nsswitch: Don't enumerate all domains with wbinfo -u|-g.

By default wbinfo -u|-g should only enumerate the domain winbindd is
joined to. The command can be harmfull if you have e.g. 30 domains and
700k users. Then the parent will collect all information and the
oom-killer will kill winbind. As we still want to support it, you can
enable it the old behaviour with wbinfo --domain='*' -u. This is
a measure that sysadmins don't shoot themself.

https://bugzilla.samba.org/show_bug.cgi?id=10034

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 11:54:58 CEST 2013 on sn-devel-104

diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
index e0d2b6a74082f9024b64fcd3d3adb9546885e38c..f970a5e36100fe753305d3ef3d9f3b9a625d3b91 100644 (file)
--- a/docs-xml/manpages/wbinfo.1.xml
+++ b/docs-xml/manpages/wbinfo.1.xml
@@ -146,8 +146,9 @@
                <listitem><para>This parameter sets the domain on which any specified
                operations will performed.  If special domain name '.' is used to represent
                the current domain to which <citerefentry><refentrytitle>winbindd</refentrytitle>
-               <manvolnum>8</manvolnum></citerefentry> belongs.  Currently only the
-               <option>-u</option>, and <option>-g</option> options honor this parameter.
+               <manvolnum>8</manvolnum></citerefentry> belongs. A '*' as the domain name
+               means to enumerate over all domains (NOTE: This can take a long time and use
+               a lot of memory).
                </para></listitem>
                </varlistentry>
 
@@ -181,7 +182,7 @@
                <listitem><para>This option will list all groups available
                in the Windows NT domain for which the <citerefentry><refentrytitle>samba</refentrytitle>
                <manvolnum>7</manvolnum></citerefentry> daemon is operating in. Groups in all trusted domains
-               will also be listed.  Note that this operation does not assign
+               can be listed with the --domain='*' option.  Note that this operation does not assign
                group ids to any groups that have not already been
                seen by <citerefentry><refentrytitle>winbindd</refentrytitle>
                <manvolnum>8</manvolnum></citerefentry>. </para></listitem>
@@ -390,7 +391,7 @@
                <listitem><para>This option will list all users available
                in the Windows NT domain for which the <citerefentry><refentrytitle>winbindd</refentrytitle>
                <manvolnum>8</manvolnum></citerefentry> daemon is operating in. Users in all trusted domains
-               will also be listed.  Note that this operation does not assign
+               can be listed with the --domain='*' option.  Note that this operation does not assign
                user ids to any users that have not already been seen by <citerefentry>
                <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                .</para></listitem>

diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 1d1557dcb1d0601cf390bc045d78c193e3ca1dcb..a1ca7fc57418f7b3a8317b52c75732b357e8d74f 100644 (file)
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1926,9 +1926,16 @@ static bool print_domain_users(const char *domain)
 
        /* Send request to winbind daemon */
 
-       /* '.' is the special sign for our own domain */
-       if (domain && strcmp(domain, ".") == 0) {
+       if (domain == NULL) {
                domain = get_winbind_domain();
+       } else {
+               /* '.' is the special sign for our own domain */
+               if ((domain[0] == '\0') || strcmp(domain, ".") == 0) {
+                       domain = get_winbind_domain();
+               /* '*' is the special sign for all domains */
+               } else if (strcmp(domain, "*") == 0) {
+                       domain = NULL;
+               }
        }
 
        wbc_status = wbcListUsers(domain, &num_users, &users);
@@ -1956,9 +1963,16 @@ static bool print_domain_groups(const char *domain)
 
        /* Send request to winbind daemon */
 
-       /* '.' is the special sign for our own domain */
-       if (domain && strcmp(domain, ".") == 0) {
+       if (domain == NULL) {
                domain = get_winbind_domain();
+       } else {
+               /* '.' is the special sign for our own domain */
+               if ((domain[0] == '\0') || strcmp(domain, ".") == 0) {
+                       domain = get_winbind_domain();
+               /* '*' is the special sign for all domains */
+               } else if (strcmp(domain, "*") == 0) {
+                       domain = NULL;
+               }
        }
 
        wbc_status = wbcListGroups(domain, &num_groups, &groups);