- (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime

using sysconf() if available Based on patches from holger AT van-lengerich.de and openssh_bugzilla AT hockin.org
author: Damien Miller <djm@mindrot.org> 2004-02-24 13:05:11 +1100
committer: Damien Miller <djm@mindrot.org> 2004-02-24 13:05:11 +1100
commit: a811d9a9a167ffb018f18be84dc810826e73c8f2 (patch)
tree: 3595346bd26b9252a270f8982b140b973502b499
parent: 8a4e4f8779ca39e97a8580263c94dc91cfb745ca (diff)
3 files changed, 40 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 617c5ec53..1614e9e86 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,9 @@
 - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found
   with krb5-config, hunt down gssapi.h and friends.  Based partially on patch
   from deengert at anl.gov.  ok djm@
+ - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime 
+   using sysconf() if available Based on patches from 
+   holger AT van-lengerich.de and openssh_bugzilla AT hockin.org
 20040223
 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the
@@ -1919,4 +1922,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.3249 2004/02/23 23:58:10 dtucker Exp $
+$Id: ChangeLog,v 1.3250 2004/02/24 02:05:11 djm Exp $
diff --git a/groupaccess.c b/groupaccess.c
index fbf794fc8..f50879f83 100644
--- a/groupaccess.c
+++ b/groupaccess.c
@@ -31,7 +31,7 @@ RCSID("$OpenBSD: groupaccess.c,v 1.6 2003/04/08 20:21:28 itojun Exp $");
 #include "log.h"
 static int ngroups;
-static char *groups_byname[NGROUPS_MAX + 1];    /* +1 for base/primary group */
+static char **groups_byname;
 /*
 * Initialize group access list for user with primary (base) and
@@ -40,19 +40,27 @@ static char *groups_byname[NGROUPS_MAX + 1];	/* +1 for base/primary group */
 int
 ga_init(const char *user, gid_t base)
 {
-        gid_t groups_bygid[NGROUPS_MAX + 1];
+        gid_t *groups_bygid;
        int i, j;
        struct group *gr;
        if (ngroups > 0)
                ga_free();
-        ngroups = sizeof(groups_bygid) / sizeof(gid_t);
+        ngroups = NGROUPS_MAX;
+#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
+        ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
+#endif
+        groups_bygid = xmalloc(ngroups * sizeof(*groups_bygid));
+        groups_byname = xmalloc(ngroups * sizeof(*groups_byname));
        if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
                logit("getgrouplist: groups list too small");
        for (i = 0, j = 0; i < ngroups; i++)
                if ((gr = getgrgid(groups_bygid[i])) != NULL)
                        groups_byname[j++] = xstrdup(gr->gr_name);
+        xfree(groups_bygid);
        return (ngroups = j);
 }
@@ -84,5 +92,6 @@ ga_free(void)
                for (i = 0; i < ngroups; i++)
                        xfree(groups_byname[i]);
                ngroups = 0;
+                xfree(groups_byname);
        }
 }
diff --git a/uidswap.c b/uidswap.c
index 4cabaa444..e652161af 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -16,6 +16,7 @@ RCSID("$OpenBSD: uidswap.c,v 1.24 2003/05/29 16:58:45 deraadt Exp $");
 #include "log.h"
 #include "uidswap.h"
+#include "xmalloc.h"
 /*
 * Note: all these functions must work in all of the following cases:
@@ -38,7 +39,7 @@ static gid_t	saved_egid = 0;
 /* Saved effective uid. */
 static int      privileged = 0;
 static int      temporarily_use_uid_effective = 0;
-static gid_t    saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX];
+static gid_t    *saved_egroups = NULL, *user_groups = NULL;
 static int      saved_egroupslen = -1, user_groupslen = -1;
 /*
@@ -68,18 +69,38 @@ temporarily_use_uid(struct passwd *pw)
        privileged = 1;
        temporarily_use_uid_effective = 1;
-        saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);
+        saved_egroupslen = getgroups(0, NULL);
        if (saved_egroupslen < 0)
                fatal("getgroups: %.100s", strerror(errno));
+        if (saved_egroupslen > 0) {
+                saved_egroups = xrealloc(saved_egroups,
