File sudo-1.8.10p3-groups_resolve.patch of Package sudo.18794

Overview Repositories Revisions Requests Users Attributes Meta

File sudo-1.8.10p3-groups_resolve.patch of Package sudo.18794

Index: sudo-1.8.10p3/plugins/sudoers/def_data.c
===================================================================
--- sudo-1.8.10p3.orig/plugins/sudoers/def_data.c
+++ sudo-1.8.10p3/plugins/sudoers/def_data.c
@@ -383,6 +383,10 @@ struct sudo_defs_types sudo_defs_table[]
 	N_("Enable sudoers netgroup support"),
 	NULL,
     }, {
+	"legacy_group_processing", T_FLAG,
+	N_("Don't pre-resolve all group names"),
+	NULL,
+    }, {
 	NULL, 0, NULL
     }
 };
Index: sudo-1.8.10p3/plugins/sudoers/defaults.c
===================================================================
--- sudo-1.8.10p3.orig/plugins/sudoers/defaults.c
+++ sudo-1.8.10p3/plugins/sudoers/defaults.c
@@ -364,6 +364,7 @@ init_defaults(void)
     }
 
     /* First initialize the flags. */
+    def_legacy_group_processing = true;
 #ifdef LONG_OTP_PROMPT
     def_long_otp_prompt = true;
 #endif
Index: sudo-1.8.10p3/plugins/sudoers/ldap.c
===================================================================
--- sudo-1.8.10p3.orig/plugins/sudoers/ldap.c
+++ sudo-1.8.10p3/plugins/sudoers/ldap.c
@@ -1247,6 +1247,15 @@ sudo_ldap_build_pass1(struct passwd *pw)
     }
     sz += 13 + MAX_UID_T_LEN;
     if ((grlist = sudo_get_grlist(pw)) != NULL) {
+	if (!grlist->groups_resolved) {
+	    int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
+				       grlist->groups, grlist->groups_buffer);
+	    if (rc < 0) {
+		return NULL;
+	    }
+	    grlist->ngroups = rc;
+	    grlist->groups_resolved = true;
+	}
 	for (i = 0; i < grlist->ngroups; i++) {
 	    if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
 		continue;
Index: sudo-1.8.10p3/plugins/sudoers/pwutil.c
===================================================================
--- sudo-1.8.10p3.orig/plugins/sudoers/pwutil.c
+++ sudo-1.8.10p3/plugins/sudoers/pwutil.c
@@ -631,12 +631,27 @@ user_in_group(const struct passwd *pw, c
 	/*
 	 * If it could be a sudo-style group ID check gids first.
 	 */
+	bool do_gid_lookup = false;
+	gid_t gid;
+
 	if (group[0] == '#') {
-	    gid_t gid = (gid_t) atoid(group + 1, NULL, NULL, &errstr);
+	    gid = (gid_t) atoid(group + 1, NULL, NULL, &errstr);
 	    if (errstr != NULL) {
 		sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_DIAG,
 		    "gid %s %s", group, errstr);
 	    } else {
+	    do_gid_lookup = true;
+		}
+	} else if (def_legacy_group_processing) {
+	    struct group *grent = sudo_getgrnam(group);
+	    if (grent == NULL) {
+		goto done;
+	    }
+	    gid = grent->gr_gid;
+	    do_gid_lookup = true;
+	}
+
+	if (do_gid_lookup) {
 		if (gid == pw->pw_gid) {
 		    matched = true;
 		    goto done;
@@ -647,7 +662,19 @@ user_in_group(const struct passwd *pw, c
 			goto done;
 		    }
 		}
+	}
+
+	if (def_legacy_group_processing) {
+	    goto done;
+	}
+	if (!grlist->groups_resolved) {
+	    int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
+				       grlist->groups, grlist->groups_buffer);
+	    if (rc < 0) {
+		goto done;
 	    }
+	    grlist->ngroups = rc;
+	    grlist->groups_resolved = true;
 	}
 
 	/*
Index: sudo-1.8.10p3/plugins/sudoers/pwutil_impl.c
===================================================================
--- sudo-1.8.10p3.orig/plugins/sudoers/pwutil_impl.c
+++ sudo-1.8.10p3/plugins/sudoers/pwutil_impl.c
@@ -220,6 +220,16 @@ sudo_make_gritem(gid_t gid, const char *
     debug_return_ptr(&gritem->cache);
 }
 
+static int
+get_groupname_len(void)
+{
+#if defined(HAVE_SYSCONF) && defined(_SC_LOGIN_NAME_MAX)
+    return MAX((int)sysconf(_SC_LOGIN_NAME_MAX), 32);
+#else
+    return MAX(LOGIN_NAME_MAX, 32);
+#endif
+}
+
 /*
  * Dynamically allocate space for a struct item plus the key and data
  * elements.  Fills in datum from user_gids or from getgrouplist(3).
@@ -229,11 +239,10 @@ sudo_make_grlist_item(const struct passw
     char * const *unused2)
 {
     char *cp;
-    size_t nsize, ngroups, total, len;
+    size_t nsize, total;
     struct cache_item_grlist *grlitem;
     struct group_list *grlist;
     GETGROUPS_T *gids;
-    struct group *grp;
     int i, ngids, groupname_len;
     debug_decl(sudo_make_grlist_item, SUDO_DEBUG_NSS)
 
