dcavalca / rpms / util-linux

Forked from rpms/util-linux 2 years ago
Clone

Blame SOURCES/0066-su-clean-up-groups-initialization.patch

05ad79
From b2a41801904c4b281a717dde7f5e146cbd4500b3 Mon Sep 17 00:00:00 2001
05ad79
From: Karel Zak <kzak@redhat.com>
05ad79
Date: Mon, 15 Feb 2016 13:55:37 +0100
05ad79
Subject: [PATCH 66/84] su: clean up groups initialization
05ad79
05ad79
This patch does not change any su/runuser behaviour, code changes:
05ad79
05ad79
* don't use huge groups[NGROUPS_MAX]; the array has 256k, but we need
05ad79
  it only occasionally when -G/-g specified.
05ad79
05ad79
* the current code uses groups[0] for -g and the rest for -G, this patch adds
05ad79
  'gid' to remember -g argument to avoid memmove()
05ad79
05ad79
* add function add_supp_group() to simplify su_main()
05ad79
05ad79
* add note about -G and -g relation to the man pages (undocumented now)
05ad79
05ad79
Upstream: http://github.com/karelzak/util-linux/commit/c619d3d167115990e9228b27851e0cc2faa8f936
05ad79
Addresses: http://bugzilla.redhat.com/show_bug.cgi?id=1304426
05ad79
Signed-off-by: Karel Zak <kzak@redhat.com>
05ad79
---
05ad79
 login-utils/runuser.1   |  5 ++--
05ad79
 login-utils/su-common.c | 68 +++++++++++++++++++++++++++----------------------
05ad79
 login-utils/su.1        |  5 ++--
05ad79
 3 files changed, 44 insertions(+), 34 deletions(-)
05ad79
05ad79
diff --git a/login-utils/runuser.1 b/login-utils/runuser.1
05ad79
index 7201ff0..d82dbb0 100644
05ad79
--- a/login-utils/runuser.1
05ad79
+++ b/login-utils/runuser.1
05ad79
@@ -75,8 +75,9 @@ shell.
05ad79
 \fB\-g\fR, \fB\-\-group\fR=\fIgroup\fR\fR
05ad79
 specify the primary group, this option is allowed for root user only
05ad79
 .TP
05ad79
-\fB\-G\fR, \fB\-\-supp-group\fR=\fIgroup\fR\fR
05ad79
-specify a supplemental group, this option is allowed for root user only
05ad79
+.BR \-G , " \-\-supp\-group" = \fIgroup
05ad79
+Specify a supplemental group.  This option is available to the root user only.  The first specified
05ad79
+supplementary group is also used as a primary group if the option \fB\-\-group\fR is unspecified.
05ad79
 .TP
05ad79
 \fB\-\fR, \fB\-l\fR, \fB\-\-login\fR
05ad79
 Starts the shell as login shell with an environment similar to a real
05ad79
diff --git a/login-utils/su-common.c b/login-utils/su-common.c
05ad79
index dd87804..d53d690 100644
05ad79
--- a/login-utils/su-common.c
05ad79
+++ b/login-utils/su-common.c
05ad79
@@ -535,7 +535,7 @@ modify_environment (const struct passwd *pw, const char *shell)
05ad79
 /* Become the user and group(s) specified by PW.  */
05ad79
 
05ad79
 static void
05ad79
-init_groups (const struct passwd *pw, gid_t *groups, int num_groups)
05ad79
+init_groups (const struct passwd *pw, gid_t *groups, size_t num_groups)
05ad79
 {
05ad79
   int retval;
05ad79
 
05ad79
@@ -707,6 +707,28 @@ evaluate_uid(void)
05ad79
   return (uid_t) 0 == ruid && ruid == euid ? 0 : 1;
05ad79
 }
05ad79
 
05ad79
+static gid_t
05ad79
+add_supp_group(const char *name, gid_t **groups, size_t *ngroups)
05ad79
+{
05ad79
+  struct group *gr;
05ad79
+
05ad79
+  if (*ngroups >= NGROUPS_MAX)
05ad79
+    errx(EXIT_FAILURE,
05ad79
+	P_("specifying more than %d supplemental group is not possible",
05ad79
+	   "specifying more than %d supplemental groups is not possible",
05ad79
+	     NGROUPS_MAX - 1), NGROUPS_MAX - 1);
05ad79
+
05ad79
+  gr = getgrnam(name);
05ad79
+  if (!gr)
05ad79
+    errx(EXIT_FAILURE, _("group %s does not exist"), name);
05ad79
+
05ad79
+  *groups = xrealloc(*groups, sizeof(gid_t) * (*ngroups + 1));
05ad79
+  (*groups)[*ngroups] = gr->gr_gid;
05ad79
+  (*ngroups)++;
05ad79
+
05ad79
+  return gr->gr_gid;
05ad79
+}
05ad79
+
05ad79
 int
05ad79
 su_main (int argc, char **argv, int mode)
05ad79
 {
05ad79
@@ -717,10 +739,12 @@ su_main (int argc, char **argv, int mode)
05ad79
   char *shell = NULL;
05ad79
   struct passwd *pw;
05ad79
   struct passwd pw_copy;
05ad79
-  struct group *gr;
05ad79
-  gid_t groups[NGROUPS_MAX];
05ad79
-  int num_supp_groups = 0;
05ad79
-  int use_gid = 0;
05ad79
+
05ad79
+  gid_t *groups = NULL;
05ad79
+  size_t ngroups = 0;
05ad79
+  bool use_supp = false;
05ad79
+  bool use_gid = false;
05ad79
+  gid_t gid = 0;
05ad79
 
