You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

224 lines
7.2 KiB

diff -up sudo-1.8.6p7/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.6p7/plugins/sudoers/defaults.c
--- sudo-1.8.6p7/plugins/sudoers/defaults.c.legacy-group-processing 2013-02-25 20:42:44.000000000 +0100
+++ sudo-1.8.6p7/plugins/sudoers/defaults.c 2015-08-28 10:52:13.658671686 +0200
@@ -362,6 +362,7 @@ init_defaults(void)
}
/* First initialize the flags. */
+ def_legacy_group_processing = true;
#ifdef LONG_OTP_PROMPT
def_long_otp_prompt = true;
#endif
diff -up sudo-1.8.6p7/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.6p7/plugins/sudoers/def_data.c
--- sudo-1.8.6p7/plugins/sudoers/def_data.c.legacy-group-processing 2015-08-28 10:52:13.604671687 +0200
+++ sudo-1.8.6p7/plugins/sudoers/def_data.c 2015-08-28 10:52:13.658671686 +0200
@@ -355,6 +355,10 @@ struct sudo_defs_types sudo_defs_table[]
N_("Don't fork and wait for the command to finish, just exec it"),
NULL,
}, {
+ "legacy_group_processing", T_FLAG,
+ N_("Don't pre-resolve all group names"),
+ NULL,
+ }, {
NULL, 0, NULL
}
};
diff -up sudo-1.8.6p7/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.6p7/plugins/sudoers/def_data.h
--- sudo-1.8.6p7/plugins/sudoers/def_data.h.legacy-group-processing 2015-08-28 10:52:13.604671687 +0200
+++ sudo-1.8.6p7/plugins/sudoers/def_data.h 2015-08-28 10:52:13.658671686 +0200
@@ -164,6 +164,8 @@
#define I_LIMITPRIVS 81
#define def_cmnd_no_wait (sudo_defs_table[82].sd_un.flag)
#define I_CMND_NO_WAIT 82
+#define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
+#define I_LEGACY_GROUP_PROCESSING 83
enum def_tuple {
never,
diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.legacy-group-processing sudo-1.8.6p7/plugins/sudoers/ldap.c
--- sudo-1.8.6p7/plugins/sudoers/ldap.c.legacy-group-processing 2015-08-28 10:52:13.656671686 +0200
+++ sudo-1.8.6p7/plugins/sudoers/ldap.c 2015-08-28 10:52:13.659671686 +0200
@@ -1220,6 +1220,15 @@ sudo_ldap_build_pass1(struct passwd *pw)
}
sz += 13 + MAX_UID_T_LEN;
if ((grlist = sudo_get_grlist(pw)) != NULL) {
+ if (!grlist->groups_resolved) {
+ int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
+ grlist->groups, grlist->groups_buffer);
+ if (rc < 0) {
+ return NULL;
+ }
+ grlist->ngroups = rc;
+ grlist->groups_resolved = true;
+ }
for (i = 0; i < grlist->ngroups; i++) {
if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
continue;
diff -up sudo-1.8.6p7/plugins/sudoers/pwutil.c.legacy-group-processing sudo-1.8.6p7/plugins/sudoers/pwutil.c
--- sudo-1.8.6p7/plugins/sudoers/pwutil.c.legacy-group-processing 2015-08-28 10:52:13.633671686 +0200
+++ sudo-1.8.6p7/plugins/sudoers/pwutil.c 2015-08-28 10:52:13.659671686 +0200
@@ -542,10 +542,9 @@ static struct cache_item *
make_grlist_item(const char *user, GETGROUPS_T *gids, int ngids)
{
char *cp;
- size_t i, nsize, ngroups, total, len;
+ size_t i, nsize, total;
struct cache_item_grlist *grlitem;
struct group_list *grlist;
- struct group *grp;
debug_decl(make_grlist_item, SUDO_DEBUG_NSS)
#ifdef HAVE_SETAUTHDB
@@ -559,7 +558,6 @@ make_grlist_item(const char *user, GETGR
total += sizeof(gid_t *) * ngids;
total += GROUPNAME_LEN * ngids;
-again:
grlitem = ecalloc(1, total);
/*
@@ -587,27 +585,26 @@ again:
for (i = 0; i < ngids; i++)
grlist->gids[i] = gids[i];
grlist->ngids = ngids;
+ grlist->groups_buffer = cp;
/*
- * Resolve and store group names by ID.
+ * Resolve and store group names by ID if legacy_group_processing is off.
