xref: /freebsd-10-stable/lib/libc/gen/getpwent.c

/*-
 * Copyright (c) 2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by
 * Jacques A. Vidrine, Safeport Network Services, and Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 */
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: head/lib/libc/gen/getpwent.c 128537 2004-04-21 21:15:08Z jon $");

#include "namespace.h"
#include <sys/param.h>
#ifdef YP
#include <rpc/rpc.h>
#include <rpcsvc/yp_prot.h>
#include <rpcsvc/ypclnt.h>
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#ifdef HESIOD
#include <hesiod.h>
#endif
#include <netdb.h>
#include <nsswitch.h>
#include <pthread.h>
#include <pthread_np.h>
#include <pwd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include "un-namespace.h"
#include <db.h>
#include "libc_private.h"
#include "pw_scan.h"
#include "nss_tls.h"

#ifndef CTASSERT
#define CTASSERT(x)		_CTASSERT(x, __LINE__)
#define _CTASSERT(x, y)		__CTASSERT(x, y)
#define __CTASSERT(x, y)	typedef char __assert_ ## y [(x) ? 1 : -1]
#endif

/* Counter as stored in /etc/pwd.db */
typedef	int		pwkeynum;

CTASSERT(MAXLOGNAME > sizeof(uid_t));
CTASSERT(MAXLOGNAME > sizeof(pwkeynum));

enum constants {
	PWD_STORAGE_INITIAL	= 1 << 10, /* 1 KByte */
	PWD_STORAGE_MAX		= 1 << 20, /* 1 MByte */
	SETPWENT		= 1,
	ENDPWENT		= 2,
	HESIOD_NAME_MAX		= 256
};

static const ns_src defaultsrc[] = {
	{ NSSRC_COMPAT, NS_SUCCESS },
	{ NULL, 0 }
};

int	__pw_match_entry(const char *, size_t, enum nss_lookup_type,
	    const char *, uid_t);
int	__pw_parse_entry(char *, size_t, struct passwd *, int, int *errnop);

static	void	 pwd_init(struct passwd *);

union key {
	const char	*name;
	uid_t		 uid;
};

static	struct passwd *getpw(int (*fn)(union key, struct passwd *, char *,
		    size_t, struct passwd **), union key);
static	int	 wrap_getpwnam_r(union key, struct passwd *, char *,
		    size_t, struct passwd **);
static	int	 wrap_getpwuid_r(union key, struct passwd *, char *, size_t,
		    struct passwd **);
static	int	 wrap_getpwent_r(union key, struct passwd *, char *, size_t,
		    struct passwd **);

static	int	 pwdb_match_entry_v3(char *, size_t, enum nss_lookup_type,
		    const char *, uid_t);
static	int	 pwdb_parse_entry_v3(char *, size_t, struct passwd *, int *);
static	int	 pwdb_match_entry_v4(char *, size_t, enum nss_lookup_type,
		    const char *, uid_t);
static	int	 pwdb_parse_entry_v4(char *, size_t, struct passwd *, int *);


struct {
	int	(*match)(char *, size_t, enum nss_lookup_type, const char *,
		    uid_t);
	int	(*parse)(char *, size_t, struct passwd *, int *);
} pwdb_versions[] = {
	{ NULL, NULL },					/* version 0 */
	{ NULL, NULL },					/* version 1 */
	{ NULL, NULL },					/* version 2 */
	{ pwdb_match_entry_v3, pwdb_parse_entry_v3 },	/* version 3 */
	{ pwdb_match_entry_v4, pwdb_parse_entry_v4 },	/* version 4 */
};


struct files_state {
	DB		*db;
	pwkeynum	 keynum;
	int		 stayopen;
	int		 version;
};
static	void	files_endstate(void *);
NSS_TLS_HANDLING(files);
static	DB	*pwdbopen(int *);
static	void	 files_endstate(void *);
static	int	 files_setpwent(void *, void *, va_list);
static	int	 files_passwd(void *, void *, va_list);


#ifdef HESIOD
struct dns_state {
	long	counter;
};
static	void	dns_endstate(void *);
NSS_TLS_HANDLING(dns);
static	int	 dns_setpwent(void *, void *, va_list);
static	int	 dns_passwd(void *, void *, va_list);
#endif


#ifdef YP
struct nis_state {
	char	 domain[MAXHOSTNAMELEN];
	int	 done;
	char	*key;
	int	 keylen;
};
static	void	 nis_endstate(void *);
NSS_TLS_HANDLING(nis);
static	int	 nis_setpwent(void *, void *, va_list);
static	int	 nis_passwd(void *, void *, va_list);
static	int	 nis_map(char *, enum nss_lookup_type, char *, size_t, int *);
static	int	 nis_adjunct(char *, const char *, char *, size_t);
#endif


struct compat_state {
	DB		*db;
	pwkeynum	 keynum;
	int		 stayopen;
	int		 version;
	DB		*exclude;
	struct passwd	 template;
	char		*name;
	enum _compat {
		COMPAT_MODE_OFF = 0,
		COMPAT_MODE_ALL,
		COMPAT_MODE_NAME,
		COMPAT_MODE_NETGROUP
	}		 compat;
};
static	void	 compat_endstate(void *);
NSS_TLS_HANDLING(compat);
static	int	 compat_setpwent(void *, void *, va_list);
static	int	 compat_passwd(void *, void *, va_list);
static	void	 compat_clear_template(struct passwd *);
static	int	 compat_set_template(struct passwd *, struct passwd *);
static	int	 compat_use_template(struct passwd *, struct passwd *, char *,
		    size_t);
static	int	 compat_redispatch(struct compat_state *, enum nss_lookup_type,
		    enum nss_lookup_type, const char *, const char *, uid_t,
		    struct passwd *, char *, size_t, int *);
void
setpwent(void)
{
	static const ns_dtab dtab[] = {
		{ NSSRC_FILES, files_setpwent, (void *)SETPWENT },
#ifdef HESIOD
		{ NSSRC_DNS, dns_setpwent, (void *)SETPWENT },
#endif
#ifdef YP
		{ NSSRC_NIS, nis_setpwent, (void *)SETPWENT },
#endif
		{ NSSRC_COMPAT, compat_setpwent, (void *)SETPWENT },
		{ NULL, NULL, NULL }
	};
	(void)_nsdispatch(NULL, dtab, NSDB_PASSWD, "setpwent", defaultsrc, 0);
}


int
setpassent(int stayopen)
{
	static const ns_dtab dtab[] = {
		{ NSSRC_FILES, files_setpwent, (void *)SETPWENT },
#ifdef HESIOD
		{ NSSRC_DNS, dns_setpwent, (void *)SETPWENT },
#endif
#ifdef YP
		{ NSSRC_NIS, nis_setpwent, (void *)SETPWENT },
#endif
		{ NSSRC_COMPAT, compat_setpwent, (void *)SETPWENT },
		{ NULL, NULL, NULL }
	};
	(void)_nsdispatch(NULL, dtab, NSDB_PASSWD, "setpwent", defaultsrc,
	    stayopen);
	return (1);
}


void
endpwent(void)
{
	static const ns_dtab dtab[] = {
		{ NSSRC_FILES, files_setpwent, (void *)ENDPWENT },
#ifdef HESIOD
		{ NSSRC_DNS, dns_setpwent, (void *)ENDPWENT },
#endif
#ifdef YP
		{ NSSRC_NIS, nis_setpwent, (void *)ENDPWENT },
#endif
		{ NSSRC_COMPAT, compat_setpwent, (void *)ENDPWENT },
		{ NULL, NULL, NULL }
	};
	(void)_nsdispatch(NULL, dtab, NSDB_PASSWD, "endpwent", defaultsrc);
}


int
getpwent_r(struct passwd *pwd, char *buffer, size_t bufsize,
    struct passwd **result)
{
	static const ns_dtab dtab[] = {
		{ NSSRC_FILES, files_passwd, (void *)nss_lt_all },
#ifdef HESIOD
		{ NSSRC_DNS, dns_passwd, (void *)nss_lt_all },
#endif
#ifdef YP
		{ NSSRC_NIS, nis_passwd, (void *)nss_lt_all },
#endif
		{ NSSRC_COMPAT, compat_passwd, (void *)nss_lt_all },
		{ NULL, NULL, NULL }
	};
	int	rv, ret_errno;

	pwd_init(pwd);
	ret_errno = 0;
	*result = NULL;
	rv = _nsdispatch(result, dtab, NSDB_PASSWD, "getpwent_r", defaultsrc,
	    pwd, buffer, bufsize, &ret_errno);
	if (rv == NS_SUCCESS)
		return (0);
	else
		return (ret_errno);
}


int
getpwnam_r(const char *name, struct passwd *pwd, char *buffer, size_t bufsize,
    struct passwd **result)
{
	static const ns_dtab dtab[] = {
		{ NSSRC_FILES, files_passwd, (void *)nss_lt_name },
#ifdef HESIOD
		{ NSSRC_DNS, dns_passwd, (void *)nss_lt_name },
#endif
#ifdef YP
		{ NSSRC_NIS, nis_passwd, (void *)nss_lt_name },
#endif
		{ NSSRC_COMPAT, compat_passwd, (void *)nss_lt_name },
		{ NULL, NULL, NULL }
	};
	int	rv, ret_errno;

	pwd_init(pwd);
	ret_errno = 0;
	*result = NULL;
	rv = _nsdispatch(result, dtab, NSDB_PASSWD, "getpwnam_r", defaultsrc,
	    name, pwd, buffer, bufsize, &ret_errno);
	if (rv == NS_SUCCESS)
		return (0);
	else
		return (ret_errno);
}


int
getpwuid_r(uid_t uid, struct passwd *pwd, char *buffer, size_t bufsize,
    struct passwd **result)
{
	static const ns_dtab dtab[] = {
		{ NSSRC_FILES, files_passwd, (void *)nss_lt_id },
#ifdef HESIOD
		{ NSSRC_DNS, dns_passwd, (void *)nss_lt_id },
#endif
#ifdef YP
		{ NSSRC_NIS, nis_passwd, (void *)nss_lt_id },
#endif
		{ NSSRC_COMPAT, compat_passwd, (void *)nss_lt_id },
		{ NULL, NULL, NULL }
	};
	int	rv, ret_errno;

	pwd_init(pwd);
	ret_errno = 0;
	*result = NULL;
	rv = _nsdispatch(result, dtab, NSDB_PASSWD, "getpwuid_r", defaultsrc,
	    uid, pwd, buffer, bufsize, &ret_errno);
	if (rv == NS_SUCCESS)
		return (0);
	else
		return (ret_errno);
}


static void
pwd_init(struct passwd *pwd)
{
	static char nul[] = "";

	memset(pwd, 0, sizeof(*pwd));
	pwd->pw_uid = (uid_t)-1;  /* Considered least likely to lead to */
	pwd->pw_gid = (gid_t)-1;  /* a security issue.                  */
	pwd->pw_name = nul;
	pwd->pw_passwd = nul;
	pwd->pw_class = nul;
	pwd->pw_gecos = nul;
	pwd->pw_dir = nul;
	pwd->pw_shell = nul;
}


static struct passwd	 pwd;
static char		*pwd_storage;
static size_t		 pwd_storage_size;


static struct passwd *
getpw(int (*fn)(union key, struct passwd *, char *, size_t, struct passwd **),
    union key key)
{
	int		 rv;
	struct passwd	*res;

	if (pwd_storage == NULL) {
		pwd_storage = malloc(PWD_STORAGE_INITIAL);
		if (pwd_storage == NULL)
			return (NULL);
		pwd_storage_size = PWD_STORAGE_INITIAL;
	}
	do {
		rv = fn(key, &pwd, pwd_storage, pwd_storage_size, &res);
		if (res == NULL && rv == ERANGE) {
			free(pwd_storage);
			if ((pwd_storage_size << 1) > PWD_STORAGE_MAX) {
				pwd_storage = NULL;
				return (NULL);
			}
			pwd_storage_size <<= 1;
			pwd_storage = malloc(pwd_storage_size);
			if (pwd_storage == NULL)
				return (NULL);
		}
	} while (res == NULL && rv == ERANGE);
	return (res);
}


static int
wrap_getpwnam_r(union key key, struct passwd *pwd, char *buffer,
    size_t bufsize, struct passwd **res)
{
	return (getpwnam_r(key.name, pwd, buffer, bufsize, res));
}


static int
wrap_getpwuid_r(union key key, struct passwd *pwd, char *buffer,
    size_t bufsize, struct passwd **res)
{
	return (getpwuid_r(key.uid, pwd, buffer, bufsize, res));
}


static int
wrap_getpwent_r(union key key __unused, struct passwd *pwd, char *buffer,
    size_t bufsize, struct passwd **res)
{
	return (getpwent_r(pwd, buffer, bufsize, res));
}


struct passwd *
getpwnam(const char *name)
{
	union key key;

