diff -up shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/nss.c --- shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.772741048 +0200 +++ shadow-4.8.1/lib/nss.c 2021-05-25 09:37:14.782741188 +0200 @@ -116,14 +116,6 @@ void nss_init(char *nsswitch_path) { subid_nss = NULL; goto done; } - subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range"); - if (!subid_nss->has_any_range) { - fprintf(shadow_logfd, "%s did not provide @has_any_range@\n", libname); - dlclose(h); - free(subid_nss); - subid_nss = NULL; - goto done; - } subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners"); if (!subid_nss->find_subid_owners) { fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname); diff -up shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/prototypes.h --- shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200 +++ shadow-4.8.1/lib/prototypes.h 2021-05-25 09:37:14.782741188 +0200 @@ -279,18 +279,6 @@ extern bool nss_is_initialized(); struct subid_nss_ops { /* - * nss_has_any_range: does a user own any subid range - * - * @owner: username - * @idtype: subuid or subgid - * @result: true if a subid allocation was found for @owner - * - * returns success if the module was able to determine an answer (true or false), - * else an error status. - */ - enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result); - - /* * nss_has_range: does a user own a given subid range * * @owner: username diff -up shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.c --- shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200 +++ shadow-4.8.1/lib/subordinateio.c 2021-05-25 09:37:14.782741188 +0200 @@ -598,19 +598,8 @@ int sub_uid_open (int mode) return commonio_open (&subordinate_uid_db, mode); } -bool sub_uid_assigned(const char *owner) +bool local_sub_uid_assigned(const char *owner) { - struct subid_nss_ops *h; - bool found; - enum subid_status status; - h = get_subid_nss_handle(); - if (h) { - status = h->has_any_range(owner, ID_TYPE_UID, &found); - if (status == SUBID_STATUS_SUCCESS && found) - return true; - return false; - } - return range_exists (&subordinate_uid_db, owner); } @@ -720,18 +709,8 @@ bool have_sub_gids(const char *owner, gi return have_range(&subordinate_gid_db, owner, start, count); } -bool sub_gid_assigned(const char *owner) +bool local_sub_gid_assigned(const char *owner) { - struct subid_nss_ops *h; - bool found; - enum subid_status status; - h = get_subid_nss_handle(); - if (h) { - status = h->has_any_range(owner, ID_TYPE_GID, &found); - if (status == SUBID_STATUS_SUCCESS && found) - return true; - return false; - } return range_exists (&subordinate_gid_db, owner); } diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.h --- shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.780741160 +0200 +++ shadow-4.8.1/lib/subordinateio.h 2021-05-25 09:37:14.782741188 +0200 @@ -16,7 +16,7 @@ extern int sub_uid_close(void); extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count); extern bool sub_uid_file_present (void); -extern bool sub_uid_assigned(const char *owner); +extern bool local_sub_uid_assigned(const char *owner); extern int sub_uid_lock (void); extern int sub_uid_setdbname (const char *filename); extern /*@observer@*/const char *sub_uid_dbname (void); @@ -34,7 +34,7 @@ extern void free_subordinate_ranges(stru extern int sub_gid_close(void); extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count); extern bool sub_gid_file_present (void); -extern bool sub_gid_assigned(const char *owner); +extern bool local_sub_gid_assigned(const char *owner); extern int sub_gid_lock (void); extern int sub_gid_setdbname (const char *filename); extern /*@observer@*/const char *sub_gid_dbname (void); diff -up shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/src/newusers.c --- shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids 2021-05-25 09:37:14.776741104 +0200 +++ shadow-4.8.1/src/newusers.c 2021-05-25 09:37:25.955897160 +0200 @@ -1021,6 +1021,24 @@ static void close_files (void) #endif /* ENABLE_SUBIDS */ } +static bool want_subuids(void) +{ + if (get_subid_nss_handle() != NULL) + return false; + if (getdef_ulong ("SUB_UID_COUNT", 65536) == 0) + return false; + return true; +} + +static bool want_subgids(void) +{ + if (get_subid_nss_handle() != NULL) + return false; + if (getdef_ulong ("SUB_GID_COUNT", 65536) == 0) + return false; + return true; +} + int main (int argc, char **argv) { char buf[BUFSIZ]; @@ -1250,7 +1268,7 @@ int main (int argc, char **argv) /* * Add subordinate uids if the user does not have them. */ - if (is_sub_uid && !sub_uid_assigned(fields[0])) { + if (is_sub_uid && want_subuids() && !local_sub_uid_assigned(fields[0])) { uid_t sub_uid_start = 0; unsigned long sub_uid_count = 0; if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) { @@ -1270,7 +1288,7 @@ int main (int argc, char **argv) /* * Add subordinate gids if the user does not have them. */ - if (is_sub_gid && !sub_gid_assigned(fields[0])) { + if (is_sub_gid && want_subgids() && !local_sub_gid_assigned(fields[0])) { gid_t sub_gid_start = 0; unsigned long sub_gid_count = 0; if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {