-rw-r--r--ChangeLog5
-rw-r--r--groupaccess.c27
-rw-r--r--groupaccess.h3
-rw-r--r--servconf.c29
4 files changed, 38 insertions, 26 deletions
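--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,9 @@
  - otto@cvs.openbsd.org 2008/07/03 21:46:58
  [auth2-pubkey.c]
  avoid nasty double free; ok dtucker@ djm@
+ - djm@cvs.openbsd.org 2008/07/04 03:44:59
+ [servconf.c groupaccess.h groupaccess.c]
+ support negation of groups in "Match group" block (bz#1315); ok dtucker@
 
 20080702
  - (dtucker) OpenBSD CVS Sync
@@ -4547,4 +4550,4 @@
  OpenServer 6 and add osr5bigcrypt support so when someone migrates
  passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.5051 2008/07/04 02:54:25 dtucker Exp $
+$Id: ChangeLog,v 1.5052 2008/07/04 03:51:12 dtucker Exp $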
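--- a/groupaccess.c
+++ b/groupaccess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: groupaccess.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: groupaccess.c,v 1.13 2008/07/04 03:44:59 djm Exp $ */
 /*
  * Copyright (c) 2001 Kevin Steves. All rights reserved.
  *
@@ -31,6 +31,7 @@
 #include <grp.h>
 #include <unistd.h>
 #include <stdarg.h>
+#include <string.h>
 
 #include "xmalloc.h"
 #include "groupaccess.h"
@@ -88,6 +89,30 @@ ga_match(char * const *groups, int n)
 }
 
 /*
+ * Return 1 if one of user's groups matches group_pattern list.
+ * Return 0 on negated or no match.
+ */
+int
+ga_match_pattern_list(const char *group_pattern)
+{
+ int i, found = 0;
+ size_t len = strlen(group_pattern);
+
+ for (i = 0; i < ngroups; i++) {
+ switch (match_pattern_list(groups_byname[i],
+ group_pattern, len, 0)) {
+ case -1:
+ return 0; /* Negated match wins */
+ case 0:
+ continue;
+ case 1:
+ found = 1;
+ }
+ }
+ return found;
+}
+
+/*
  * Free memory allocated for group access list.
  */
 void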
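Review bot: The `switch` in ga_match_pattern_list (new lines 102-110) has no `default:` arm and the `case 1:` arm ends without `break`, so any return value of match_pattern_list other than -1/0/1 is silently treated as "no match" and the last arm relies on falling off the end of the switch; `case 1: found = 1; break; default: break;` makes both intentional and survives a future change to the helper's return set. The early `return 0` on -1 means a negated pattern matching any one of the user's groups overrides a positive match on another group, which is the fail-closed direction; since callers only see the header comment, consider spelling it out there as `A negated match on any group takes precedence over positive matches on the user's other groups.` The function reads the file-scope `ngroups` and `groups_byname`, which are populated outside this hunk (presumably by ga_init), so the result is only meaningful after a successful ga_init.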
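--- a/groupaccess.h
+++ b/groupaccess.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: groupaccess.h,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: groupaccess.h,v 1.8 2008/07/04 03:44:59 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Kevin Steves. All rights reserved.
@@ -29,6 +29,7 @@
 
 int ga_init(const char *, gid_t);
 int ga_match(char * const *, int);
+int ga_match_pattern_list(const char *);
 void ga_free(void);
 
 #endif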
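Review bot: The new prototype at line 32 carries no contract, and the negation precedence it implements is the part a caller most needs to know when deciding whether `!= 1` is the right test; a one-line comment above it such as `/* 1 if any of the current user's groups matches the pattern list; 0 on no match or on any negated match */` would keep that visible at the declaration site. The dependency on a prior ga_init call could be stated in the same comment.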
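--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.185 2008/07/02 02:24:18 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.186 2008/07/04 03:44:59 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -525,24 +525,8 @@ static int
 match_cfg_line_group(const char *grps, int line, const char *user)
 {
  int result = 0;
- u_int ngrps = 0;
- char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS];
  struct passwd *pw;
 
- /*
- * Even if we do not have a user yet, we still need to check for
- * valid syntax.
- */
- arg = cp = xstrdup(grps);
- while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
- if (ngrps >= MAX_MATCH_GROUPS) {
- error("line %d: too many groups in Match Group", line);
- result = -1;
- goto out;
- }
- grplist[ngrps++] = p;
- }
-
  if (user == NULL)
  goto out;
 
@@ -552,17 +536,16 @@ match_cfg_line_group(const char *grps, int line, const char *user)
  } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
  debug("Can't Match group because user %.100s not in any group "
  "at line %d", user, line);
- } else if (ga_match(grplist, ngrps) != 1) {
- debug("user %.100s does not match group %.100s at line %d",
- user, arg, line);
+ } else if (ga_match_pattern_list(grps) != 1) {
+ debug("user %.100s does not match group list %.100s at line %d",
+ user, grps, line);
  } else {
- debug("user %.100s matched group %.100s at line %d", user,
- arg, line);
+ debug("user %.100s matched group list %.100s at line %d", user,
+ grps, line);
  result = 1;
  }
 out:
  ga_free();
- xfree(arg);
  return result;
 }
 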
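Review bot: With the pre-scan loop removed from the first hunk, `grps` is no longer examined at all when `user == NULL` (new lines 530-531 jump to `out` first), so the "check for valid syntax" guarantee the deleted comment described is gone and a `Match Group` list is only evaluated once a real user is being matched; the old MAX_MATCH_GROUPS error path (result = -1) has no replacement, so config-test parsing can no longer reject an over-long or malformed list. If that is intended, say so where the check used to be, e.g. `/* Pattern list is only evaluated against a user; no syntax check at parse time */`, otherwise a validating pass over `grps` before the `goto out` restores the old behaviour. The old loop also stopped at the first empty element (`*p != '\0'`), whereas the whole string now goes to match_pattern_list, which presumably handles a trailing or doubled comma itself — worth confirming. The getpwnam lookup between the two hunks lies outside SOURCE.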