	key.name = name;
	return (getpw(wrap_getpwnam_r, key));
}


struct passwd *
getpwuid(uid_t uid)
{
	union key key;

	key.uid = uid;
	return (getpw(wrap_getpwuid_r, key));
}


struct passwd *
getpwent(void)
{
	union key key;

	key.uid = 0; /* not used */
	return (getpw(wrap_getpwent_r, key));
}


/*
 * files backend
 */
static DB *
pwdbopen(int *version)
{
	DB	*res;
	DBT	 key, entry;
	int	 rv;

	if (geteuid() != 0 ||
	    (res = dbopen(_PATH_SMP_DB, O_RDONLY, 0, DB_HASH, NULL)) == NULL)
		res = dbopen(_PATH_MP_DB, O_RDONLY, 0, DB_HASH, NULL);
	if (res == NULL)
		return (NULL);
	key.data = _PWD_VERSION_KEY;
	key.size = strlen(_PWD_VERSION_KEY);
	rv = res->get(res, &key, &entry, 0);
	if (rv == 0)
		*version = *(unsigned char *)entry.data;
	else
		*version = 3;
	if (*version < 3 ||
	    *version >= sizeof(pwdb_versions)/sizeof(pwdb_versions[0])) {
		syslog(LOG_CRIT, "Unsupported password database version %d",
		    *version);
		res->close(res);
		res = NULL;
	}
	return (res);
}


static void
files_endstate(void *p)
{
	DB	*db;

	if (p == NULL)
		return;
	db = ((struct files_state *)p)->db;
	if (db != NULL)
		db->close(db);
	free(p);
}


static int
files_setpwent(void *retval, void *mdata, va_list ap)
{
	struct files_state	*st;
	int			 rv, stayopen;

	rv = files_getstate(&st);
	if (rv != 0)
		return (NS_UNAVAIL);
	switch ((enum constants)mdata) {
	case SETPWENT:
		stayopen = va_arg(ap, int);
		st->keynum = 0;
		if (stayopen)
			st->db = pwdbopen(&st->version);
		st->stayopen = stayopen;
		break;
	case ENDPWENT:
		if (st->db != NULL) {
			(void)st->db->close(st->db);
			st->db = NULL;
		}
		break;
	default:
		break;
	}
	return (NS_UNAVAIL);
}


static int
files_passwd(void *retval, void *mdata, va_list ap)
{
	char			 keybuf[MAXLOGNAME + 1];
	DBT			 key, entry;
	struct files_state	*st;
	enum nss_lookup_type	 how;
	const char		*name;
	struct passwd		*pwd;
	char			*buffer;
	size_t			 bufsize, namesize;
	uid_t			 uid;
	uint32_t		 store;
	int			 rv, stayopen, *errnop;

	name = NULL;
	uid = (uid_t)-1;
	how = (enum nss_lookup_type)mdata;
	switch (how) {
	case nss_lt_name:
		name = va_arg(ap, const char *);
		keybuf[0] = _PW_KEYBYNAME;
		break;
	case nss_lt_id:
		uid = va_arg(ap, uid_t);
		keybuf[0] = _PW_KEYBYUID;
		break;
	case nss_lt_all:
		keybuf[0] = _PW_KEYBYNUM;
		break;
	default:
		rv = NS_NOTFOUND;
		goto fin;
	}
	pwd = va_arg(ap, struct passwd *);
	buffer = va_arg(ap, char *);
	bufsize = va_arg(ap, size_t);
	errnop = va_arg(ap, int *);
	*errnop = files_getstate(&st);
	if (*errnop != 0)
		return (NS_UNAVAIL);
	if (how == nss_lt_all && st->keynum < 0) {
		rv = NS_NOTFOUND;
		goto fin;
	}
	if (st->db == NULL &&
	    (st->db = pwdbopen(&st->version)) == NULL) {
		*errnop = errno;
		rv = NS_UNAVAIL;
		goto fin;
	}
	if (how == nss_lt_all)
		stayopen = 1;
	else
		stayopen = st->stayopen;
	key.data = keybuf;
	do {
		switch (how) {
		case nss_lt_name:
			/* MAXLOGNAME includes NUL byte, but we do not
			 * include the NUL byte in the key.
			 */
			namesize = strlcpy(&keybuf[1], name, sizeof(keybuf)-1);
			if (namesize >= sizeof(keybuf)-1) {
				*errnop = EINVAL;
				rv = NS_NOTFOUND;
				goto fin;
			}
			key.size = namesize + 1;
			break;
		case nss_lt_id:
			if (st->version < _PWD_CURRENT_VERSION) {
				memcpy(&keybuf[1], &uid, sizeof(uid));
				key.size = sizeof(uid) + 1;
			} else {
				store = htonl(uid);
				memcpy(&keybuf[1], &store, sizeof(store));
				key.size = sizeof(store) + 1;
			}
			break;
		case nss_lt_all:
			st->keynum++;
			if (st->version < _PWD_CURRENT_VERSION) {
				memcpy(&keybuf[1], &st->keynum,
				    sizeof(st->keynum));
				key.size = sizeof(st->keynum) + 1;
			} else {
				store = htonl(st->keynum);
				memcpy(&keybuf[1], &store, sizeof(store));
				key.size = sizeof(store) + 1;
			}
			break;
		}
		keybuf[0] = _PW_VERSIONED(keybuf[0], st->version);
		rv = st->db->get(st->db, &key, &entry, 0);
		if (rv < 0 || rv > 1) { /* should never return > 1 */
			*errnop = errno;
			rv = NS_UNAVAIL;
			goto fin;
		} else if (rv == 1) {
			if (how == nss_lt_all)
				st->keynum = -1;
			rv = NS_NOTFOUND;
			goto fin;
		}
		rv = pwdb_versions[st->version].match(entry.data, entry.size,
		    how, name, uid);
		if (rv != NS_SUCCESS)
			continue;
		if (entry.size > bufsize) {
			*errnop = ERANGE;
			rv = NS_RETURN;
			break;
		}
		memcpy(buffer, entry.data, entry.size);
		rv = pwdb_versions[st->version].parse(buffer, entry.size, pwd,
		    errnop);
	} while (how == nss_lt_all && !(rv & NS_TERMINATE));
fin:
	if (!stayopen && st->db != NULL) {
		(void)st->db->close(st->db);
		st->db = NULL;
	}
	if (rv == NS_SUCCESS) {
		pwd->pw_fields &= ~_PWF_SOURCE;
		pwd->pw_fields |= _PWF_FILES;
		if (retval != NULL)
			*(struct passwd **)retval = pwd;
	}
	return (rv);
}


