diff -up shadow-4.6/configure.ac.libsubid_nsswitch_support shadow-4.6/configure.ac

--- shadow-4.6/configure.ac.libsubid_nsswitch_support	2021-10-19 13:16:21.989493315 +0200

+++ shadow-4.6/configure.ac	2021-10-19 13:19:07.743131310 +0200

@@ -1,6 +1,6 @@

 dnl Process this file with autoconf to produce a configure script.

 AC_PREREQ([2.69])

-m4_define([libsubid_abi_major], 1)

+m4_define([libsubid_abi_major], 2)

 m4_define([libsubid_abi_minor], 0)

 m4_define([libsubid_abi_micro], 0)

 m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])

diff -up shadow-4.6/lib/Makefile.am.libsubid_nsswitch_support shadow-4.6/lib/Makefile.am

--- shadow-4.6/lib/Makefile.am.libsubid_nsswitch_support	2021-10-19 13:16:21.973493060 +0200

+++ shadow-4.6/lib/Makefile.am	2021-10-19 13:16:21.989493315 +0200

@@ -28,6 +28,7 @@ libshadow_la_SOURCES = \

 	groupio.h \

 	gshadow.c \

 	lockpw.c \

+	nss.c \

 	nscd.c \

 	nscd.h \

 	sssd.c \

diff -up shadow-4.6/libmisc/idmapping.h.libsubid_nsswitch_support shadow-4.6/libmisc/idmapping.h

--- shadow-4.6/libmisc/idmapping.h.libsubid_nsswitch_support	2021-10-19 13:16:21.989493315 +0200

+++ shadow-4.6/libmisc/idmapping.h	2021-10-19 13:19:50.629813857 +0200

@@ -40,5 +40,7 @@ extern struct map_range *get_map_ranges(

 extern void write_mapping(int proc_dir_fd, int ranges,

 	struct map_range *mappings, const char *map_file);

+extern void nss_init(char *nsswitch_path);

+

 #endif /* _ID_MAPPING_H_ */

diff -up shadow-4.6/libmisc/Makefile.am.libsubid_nsswitch_support shadow-4.6/libmisc/Makefile.am

--- shadow-4.6/libmisc/Makefile.am.libsubid_nsswitch_support	2021-10-19 13:16:21.988493299 +0200

+++ shadow-4.6/libmisc/Makefile.am	2021-10-19 13:17:03.356151673 +0200

@@ -3,9 +3,9 @@ EXTRA_DIST = .indent.pro xgetXXbyYY.c

 AM_CPPFLAGS = -I$(top_srcdir)/lib

-noinst_LIBRARIES = libmisc.a

+noinst_LTLIBRARIES = libmisc.la

-libmisc_a_SOURCES = \

+libmisc_la_SOURCES = \

 	addgrps.c \

 	age.c \

 	audit_help.c \

diff -up shadow-4.6/lib/nss.c.libsubid_nsswitch_support shadow-4.6/lib/nss.c

--- shadow-4.6/lib/nss.c.libsubid_nsswitch_support	2021-10-19 13:16:21.989493315 +0200

+++ shadow-4.6/lib/nss.c	2021-10-19 13:16:21.989493315 +0200

@@ -0,0 +1,157 @@

+#include <stdio.h>

+#include <stdlib.h>

+#include <dlfcn.h>

+#include <stdbool.h>

+#include <string.h>

+#include <strings.h>

+#include <ctype.h>

+#include <stdatomic.h>

+#include "prototypes.h"

+#include "../libsubid/subid.h"

+

+#define NSSWITCH "/etc/nsswitch.conf"

+

+// NSS plugin handling for subids

+// If nsswitch has a line like

+//    subid: sssd

+// then sssd will be consulted for subids.  Unlike normal NSS dbs,

+// only one db is supported at a time.  That's open to debate, but

+// the subids are a pretty limited resource, and local files seem

+// bound to step on any other allocations leading to insecure

+// conditions.

+static atomic_flag nss_init_started;

+static atomic_bool nss_init_completed;

+

+static struct subid_nss_ops *subid_nss;

+

+bool nss_is_initialized() {

+	return atomic_load(&nss_init_completed);

+}

+

+void nss_exit() {

+	if (nss_is_initialized() && subid_nss) {

+		dlclose(subid_nss->handle);

+		free(subid_nss);

+		subid_nss = NULL;

+	}

+}

+

+// nsswitch_path is an argument only to support testing.

