Permit Subid storage by username or uid

[jcpunk]

This PR obsoletes #1570

The actual code changes are broken into smaller commits, but the test commit is still enormous.

Closes: #1554

I'm not sure the tests are well setup or have sufficient coverage.

[alejandro-colomar]

If we remove the streq(3) call, it might be interesting to also call getpwuid(3) if we get a number, to be 100% sure that the user exists.

We could add

const struct passwd *
getpw_uid_or_nam(const char *u)
{
	uid_t  uid;

	return str2i(uid_t, &uid, u) == 0 ? getpwuid(uid) : getpwnam(u);
}

in a new file pair lib/shadow/passwd/getpw.c (and .h).

And then call that here:

static bool
subid_owner_match(const char *a, const char *b)
{
	const struct passwd  *pw_a, *pw_b;

	pw_a = getpw_uid_or_nam(a);
	if (pw_a == NULL)
		return false;
	pw_b = getpw_uid_or_nam(b);
	if (pw_b == NULL)
		return false;

	return pw_a->pw_uid == pw_b->pw_uid;
}

[jcpunk]

Is that something you'd like to see in this PR, or can it be deferred to later work?

[alejandro-colomar]

It's fine for later.

[ikerexxe]

Just to make sure I understand the goal of this PR correctly. You'd like to store the user/group ID instead of the username/groupname in /etc/sub*id. File example: 1000:165536:165536 instead of jcpunk:165536:165536. Is my understanding correct?

[jcpunk]

Just to make sure I understand the goal of this PR correctly. You'd like to store the user/group ID instead of the username/groupname in /etc/sub*id. File example: 1000:165536:165536 instead of jcpunk:165536:165536. Is my understanding correct?

That is my intention.

Full disclosure, I've not be very successful at running the test suite.

[alejandro-colomar]

After tinkering with getpw_uid_or_nam(), I've been thinking that this function is really more generic than it looks.

Maybe we should call it something like is_same_user(a,b)?

It's not really constrained to subids at all. This only considers users.

[jcpunk]

Renaming to is_same_user makes a lot of sense.

For now I'd like to keep it in this same file since there is only the one user of the behavior set if that is OK. It is a general utility function, but I'm not sure how wide to make exposure.

Let me know what you'd like and I'll try to do it.

If I rename the function commits 2 and 3 will change slightly. Those have your reviewed-by on them.

[alejandro-colomar]

Yeah, keeping it in this file is fine. We can move it later if/when we find more uses of it.

A simple rename would be fine.

[alejandro-colomar]

Hmmmm, this seems to be similar to the getpw_uid_or_nam() I mentioned. Maybe we should add it already, to simplify here?

[alejandro-colomar]

const struct passwd  *pw;

pw = getpw_uid_or_nam(owner);
if (NULL == pw) {
	errno = ENOENT;  // I think this should actually be set within getpw_uid_or_nam().
	return 0;
}
owner_uid = pw->pw_uid;

[jcpunk]

I don't have any real grip on how the lib directory is sorted...

Would that follow the behavior of getpwnam via some sort of xgetpw_uid_or_nam.c?

In that I make xgetpw_uid_or_nam.c which would look like:

/* comment */
# include headers

const struct passwd *
getpw_uid_or_nam(const char *u)
{
	uid_t  uid;

	return str2i(uid_t, &uid, u) == 0 ? getpwuid(uid) : getpwnam(u);
}

And add it to prototypes.h and Makefile.am?

Or since you wrote it would you rather put in the code yourself and have me rebase off that?

[alejandro-colomar]

I could write the code myself. That will make it easier for you. Thanks!

[alejandro-colomar]

Please pick the patch from here into your PR:

• lib/shadow/passwd/: getpw_uid_or_nam(): Add function #1577