@@ -271,11 +280,7 @@ sudo_make_grlist_item(const struct passw
     aix_setauthdb((char *) pw->pw_name);
 #endif
 
-#if defined(HAVE_SYSCONF) && defined(_SC_LOGIN_NAME_MAX)
-    groupname_len = MAX((int)sysconf(_SC_LOGIN_NAME_MAX), 32);
-#else
-    groupname_len = MAX(LOGIN_NAME_MAX, 32);
-#endif
+    groupname_len = get_groupname_len();
 
     /* Allocate in one big chunk for easy freeing. */
     nsize = strlen(pw->pw_name) + 1;
@@ -284,7 +289,6 @@ sudo_make_grlist_item(const struct passw
     total += sizeof(gid_t *) * ngids;
     total += groupname_len * ngids;
 
-again:
     grlitem = ecalloc(1, total);
 
     /*
@@ -312,27 +316,26 @@ again:
     for (i = 0; i < ngids; i++)
 	grlist->gids[i] = gids[i];
     grlist->ngids = ngids;
+    grlist->groups_buffer = cp;
 
     /*
-     * Resolve and store group names by ID.
+     * Resolve and store group names by ID if legacy_group_processing is off.
      */
-    ngroups = 0;
-    for (i = 0; i < ngids; i++) {
-	if ((grp = sudo_getgrgid(gids[i])) != NULL) {
-	    len = strlen(grp->gr_name) + 1;
-	    if (cp - (char *)grlitem + len > total) {
-		total += len + groupname_len;
-		efree(grlitem);
-		sudo_gr_delref(grp);
-		goto again;
-	    }
-	    memcpy(cp, grp->gr_name, len);
-	    grlist->groups[ngroups++] = cp;
-	    cp += len;
-	    sudo_gr_delref(grp);
-	}
+	if (def_legacy_group_processing) {
+      for (i = 0; i < ngids; i++) {
+	grlist->groups[i] = NULL;
+      }
+      grlist->ngroups = 0;
+      grlist->groups_resolved = false;
+    } else {
+      int rc = sudo_resolve_gids(gids, ngids, grlist->groups, grlist->groups_buffer);
+      if (rc < 0) {
+	efree(grlitem);
+	return NULL;
+      }
+      grlist->ngroups = rc;
+      grlist->groups_resolved = true;
     }
-    grlist->ngroups = ngroups;
     efree(gids);
 
 #ifdef HAVE_SETAUTHDB
@@ -341,3 +344,33 @@ again:
 
     debug_return_ptr(&grlitem->cache);
 }
+
+int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer)
+{
+  struct group *grp;
+  int space_left = ngids * get_groupname_len();
+  int ngroups = 0;
+  int i;
+  char *cp = group_buffer;
+  debug_decl(sudo_resolve_gids, SUDO_DEBUG_NSS)
+
+  for (i = 0; i < ngids; i++) {
+    if ((grp = sudo_getgrgid(gids[i])) != NULL) {
+      int len = strlen(grp->gr_name) + 1;
+
+      if (space_left < len) {
+	sudo_gr_delref(grp);
+	debug_return_int(-1);
+      }
+
+      memcpy(cp, grp->gr_name, len);
+      groups[ngroups++] = cp;
+      cp += len;
+      space_left -= len;
+      sudo_gr_delref(grp);
+    }
+  }
+
+  debug_return_int(ngroups);
+}
+
Index: sudo-1.8.10p3/plugins/sudoers/sudoers.h
===================================================================
--- sudo-1.8.10p3.orig/plugins/sudoers/sudoers.h
+++ sudo-1.8.10p3/plugins/sudoers/sudoers.h
@@ -53,6 +53,8 @@ struct group_list {
     GETGROUPS_T *gids;
     int ngroups;
     int ngids;
+    int groups_resolved;
+    char *groups_buffer;
 };
 
 /*
@@ -303,6 +305,7 @@ __dso_public struct group *sudo_getgrnam
 __dso_public void sudo_gr_addref(struct group *);
 __dso_public void sudo_gr_delref(struct group *);
 bool user_in_group(const struct passwd *, const char *);
+int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer);
 struct group *sudo_fakegrnam(const char *);
 struct group_list *sudo_get_grlist(const struct passwd *pw);
 struct passwd *sudo_fakepwnam(const char *, gid_t);
Index: sudo-1.8.10p3/plugins/sudoers/def_data.h
===================================================================
--- sudo-1.8.10p3.orig/plugins/sudoers/def_data.h
+++ sudo-1.8.10p3/plugins/sudoers/def_data.h
@@ -178,6 +178,8 @@
 #define I_MAXSEQ                88
 #define def_use_netgroups       (sudo_defs_table[89].sd_un.flag)
 #define I_USE_NETGROUPS         89
+#define def_legacy_group_processing (sudo_defs_table[90].sd_un.flag)
+#define I_LEGACY_GROUP_PROCESSING 90
 
 enum def_tuple {
 	never,

Places

File sudo-1.8.10p3-groups_resolve.patch of Package sudo.18794

Places