*/
- ngroups = 0;
- for (i = 0; i < ngids; i++) {
- if ((grp = sudo_getgrgid(gids[i])) != NULL) {
- len = strlen(grp->gr_name) + 1;
- if (cp - (char *)grlitem + len > total) {
- total += len + GROUPNAME_LEN;
- efree(grlitem);
- sudo_gr_delref(grp);
- goto again;
- }
- memcpy(cp, grp->gr_name, len);
- grlist->groups[ngroups++] = cp;
- cp += len;
- sudo_gr_delref(grp);
- }
+ if (def_legacy_group_processing) {
+ for (i = 0; i < ngids; i++) {
+ grlist->groups[i] = NULL;
+ }
+ grlist->ngroups = 0;
+ grlist->groups_resolved = false;
+ } else {
+ int rc = sudo_resolve_gids(gids, ngids, grlist->groups, grlist->groups_buffer);
+ if (rc < 0) {
+ efree(grlitem);
+ return NULL;
+ }
+ grlist->ngroups = rc;
+ grlist->groups_resolved = true;
}
- grlist->ngroups = ngroups;
#ifdef HAVE_SETAUTHDB
aix_restoreauthdb();
@@ -616,6 +613,35 @@ again:
debug_return_ptr(&grlitem->cache);
}
+int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer)
+{
+ struct group *grp;
+ int space_left = ngids * GROUPNAME_LEN;
+ int ngroups = 0;
+ int i;
+ char *cp = group_buffer;
+ debug_decl(sudo_resolve_gids, SUDO_DEBUG_NSS)
+
+ for (i = 0; i < ngids; i++) {
+ if ((grp = sudo_getgrgid(gids[i])) != NULL) {
+ int len = strlen(grp->gr_name) + 1;
+
+ if (space_left < len) {
+ sudo_gr_delref(grp);
+ debug_return_int(-1);
+ }
+
+ memcpy(cp, grp->gr_name, len);
+ groups[ngroups++] = cp;
+ cp += len;
+ space_left -= len;
+ sudo_gr_delref(grp);
+ }
+ }
+
+ debug_return_int(ngroups);
+}
+
void
sudo_gr_addref(struct group *gr)
{
@@ -917,8 +943,22 @@ user_in_group(const struct passwd *pw, c
/*
* If it could be a sudo-style group ID check gids first.
*/
+ bool do_gid_lookup = false;
+ gid_t gid;
+
if (group[0] == '#') {
- gid_t gid = atoi(group + 1);
+ gid = atoi(group + 1);
+ do_gid_lookup = true;
+ } else if (def_legacy_group_processing) {
+ struct group *grent = sudo_getgrnam(group);
+ if (grent == NULL) {
+ goto done;
+ }
+ gid = grent->gr_gid;
+ do_gid_lookup = true;
+ }
+
+ if (do_gid_lookup) {
if (gid == pw->pw_gid) {
matched = true;
goto done;
@@ -931,6 +971,19 @@ user_in_group(const struct passwd *pw, c
}
}
+ if (def_legacy_group_processing) {
+ goto done;
+ }
+ if (!grlist->groups_resolved) {
+ int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
+ grlist->groups, grlist->groups_buffer);
+ if (rc < 0) {
+ goto done;
+ }
+ grlist->ngroups = rc;
+ grlist->groups_resolved = true;
+ }
+
/*
* Next check the supplementary group vector.
* It usually includes the password db group too.
diff -up sudo-1.8.6p7/plugins/sudoers/sudoers.h.legacy-group-processing sudo-1.8.6p7/plugins/sudoers/sudoers.h
--- sudo-1.8.6p7/plugins/sudoers/sudoers.h.legacy-group-processing 2015-08-28 10:52:13.634671686 +0200
+++ sudo-1.8.6p7/plugins/sudoers/sudoers.h 2015-08-28 10:52:13.659671686 +0200
@@ -52,6 +52,8 @@ struct group_list {
GETGROUPS_T *gids;
int ngroups;
int ngids;
+ int groups_resolved;
+ char *groups_buffer;
};
/*
@@ -289,6 +291,8 @@ __dso_public struct group *sudo_getgrnam
__dso_public void sudo_gr_addref(struct group *);
__dso_public void sudo_gr_delref(struct group *);
bool user_in_group(const struct passwd *, const char *);
+int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer);
+
struct group *sudo_fakegrnam(const char *);
struct group_list *sudo_get_grlist(const struct passwd *pw);
struct passwd *sudo_fakepwnam(const char *, gid_t);