+                    saved_egroupslen * sizeof(gid_t));
+                if (getgroups(saved_egroupslen, saved_egroups) < 0)
+                        fatal("getgroups: %.100s", strerror(errno));
+        } else { /* saved_egroupslen == 0 */
+                if (saved_egroups)
+                        xfree(saved_egroups);
+        }
        /* set and save the user's groups */
        if (user_groupslen == -1) {
                if (initgroups(pw->pw_name, pw->pw_gid) < 0)
                        fatal("initgroups: %s: %.100s", pw->pw_name,
                            strerror(errno));
-                user_groupslen = getgroups(NGROUPS_MAX, user_groups);
+                user_groupslen = getgroups(0, NULL);
                if (user_groupslen < 0)
                        fatal("getgroups: %.100s", strerror(errno));
+                if (user_groupslen > 0) {
+                        user_groups = xrealloc(user_groups,
+                            user_groupslen * sizeof(gid_t));
+                        if (getgroups(user_groupslen, user_groups) < 0)
+                                fatal("getgroups: %.100s", strerror(errno));
+                } else { /* user_groupslen == 0 */
+                        if (user_groups)
+                                xfree(user_groups);
+                }
        }
        /* Set the effective uid to the given (unprivileged) uid. */
        if (setgroups(user_groupslen, user_groups) < 0)
author	Damien Miller <djm@mindrot.org>	2004-02-24 13:05:11 +1100
committer	Damien Miller <djm@mindrot.org>	2004-02-24 13:05:11 +1100
commit	a811d9a9a167ffb018f18be84dc810826e73c8f2 (patch)
tree	3595346bd26b9252a270f8982b140b973502b499
parent	8a4e4f8779ca39e97a8580263c94dc91cfb745ca (diff)

diff --git a/ChangeLog b/ChangeLog index 617c5ec53..1614e9e86 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -16,6 +16,9 @@
16	- (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found	16	- (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found
17	with krb5-config, hunt down gssapi.h and friends. Based partially on patch	17	with krb5-config, hunt down gssapi.h and friends. Based partially on patch
18	from deengert at anl.gov. ok djm@	18	from deengert at anl.gov. ok djm@
		19	- (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime
		20	using sysconf() if available Based on patches from
		21	holger AT van-lengerich.de and openssh_bugzilla AT hockin.org
19		22
20	20040223	23	20040223
21	- (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the	24	- (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the
@@ -1919,4 +1922,4 @@
1919	- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.	1922	- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
1920	Report from murple@murple.net, diagnosis from dtucker@zip.com.au	1923	Report from murple@murple.net, diagnosis from dtucker@zip.com.au
1921		1924
1922	$Id: ChangeLog,v 1.3249 2004/02/23 23:58:10 dtucker Exp $	1925	$Id: ChangeLog,v 1.3250 2004/02/24 02:05:11 djm Exp $


diff --git a/groupaccess.c b/groupaccess.c index fbf794fc8..f50879f83 100644 --- a/groupaccess.c +++ b/groupaccess.c
@@ -31,7 +31,7 @@ RCSID("$OpenBSD: groupaccess.c,v 1.6 2003/04/08 20:21:28 itojun Exp $");
31	#include "log.h"	31	#include "log.h"
32		32
33	static int ngroups;	33	static int ngroups;
34	static char groups_byname[NGROUPS_MAX + 1]; / +1 for base/primary group */	34	static char **groups_byname;
35		35
36	/*	36	/*
37	* Initialize group access list for user with primary (base) and	37	* Initialize group access list for user with primary (base) and
@@ -40,19 +40,27 @@ static char groups_byname[NGROUPS_MAX + 1]; / +1 for base/primary group */
40	int	40	int
41	ga_init(const char *user, gid_t base)	41	ga_init(const char *user, gid_t base)
42	{	42	{
43	gid_t groups_bygid[NGROUPS_MAX + 1];	43	gid_t *groups_bygid;
44	int i, j;	44	int i, j;
45	struct group *gr;	45	struct group *gr;
46		46
47	if (ngroups > 0)	47	if (ngroups > 0)
48	ga_free();	48	ga_free();
49		49
50	ngroups = sizeof(groups_bygid) / sizeof(gid_t);	50	ngroups = NGROUPS_MAX;
