Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:GA
sudo.18794
sudo-1.8.10p3-groups_resolve.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File sudo-1.8.10p3-groups_resolve.patch of Package sudo.18794
Index: sudo-1.8.10p3/plugins/sudoers/def_data.c =================================================================== --- sudo-1.8.10p3.orig/plugins/sudoers/def_data.c +++ sudo-1.8.10p3/plugins/sudoers/def_data.c @@ -383,6 +383,10 @@ struct sudo_defs_types sudo_defs_table[] N_("Enable sudoers netgroup support"), NULL, }, { + "legacy_group_processing", T_FLAG, + N_("Don't pre-resolve all group names"), + NULL, + }, { NULL, 0, NULL } }; Index: sudo-1.8.10p3/plugins/sudoers/defaults.c =================================================================== --- sudo-1.8.10p3.orig/plugins/sudoers/defaults.c +++ sudo-1.8.10p3/plugins/sudoers/defaults.c @@ -364,6 +364,7 @@ init_defaults(void) } /* First initialize the flags. */ + def_legacy_group_processing = true; #ifdef LONG_OTP_PROMPT def_long_otp_prompt = true; #endif Index: sudo-1.8.10p3/plugins/sudoers/ldap.c =================================================================== --- sudo-1.8.10p3.orig/plugins/sudoers/ldap.c +++ sudo-1.8.10p3/plugins/sudoers/ldap.c @@ -1247,6 +1247,15 @@ sudo_ldap_build_pass1(struct passwd *pw) } sz += 13 + MAX_UID_T_LEN; if ((grlist = sudo_get_grlist(pw)) != NULL) { + if (!grlist->groups_resolved) { + int rc = sudo_resolve_gids(grlist->gids, grlist->ngids, + grlist->groups, grlist->groups_buffer); + if (rc < 0) { + return NULL; + } + grlist->ngroups = rc; + grlist->groups_resolved = true; + } for (i = 0; i < grlist->ngroups; i++) { if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0) continue; Index: sudo-1.8.10p3/plugins/sudoers/pwutil.c =================================================================== --- sudo-1.8.10p3.orig/plugins/sudoers/pwutil.c +++ sudo-1.8.10p3/plugins/sudoers/pwutil.c @@ -631,12 +631,27 @@ user_in_group(const struct passwd *pw, c /* * If it could be a sudo-style group ID check gids first. */ + bool do_gid_lookup = false; + gid_t gid; + if (group[0] == '#') { - gid_t gid = (gid_t) atoid(group + 1, NULL, NULL, &errstr); + gid = (gid_t) atoid(group + 1, NULL, NULL, &errstr); if (errstr != NULL) { sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_DIAG, "gid %s %s", group, errstr); } else { + do_gid_lookup = true; + } + } else if (def_legacy_group_processing) { + struct group *grent = sudo_getgrnam(group); + if (grent == NULL) { + goto done; + } + gid = grent->gr_gid; + do_gid_lookup = true; + } + + if (do_gid_lookup) { if (gid == pw->pw_gid) { matched = true; goto done; @@ -647,7 +662,19 @@ user_in_group(const struct passwd *pw, c goto done; } } + } + + if (def_legacy_group_processing) { + goto done; + } + if (!grlist->groups_resolved) { + int rc = sudo_resolve_gids(grlist->gids, grlist->ngids, + grlist->groups, grlist->groups_buffer); + if (rc < 0) { + goto done; } + grlist->ngroups = rc; + grlist->groups_resolved = true; } /* Index: sudo-1.8.10p3/plugins/sudoers/pwutil_impl.c =================================================================== --- sudo-1.8.10p3.orig/plugins/sudoers/pwutil_impl.c +++ sudo-1.8.10p3/plugins/sudoers/pwutil_impl.c @@ -220,6 +220,16 @@ sudo_make_gritem(gid_t gid, const char * debug_return_ptr(&gritem->cache); } +static int +get_groupname_len(void) +{ +#if defined(HAVE_SYSCONF) && defined(_SC_LOGIN_NAME_MAX) + return MAX((int)sysconf(_SC_LOGIN_NAME_MAX), 32); +#else + return MAX(LOGIN_NAME_MAX, 32); +#endif +} + /* * Dynamically allocate space for a struct item plus the key and data * elements. Fills in datum from user_gids or from getgrouplist(3). @@ -229,11 +239,10 @@ sudo_make_grlist_item(const struct passw char * const *unused2) { char *cp; - size_t nsize, ngroups, total, len; + size_t