static int
pwdb_match_entry_v3(char *entry, size_t entrysize, enum nss_lookup_type how,
    const char *name, uid_t uid)
{
	const char	*p, *eom;
	uid_t		 uid2;

	eom = &entry[entrysize];
	for (p = entry; p < eom; p++)
		if (*p == '\0')
			break;
	if (*p != '\0')
		return (NS_NOTFOUND);
	if (how == nss_lt_all)
		return (NS_SUCCESS);
	if (how == nss_lt_name)
		return (strcmp(name, entry) == 0 ? NS_SUCCESS : NS_NOTFOUND);
	for (p++; p < eom; p++)
		if (*p == '\0')
			break;
	if (*p != '\0' || (++p) + sizeof(uid) >= eom)
		return (NS_NOTFOUND);
	memcpy(&uid2, p, sizeof(uid2));
	return (uid == uid2 ? NS_SUCCESS : NS_NOTFOUND);
}


static int
pwdb_parse_entry_v3(char *buffer, size_t bufsize, struct passwd *pwd,
    int *errnop)
{
	char		*p, *eom;
	int32_t		 pw_change, pw_expire;

	/* THIS CODE MUST MATCH THAT IN pwd_mkdb. */
	p = buffer;
	eom = &buffer[bufsize];
#define STRING(field)	do {			\
		(field) = p;			\
		while (p < eom && *p != '\0')	\
			p++;			\
		if (p >= eom)			\
			return (NS_NOTFOUND);	\
		p++;				\
	} while (0)
#define SCALAR(field)	do {				\
		if (p + sizeof(field) > eom)		\
			return (NS_NOTFOUND);		\
		memcpy(&(field), p, sizeof(field));	\
		p += sizeof(field);			\
	} while (0)
	STRING(pwd->pw_name);
	STRING(pwd->pw_passwd);
	SCALAR(pwd->pw_uid);
	SCALAR(pwd->pw_gid);
	SCALAR(pw_change);
	STRING(pwd->pw_class);
	STRING(pwd->pw_gecos);
	STRING(pwd->pw_dir);
	STRING(pwd->pw_shell);
	SCALAR(pw_expire);
	SCALAR(pwd->pw_fields);
#undef STRING
#undef SCALAR
	pwd->pw_change = pw_change;
	pwd->pw_expire = pw_expire;
	return (NS_SUCCESS);
}


static int
pwdb_match_entry_v4(char *entry, size_t entrysize, enum nss_lookup_type how,
    const char *name, uid_t uid)
{
	const char	*p, *eom;
	uint32_t	 uid2;

	eom = &entry[entrysize];
	for (p = entry; p < eom; p++)
		if (*p == '\0')
			break;
	if (*p != '\0')
		return (NS_NOTFOUND);
	if (how == nss_lt_all)
		return (NS_SUCCESS);
	if (how == nss_lt_name)
		return (strcmp(name, entry) == 0 ? NS_SUCCESS : NS_NOTFOUND);
	for (p++; p < eom; p++)
		if (*p == '\0')
			break;
	if (*p != '\0' || (++p) + sizeof(uid) >= eom)
		return (NS_NOTFOUND);
	memcpy(&uid2, p, sizeof(uid2));
	uid2 = ntohl(uid2);
	return (uid == (uid_t)uid2 ? NS_SUCCESS : NS_NOTFOUND);
}


static int
pwdb_parse_entry_v4(char *buffer, size_t bufsize, struct passwd *pwd,
    int *errnop)
{
	char		*p, *eom;
	uint32_t	 n;

	/* THIS CODE MUST MATCH THAT IN pwd_mkdb. */
	p = buffer;
	eom = &buffer[bufsize];
#define STRING(field)	do {			\
		(field) = p;			\
		while (p < eom && *p != '\0')	\
			p++;			\
		if (p >= eom)			\
			return (NS_NOTFOUND);	\
		p++;				\
	} while (0)
#define SCALAR(field)	do {				\
		if (p + sizeof(n) > eom)		\
			return (NS_NOTFOUND);		\
		memcpy(&n, p, sizeof(n));		\
		(field) = ntohl(n);			\
		p += sizeof(n);				\
	} while (0)
	STRING(pwd->pw_name);
	STRING(pwd->pw_passwd);
	SCALAR(pwd->pw_uid);
	SCALAR(pwd->pw_gid);
	SCALAR(pwd->pw_change);
	STRING(pwd->pw_class);
	STRING(pwd->pw_gecos);
	STRING(pwd->pw_dir);
	STRING(pwd->pw_shell);
	SCALAR(pwd->pw_expire);
	SCALAR(pwd->pw_fields);
#undef STRING
#undef SCALAR
	return (NS_SUCCESS);
}


#ifdef HESIOD
/*
 * dns backend
 */
static void
dns_endstate(void *p)
{
	free(p);
}


static int
dns_setpwent(void *retval, void *mdata, va_list ap)
{
	struct dns_state	*st;
	int			 rv;

	rv = dns_getstate(&st);
	if (rv != 0)
		return (NS_UNAVAIL);
	st->counter = 0;
	return (NS_UNAVAIL);
}


static int
dns_passwd(void *retval, void *mdata, va_list ap)
{
	char			 buf[HESIOD_NAME_MAX];
	struct dns_state	*st;
	struct passwd		*pwd;
	const char		*name, *label;
	void			*ctx;
	char			*buffer, **hes;
	size_t			 bufsize, linesize;
	uid_t			 uid;
	enum nss_lookup_type	 how;
	int			 rv, *errnop;

