From 6672978f340fdd6b56a920f4f15e7b0147f17f66 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 17 Jul 2013 16:13:22 +0200 Subject: [PATCH] nsswitch: Don't enumerate all domains with wbinfo -u|-g. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit By default wbinfo -u|-g should only enumerate the domain winbindd is joined to. The command can be harmfull if you have e.g. 30 domains and 700k users. Then the parent will collect all information and the oom-killer will kill winbind. As we still want to support it, you can enable it the old behaviour with wbinfo --domain='*' -u. This is a measure that sysadmins don't shoot themself. https://bugzilla.samba.org/show_bug.cgi?id=10034 Signed-off-by: Andreas Schneider Reviewed-by: Volker Lendecke Reviewed-by: Günther Deschner Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Jul 18 11:54:58 CEST 2013 on sn-devel-104 (cherry picked from commit 33bce26fcf2e82b9c381eeb32e1d731d3965e22f) --- docs-xml/manpages/wbinfo.1.xml | 9 +++++---- nsswitch/wbinfo.c | 22 ++++++++++++++++++---- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml index d886082..5b0045a 100644 --- a/docs-xml/manpages/wbinfo.1.xml +++ b/docs-xml/manpages/wbinfo.1.xml @@ -146,8 +146,9 @@ This parameter sets the domain on which any specified operations will performed. If special domain name '.' is used to represent the current domain to which winbindd - 8 belongs. Currently only the - , and options honor this parameter. + 8 belongs. A '*' as the domain name + means to enumerate over all domains (NOTE: This can take a long time and use + a lot of memory). 
@@ -181,7 +182,7 @@ This option will list all groups available in the Windows NT domain for which the samba 7 daemon is operating in. Groups in all trusted domains - will also be listed. Note that this operation does not assign + can be listed with the --domain='*' option. Note that this operation does not assign group ids to any groups that have not already been seen by winbindd 8. @@ -390,7 +391,7 @@ This option will list all users available in the Windows NT domain for which the winbindd 8 daemon is operating in. Users in all trusted domains - will also be listed. Note that this operation does not assign + can be listed with the --domain='*' option. Note that this operation does not assign user ids to any users that have not already been seen by winbindd8 . diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c index 1d1557d..a1ca7fc 100644 --- a/nsswitch/wbinfo.c +++ b/nsswitch/wbinfo.c @@ -1926,9 +1926,16 @@ static bool print_domain_users(const char *domain) /* Send request to winbind daemon */ - /* '.' is the special sign for our own domain */ - if (domain && strcmp(domain, ".") == 0) { + if (domain == NULL) { domain = get_winbind_domain(); + } else { + /* '.' is the special sign for our own domain */ + if ((domain[0] == '\0') || strcmp(domain, ".") == 0) { + domain = get_winbind_domain(); + /* '*' is the special sign for all domains */ + } else if (strcmp(domain, "*") == 0) { + domain = NULL; + } } wbc_status = wbcListUsers(domain, &num_users, &users); 
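Review bot: After this change NULL is the value that tells `wbcListUsers` to enumerate every domain, yet both the `domain == NULL` branch and the `'.'`/empty-string branch assign the result of `get_winbind_domain()` without checking it. That helper is not shown in the hunk; if it can return NULL on failure, a plain `wbinfo -u` would silently fall through to the all-domain enumeration that this commit is meant to make opt-in. Recording the explicit request first, `bool all_domains = (domain != NULL && strcmp(domain, "*") == 0);`, and bailing out before the list call with `if (!all_domains && domain == NULL) { return false; }` would keep the memory-heavy path reachable only through `--domain='*'`. The identical block added to `print_domain_groups` in the next hunk needs the same guard. The body of `print_domain_users` continues outside the hunk.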
@@ -1956,9 +1963,16 @@ static bool print_domain_groups(const char *domain)
 /* Send request to winbind daemon */
- /* '.' is the special sign for our own domain */
- if (domain && strcmp(domain, ".") == 0) {
+ if (domain == NULL) {
 domain = get_winbind_domain();
+ } else {
+ /* '.' is the special sign for our own domain */
+ if ((domain[0] == '\0') || strcmp(domain, ".") == 0) {
+ domain = get_winbind_domain();
+ /* '*' is the special sign for all domains */
+ } else if (strcmp(domain, "*") == 0) {
+ domain = NULL;
+ }
 }
 wbc_status = wbcListGroups(domain, &num_groups, &groups);
-- 1.8.3.1
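Review bot: This normalisation block is a line-for-line copy of the one added to `print_domain_users`, so the rule that decides when the memory-heavy all-domain enumeration runs now lives in two places that can drift apart. A small static helper that maps the `--domain` argument to the value passed to `wbcListUsers`/`wbcListGroups` would keep that decision in one place. It would also let the `'*'` comment sit inside the branch it describes rather than at the tail of the preceding `if` body, and give a place to document that an empty string is treated like `'.'`. The helper name below is only a suggestion, and the body of `print_domain_groups` continues outside the hunk.

```c
/* Map the --domain argument to what wbcListUsers()/wbcListGroups() expect. */
static const char *enum_domain_arg(const char *domain)
{
	/* No argument, "" and "." all select the domain winbindd is joined to. */
	if (domain == NULL || domain[0] == '\0' || strcmp(domain, ".") == 0) {
		return get_winbind_domain();
	}

	/* "*" selects every domain, which the list calls take as NULL. */
	if (strcmp(domain, "*") == 0) {
		return NULL;
	}

	return domain;
}

/* … unchanged: start of print_domain_groups … */
	domain = enum_domain_arg(domain);
	wbc_status = wbcListGroups(domain, &num_groups, &groups);
```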