From ba32c1cf2612f4c343dce9551c242ea504cb9da1 Mon Sep 17 00:00:00 2001
From: Karol Lewandowski
Date: Thu, 13 Sep 2018 14:32:49 +0200
Subject: [PATCH] Hack: Always check /etc/{passwd,shadow} in addition to defined files

When some users (eg. owner) might be in /opt/etc/passwd and some ("non-stock") are added to /opt/etc/passwd it means we have to check both files. Please note group is taken from /etc/group only. Group membership must not be managed by GUM due to the fact that assigning user to given group requires altering file which defines the group. Eg. to add new user to system group 'audio' we would need to modify /etc/group. This breaks the requirement for rootfs to be read-only.

Change-Id: Ic63605b5f3964f166d3d5cf5332d5ee5175a7d18
---
 src/daemon/core/gumd-daemon-group.c | 17 ++++++++++++-----
 src/daemon/core/gumd-daemon-user.c | 31 +++++++++++++++++++++----------
 2 files changed, 33 insertions(+), 15 deletions(-)

diff --git a/src/daemon/core/gumd-daemon-group.c b/src/daemon/core/gumd-daemon-group.c
index 6b1213e..4b500c9 100644
--- a/src/daemon/core/gumd-daemon-group.c
+++ b/src/daemon/core/gumd-daemon-group.c
@@ -923,7 +923,10 @@ gumd_daemon_group_delete (
 * remaining user. i.e. scan through pwent and see if it is still
 * being used as primary group by any user. */
- if (gum_file_find_user_by_gid (self->priv->group->gr_gid,
+
+ /* XXX Forcibly check /etc/passwd (multiple db support) */
+ if (gum_file_find_user_by_gid (self->priv->group->gr_gid, "/etc/passwd") != NULL ||
+ gum_file_find_user_by_gid (self->priv->group->gr_gid,
 gum_config_get_string (self->priv->config, GUM_CONFIG_GENERAL_PASSWD_FILE)) != NULL) {
 gum_lock_pwdf_unlock ();
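Review bot: The literal "/etc/passwd" in the new gum_file_find_user_by_gid call is repeated by hand in every hunk of this patch (gumd_daemon_group_add_member, gumd_daemon_group_delete_member, _find_free_uid, _set_uid, _get_passwd and gumd_daemon_user_get_uid_by_name repeat it, and _copy_passwd_data and gumd_daemon_user_update do the same with "/etc/shadow"), so the set of databases consulted and their order are defined nine times instead of once. A file-level constant such as `static const char *const STOCK_PASSWD_FILE = "/etc/passwd";` plus one static helper per lookup kind (taking `self` and the uid or name, trying the stock file and then the configured one) would keep that policy in a single place and make the XXX markers easy to retire later. When GUM_CONFIG_GENERAL_PASSWD_FILE itself resolves to /etc/passwd, the new condition also parses the same file twice on every delete. gumd_daemon_group_delete's body starts and ends outside the hunk.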
@@ -1065,8 +1068,10 @@ gumd_daemon_group_add_member (
 "Database already locked", error, FALSE);
 }
- if ((pent = gum_file_getpwuid (uid, gum_config_get_string (
- self->priv->config, GUM_CONFIG_GENERAL_PASSWD_FILE))) == NULL) {
+ /* XXX Forcibly check /etc/passwd (multiple db support) */
+ pent = gum_file_getpwuid (uid, "/etc/passwd") ?:
+ gum_file_getpwuid (uid, gum_config_get_string (self->priv->config, GUM_CONFIG_GENERAL_PASSWD_FILE));
+ if (pent == NULL) {
 gum_lock_pwdf_unlock ();
 GUM_RETURN_WITH_ERROR (GUM_ERROR_USER_NOT_FOUND, "User not found", error, FALSE);
@@ -1145,8 +1150,10 @@ gumd_daemon_group_delete_member (
 "Database already locked", error, FALSE);
 }
- if ((pent = gum_file_getpwuid (uid, gum_config_get_string (
- self->priv->config, GUM_CONFIG_GENERAL_PASSWD_FILE))) == NULL) {
+ /* XXX Forcibly check /etc/passwd (multiple db support) */
+ pent = gum_file_getpwuid (uid, "/etc/passwd") ?:
+ gum_file_getpwuid (uid, gum_config_get_string (self->priv->config, GUM_CONFIG_GENERAL_PASSWD_FILE));
+ if (pent == NULL) {
 gum_lock_pwdf_unlock ();
 GUM_RETURN_WITH_ERROR (GUM_ERROR_USER_NOT_FOUND, "User not found", error, FALSE);
diff --git a/src/daemon/core/gumd-daemon-user.c b/src/daemon/core/gumd-daemon-user.c
index d92c4b1..d84ac84 100755
--- a/src/daemon/core/gumd-daemon-user.c
+++ b/src/daemon/core/gumd-daemon-user.c
@@ -825,7 +825,9 @@ _find_free_uid (
 /* Select the first available uid */
 tmp_uid = uid_min;
 while (tmp_uid <= uid_max) {
- if (gum_file_getpwuid (tmp_uid, gum_config_get_string (
+ /* XXX Forcibly check /etc/passwd (multiple db support) */
+ if (gum_file_getpwuid (tmp_uid, "/etc/passwd") == NULL &&
+ gum_file_getpwuid (tmp_uid, gum_config_get_string (
 self->priv->config, GUM_CONFIG_GENERAL_PASSWD_FILE)) == NULL) {
 *uid = tmp_uid;
 return TRUE;
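Review bot: With `pent = gum_file_getpwuid (uid, "/etc/passwd") ?: gum_file_getpwuid (uid, ...)` in gumd_daemon_group_add_member an entry in /etc/passwd silently wins over the configured file for a uid present in both, and nothing in the hunk reports or rejects that collision; the same stock-first ordering appears in gumd_daemon_group_delete_member, _get_passwd and gumd_daemon_user_get_uid_by_name, whereas _find_free_uid and _set_uid correctly treat both files as authoritative when allocating. The commit message says the stock files live on a read-only rootfs, so a uid or name that exists in both databases is a state the daemon cannot repair; it would be safer to query both files and fail with an explicit error (or at least log) when they disagree, rather than letting the choice depend on lookup order. `?:` is a GNU extension, which is fine if the project already builds GCC-only, but a short comment on the first use would save the next reader a lookup. gumd_daemon_group_add_member's body starts and ends outside the hunk.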
@@ -845,7 +847,9 @@ _set_uid (
 return FALSE;
 }
- if (gum_file_getpwnam (self->priv->pw->pw_name, gum_config_get_string (
+ /* XXX Forcibly check /etc/passwd (multiple db support) */
+ if (gum_file_getpwnam (self->priv->pw->pw_name, "/etc/passwd") != NULL ||
+ gum_file_getpwnam (self->priv->pw->pw_name, gum_config_get_string (
 self->priv->config, GUM_CONFIG_GENERAL_PASSWD_FILE)) != NULL) {
 GUM_RETURN_WITH_ERROR (GUM_ERROR_USER_ALREADY_EXISTS,
@@ -1455,17 +1459,19 @@ _get_passwd (
 /* If uid or name is set, get the passwd accordingly along with basic
 * checks */
+ /* XXX Forcibly check /etc/passwd (multiple db support) */
 if (self->priv->pw->pw_uid != GUM_USER_INVALID_UID) {
 s_uid = self->priv->pw->pw_uid;
- pwd = gum_file_getpwuid (s_uid, gum_config_get_string (
+ pwd = gum_file_getpwuid (s_uid, "/etc/passwd") ?: gum_file_getpwuid (s_uid, gum_config_get_string (
 self->priv->config, GUM_CONFIG_GENERAL_PASSWD_FILE));
 }
 if (self->priv->pw->pw_name) {
 s_name = self->priv->pw->pw_name;
 if (!pwd) {
- pwd = gum_file_getpwnam (s_name, gum_config_get_string (
- self->priv->config, GUM_CONFIG_GENERAL_PASSWD_FILE));
+ /* XXX Forcibly check /etc/passwd (multiple db support) */
+ pwd = gum_file_getpwnam (s_name, "/etc/passwd") ?:
+ gum_file_getpwnam (s_name, gum_config_get_string (self->priv->config, GUM_CONFIG_GENERAL_PASSWD_FILE));
 }
 }
@@ -1532,7 +1538,8 @@ _copy_passwd_data (
 if ((pent = _get_passwd (self, error)) == NULL) {
 return FALSE;
 }
- spent = gum_file_getspnam (pent->pw_name, gum_config_get_string (
+ /* XXX Forcibly check /etc/shadow (multiple db support) */
+ spent = gum_file_getspnam (pent->pw_name, "/etc/shadow") ?: gum_file_getspnam (pent->pw_name, gum_config_get_string (
 self->priv->config, GUM_CONFIG_GENERAL_SHADOW_FILE));
 if (!spent) {
 GUM_RETURN_WITH_ERROR (GUM_ERROR_USER_NOT_FOUND, "User not found",
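Review bot: In _copy_passwd_data the shadow record is now taken from /etc/shadow first regardless of which passwd file `pent` came from, so a user defined in the configured passwd file whose name also exists in /etc/shadow gets the stock shadow entry (password hash and ageing fields) paired with the non-stock passwd entry; gumd_daemon_user_update pairs its `shadow` lookup the same way. The passwd and shadow halves should come from the same database: have _get_passwd record which file matched (an out-parameter, or a field on `self->priv`) and query only the shadow file that pairs with it. If the lookup is meant to stay stock-first, say so next to it, e.g. `/* shadow is resolved stock-first on purpose; must mirror the passwd lookup order in _get_passwd */`. _copy_passwd_data's body starts and ends outside the hunk.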
@@ -1981,8 +1988,10 @@ gumd_daemon_user_update (
 return FALSE;
 }
- if ((shadow = gum_file_getspnam (pw->pw_name, gum_config_get_string (
- self->priv->config, GUM_CONFIG_GENERAL_SHADOW_FILE))) == NULL) {
+ /* XXX Forcibly check /etc/shadow (multiple db support) */
+ shadow = gum_file_getspnam (pw->pw_name, "/etc/shadow") ?:
+ gum_file_getspnam (pw->pw_name, gum_config_get_string (self->priv->config, GUM_CONFIG_GENERAL_SHADOW_FILE));
+ if (shadow == NULL) {
 gum_lock_pwdf_unlock ();
 GUM_RETURN_WITH_ERROR (GUM_ERROR_USER_NOT_FOUND, "User not found in Shadow", error, FALSE);
@@ -2109,8 +2118,10 @@ gumd_daemon_user_get_uid_by_name (
 if (!gum_lock_pwdf_lock ()) {
 return uid;
 }
- struct passwd *pwd = gum_file_getpwnam (username,
- gum_config_get_string (config, GUM_CONFIG_GENERAL_PASSWD_FILE));
+
+ /* XXX Forcibly check /etc/passwd (multiple db support) */
+ struct passwd *pwd = gum_file_getpwnam (username, "/etc/passwd") ?:
+ gum_file_getpwnam (username, gum_config_get_string (config, GUM_CONFIG_GENERAL_PASSWD_FILE));
 gum_lock_pwdf_unlock ();
 if (pwd) {
 return pwd->pw_uid;
-- 
2.7.4
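Review bot: gumd_daemon_user_update may now resolve `shadow` from /etc/shadow, yet the commit message describes the rootfs as read-only, so whatever write-back follows this lookup (outside the hunk) presumably targets the configured GUM_CONFIG_GENERAL_SHADOW_FILE and would either fail late or leave a second copy of the entry there while the stock one keeps the old hash. If updating stock users is not meant to be supported, rejecting them right after the lookup with an explicit GUM_RETURN_WITH_ERROR (after `gum_lock_pwdf_unlock ()`) would be clearer than falling into the write path; that needs the lookup to remember which file the entry came from, e.g. `gboolean from_stock = (shadow != NULL);` evaluated before the `?:` fallback. Either way a comment stating the intended behaviour for stock entries, such as `/* entries found in /etc/shadow are read-only on this system */`, belongs here. gumd_daemon_user_update's body starts and ends outside the hunk.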