	ctx = NULL;
	hes = NULL;
	name = NULL;
	uid = (uid_t)-1;
	how = (enum nss_lookup_type)mdata;
	switch (how) {
	case nss_lt_name:
		name = va_arg(ap, const char *);
		break;
	case nss_lt_id:
		uid = va_arg(ap, uid_t);
		break;
	case nss_lt_all:
		break;
	}
	pwd     = va_arg(ap, struct passwd *);
	buffer  = va_arg(ap, char *);
	bufsize = va_arg(ap, size_t);
	errnop  = va_arg(ap, int *);
	*errnop = dns_getstate(&st);
	if (*errnop != 0)
		return (NS_UNAVAIL);
	if (hesiod_init(&ctx) != 0) {
		*errnop = errno;
		rv = NS_UNAVAIL;
		goto fin;
	}
	do {
		rv = NS_NOTFOUND;
		switch (how) {
		case nss_lt_name:
			label = name;
			break;
		case nss_lt_id:
			if (snprintf(buf, sizeof(buf), "%lu",
			    (unsigned long)uid) >= sizeof(buf))
				goto fin;
			label = buf;
			break;
		case nss_lt_all:
			if (st->counter < 0)
				goto fin;
			if (snprintf(buf, sizeof(buf), "passwd-%ld",
			    st->counter++) >= sizeof(buf))
				goto fin;
			label = buf;
			break;
		}
		hes = hesiod_resolve(ctx, label,
		    how == nss_lt_id ? "uid" : "passwd");
		if (hes == NULL) {
			if (how == nss_lt_all)
				st->counter = -1;
			if (errno != ENOENT)
				*errnop = errno;
			goto fin;
		}
		rv = __pw_match_entry(hes[0], strlen(hes[0]), how, name, uid);
		if (rv != NS_SUCCESS) {
			hesiod_free_list(ctx, hes);
			hes = NULL;
			continue;
		}
		linesize = strlcpy(buffer, hes[0], bufsize);
		if (linesize >= bufsize) {
			*errnop = ERANGE;
			rv = NS_RETURN;
			continue;
		}
		hesiod_free_list(ctx, hes);
		hes = NULL;
		rv = __pw_parse_entry(buffer, bufsize, pwd, 0, errnop);
	} while (how == nss_lt_all && !(rv & NS_TERMINATE));
fin:
	if (hes != NULL)
		hesiod_free_list(ctx, hes);
	if (ctx != NULL)
		hesiod_end(ctx);
	if (rv == NS_SUCCESS) {
		pwd->pw_fields &= ~_PWF_SOURCE;
		pwd->pw_fields |= _PWF_HESIOD;
		if (retval != NULL)
			*(struct passwd **)retval = pwd;
	}
	return (rv);
}
#endif /* HESIOD */


#ifdef YP
/*
 * nis backend
 */
static void
nis_endstate(void *p)
{
	free(((struct nis_state *)p)->key);
	free(p);
}

/*
 * Test for the presence of special FreeBSD-specific master.passwd.by*
 * maps. We do this using yp_order(). If it fails, then either the server
 * doesn't have the map, or the YPPROC_ORDER procedure isn't supported by
 * the server (Sun NIS+ servers in YP compat mode behave this way). If
 * the master.passwd.by* maps don't exist, then let the lookup routine try
 * the regular passwd.by* maps instead. If the lookup routine fails, it
 * can return an error as needed.
 */
static int
nis_map(char *domain, enum nss_lookup_type how, char *buffer, size_t bufsize,
    int *master)
{
	int	rv, order;

	*master = 0;
	if (geteuid() == 0) {
		if (snprintf(buffer, bufsize, "master.passwd.by%s",
		    (how == nss_lt_id) ? "uid" : "name") >= bufsize)
			return (NS_UNAVAIL);
		rv = yp_order(domain, buffer, &order);
		if (rv == 0) {
			*master = 1;
			return (NS_SUCCESS);
		}
	}

	if (snprintf(buffer, bufsize, "passwd.by%s",
	    (how == nss_lt_id) ? "uid" : "name") >= bufsize)
		return (NS_UNAVAIL);

	return (NS_SUCCESS);
}


static int
nis_adjunct(char *domain, const char *name, char *buffer, size_t bufsize)
{
	int	 rv;
	char	*result, *p, *q, *eor;
	int	 resultlen;

	result = NULL;
	rv = yp_match(domain, "passwd.adjunct.byname", name, strlen(name),
	    &result, &resultlen);
	if (rv != 0)
		rv = 1;
	else {
		eor = &result[resultlen];
		p = memchr(result, ':', eor - result);
		if (p != NULL && ++p < eor &&
		    (q = memchr(p, ':', eor - p)) != NULL) {
			if (q - p >= bufsize)
				rv = -1;
			else {
				memcpy(buffer, p, q - p);
				buffer[q - p] ='\0';
			}
		} else
			rv = 1;
	}
	free(result);
	return (rv);
}


static int
nis_setpwent(void *retval, void *mdata, va_list ap)
{
	struct nis_state	*st;
	int			 rv;

	rv = nis_getstate(&st);
	if (rv != 0)
		return (NS_UNAVAIL);
	st->done = 0;
	free(st->key);
	st->key = NULL;
	return (NS_UNAVAIL);
}


static int
nis_passwd(void *retval, void *mdata, va_list ap)
{
	char		 map[YPMAXMAP];
	struct nis_state *st;
	struct passwd	*pwd;
	const char	*name;
	char		*buffer, *key, *result;
	size_t		 bufsize;
	uid_t		 uid;
	enum nss_lookup_type how;
	int		*errnop, keylen, resultlen, rv, master;

	name = NULL;
	uid = (uid_t)-1;
	how = (enum nss_lookup_type)mdata;
	switch (how) {
	case nss_lt_name:
		name = va_arg(ap, const char *);
		break;
	case nss_lt_id:
		uid = va_arg(ap, uid_t);
		break;
	case nss_lt_all:
		break;
	}
	pwd     = va_arg(ap, struct passwd *);
	buffer  = va_arg(ap, char *);
	bufsize = va_arg(ap, size_t);
	errnop  = va_arg(ap, int *);
	*errnop = nis_getstate(&st);
	if (*errnop != 0)
		return (NS_UNAVAIL);
	if (st->domain[0] == '\0') {
		if (getdomainname(st->domain, sizeof(st->domain)) != 0) {
			*errnop = errno;
			return (NS_UNAVAIL);
		}
	}
	rv = nis_map(st->domain, how, map, sizeof(map), &master);
	if (rv != NS_SUCCESS)
		return (rv);
	result = NULL;
	do {
		rv = NS_NOTFOUND;
		switch (how) {
		case nss_lt_name:
			if (strlcpy(buffer, name, bufsize) >= bufsize)
				goto erange;
			break;
		case nss_lt_id:
			if (snprintf(buffer, bufsize, "%lu",
			    (unsigned long)uid) >= bufsize)
				goto erange;
			break;
		case nss_lt_all:
			if (st->done)
				goto fin;
			break;
		}
		result = NULL;
		if (how == nss_lt_all) {
			if (st->key == NULL)
				rv = yp_first(st->domain, map, &st->key,
				    &st->keylen, &result, &resultlen);
			else {
				key = st->key;
				keylen = st->keylen;
				st->key = NULL;
				rv = yp_next(st->domain, map, key, keylen,
				    &st->key, &st->keylen, &result,
				    &resultlen);
				free(key);
			}
			if (rv != 0) {
				free(result);
				free(st->key);
				st->key = NULL;
				if (rv == YPERR_NOMORE)
					st->done = 1;
				else
					rv = NS_UNAVAIL;
				goto fin;
			}
		} else {
			rv = yp_match(st->domain, map, buffer, strlen(buffer),
			    &result, &resultlen);
			if (rv == YPERR_KEY) {
				rv = NS_NOTFOUND;
				continue;
			} else if (rv != 0) {
				free(result);
				rv = NS_UNAVAIL;
				continue;
			}
		}
		if (resultlen >= bufsize)
			goto erange;
		memcpy(buffer, result, resultlen);
		buffer[resultlen] = '\0';
		free(result);
		rv = __pw_match_entry(buffer, resultlen, how, name, uid);
		if (rv == NS_SUCCESS)
			rv = __pw_parse_entry(buffer, resultlen, pwd, master,
			    errnop);
	} while (how == nss_lt_all && !(rv & NS_TERMINATE));
fin:
	if (rv == NS_SUCCESS) {
		if (strstr(pwd->pw_passwd, "##") != NULL) {
			rv = nis_adjunct(st->domain, pwd->pw_name,
			    &buffer[resultlen+1], bufsize-resultlen-1);
			if (rv < 0)
				goto erange;
			else if (rv == 0)
				pwd->pw_passwd = &buffer[resultlen+1];
		}
		pwd->pw_fields &= ~_PWF_SOURCE;
		pwd->pw_fields |= _PWF_NIS;
		if (retval != NULL)
			*(struct passwd **)retval = pwd;
		rv = NS_SUCCESS;
	}
	return (rv);
erange:
	*errnop = ERANGE;
	return (NS_RETURN);
}
#endif /* YP */