+void nss_init(char *nsswitch_path) {

+	FILE *nssfp = NULL;

+	char *line = NULL, *p, *token, *saveptr;

+	size_t len = 0;

+

+	if (atomic_flag_test_and_set(&nss_init_started)) {

+		// Another thread has started nss_init, wait for it to complete

+		while (!atomic_load(&nss_init_completed))

+			usleep(100);

+		return;

+	}

+

+	if (!nsswitch_path)

+		nsswitch_path = NSSWITCH;

+

+	// read nsswitch.conf to check for a line like:

+	//   subid:	files

+	nssfp = fopen(nsswitch_path, "r");

+	if (!nssfp) {

+		fprintf(stderr, "Failed opening %s: %m", nsswitch_path);

+		atomic_store(&nss_init_completed, true);

+		return;

+	}

+	while ((getline(&line, &len, nssfp)) != -1) {

+		if (line[0] == '\0' || line[0] == '#')

+			continue;

+		if (strlen(line) < 8)

+			continue;

+		if (strncasecmp(line, "subid:", 6) != 0)

+			continue;

+		p = &line[6];

+		while ((*p) && isspace(*p))

+			p++;

+		if (!*p)

+			continue;

+		for (token = strtok_r(p, " \n\t", &saveptr);

+		     token;

+		     token = strtok_r(NULL, " \n\t", &saveptr)) {

+			char libname[65];

+			void *h;

+			if (strcmp(token, "files") == 0) {

+				subid_nss = NULL;

+				goto done;

+			}

+			if (strlen(token) > 50) {

+				fprintf(stderr, "Subid NSS module name too long (longer than 50 characters): %s\n", token);

+				fprintf(stderr, "Using files\n");

+				subid_nss = NULL;

+				goto done;

+			}

+			snprintf(libname, 64,  "libsubid_%s.so", token);

+			h = dlopen(libname, RTLD_LAZY);

+			if (!h) {

+				fprintf(stderr, "Error opening %s: %s\n", libname, dlerror());

+				fprintf(stderr, "Using files\n");

+				subid_nss = NULL;

+				goto done;

+			}

+			subid_nss = malloc(sizeof(*subid_nss));

+			if (!subid_nss) {

+				dlclose(h);

+				goto done;

+			}

+			subid_nss->has_range = dlsym(h, "shadow_subid_has_range");

+			if (!subid_nss->has_range) {

+				fprintf(stderr, "%s did not provide @has_range@\n", libname);

+				dlclose(h);

+				free(subid_nss);

+				subid_nss = NULL;

+				goto done;

+			}

+			subid_nss->list_owner_ranges = dlsym(h, "shadow_subid_list_owner_ranges");

+			if (!subid_nss->list_owner_ranges) {

+				fprintf(stderr, "%s did not provide @list_owner_ranges@\n", libname);

+				dlclose(h);

+				free(subid_nss);

+				subid_nss = NULL;

+				goto done;

+			}

+			subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range");

+			if (!subid_nss->has_any_range) {

+				fprintf(stderr, "%s did not provide @has_any_range@\n", libname);

+				dlclose(h);

+				free(subid_nss);

+				subid_nss = NULL;

+				goto done;

+			}

+			subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");

+			if (!subid_nss->find_subid_owners) {

+				fprintf(stderr, "%s did not provide @find_subid_owners@\n", libname);

+				dlclose(h);

+				free(subid_nss);

+				subid_nss = NULL;

+				goto done;

+			}

+			subid_nss->handle = h;

+			goto done;

+		}

+		fprintf(stderr, "No usable subid NSS module found, using files\n");

+		// subid_nss has to be null here, but to ease reviews:

+		free(subid_nss);

+		subid_nss = NULL;

+		goto done;

+	}

+

+done:

+	atomic_store(&nss_init_completed, true);

+	free(line);

+	if (nssfp) {

+		atexit(nss_exit);

+		fclose(nssfp);

+	}

+}

+

+struct subid_nss_ops *get_subid_nss_handle() {

+	nss_init(NULL);

+	return subid_nss;

+}

diff -up shadow-4.6/lib/prototypes.h.libsubid_nsswitch_support shadow-4.6/lib/prototypes.h

--- shadow-4.6/lib/prototypes.h.libsubid_nsswitch_support	2021-10-19 13:16:21.961492869 +0200

+++ shadow-4.6/lib/prototypes.h	2021-10-19 13:16:21.989493315 +0200

@@ -263,6 +263,75 @@ extern void motd (void);

 /* myname.c */

 extern /*@null@*//*@only@*/struct passwd *get_my_pwent (void);

+/* nss.c */

+#include <libsubid/subid.h>

+extern void nss_init(char *nsswitch_path);

+extern bool nss_is_initialized();

+

+struct subid_nss_ops {

+	/*

+	 * nss_has_any_range: does a user own any subid range

+	 *

+	 * @owner: username

+	 * @idtype: subuid or subgid

+	 * @result: true if a subid allocation was found for @owner

+	 *

+	 * returns success if the module was able to determine an answer (true or false),

+	 * else an error status.

