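--- a/sudo-1.8.6p7/plugins/sudoers/defaults.c.legacy-group-processing
+++ b/sudo-1.8.6p7/plugins/sudoers/defaults.c
@@ -362,6 +362,7 @@ init_defaults(void)
 }
 
 /* First initialize the flags. */
+ def_legacy_group_processing = true;
 #ifdef LONG_OTP_PROMPT
 def_long_otp_prompt = true;
 #endif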
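--- a/sudo-1.8.6p7/plugins/sudoers/def_data.c.legacy-group-processing
+++ b/sudo-1.8.6p7/plugins/sudoers/def_data.c
@@ -355,6 +355,10 @@ struct sudo_defs_types sudo_defs_table[]
 N_("Don't fork and wait for the command to finish, just exec it"),
 NULL,
 }, {
+ "legacy_group_processing", T_FLAG,
+ N_("Don't pre-resolve all group names"),
+ NULL,
+ }, {
 NULL, 0, NULL
 }
 };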
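Review bot: The new `legacy_group_processing` table entry is added to def_data.c by hand, and the def_data.h hunk hard-codes its slot as `sudo_defs_table[83]`; in sudo both files are generated from def_data.in by the mkdefaults script, so the next regeneration drops the entry and the `def_legacy_group_processing` / `I_LEGACY_GROUP_PROCESSING` macros, or shifts the index if another option is inserted above it. Adding the option to def_data.in and regenerating keeps the table position and the accessor macros in sync by construction. The same point applies to the def_data.h section below.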
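--- a/sudo-1.8.6p7/plugins/sudoers/def_data.h.legacy-group-processing
+++ b/sudo-1.8.6p7/plugins/sudoers/def_data.h
@@ -164,6 +164,8 @@
 #define I_LIMITPRIVS 81
 #define def_cmnd_no_wait (sudo_defs_table[82].sd_un.flag)
 #define I_CMND_NO_WAIT 82
+#define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
+#define I_LEGACY_GROUP_PROCESSING 83
 
 enum def_tuple {
 never,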
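--- a/sudo-1.8.6p7/plugins/sudoers/ldap.c.legacy-group-processing
+++ b/sudo-1.8.6p7/plugins/sudoers/ldap.c
@@ -1220,6 +1220,15 @@ sudo_ldap_build_pass1(struct passwd *pw)
 }
 sz += 13 + MAX_UID_T_LEN;
 if ((grlist = sudo_get_grlist(pw)) != NULL) {
+ if (!grlist->groups_resolved) {
+ int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
+ grlist->groups, grlist->groups_buffer);
+ if (rc < 0) {
+ return NULL;
+ }
+ grlist->ngroups = rc;
+ grlist->groups_resolved = true;
+ }
 for (i = 0; i < grlist->ngroups; i++) {
 if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
 continue;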
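Review bot: The added `return NULL;` exits sudo_ldap_build_pass1 right after `sudo_get_grlist(pw)` handed out the group list; if that call returns a counted reference that the function normally releases further down (outside this hunk), every resolution failure leaks one, so the early exit should release it first. The bare `return` also bypasses the `debug_return_*` convention the patch itself follows in `sudo_resolve_gids`; if this function is declared with `debug_decl`, it should be `debug_return_ptr(NULL);`. A failure here is otherwise silent, so a `sudo_debug_printf` line naming the user whose groups could not be resolved would help when LDAP lookups start returning no rules. The rest of sudo_ldap_build_pass1 lies outside the hunk.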
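--- a/sudo-1.8.6p7/plugins/sudoers/pwutil.c.legacy-group-processing
+++ b/sudo-1.8.6p7/plugins/sudoers/pwutil.c
@@ -542,10 +542,9 @@ static struct cache_item *
 make_grlist_item(const char *user, GETGROUPS_T *gids, int ngids)
 {
 char *cp;
- size_t i, nsize, ngroups, total, len;
+ size_t i, nsize, total;
 struct cache_item_grlist *grlitem;
 struct group_list *grlist;
- struct group *grp;
 debug_decl(make_grlist_item, SUDO_DEBUG_NSS)
 
 #ifdef HAVE_SETAUTHDB
@@ -559,7 +558,6 @@ make_grlist_item(const char *user, GETGR
 total += sizeof(gid_t *) * ngids;
 total += GROUPNAME_LEN * ngids;
 
-again:
 grlitem = ecalloc(1, total);
 
 /*
@@ -587,27 +585,26 @@ again:
 for (i = 0; i < ngids; i++)
 grlist->gids[i] = gids[i];
 grlist->ngids = ngids;
+ grlist->groups_buffer = cp;
 
 /*
- * Resolve and store group names by ID.
+ * Resolve and store group names by ID if legacy_group_processing is off.
 */
- ngroups = 0;
- for (i = 0; i < ngids; i++) {
- if ((grp = sudo_getgrgid(gids[i])) != NULL) {
- len = strlen(grp->gr_name) + 1;
- if (cp - (char *)grlitem + len > total) {
- total += len + GROUPNAME_LEN;
- efree(grlitem);
- sudo_gr_delref(grp);
- goto again;
- }
- memcpy(cp, grp->gr_name, len);
- grlist->groups[ngroups++] = cp;
- cp += len;
- sudo_gr_delref(grp);
- }
+ if (def_legacy_group_processing) {
+ for (i = 0; i < ngids; i++) {
+ grlist->groups[i] = NULL;
+ }
+ grlist->ngroups = 0;
+ grlist->groups_resolved = false;
+ } else {
+ int rc = sudo_resolve_gids(gids, ngids, grlist->groups, grlist->groups_buffer);
+ if (rc < 0) {
+ efree(grlitem);
+ return NULL;
+ }
+ grlist->ngroups = rc;
+ grlist->groups_resolved = true;
 }
- grlist->ngroups = ngroups;
 
 #ifdef HAVE_SETAUTHDB
 aix_restoreauthdb();
@@ -616,6 +613,35 @@ again:
 debug_return_ptr(&grlitem->cache);
 }
 
+int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer)
+{
+ struct group *grp;
+ int space_left = ngids * GROUPNAME_LEN;
+ int ngroups = 0;
+ int i;
+ char *cp = group_buffer;
+ debug_decl(sudo_resolve_gids, SUDO_DEBUG_NSS)
+
+ for (i = 0; i < ngids; i++) {
+ if ((grp = sudo_getgrgid(gids[i])) != NULL) {
+ int len = strlen(grp->gr_name) + 1;
+
+ if (space_left < len) {
+ sudo_gr_delref(grp);
+ debug_return_int(-1);
+ }
+
+ memcpy(cp, grp->gr_name, len);
+ groups[ngroups++] = cp;
+ cp += len;
+ space_left -= len;
+ sudo_gr_delref(grp);
+ }
+ }
+
+ debug_return_int(ngroups);
+}
+
 void
 sudo_gr_addref(struct group *gr)
 {
@@ -917,8 +943,22 @@ user_in_group(const struct passwd *pw, c
 /*
 * If it could be a sudo-style group ID check gids first.
 */
+ bool do_gid_lookup = false;
+ gid_t gid;
+
 if (group[0] == '#') {
- gid_t gid = atoi(group + 1);
+ gid = atoi(group + 1);
+ do_gid_lookup = true;
+ } else if (def_legacy_group_processing) {
+ struct group *grent = sudo_getgrnam(group);
+ if (grent == NULL) {
+ goto done;
+ }
+ gid = grent->gr_gid;
+ do_gid_lookup = true;
+ }
+
+ if (do_gid_lookup) {
 if (gid == pw->pw_gid) {
 matched = true;
 goto done;
@@ -931,6 +971,19 @@ user_in_group(const struct passwd *pw, c
 }
 }
 
+ if (def_legacy_group_processing) {
+ goto done;
+ }
+ if (!grlist->groups_resolved) {
+ int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
+ grlist->groups, grlist->groups_buffer);
+ if (rc < 0) {
+ goto done;
+ }
+ grlist->ngroups = rc;
+ grlist->groups_resolved = true;
+ }
+
 /*
 * Next check the supplementary group vector.
 * It usually includes the password db group too.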
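Review bot: In the user_in_group hunk (`@@ -917,8 +943,22 @@`) the `struct group *grent` returned by `sudo_getgrnam(group)` is never released: the patch's own `sudo_resolve_gids` pairs every `sudo_getgrgid` with `sudo_gr_delref`, but here the reference is simply dropped after `gid = grent->gr_gid;`, so in legacy mode (the default set in defaults.c) every sudoers group match pins the cached entry; add `sudo_gr_delref(grent);` right after that line. Separately, `sudo_resolve_gids` replaces the old grow-and-retry (`goto again`) with a hard -1 once the names exceed `ngids * GROUPNAME_LEN` bytes, and both lazy callers (here and in ldap.c) turn that into `goto done` / `return NULL`, i.e. "not a member", with no diagnostic, so a user whose group names overflow the fixed budget is silently denied rules that should match; at minimum emit a `sudo_debug_printf` on that path, and consider keeping the resize. The `return NULL;` in make_grlist_item also bypasses the `debug_return_ptr` the function's normal exit uses and should be `debug_return_ptr(NULL);`. user_in_group's `done:` label and the gid-vector loop between the two hunks lie outside the hunks.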
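--- a/sudo-1.8.6p7/plugins/sudoers/sudoers.h.legacy-group-processing
+++ b/sudo-1.8.6p7/plugins/sudoers/sudoers.h
@@ -52,6 +52,8 @@ struct group_list {
 GETGROUPS_T *gids;
 int ngroups;
 int ngids;
+ int groups_resolved;
+ char *groups_buffer;
 };
 
 /*
@@ -289,6 +291,8 @@ __dso_public struct group *sudo_getgrnam
 __dso_public void sudo_gr_addref(struct group *);
 __dso_public void sudo_gr_delref(struct group *);
 bool user_in_group(const struct passwd *, const char *);
+int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer);
+
 struct group *sudo_fakegrnam(const char *);
 struct group_list *sudo_get_grlist(const struct passwd *pw);
 struct passwd *sudo_fakepwnam(const char *, gid_t);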
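Review bot: The `sudo_resolve_gids` prototype takes no capacity for `group_buffer`; the implementation in pwutil.c derives its bound as `ngids * GROUPNAME_LEN`, so the header silently requires every caller to have allocated at least that much, which holds today only because make_grlist_item sizes the buffer with the same expression. Passing the capacity explicitly (a `size_t bufsize` parameter) and documenting on the declaration that `groups` needs `ngids` slots, that names are copied into `group_buffer`, and that the return is the number of resolved names or -1 when the buffer is too small would make the contract checkable at the call site. `groups_resolved` is assigned `true`/`false` throughout the patch but declared `int`; since this header already uses `bool` (`bool user_in_group(...)`), declare it `bool groups_resolved;`.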