05ad79
   static const struct option longopts[] = {
05ad79
     {"command", required_argument, NULL, 'c'},
05ad79
@@ -765,23 +789,13 @@ su_main (int argc, char **argv, int mode)
05ad79
 	  break;
05ad79
 
05ad79
 	case 'g':
05ad79
-	  gr = getgrnam(optarg);
05ad79
-	  if (!gr)
05ad79
-	    errx(EXIT_FAILURE, _("group %s does not exist"), optarg);
05ad79
-	  use_gid = 1;
05ad79
-	  groups[0] = gr->gr_gid;
05ad79
+	  use_gid = true;
05ad79
+	  gid = add_supp_group(optarg, &groups, &ngroups);
05ad79
 	  break;
05ad79
 
05ad79
 	case 'G':
05ad79
-	  num_supp_groups++;
05ad79
-	  if (num_supp_groups >= NGROUPS_MAX)
05ad79
-	     errx(EXIT_FAILURE,
05ad79
-		  _("can't specify more than %d supplemental groups"),
05ad79
-		  NGROUPS_MAX - 1);
05ad79
-	  gr = getgrnam(optarg);
05ad79
-	  if (!gr)
05ad79
-	    errx(EXIT_FAILURE, _("group %s does not exist"), optarg);
05ad79
-	  groups[num_supp_groups] = gr->gr_gid;
05ad79
+	  use_supp = true;
05ad79
+	  add_supp_group(optarg, &groups, &ngroups);
05ad79
 	  break;
05ad79
 
05ad79
 	case 'l':
05ad79
@@ -852,7 +866,7 @@ su_main (int argc, char **argv, int mode)
05ad79
     break;
05ad79
   }
05ad79
 
05ad79
-  if ((num_supp_groups || use_gid) && restricted)
05ad79
+  if ((use_supp || use_gid) && restricted)
05ad79
     errx(EXIT_FAILURE, _("only root can specify alternative groups"));
05ad79
 
05ad79
   logindefs_load_defaults = load_config;
05ad79
@@ -878,16 +892,10 @@ su_main (int argc, char **argv, int mode)
05ad79
 			  : DEFAULT_SHELL);
05ad79
   endpwent ();
05ad79
 
05ad79
-  if (num_supp_groups && !use_gid)
05ad79
-  {
05ad79
-    pw->pw_gid = groups[1];
05ad79
-    memmove (groups, groups + 1, sizeof(gid_t) * num_supp_groups);
05ad79
-  }
05ad79
-  else if (use_gid)
05ad79
-  {
05ad79
+  if (use_supp && !use_gid)
05ad79
     pw->pw_gid = groups[0];
05ad79
-    num_supp_groups++;
05ad79
-  }
05ad79
+  else if (use_gid)
05ad79
+    pw->pw_gid = gid;
05ad79
 
05ad79
   authenticate (pw);
05ad79
 
05ad79
@@ -912,7 +920,7 @@ su_main (int argc, char **argv, int mode)
05ad79
     shell = xstrdup (shell ? shell : pw->pw_shell);
05ad79
   }
05ad79
 
05ad79
-  init_groups (pw, groups, num_supp_groups);
05ad79
+  init_groups (pw, groups, ngroups);
05ad79
 
05ad79
   if (!simulate_login || command)
05ad79
     suppress_pam_info = 1;		/* don't print PAM info messages */
05ad79
diff --git a/login-utils/su.1 b/login-utils/su.1
05ad79
index eab1a6f..1f69868 100644
05ad79
--- a/login-utils/su.1
05ad79
+++ b/login-utils/su.1
05ad79
@@ -62,8 +62,9 @@ shell.
05ad79
 \fB\-g\fR, \fB\-\-group\fR=\fIgroup\fR\fR
05ad79
 specify the primary group, this option is allowed for root user only
05ad79
 .TP
05ad79
-\fB\-G\fR, \fB\-\-supp-group\fR=\fIgroup\fR\fR
05ad79
-specify a supplemental group, this option is allowed for root user only
05ad79
+.BR \-G , " \-\-supp\-group" = \fIgroup
05ad79
+Specify a supplemental group.  This option is available to the root user only.  The first specified
05ad79
+supplementary group is also used as a primary group if the option \fB\-\-group\fR is unspecified.
05ad79
 .TP
05ad79
 \fB\-\fR, \fB\-l\fR, \fB\-\-login\fR
05ad79
 Starts the shell as login shell with an environment similar to a real
05ad79
-- 
05ad79
2.7.4
05ad79