+	 */

+	enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result);

+

+	/*

+	 * nss_has_range: does a user own a given subid range

+	 *

+	 * @owner: username

+	 * @start: first subid in queried range

+	 * @count: number of subids in queried range

+	 * @idtype: subuid or subgid

+	 * @result: true if @owner has been allocated the subid range.

+	 *

+	 * returns success if the module was able to determine an answer (true or false),

+	 * else an error status.

+	 */

+	enum subid_status (*has_range)(const char *owner, unsigned long start, unsigned long count, enum subid_type idtype, bool *result);

+

+	/*

+	 * nss_list_owner_ranges: list the subid ranges delegated to a user.

+	 *

+	 * @owner - string representing username being queried

+	 * @id_type - subuid or subgid

+	 * @ranges - pointer to an array of struct subordinate_range pointers, or

+	 *           NULL.  The returned array of struct subordinate_range and its

+	 *           members must be freed by the caller.

+	 * @count - pointer to an integer into which the number of returned ranges

+	 *          is written.

+

+	 * returns success if the module was able to determine an answer,

+	 * else an error status.

+	 */

+	enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges, int *count);

+

+	/*

+	 * nss_find_subid_owners: find uids who own a given subuid or subgid.

+	 *

+	 * @id - the delegated id (subuid or subgid) being queried

+	 * @id_type - subuid or subgid

+	 * @uids - pointer to an array of uids which will be allocated by

+	 *         nss_find_subid_owners()

+	 * @count - number of uids found

+	 *

+	 * returns success if the module was able to determine an answer,

+	 * else an error status.

+	 */

+	enum subid_status (*find_subid_owners)(unsigned long id, enum subid_type id_type, uid_t **uids, int *count);

+

+	/* The dlsym handle to close */

+	void *handle;

+};

+

+extern struct subid_nss_ops *get_subid_nss_handle();

+

+

 /* pam_pass_non_interactive.c */

 #ifdef USE_PAM

 extern int do_pam_passwd_non_interactive (const char *pam_service,

diff -up shadow-4.6/libsubid/api.c.libsubid_nsswitch_support shadow-4.6/libsubid/api.c

--- shadow-4.6/libsubid/api.c.libsubid_nsswitch_support	2021-10-19 13:16:21.986493267 +0200

+++ shadow-4.6/libsubid/api.c	2021-10-19 13:16:21.991493347 +0200

@@ -36,134 +36,50 @@

 #include <stdbool.h>

 #include "subordinateio.h"

 #include "idmapping.h"

-#include "api.h"

+#include "subid.h"

-static struct subordinate_range **get_subid_ranges(const char *owner, enum subid_type id_type)

+static

+int get_subid_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)

 {

-	struct subordinate_range **ranges = NULL;

-

-	switch (id_type) {

-	case ID_TYPE_UID:

-		if (!sub_uid_open(O_RDONLY)) {

-			return NULL;

-		}

-		break;

-	case ID_TYPE_GID:

-		if (!sub_gid_open(O_RDONLY)) {

-			return NULL;

-		}

-		break;

-	default:

-		return NULL;

-	}

-

-	ranges = list_owner_ranges(owner, id_type);

-

-	if (id_type == ID_TYPE_UID)

-		sub_uid_close();

-	else

-		sub_gid_close();

-

-	return ranges;

+	return list_owner_ranges(owner, id_type, ranges);

 }

-struct subordinate_range **get_subuid_ranges(const char *owner)

+int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges)

 {

-	return get_subid_ranges(owner, ID_TYPE_UID);

+	return get_subid_ranges(owner, ID_TYPE_UID, ranges);

 }

-struct subordinate_range **get_subgid_ranges(const char *owner)

+int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges)

 {

-	return get_subid_ranges(owner, ID_TYPE_GID);