/*
 * compat backend
 */
static void
compat_clear_template(struct passwd *template)
{

	free(template->pw_passwd);
	free(template->pw_gecos);
	free(template->pw_dir);
	free(template->pw_shell);
	memset(template, 0, sizeof(*template));
}


static int
compat_set_template(struct passwd *src, struct passwd *template)
{

	compat_clear_template(template);
#ifdef PW_OVERRIDE_PASSWD
	if ((src->pw_fields & _PWF_PASSWD) &&
	    (template->pw_passwd = strdup(src->pw_passwd)) == NULL)
		goto enomem;
#endif
	if (src->pw_fields & _PWF_UID)
		template->pw_uid = src->pw_uid;
	if (src->pw_fields & _PWF_GID)
		template->pw_gid = src->pw_gid;
	if ((src->pw_fields & _PWF_GECOS) &&
	    (template->pw_gecos = strdup(src->pw_gecos)) == NULL)
		goto enomem;
	if ((src->pw_fields & _PWF_DIR) &&
	    (template->pw_dir = strdup(src->pw_dir)) == NULL)
		goto enomem;
	if ((src->pw_fields & _PWF_SHELL) &&
	    (template->pw_shell = strdup(src->pw_shell)) == NULL)
		goto enomem;
	template->pw_fields = src->pw_fields;
	return (0);
enomem:
	syslog(LOG_ERR, "getpwent memory allocation failure");
	return (-1);
}


static int
compat_use_template(struct passwd *pwd, struct passwd *template, char *buffer,
    size_t bufsize)
{
	struct passwd hold;
	char	*copy, *p, *q, *eob;
	size_t	 n;

	/* We cannot know the layout of the password fields in `buffer',
	 * so we have to copy everything.
	 */
	if (template->pw_fields == 0) /* nothing to fill-in */
		return (0);
	n = 0;
	n += pwd->pw_name != NULL ? strlen(pwd->pw_name) + 1 : 0;
	n += pwd->pw_passwd != NULL ? strlen(pwd->pw_passwd) + 1 : 0;
	n += pwd->pw_class != NULL ? strlen(pwd->pw_class) + 1 : 0;
	n += pwd->pw_gecos != NULL ? strlen(pwd->pw_gecos) + 1 : 0;
	n += pwd->pw_dir != NULL ? strlen(pwd->pw_dir) + 1 : 0;
	n += pwd->pw_shell != NULL ? strlen(pwd->pw_shell) + 1 : 0;
	copy = malloc(n);
	if (copy == NULL) {
		syslog(LOG_ERR, "getpwent memory allocation failure");
		return (ENOMEM);
	}
	p = copy;
	eob = &copy[n];
#define COPY(field) do {				\
	if (pwd->field == NULL)				\
		hold.field = NULL;			\
	else {						\
		hold.field = p;				\
		p += strlcpy(p, pwd->field, eob-p) + 1;	\
	}						\
} while (0)
	COPY(pw_name);
	COPY(pw_passwd);
	COPY(pw_class);
	COPY(pw_gecos);
	COPY(pw_dir);
	COPY(pw_shell);
#undef COPY
	p = buffer;
	eob = &buffer[bufsize];
#define COPY(field, flag) do {						 \
	q = (template->pw_fields & flag) ? template->field : hold.field; \
	if (q == NULL)							 \
		pwd->field = NULL;					 \
	else {								 \
		pwd->field = p;						 \
		if ((n = strlcpy(p, q, eob-p)) >= eob-p) {		 \
			free(copy);					 \
			return (ERANGE);				 \
		}							 \
		p += n + 1;						 \
	}								 \
} while (0)
	COPY(pw_name, 0);
#ifdef PW_OVERRIDE_PASSWD
	COPY(pw_passwd, _PWF_PASSWD);
#else
	COPY(pw_passwd, 0);
#endif
	COPY(pw_class, 0);
	COPY(pw_gecos, _PWF_GECOS);
	COPY(pw_dir, _PWF_DIR);
	COPY(pw_shell, _PWF_SHELL);
#undef COPY
#define COPY(field, flag) do {			\
	if (template->pw_fields & flag)		\
		pwd->field = template->field;	\
} while (0)
	COPY(pw_uid, _PWF_UID);
	COPY(pw_gid, _PWF_GID);
#undef COPY
	free(copy);
	return (0);
}


static int
compat_exclude(const char *name, DB **db)
{
	DBT	key, data;

	if (*db == NULL &&
	    (*db = dbopen(NULL, O_RDWR, 600, DB_HASH, 0)) == NULL)
		return (errno);
	key.size = strlen(name);
	key.data = (char *)name;
	data.size = 0;
	data.data = NULL;

	if ((*db)->put(*db, &key, &data, 0) == -1)
		return (errno);
	return (0);
}


static int
compat_is_excluded(const char *name, DB *db)
{
	DBT	key, data;

