- (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Bug #1081: Implement

   getgrouplist via getgrset on AIX, rather than iterating over getgrent.
   This allows, eg, Match and AllowGroups directives to work with NIS and
   LDAP groups.

4 files changed, 77 insertions, 7 deletions

diff --git a/ChangeLog b/ChangeLog
index 660c1b873..09e7adacc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,10 @@
    SSLeay_add_all_algorithms as a macro already.
  - (dtucker) [key.c defines.h openbsd-compat/openssl-compat.h] Move old OpenSSL
    compat glue into openssl-compat.h.
+ - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Bug #1081: Implement
+   getgrouplist via getgrset on AIX, rather than iterating over getgrent.
+   This allows, eg, Match and AllowGroups directives to work with NIS and
+   LDAP groups.
 
 20080225
  - (dtucker) [openbsd-compat/fake-rfc2553.h] rename ssh_gai_strerror hack
@@ -3637,4 +3641,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4844 2008/02/28 08:22:04 dtucker Exp $
+$Id: ChangeLog,v 1.4845 2008/02/28 12:16:04 dtucker Exp $
diff --git a/configure.ac b/configure.ac
index eaa1f845a..f84054321 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.391 2008/02/28 04:01:13 dtucker Exp $
+# $Id: configure.ac,v 1.392 2008/02/28 12:16:04 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.391 $)
+AC_REVISION($Revision: 1.392 $)
 AC_CONFIG_SRCDIR([ssh.c])
 
 AC_CONFIG_HEADER(config.h)
@@ -357,7 +357,7 @@ int main(void) { exit(0); }
                 [],
                 [#include <usersec.h>]
         )
-        AC_CHECK_FUNCS(setauthdb)
+        AC_CHECK_FUNCS(getgrset setauthdb)
         AC_CHECK_DECL(F_CLOSEM,
             AC_DEFINE(HAVE_FCNTL_CLOSEM, 1, [Use F_CLOSEM fcntl for closefrom]),
             [],
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 94faec670..b19d2296e 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -1,7 +1,7 @@
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
- * Copyright (c) 2003,2004,2005 Darren Tucker.  All rights reserved.
+ * Copyright (c) 2003,2004,2005,2006 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -394,4 +394,58 @@ sshaix_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
 }
 # endif /* AIX_GETNAMEINFO_HACK */
 
+# if defined(USE_GETGRSET)
+#  include <stdlib.h>
+int
+getgrouplist(const char *user, gid_t pgid, gid_t *groups, int *grpcnt)
+{
+        char *cp, *grplist, *grp;
+        gid_t gid;
+        int ret = 0, ngroups = 0, maxgroups;
+        long l;
+
+        maxgroups = *grpcnt;
+
+        if ((cp = grplist = getgrset(user)) == NULL)
+                return -1;
+
+        /* handle zero-length case */
+        if (maxgroups <= 0) {
+                *grpcnt = 0;
+                return -1;
+        }
+
+        /* copy primary group */
+        groups[ngroups++] = pgid;
+
+        /* copy each entry from getgrset into group list */
+        while ((grp = strsep(&grplist, ",")) != NULL) {
+                l = strtol(grp, NULL, 10);
+                if (ngroups >= maxgroups || l == LONG_MIN || l == LONG_MAX) {
+                        ret = -1;
+                        goto out;
+                }
+                gid = (gid_t)l;
+                if (gid == pgid)
+                        continue;       /* we have already added primary gid */
+                groups[ngroups++] = gid;
+        }
+out:
+        free(cp);
+        *grpcnt = ngroups;
+        return ret;
+}
+
+int
+ssh_initgroups(const char *user, gid_t group)
+{
+        gid_t grps[NGROUPS_MAX];
+        int grpcnt = NGROUPS_MAX;
+
+        if (getgrouplist(user, group, grps, &grpcnt) == -1)
+                return -1;
+        return setgroups(grpcnt, grps);
+}
+# endif /* USE_GETGRSET */
+
 #endif /* _AIX */
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 5a04bedad..14024d417 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,9 +1,9 @@
-/* $Id: port-aix.h,v 1.27 2006/09/18 13:54:33 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.28 2008/02/28 12:16:04 dtucker Exp $ */
 
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
- * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
+ * Copyright (c) 2004,2005,2006 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -103,4 +103,16 @@ int sshaix_getnameinfo(const struct sockaddr *, size_t, char *, size_t,
 # define getnameinfo(a,b,c,d,e,f,g) (sshaix_getnameinfo(a,b,c,d,e,f,g))
 #endif
 
+/*
+ * We use getgrset in preference to multiple getgrent calls for efficiency
+ * plus it supports NIS and LDAP groups.
+ */
+#if !defined(HAVE_GETGROUPLIST) && defined(HAVE_GETGRSET)
+# define HAVE_GETGROUPLIST
+# define USE_GETGRSET
+int getgrouplist(const char *, gid_t, gid_t *, int *);
+int ssh_initgroups(const char *, gid_t);
+# define initgroups(a, b) ssh_initgroups((a), (b))
+#endif
+
 #endif /* _AIX */