+	return get_subid_ranges(owner, ID_TYPE_GID, ranges);

 }

-void subid_free_ranges(struct subordinate_range **ranges)

+void subid_free_ranges(struct subordinate_range **ranges, int count)

 {

-	return free_subordinate_ranges(ranges);

+	return free_subordinate_ranges(ranges, count);

 }

-int get_subid_owner(unsigned long id, uid_t **owner, enum subid_type id_type)

+static

+int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)

 {

-	int ret = -1;

-

-	switch (id_type) {

-	case ID_TYPE_UID:

-		if (!sub_uid_open(O_RDONLY)) {

-			return -1;

-		}

-		break;

-	case ID_TYPE_GID:

-		if (!sub_gid_open(O_RDONLY)) {

-			return -1;

-		}

-		break;

-	default:

-		return -1;

-	}

-

-	ret = find_subid_owners(id, owner, id_type);

-

-	if (id_type == ID_TYPE_UID)

-		sub_uid_close();

-	else

-		sub_gid_close();

-

-	return ret;

+	return find_subid_owners(id, id_type, owner);

 }

 int get_subuid_owners(uid_t uid, uid_t **owner)

 {

-	return get_subid_owner((unsigned long)uid, owner, ID_TYPE_UID);

+	return get_subid_owner((unsigned long)uid, ID_TYPE_UID, owner);

 }

 int get_subgid_owners(gid_t gid, uid_t **owner)

 {

-	return get_subid_owner((unsigned long)gid, owner, ID_TYPE_GID);

+	return get_subid_owner((unsigned long)gid, ID_TYPE_GID, owner);

 }

+static

 bool grant_subid_range(struct subordinate_range *range, bool reuse,

 		       enum subid_type id_type)

 {

-	bool ret;

-

-	switch (id_type) {

-	case ID_TYPE_UID:

-		if (!sub_uid_lock()) {

-			printf("Failed loging subuids (errno %d)\n", errno);

-			return false;

-		}

-		if (!sub_uid_open(O_CREAT | O_RDWR)) {

-			printf("Failed opening subuids (errno %d)\n", errno);

-			sub_uid_unlock();

-			return false;

-		}

-		break;

-	case ID_TYPE_GID:

-		if (!sub_gid_lock()) {

-			printf("Failed loging subgids (errno %d)\n", errno);

-			return false;

-		}

-		if (!sub_gid_open(O_CREAT | O_RDWR)) {

-			printf("Failed opening subgids (errno %d)\n", errno);

-			sub_gid_unlock();

-			return false;

-		}

-		break;

-	default:

-		return false;

-	}

-

-	ret = new_subid_range(range, id_type, reuse);

-

-	if (id_type == ID_TYPE_UID) {

-		sub_uid_close();

-		sub_uid_unlock();

-	} else {

-		sub_gid_close();

-		sub_gid_unlock();

-	}

-

-	return ret;

+	return new_subid_range(range, id_type, reuse);

 }

 bool grant_subuid_range(struct subordinate_range *range, bool reuse)

@@ -176,56 +92,18 @@ bool grant_subgid_range(struct subordina

 	return grant_subid_range(range, reuse, ID_TYPE_GID);

 }

-bool free_subid_range(struct subordinate_range *range, enum subid_type id_type)

+static

+bool ungrant_subid_range(struct subordinate_range *range, enum subid_type id_type)

 {

-	bool ret;

-

-	switch (id_type) {

-	case ID_TYPE_UID:

-		if (!sub_uid_lock()) {

-			printf("Failed loging subuids (errno %d)\n", errno);

-			return false;

-		}

-		if (!sub_uid_open(O_CREAT | O_RDWR)) {

-			printf("Failed opening subuids (errno %d)\n", errno);

-			sub_uid_unlock();

-			return false;

-		}

-		break;

-	case ID_TYPE_GID:

-		if (!sub_gid_lock()) {

-			printf("Failed loging subgids (errno %d)\n", errno);

-			return false;

-		}

-		if (!sub_gid_open(O_CREAT | O_RDWR)) {

-			printf("Failed opening subgids (errno %d)\n", errno);

-			sub_gid_unlock();

-			return false;

-		}

-		break;

-	default:

-		return false;

-	}

-

-	ret = release_subid_range(range, id_type);

-

-	if (id_type == ID_TYPE_UID) {

-		sub_uid_close();

-		sub_uid_unlock();

-	} else {

-		sub_gid_close();

-		sub_gid_unlock();

-	}

-

-	return ret;

+	return release_subid_range(range, id_type);

 }

-bool free_subuid_range(struct subordinate_range *range)

+bool ungrant_subuid_range(struct subordinate_range *range)

 {

-	return free_subid_range(range, ID_TYPE_UID);

+	return ungrant_subid_range(range, ID_TYPE_UID);

 }

-bool free_subgid_range(struct subordinate_range *range)

+bool ungrant_subgid_range(struct subordinate_range *range)

 {

-	return free_subid_range(range, ID_TYPE_GID);

+	return ungrant_subid_range(range, ID_TYPE_GID);

 }

diff -up shadow-4.6/libsubid/api.h.libsubid_nsswitch_support shadow-4.6/libsubid/api.h

diff -up shadow-4.6/libsubid/Makefile.am.libsubid_nsswitch_support shadow-4.6/libsubid/Makefile.am

--- shadow-4.6/libsubid/Makefile.am.libsubid_nsswitch_support	2021-10-19 13:16:21.986493267 +0200

+++ shadow-4.6/libsubid/Makefile.am	2021-10-19 13:16:21.989493315 +0200

@@ -12,12 +12,14 @@ MISCLIBS = \

 	$(LIBSKEY) \

 	$(LIBMD) \

 	$(LIBCRYPT) \

+	$(LIBACL) \

+	$(LIBATTR) \

 	$(LIBTCB)

 libsubid_la_LIBADD = \

 	$(top_srcdir)/lib/libshadow.la \

-	$(MISCLIBS) \

-	$(top_srcdir)/libmisc/libmisc.a

+	$(top_srcdir)/libmisc/libmisc.la \

+	$(MISCLIBS) -ldl

 AM_CPPFLAGS = \

 	-I${top_srcdir}/lib \

diff -up shadow-4.6/libsubid/subid.h.libsubid_nsswitch_support shadow-4.6/libsubid/subid.h

--- shadow-4.6/libsubid/subid.h.libsubid_nsswitch_support	2021-10-19 13:16:21.986493267 +0200

+++ shadow-4.6/libsubid/subid.h	2021-10-19 13:16:21.991493347 +0200

@@ -1,4 +1,5 @@

 #include <sys/types.h>

+#include <stdbool.h>

 #ifndef SUBID_RANGE_DEFINED

 #define SUBID_RANGE_DEFINED 1

@@ -13,5 +14,117 @@ enum subid_type {

 	ID_TYPE_GID = 2

 };

+enum subid_status {

+	SUBID_STATUS_SUCCESS = 0,

+	SUBID_STATUS_UNKNOWN_USER = 1,

+	SUBID_STATUS_ERROR_CONN = 2,

+	SUBID_STATUS_ERROR = 3,

+};

+

+/*

+ * get_subuid_ranges: return a list of UID ranges for a user

+ *

+ * @owner: username being queried

+ * @ranges: a pointer to a subordinate range ** in which the result will be

+ *          returned.

+ *

+ * returns: number of ranges found, ir < 0 on error.

+ */

+int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges);

+

+/*

+ * get_subgid_ranges: return a list of GID ranges for a user

+ *

+ * @owner: username being queried

+ * @ranges: a pointer to a subordinate range ** in which the result will be

+ *          returned.

+ *

+ * returns: number of ranges found, ir < 0 on error.

+ */

+int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges);

+

+/*

+ * subid_free_ranges: free an array of subordinate_ranges returned by either

+ *                    get_subuid_ranges() or get_subgid_ranges().

+ *

+ * @ranges: the ranges to free

+ * @count: the number of ranges in @ranges

+ */

+void subid_free_ranges(struct subordinate_range **ranges, int count);

+

+/*

+ * get_subuid_owners: return a list of uids to which the given uid has been

+ *                    delegated.

+ *

+ * @uid: The subuid being queried

+ * @owners: a pointer to an array of uids into which the results are placed.

+ *          The returned array must be freed by the caller.

+ *

+ * Returns the number of uids returned, or < 0 on error.

+ */

+int get_subuid_owners(uid_t uid, uid_t **owner);

+

+/*

+ * get_subgid_owners: return a list of uids to which the given gid has been

+ *                    delegated.

+ *

+ * @uid: The subgid being queried

+ * @owners: a pointer to an array of uids into which the results are placed.

+ *          The returned array must be freed by the caller.

+ *

+ * Returns the number of uids returned, or < 0 on error.

