diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c
--- shadow-4.1.5.1/src/newgrp.c.ingroup 2018-04-24 16:55:24.546677529 +0200
+++ shadow-4.1.5.1/src/newgrp.c 2018-04-24 16:58:17.113445562 +0200
@@ -83,15 +83,29 @@ static void usage (void)
}
}
+static bool ingroup(const char *name, struct group *gr)
+{
+ char **look;
+ bool notfound = true;
+
+ look = gr->gr_mem;
+ while (*look && notfound)
+ notfound = strcmp (*look++, name);
+
+ return !notfound;
+}
+
/*
- * find_matching_group - search all groups of a given group id for
+ * find_matching_group - search all groups of a gr's group id for
* membership of a given username
+ * but check gr itself first
*/
-static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid)
+static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr)
{
- struct group *gr;
- char **look;
- bool notfound = true;
+ gid_t gid = gr->gr_gid;
+
+ if (ingroup(name, gr))
+ return gr;
setgrent ();
while ((gr = getgrent ()) != NULL) {
@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc
* A group with matching GID was found.
* Test for membership of 'name'.
*/
- look = gr->gr_mem;
- while ((NULL != *look) && notfound) {
- notfound = (strcmp (*look, name) != 0);
- look++;
- }
- if (!notfound) {
+ if (ingroup(name, gr))
break;
- }
}
endgrent ();
return gr;
@@ -373,6 +381,7 @@ int main (int argc, char **argv)
{
bool initflag = false;
int i;
+ bool is_member = false;
bool cflag = false;
int err = 0;
gid_t gid;
@@ -611,22 +620,36 @@ int main (int argc, char **argv)
goto failure;
}
+#ifdef HAVE_SETGROUPS
+ /* when using pam_group, she will not be listed in the groups
+ * database. However getgroups() will return the group. So
+ * if she is listed there already it is ok to grant membership.
+ */
+ for (i = 0; i < ngroups; i++) {
+ if (grp->gr_gid == grouplist[i]) {
+ is_member = true;
+ break;
+ }
+ }
+#endif /* HAVE_SETGROUPS */
/*
* For splitted groups (due to limitations of NIS), check all
* groups of the same GID like the requested group for
* membership of the current user.
*/
- grp = find_matching_group (name, grp->gr_gid);
- if (NULL == grp) {
- /*
- * No matching group found. As we already know that
- * the group exists, this happens only in the case
- * of a requested group where the user is not member.
- *
- * Re-read the group entry for further processing.
- */
- grp = xgetgrnam (group);
- assert (NULL != grp);
+ if (!is_member) {
+ grp = find_matching_group (name, grp);
+ if (NULL == grp) {
+ /*
+ * No matching group found. As we already know that
+ * the group exists, this happens only in the case
+ * of a requested group where the user is not member.
+ *
+ * Re-read the group entry for further processing.
+ */
+ grp = xgetgrnam (group);
+ assert (NULL != grp);
+ }
}
#ifdef SHADOWGRP
sgrp = getsgnam (group);
@@ -639,7 +662,9 @@ int main (int argc, char **argv)
/*
* Check if the user is allowed to access this group.
*/
- check_perms (grp, pwd, group);
+ if (!is_member) {
+ check_perms (grp, pwd, group);
+ }
/*
* all successful validations pass through this point. The group id