	if (db == NULL)
		return (0);
	key.size = strlen(name);
	key.data = (char *)name;
	return (db->get(db, &key, &data, 0) == 0);
}


static int
compat_redispatch(struct compat_state *st, enum nss_lookup_type how,
    enum nss_lookup_type lookup_how, const char *name, const char *lookup_name,
    uid_t uid, struct passwd *pwd, char *buffer, size_t bufsize, int *errnop)
{
	static const ns_src compatsrc[] = {
#ifdef YP
		{ NSSRC_NIS, NS_SUCCESS },
#endif
		{ NULL, 0 }
	};
	ns_dtab dtab[] = {
#ifdef YP
		{ NSSRC_NIS, nis_passwd, NULL },
#endif
#ifdef HESIOD
		{ NSSRC_DNS, dns_passwd, NULL },
#endif
		{ NULL, NULL, NULL }
	};
	void		*discard;
	int		 rv, e, i;

	for (i = 0; i < sizeof(dtab)/sizeof(dtab[0]) - 1; i++)
		dtab[i].mdata = (void *)lookup_how;
more:
	pwd_init(pwd);
	switch (lookup_how) {
	case nss_lt_all:
		rv = _nsdispatch(&discard, dtab, NSDB_PASSWD_COMPAT,
		    "getpwent_r", compatsrc, pwd, buffer, bufsize,
		    errnop);
		break;
	case nss_lt_id:
		rv = _nsdispatch(&discard, dtab, NSDB_PASSWD_COMPAT,
		    "getpwuid_r", compatsrc, uid, pwd, buffer,
		    bufsize, errnop);
		break;
	case nss_lt_name:
		rv = _nsdispatch(&discard, dtab, NSDB_PASSWD_COMPAT,
		    "getpwnam_r", compatsrc, lookup_name, pwd, buffer,
		    bufsize, errnop);
		break;
	default:
		return (NS_UNAVAIL);
	}
	if (rv != NS_SUCCESS)
		return (rv);
	if (compat_is_excluded(pwd->pw_name, st->exclude)) {
		if (how == nss_lt_all)
			goto more;
		return (NS_NOTFOUND);
	}
	e = compat_use_template(pwd, &st->template, buffer, bufsize);
	if (e != 0) {
		*errnop = e;
		if (e == ERANGE)
			return (NS_RETURN);
		else
			return (NS_UNAVAIL);
	}
	switch (how) {
	case nss_lt_name:
		if (strcmp(name, pwd->pw_name) != 0)
			return (NS_NOTFOUND);
		break;
	case nss_lt_id:
		if (uid != pwd->pw_uid)
			return (NS_NOTFOUND);
		break;
	default:
		break;
	}
	return (NS_SUCCESS);
}


static void
compat_endstate(void *p)
{
	struct compat_state *st;

	if (p == NULL)
		return;
	st = (struct compat_state *)p;
	if (st->db != NULL)
		st->db->close(st->db);
	if (st->exclude != NULL)
		st->exclude->close(st->exclude);
	compat_clear_template(&st->template);
	free(p);
}


static int
compat_setpwent(void *retval, void *mdata, va_list ap)
{
	static const ns_src compatsrc[] = {
#ifdef YP
		{ NSSRC_NIS, NS_SUCCESS },
#endif
		{ NULL, 0 }
	};
	ns_dtab dtab[] = {
#ifdef YP
		{ NSSRC_NIS, nis_setpwent, NULL },
#endif
#ifdef HESIOD
		{ NSSRC_DNS, dns_setpwent, NULL },
#endif
		{ NULL, NULL, NULL }
	};
	struct compat_state	*st;
	int			 rv, stayopen;

#define set_setent(x, y) do {	 				\
	int i;							\
								\
	for (i = 0; i < (sizeof(x)/sizeof(x[0])) - 1; i++)	\
		x[i].mdata = (void *)y;				\
} while (0)

	rv = compat_getstate(&st);
	if (rv != 0)
		return (NS_UNAVAIL);
	switch ((enum constants)mdata) {
	case SETPWENT:
		stayopen = va_arg(ap, int);
		st->keynum = 0;
		if (stayopen)
			st->db = pwdbopen(&st->version);
		st->stayopen = stayopen;
		set_setent(dtab, mdata);
		(void)_nsdispatch(NULL, dtab, NSDB_PASSWD_COMPAT, "setpwent",
		    compatsrc, 0);
		break;
	case ENDPWENT:
		if (st->db != NULL) {
			(void)st->db->close(st->db);
			st->db = NULL;
		}
		set_setent(dtab, mdata);
		(void)_nsdispatch(NULL, dtab, NSDB_PASSWD_COMPAT, "endpwent",
		    compatsrc, 0);
		break;
	default:
		break;
	}
	return (NS_UNAVAIL);
#undef set_setent
}


static int
compat_passwd(void *retval, void *mdata, va_list ap)
{
	char			 keybuf[MAXLOGNAME + 1];
	DBT			 key, entry;
	struct compat_state	*st;
	enum nss_lookup_type	 how;
	const char		*name;
	struct passwd		*pwd;
	char			*buffer, *pw_name;
	char			*host, *user, *domain;
	size_t			 bufsize;
	uid_t			 uid;
	uint32_t		 store;
	int			 rv, from_compat, stayopen, *errnop;