+ */

+int get_subgid_owners(gid_t gid, uid_t **owner);

+

+/*

+ * grant_subuid_range: assign a subuid range to a user

+ *

+ * @range: pointer to a struct subordinate_range detailing the UID range

+ *         to allocate.  ->owner must be the username, and ->count must be

+ *         filled in.  ->start is ignored, and will contain the start

+ *         of the newly allocated range, upon success.

+ *

+ * Returns true if the delegation succeeded, false otherwise.  If true,

+ * then the range from (range->start, range->start + range->count) will

+ * be delegated to range->owner.

+ */

+bool grant_subuid_range(struct subordinate_range *range, bool reuse);

+

+/*

+ * grant_subsid_range: assign a subgid range to a user

+ *

+ * @range: pointer to a struct subordinate_range detailing the GID range

+ *         to allocate.  ->owner must be the username, and ->count must be

+ *         filled in.  ->start is ignored, and will contain the start

+ *         of the newly allocated range, upon success.

+ *

+ * Returns true if the delegation succeeded, false otherwise.  If true,

+ * then the range from (range->start, range->start + range->count) will

+ * be delegated to range->owner.

+ */

+bool grant_subgid_range(struct subordinate_range *range, bool reuse);

+

+/*

+ * ungrant_subuid_range: remove a subuid allocation.

+ *

+ * @range: pointer to a struct subordinate_range detailing the UID allocation

+ *         to remove.

+ *

+ * Returns true if successful, false if it failed, for instance if the

+ * delegation did not exist.

+ */

+bool ungrant_subuid_range(struct subordinate_range *range);

+

+/*

+ * ungrant_subuid_range: remove a subgid allocation.

+ *

+ * @range: pointer to a struct subordinate_range detailing the GID allocation

+ *         to remove.

+ *

+ * Returns true if successful, false if it failed, for instance if the

+ * delegation did not exist.

+ */

+bool ungrant_subgid_range(struct subordinate_range *range);

+

 #define SUBID_NFIELDS 3

 #endif

diff -up shadow-4.6/lib/subordinateio.c.libsubid_nsswitch_support shadow-4.6/lib/subordinateio.c

--- shadow-4.6/lib/subordinateio.c.libsubid_nsswitch_support	2021-10-19 13:16:21.986493267 +0200

+++ shadow-4.6/lib/subordinateio.c	2021-10-19 13:16:21.989493315 +0200

@@ -14,6 +14,7 @@

 #include <sys/types.h>

 #include <pwd.h>

 #include <ctype.h>

+#include <fcntl.h>

 /*

  * subordinate_dup: create a duplicate range

@@ -316,17 +317,17 @@ static bool append_range(struct subordin

 {

 	struct subordinate_range *tmp;

 	if (!*ranges) {

-		*ranges = malloc(2 * sizeof(struct subordinate_range **));

+		*ranges = malloc(sizeof(struct subordinate_range *));

 		if (!*ranges)

 			return false;

 	} else {

 		struct subordinate_range **new;

-		new = realloc(*ranges, (n + 2) * (sizeof(struct subordinate_range **)));

+		new = realloc(*ranges, (n + 1) * (sizeof(struct subordinate_range *)));

 		if (!new)

 			return false;

 		*ranges = new;

 	}

-	(*ranges)[n] = (*ranges)[n+1] = NULL;

+	(*ranges)[n] = NULL;

 	tmp = subordinate_dup(new);

 	if (!tmp)

 		return false;

@@ -334,13 +335,13 @@ static bool append_range(struct subordin

 	return true;

 }

-void free_subordinate_ranges(struct subordinate_range **ranges)

+void free_subordinate_ranges(struct subordinate_range **ranges, int count)

 {

 	int i;

 	if (!ranges)

 		return;

-	for (i = 0; ranges[i]; i++)

+	for (i = 0; i < count; i++)

 		subordinate_free(ranges[i]);

 	free(ranges);

 }

@@ -607,21 +608,46 @@ int sub_uid_open (int mode)

 bool sub_uid_assigned(const char *owner)

 {

+	struct subid_nss_ops *h;

+	bool found;

+	enum subid_status status;

+	h = get_subid_nss_handle();

+	if (h) {

+		status = h->has_any_range(owner, ID_TYPE_UID, &found);

+		if (status == SUBID_STATUS_SUCCESS && found)

+			return true;

+		return false;

+	}

+

 	return range_exists (&subordinate_uid_db, owner);