79e62b9..ecfa0b0 100644
 +
 +    return -1;
 +}
-+
+ 
+-    pb->pw->pw_name = NULL; /* be paranoid */
+-    for(ret = 1; ret && (ent = fgetpwent(pwfile)); ) {
+-        if(!ent->pw_name)
+-            continue; /* shouldn't happen */
+-        if(!strcmp(ent->pw_name, tacuser)) {
+-            ret = pwcopy(pb->buf, pb->buflen, ent, pb->pw, logname, usetachome);
 +/*
 + * Lookup user in /etc/passwd, and fill up passwd info if found.
 + */
@@ -950,14 +955,8 @@ index 79e62b9..ecfa0b0 100644
 +    if(!username) {
 +        syslog(LOG_ERR, "%s: username invalid in check passwd", nssname);
 +        return -1;
-     }
- 
--    pb->pw->pw_name = NULL; /* be paranoid */
--    for(ret = 1; ret && (ent = fgetpwent(pwfile)); ) {
--        if(!ent->pw_name)
--            continue; /* shouldn't happen */
--        if(!strcmp(ent->pw_name, tacuser)) {
--            ret = pwcopy(pb->buf, pb->buflen, ent, pb->pw, logname, usetachome);
++    }
++
 +    fp = fopen("/etc/passwd", "r");
 +    if(!fp) {
 +        syslog(LOG_ERR, "%s: /etc/passwd fopen failed", nssname);
@@ -1041,15 +1040,15 @@ index 79e62b9..ecfa0b0 100644
  
      return ret;
  }
-@@ -532,6 +582,7 @@ static int
+@@ -532,6 +587,7 @@ static int
  got_tacacs_user(struct tac_attrib *attr, struct pwbuf *pb)
  {
      unsigned long priv_level = 0;
 +    int ret;
  
      while(attr != NULL)  {
          /* we are looking for the privilege attribute, can be in several forms,
-@@ -550,14 +601,20 @@ got_tacacs_user(struct tac_attrib *attr, struct pwbuf *pb)
+@@ -550,14 +606,20 @@ got_tacacs_user(struct tac_attrib *attr, struct pwbuf *pb)
              /* if this fails, we leave priv_level at 0, which is
               * least privileged, so that's OK, but at least report it
               */
@@ -1074,7 +1073,7 @@ index 79e62b9..ecfa0b0 100644
  }
  
  /*
-@@ -570,9 +627,13 @@ connect_tacacs(struct tac_attrib **attr, int srvr)
+@@ -570,9 +632,13 @@ connect_tacacs(struct tac_attrib **attr, int srvr)
  {
      int fd;
  
@@ -1089,7 +1088,7 @@ index 79e62b9..ecfa0b0 100644
          tac_add_attrib(attr, "service", tac_service);
          if(tac_protocol[0])
              tac_add_attrib(attr, "protocol", tac_protocol);
-@@ -598,52 +659,25 @@ lookup_tacacs_user(struct pwbuf *pb)
+@@ -598,52 +664,25 @@ lookup_tacacs_user(struct pwbuf *pb)
  {
      struct areply arep;
      int ret = 1, done = 0;
@@ -1149,7 +1148,7 @@ index 79e62b9..ecfa0b0 100644
                      tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", ret,
                      pb->name);
          }
-@@ -668,14 +702,11 @@ lookup_tacacs_user(struct pwbuf *pb)
+@@ -668,14 +707,11 @@ lookup_tacacs_user(struct pwbuf *pb)
          if(arep.status == AUTHOR_STATUS_PASS_ADD ||
             arep.status == AUTHOR_STATUS_PASS_REPL) {
              ret = got_tacacs_user(arep.attr, pb);
@@ -1166,7 +1165,7 @@ index 79e62b9..ecfa0b0 100644
              done = 1; /* break out of loop after arep cleanup */
          }
          else {
-@@ -685,6 +716,10 @@ lookup_tacacs_user(struct pwbuf *pb)
+@@ -685,6 +721,10 @@ lookup_tacacs_user(struct pwbuf *pb)
                      " invalid (%d)", nssname,
                      tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name,
                      arep.status);
@@ -1177,7 +1176,7 @@ index 79e62b9..ecfa0b0 100644
          }
          if(arep.msg)
              free(arep.msg);
-@@ -692,30 +727,12 @@ lookup_tacacs_user(struct pwbuf *pb)
+@@ -692,30 +732,12 @@ lookup_tacacs_user(struct pwbuf *pb)
              tac_free_attrib(&arep.attr);
      }
  
@@ -1210,7 +1209,7 @@ index 79e62b9..ecfa0b0 100644
   *
   * We try the lookup to the tacacs server first.  If we can't make a
   * connection to the server for some reason, we also try looking up
-@@ -730,20 +747,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
+@@ -730,20 +752,26 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
      int result;
      struct pwbuf pbuf;
  
@@ -1225,6 +1224,7 @@ index 79e62b9..ecfa0b0 100644
 +        return NSS_STATUS_NOTFOUND;
  
 -    get_remote_addr();
++    init_useradd_info();
 +    result = parse_config(config_file);
  
 -    if(result) { /* no config file, no servers, etc. */
@@ -1245,7 +1245,7 @@ index 79e62b9..ecfa0b0 100644
          /* marshal the args for the lower level functions */
          pbuf.name = (char *)name;
          pbuf.pw = pw;
-@@ -751,126 +773,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
+@@ -751,126 +779,14 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
          pbuf.buflen = buflen;
          pbuf.errnop = errnop;
  
@@ -1346,6 +1346,7 @@ index 79e62b9..ecfa0b0 100644
 -    else if((auid != (uid_t)-1 || session != ~0U) &&
 -        !lookup_mapped_uid(&pb, uid, (uid_t)-1, ~0))
 -        status = NSS_STATUS_SUCCESS;
++    free_useradd_info();
      return status;
  }
 -
@@ -1479,4 +1480,5 @@ index bb4eb1e..7cb756f 100644
 +# Default: many_to_one=n
 +# many_to_one=y
 -- 
-2.7.4
+2.49.0
+
diff --git a/src/tacacs/nss/patch/0013-Partial-memleak-fix-due-to-unfreed-strdup.patch b/src/tacacs/nss/patch/0013-Partial-memleak-fix-due-to-unfreed-strdup.patch
diff --git a/src/tacacs/nss/patch/series b/src/tacacs/nss/patch/series
@@ -10,4 +10,3 @@
 0010-Send-remote-address-in-TACACS-authorization-message.patch
 0011-Replace-popen-shell-execution-with-safer-execle.patch
 0012-fix-compile-error-conditionals.patch
-0013-Partial-memleak-fix-due-to-unfreed-strdup.patch