	from_compat = 0;
	name = NULL;
	uid = (uid_t)-1;
	how = (enum nss_lookup_type)mdata;
	switch (how) {
	case nss_lt_name:
		name = va_arg(ap, const char *);
		break;
	case nss_lt_id:
		uid = va_arg(ap, uid_t);
		break;
	case nss_lt_all:
		break;
	default:
		rv = NS_NOTFOUND;
		goto fin;
	}
	pwd = va_arg(ap, struct passwd *);
	buffer = va_arg(ap, char *);
	bufsize = va_arg(ap, size_t);
	errnop = va_arg(ap, int *);
	*errnop = compat_getstate(&st);
	if (*errnop != 0)
		return (NS_UNAVAIL);
	if (how == nss_lt_all && st->keynum < 0) {
		rv = NS_NOTFOUND;
		goto fin;
	}
	if (st->db == NULL &&
	    (st->db = pwdbopen(&st->version)) == NULL) {
		*errnop = errno;
		rv = NS_UNAVAIL;
		goto fin;
	}
	if (how == nss_lt_all) {
		if (st->keynum < 0) {
			rv = NS_NOTFOUND;
			goto fin;
		}
		stayopen = 1;
	} else {
		st->keynum = 0;
		stayopen = st->stayopen;
	}
docompat:
	rv = NS_NOTFOUND;
	switch (st->compat) {
	case COMPAT_MODE_ALL:
		rv = compat_redispatch(st, how, how, name, name, uid, pwd,
		    buffer, bufsize, errnop);
		if (rv != NS_SUCCESS)
			st->compat = COMPAT_MODE_OFF;
		break;
	case COMPAT_MODE_NETGROUP:
		/* XXX getnetgrent is not thread-safe. */
		do {
			rv = getnetgrent(&host, &user, &domain);
			if (rv == 0) {
				endnetgrent();
				st->compat = COMPAT_MODE_OFF;
				rv = NS_NOTFOUND;
				continue;
			} else if (user == NULL || user[0] == '\0')
				continue;
			rv = compat_redispatch(st, how, nss_lt_name, name,
			    user, uid, pwd, buffer, bufsize, errnop);
		} while (st->compat == COMPAT_MODE_NETGROUP &&
		    !(rv & NS_TERMINATE));
		break;
	case COMPAT_MODE_NAME:
		rv = compat_redispatch(st, how, nss_lt_name, name, st->name,
		    uid, pwd, buffer, bufsize, errnop);
		free(st->name);
		st->name = NULL;
		st->compat = COMPAT_MODE_OFF;
		break;
	default:
		break;
	}
	if (rv & NS_TERMINATE) {
		from_compat = 1;
		goto fin;
	}
	key.data = keybuf;
	rv = NS_NOTFOUND;
	while (st->keynum >= 0) {
		st->keynum++;
		if (st->version < _PWD_CURRENT_VERSION) {
			memcpy(&keybuf[1], &st->keynum, sizeof(st->keynum));
			key.size = sizeof(st->keynum) + 1;
		} else {
			store = htonl(st->keynum);
			memcpy(&keybuf[1], &store, sizeof(store));
			key.size = sizeof(store) + 1;
		}
		keybuf[0] = _PW_VERSIONED(_PW_KEYBYNUM, st->version);
		rv = st->db->get(st->db, &key, &entry, 0);
		if (rv < 0 || rv > 1) { /* should never return > 1 */
			*errnop = errno;
			rv = NS_UNAVAIL;
			goto fin;
		} else if (rv == 1) {
			st->keynum = -1;
			rv = NS_NOTFOUND;
			goto fin;
		}
		pw_name = (char *)entry.data;
		switch (pw_name[0]) {
		case '+':
			switch (pw_name[1]) {
			case '\0':
				st->compat = COMPAT_MODE_ALL;
				break;
			case '@':
				setnetgrent(&pw_name[2]);
				st->compat = COMPAT_MODE_NETGROUP;
				break;
			default:
				st->name = strdup(&pw_name[1]);
				if (st->name == NULL) {
					syslog(LOG_ERR,
					 "getpwent memory allocation failure");
					*errnop = ENOMEM;
					rv = NS_UNAVAIL;
					break;
				}
				st->compat = COMPAT_MODE_NAME;
			}
			if (entry.size > bufsize) {
				*errnop = ERANGE;
				rv = NS_RETURN;
				goto fin;
			}
			memcpy(buffer, entry.data, entry.size);
			rv = pwdb_versions[st->version].parse(buffer,
			    entry.size, pwd, errnop);
			if (rv != NS_SUCCESS)
				;
			else if (compat_set_template(pwd, &st->template) < 0) {
				*errnop = ENOMEM;
				rv = NS_UNAVAIL;
				goto fin;
			}
			goto docompat;
		case '-':
			switch (pw_name[1]) {
			case '\0':
				/* XXX Maybe syslog warning */
				continue;
			case '@':
				setnetgrent(&pw_name[2]);
				while (getnetgrent(&host, &user, &domain) !=
				    0) {
					if (user != NULL && user[0] != '\0')
						compat_exclude(user,
						    &st->exclude);
				}
				endnetgrent();
				continue;
			default:
				compat_exclude(&pw_name[1], &st->exclude);
				continue;
			}
			break;
		default:
			break;
		}
		if (compat_is_excluded((char *)entry.data, st->exclude))
			continue;
		rv = pwdb_versions[st->version].match(entry.data, entry.size,
		    how, name, uid);
		if (rv == NS_RETURN)
			break;
		else if (rv != NS_SUCCESS)
			continue;
		if (entry.size > bufsize) {
			*errnop = ERANGE;
			rv = NS_RETURN;
			break;
		}
		memcpy(buffer, entry.data, entry.size);
		rv = pwdb_versions[st->version].parse(buffer, entry.size, pwd,
		    errnop);
		if (rv & NS_TERMINATE)
			break;
	}
fin:
	if (!stayopen && st->db != NULL) {
		(void)st->db->close(st->db);
		st->db = NULL;
	}
	if (rv == NS_SUCCESS) {
		if (!from_compat) {
			pwd->pw_fields &= ~_PWF_SOURCE;
			pwd->pw_fields |= _PWF_FILES;
		}
		if (retval != NULL)
			*(struct passwd **)retval = pwd;
	}
	return (rv);
}


/*
 * common passwd line matching and parsing
 */
int
__pw_match_entry(const char *entry, size_t entrysize, enum nss_lookup_type how,
    const char *name, uid_t uid)
{
	const char	*p, *eom;
	char		*q;
	size_t		 len;
	unsigned long	 m;

	eom = entry + entrysize;
	for (p = entry; p < eom; p++)
		if (*p == ':')
			break;
	if (*p != ':')
		return (NS_NOTFOUND);
	if (how == nss_lt_all)
		return (NS_SUCCESS);
	if (how == nss_lt_name) {
		len = strlen(name);
		if (len == (p - entry) && memcmp(name, entry, len) == 0)
			return (NS_SUCCESS);
		else
			return (NS_NOTFOUND);
	}
	for (p++; p < eom; p++)
		if (*p == ':')
			break;
	if (*p != ':')
		return (NS_NOTFOUND);
	m = strtoul(++p, &q, 10);
	if (q[0] != ':' || (uid_t)m != uid)
		return (NS_NOTFOUND);
	else
		return (NS_SUCCESS);
}


/* XXX buffer must be NUL-terminated.  errnop is not set correctly. */
int
__pw_parse_entry(char *buffer, size_t bufsize __unused, struct passwd *pwd,
    int master, int *errnop __unused)
{

	if (__pw_scan(buffer, pwd, master ? _PWSCAN_MASTER : 0) == 0)
		return (NS_NOTFOUND);
	else
		return (NS_SUCCESS);
}