		51	#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
		52	ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
		53	#endif
		54
		55	groups_bygid = xmalloc(ngroups * sizeof(*groups_bygid));
		56	groups_byname = xmalloc(ngroups * sizeof(*groups_byname));
		57
51	if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)	58	if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
52	logit("getgrouplist: groups list too small");	59	logit("getgrouplist: groups list too small");
53	for (i = 0, j = 0; i < ngroups; i++)	60	for (i = 0, j = 0; i < ngroups; i++)
54	if ((gr = getgrgid(groups_bygid[i])) != NULL)	61	if ((gr = getgrgid(groups_bygid[i])) != NULL)
55	groups_byname[j++] = xstrdup(gr->gr_name);	62	groups_byname[j++] = xstrdup(gr->gr_name);
		63	xfree(groups_bygid);
56	return (ngroups = j);	64	return (ngroups = j);
57	}	65	}
58		66
@@ -84,5 +92,6 @@ ga_free(void)
84	for (i = 0; i < ngroups; i++)	92	for (i = 0; i < ngroups; i++)
85	xfree(groups_byname[i]);	93	xfree(groups_byname[i]);
86	ngroups = 0;	94	ngroups = 0;
		95	xfree(groups_byname);
87	}	96	}
88	}	97	}


diff --git a/uidswap.c b/uidswap.c index 4cabaa444..e652161af 100644 --- a/uidswap.c +++ b/uidswap.c
@@ -16,6 +16,7 @@ RCSID("$OpenBSD: uidswap.c,v 1.24 2003/05/29 16:58:45 deraadt Exp $");
16		16
17	#include "log.h"	17	#include "log.h"
18	#include "uidswap.h"	18	#include "uidswap.h"
		19	#include "xmalloc.h"
19		20
20	/*	21	/*
21	* Note: all these functions must work in all of the following cases:	22	* Note: all these functions must work in all of the following cases:
@@ -38,7 +39,7 @@ static gid_t saved_egid = 0;
38	/* Saved effective uid. */	39	/* Saved effective uid. */
39	static int privileged = 0;	40	static int privileged = 0;
40	static int temporarily_use_uid_effective = 0;	41	static int temporarily_use_uid_effective = 0;
41	static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX];	42	static gid_t saved_egroups = NULL, user_groups = NULL;
42	static int saved_egroupslen = -1, user_groupslen = -1;	43	static int saved_egroupslen = -1, user_groupslen = -1;
43		44
44	/*	45	/*
@@ -68,18 +69,38 @@ temporarily_use_uid(struct passwd *pw)
68		69
69	privileged = 1;	70	privileged = 1;
70	temporarily_use_uid_effective = 1;	71	temporarily_use_uid_effective = 1;
71	saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);	72
		73	saved_egroupslen = getgroups(0, NULL);
72	if (saved_egroupslen < 0)	74	if (saved_egroupslen < 0)
73	fatal("getgroups: %.100s", strerror(errno));	75	fatal("getgroups: %.100s", strerror(errno));
		76	if (saved_egroupslen > 0) {
		77	saved_egroups = xrealloc(saved_egroups,
		78	saved_egroupslen * sizeof(gid_t));
		79	if (getgroups(saved_egroupslen, saved_egroups) < 0)
		80	fatal("getgroups: %.100s", strerror(errno));
		81	} else { /* saved_egroupslen == 0 */
		82	if (saved_egroups)
		83	xfree(saved_egroups);
		84	}
74		85
75	/* set and save the user's groups */	86	/* set and save the user's groups */
76	if (user_groupslen == -1) {	87	if (user_groupslen == -1) {
77	if (initgroups(pw->pw_name, pw->pw_gid) < 0)	88	if (initgroups(pw->pw_name, pw->pw_gid) < 0)
78	fatal("initgroups: %s: %.100s", pw->pw_name,	89	fatal("initgroups: %s: %.100s", pw->pw_name,
79	strerror(errno));	90	strerror(errno));
80	user_groupslen = getgroups(NGROUPS_MAX, user_groups);	91
		92	user_groupslen = getgroups(0, NULL);
81	if (user_groupslen < 0)	93	if (user_groupslen < 0)
82	fatal("getgroups: %.100s", strerror(errno));	94	fatal("getgroups: %.100s", strerror(errno));
		95	if (user_groupslen > 0) {
		96	user_groups = xrealloc(user_groups,
		97	user_groupslen * sizeof(gid_t));
		98	if (getgroups(user_groupslen, user_groups) < 0)
		99	fatal("getgroups: %.100s", strerror(errno));
		100	} else { /* user_groupslen == 0 */
		101	if (user_groups)
		102	xfree(user_groups);
		103	}
83	}	104	}
84	/* Set the effective uid to the given (unprivileged) uid. */	105	/* Set the effective uid to the given (unprivileged) uid. */
85	if (setgroups(user_groupslen, user_groups) < 0)	106	if (setgroups(user_groupslen, user_groups) < 0)