nsize, total; struct cache_item_grlist *grlitem; struct group_list *grlist; GETGROUPS_T *gids; - struct group *grp; int i, ngids, groupname_len; debug_decl(sudo_make_grlist_item, SUDO_DEBUG_NSS) @@ -271,11 +280,7 @@ sudo_make_grlist_item(const struct passw aix_setauthdb((char *) pw->pw_name); #endif -#if defined(HAVE_SYSCONF) && defined(_SC_LOGIN_NAME_MAX) - groupname_len = MAX((int)sysconf(_SC_LOGIN_NAME_MAX), 32); -#else - groupname_len = MAX(LOGIN_NAME_MAX, 32); -#endif + groupname_len = get_groupname_len(); /* Allocate in one big chunk for easy freeing. */ nsize = strlen(pw->pw_name) + 1; @@ -284,7 +289,6 @@ sudo_make_grlist_item(const struct passw total += sizeof(gid_t *) * ngids; total += groupname_len * ngids; -again: grlitem = ecalloc(1, total); /* @@ -312,27 +316,26 @@ again: for (i = 0; i < ngids; i++) grlist->gids[i] = gids[i]; grlist->ngids = ngids; + grlist->groups_buffer = cp; /* - * Resolve and store group names by ID. + * Resolve and store group names by ID if legacy_group_processing is off. */ - ngroups = 0; - for (i = 0; i < ngids; i++) { - if ((grp = sudo_getgrgid(gids[i])) != NULL) { - len = strlen(grp->gr_name) + 1; - if (cp - (char *)grlitem + len > total) { - total += len + groupname_len; - efree(grlitem); - sudo_gr_delref(grp); - goto again; - } - memcpy(cp, grp->gr_name, len); - grlist->groups[ngroups++] = cp; - cp += len; - sudo_gr_delref(grp); - } + if (def_legacy_group_processing) { + for (i = 0; i < ngids; i++) { + grlist->groups[i] = NULL; + } + grlist->ngroups = 0; + grlist->groups_resolved = false; + } else { + int rc = sudo_resolve_gids(gids, ngids, grlist->groups, grlist->groups_buffer); + if (rc < 0) { + efree(grlitem); + return NULL; + } + grlist->ngroups = rc; + grlist->groups_resolved = true; } - grlist->ngroups = ngroups; efree(gids); #ifdef HAVE_SETAUTHDB @@ -341,3 +344,33 @@ again: debug_return_ptr(&grlitem->cache); } + +int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer) +{ + struct group *grp; + int space_left = ngids * get_groupname_len(); + int ngroups = 0; + int i; + char *cp = group_buffer; + debug_decl(sudo_resolve_gids, SUDO_DEBUG_NSS) + + for (i = 0; i < ngids; i++) { + if ((grp = sudo_getgrgid(gids[i])) != NULL) { + int len = strlen(grp->gr_name) + 1; + + if (space_left < len) { + sudo_gr_delref(grp); + debug_return_int(-1); + } + + memcpy(cp, grp->gr_name, len); + groups[ngroups++] = cp; + cp += len; + space_left -= len; + sudo_gr_delref(grp); + } + } + + debug_return_int(ngroups); +} + Index: sudo-1.8.10p3/plugins/sudoers/sudoers.h =================================================================== --- sudo-1.8.10p3.orig/plugins/sudoers/sudoers.h +++ sudo-1.8.10p3/plugins/sudoers/sudoers.h @@ -53,6 +53,8 @@ struct group_list { GETGROUPS_T *gids; int ngroups; int ngids; + int groups_resolved; + char *groups_buffer; }; /* @@ -303,6 +305,7 @@ __dso_public struct group *sudo_getgrnam __dso_public void sudo_gr_addref(struct group *); __dso_public void sudo_gr_delref(struct group *); bool user_in_group(const struct passwd *, const char *); +int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer); struct group *sudo_fakegrnam(const char *); struct group_list *sudo_get_grlist(const struct passwd *pw); struct passwd *sudo_fakepwnam(const char *, gid_t); Index: sudo-1.8.10p3/plugins/sudoers/def_data.h =================================================================== --- sudo-1.8.10p3.orig/plugins/sudoers/def_data.h +++ sudo-1.8.10p3/plugins/sudoers/def_data.h @@ -178,6 +178,8 @@ #define I_MAXSEQ 88 #define def_use_netgroups (sudo_defs_table[89].sd_un.flag) #define I_USE_NETGROUPS 89 +#define def_legacy_group_processing (sudo_defs_table[90].sd_un.flag) +#define I_LEGACY_GROUP_PROCESSING 90 enum def_tuple { never,
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor