sudo/sme9/sudo-1.8.6p3-legacy-group-processing.patch

diff -up sudo-1.8.6p3/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/defaults.c
--- sudo-1.8.6p3/plugins/sudoers/defaults.c.legacy-group-processing     2012-09-18 15:56:29.000000000 +0200
+++ sudo-1.8.6p3/plugins/sudoers/defaults.c     2015-07-15 09:40:30.600853736 +0200
@@ -362,6 +362,7 @@ init_defaults(void)
     }
 
     /* First initialize the flags. */
+    def_legacy_group_processing = true;
 #ifdef LONG_OTP_PROMPT
     def_long_otp_prompt = true;
 #endif
diff -up sudo-1.8.6p3/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/def_data.c
--- sudo-1.8.6p3/plugins/sudoers/def_data.c.legacy-group-processing     2015-07-15 09:40:30.561854082 +0200
+++ sudo-1.8.6p3/plugins/sudoers/def_data.c     2015-07-15 09:40:30.600853736 +0200
@@ -355,6 +355,10 @@ struct sudo_defs_types sudo_defs_table[]
         N_("Don't fork and wait for the command to finish, just exec it"),
         NULL,
     }, {
+       "legacy_group_processing", T_FLAG,
+       N_("Don't pre-resolve all group names"),
+       NULL,
+    }, {
        NULL, 0, NULL
     }
 };
diff -up sudo-1.8.6p3/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/def_data.h
--- sudo-1.8.6p3/plugins/sudoers/def_data.h.legacy-group-processing     2015-07-15 09:40:30.561854082 +0200
+++ sudo-1.8.6p3/plugins/sudoers/def_data.h     2015-07-15 09:40:30.600853736 +0200
@@ -164,6 +164,8 @@
 #define I_LIMITPRIVS            81
 #define def_cmnd_no_wait        (sudo_defs_table[82].sd_un.flag)
 #define I_CMND_NO_WAIT          82
+#define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
+#define I_LEGACY_GROUP_PROCESSING 83
 
 enum def_tuple {
        never,
diff -up sudo-1.8.6p3/plugins/sudoers/ldap.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/ldap.c
--- sudo-1.8.6p3/plugins/sudoers/ldap.c.legacy-group-processing 2015-07-15 09:40:30.596853772 +0200
+++ sudo-1.8.6p3/plugins/sudoers/ldap.c 2015-07-15 09:40:30.601853727 +0200
@@ -1150,6 +1150,15 @@ sudo_ldap_build_pass1(struct passwd *pw)
     }
     sz += 13 + MAX_UID_T_LEN;
     if ((grlist = sudo_get_grlist(pw)) != NULL) {
+       if (!grlist->groups_resolved) {
+           int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
+                                      grlist->groups, grlist->groups_buffer);
+           if (rc < 0) {
+               return NULL;
+           }
+           grlist->ngroups = rc;
+           grlist->groups_resolved = true;
+       }
        for (i = 0; i < grlist->ngroups; i++) {
            if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
                continue;
diff -up sudo-1.8.6p3/plugins/sudoers/pwutil.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/pwutil.c
--- sudo-1.8.6p3/plugins/sudoers/pwutil.c.legacy-group-processing       2015-07-15 09:40:30.589853834 +0200
+++ sudo-1.8.6p3/plugins/sudoers/pwutil.c       2015-07-15 09:48:15.734723742 +0200
@@ -542,10 +542,9 @@ static struct cache_item *
 make_grlist_item(const char *user, GETGROUPS_T *gids, int ngids)
 {
     char *cp;
-    size_t i, nsize, ngroups, total, len;
+    size_t i, nsize, total;
     struct cache_item_grlist *grlitem;
     struct group_list *grlist;
-    struct group *grp;
     debug_decl(make_grlist_item, SUDO_DEBUG_NSS)
 
 #ifdef HAVE_SETAUTHDB
@@ -559,7 +558,6 @@ make_grlist_item(const char *user, GETGR
     total += sizeof(gid_t *) * ngids;
     total += GROUPNAME_LEN * ngids;
 
-again:
     grlitem = ecalloc(1, total);
 
     /*
@@ -587,27 +585,26 @@ again:
     for (i = 0; i < ngids; i++)
        grlist->gids[i] = gids[i];
     grlist->ngids = ngids;
+    grlist->groups_buffer = cp;
 
     /*
-     * Resolve and store group names by ID.
+     * Resolve and store group names by ID if legacy_group_processing is off.
      */
-    ngroups = 0;
-    for (i = 0; i < ngids; i++) {
-       if ((grp = sudo_getgrgid(gids[i])) != NULL) {
-           len = strlen(grp->gr_name) + 1;
-           if (cp - (char *)grlitem + len > total) {
-               total += len + GROUPNAME_LEN;
-               efree(grlitem);
-               sudo_gr_delref(grp);
-               goto again;
-           }
-           memcpy(cp, grp->gr_name, len);
-           grlist->groups[ngroups++] = cp;
-           cp += len;
-           sudo_gr_delref(grp);
-       }
+    if (def_legacy_group_processing) {
+      for (i = 0; i < ngids; i++) {
+       grlist->groups[i] = NULL;
+      }
+      grlist->ngroups = 0;
+      grlist->groups_resolved = false;
+    } else {
+      int rc = sudo_resolve_gids(gids, ngids, grlist->groups, grlist->groups_buffer);
+      if (rc < 0) {
+       efree(grlitem);
+       return NULL;
+      }
+      grlist->ngroups = rc;
+      grlist->groups_resolved = true;
     }
-    grlist->ngroups = ngroups;
 
 #ifdef HAVE_SETAUTHDB
     aix_restoreauthdb();
@@ -616,6 +613,35 @@ again:
     debug_return_ptr(&grlitem->cache);
 }
 
+int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer)
+{
+  struct group *grp;
+  int space_left = ngids * GROUPNAME_LEN;
+  int ngroups = 0;
+  int i;
+  char *cp = group_buffer;
+  debug_decl(sudo_resolve_gids, SUDO_DEBUG_NSS)
+
+  for (i = 0; i < ngids; i++) {
+    if ((grp = sudo_getgrgid(gids[i])) != NULL) {
+      int len = strlen(grp->gr_name) + 1;
+
+      if (space_left < len) {
+       sudo_gr_delref(grp);
+       debug_return_int(-1);
+      }
+         
+      memcpy(cp, grp->gr_name, len);
+      groups[ngroups++] = cp;
+      cp += len;
+      space_left -= len;
+      sudo_gr_delref(grp);
+    }
+  }
+
+  debug_return_int(ngroups);
+}
+
 void
 sudo_gr_addref(struct group *gr)
 {
@@ -917,8 +943,22 @@ user_in_group(const struct passwd *pw, c
        /*
         * If it could be a sudo-style group ID check gids first.
         */
+       bool do_gid_lookup = false;
+       gid_t gid;
+      
        if (group[0] == '#') {
-           gid_t gid = atoi(group + 1);
+           gid = atoi(group + 1);
+           do_gid_lookup = true;
+       } else if (def_legacy_group_processing) {
+           struct group *grent = sudo_getgrnam(group);
+           if (grent == NULL) {
+               goto done;
+           }
+           gid = grent->gr_gid;
+           do_gid_lookup = true;
+       }
+       
+       if (do_gid_lookup) {
            if (gid == pw->pw_gid) {
                matched = true;
                goto done;
@@ -931,6 +971,19 @@ user_in_group(const struct passwd *pw, c
            }
        }
 
+       if (def_legacy_group_processing) {
+           goto done;
+       }
+       if (!grlist->groups_resolved) {
+           int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
+                                      grlist->groups, grlist->groups_buffer);
+           if (rc < 0) {
+               goto done;
+           }
+           grlist->ngroups = rc;
+           grlist->groups_resolved = true;
+       }
+
        /*
         * Next check the supplementary group vector.
         * It usually includes the password db group too.
diff -up sudo-1.8.6p3/plugins/sudoers/sudoers.h.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/sudoers.h
--- sudo-1.8.6p3/plugins/sudoers/sudoers.h.legacy-group-processing      2015-07-15 09:40:30.589853834 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sudoers.h      2015-07-15 09:40:30.601853727 +0200
@@ -52,6 +52,8 @@ struct group_list {
     GETGROUPS_T *gids;
     int ngroups;
     int ngids;
+    int groups_resolved;
+    char *groups_buffer;
 };
 
 /*
@@ -290,6 +292,8 @@ __dso_public struct group *sudo_getgrnam
 __dso_public void sudo_gr_addref(struct group *);
 __dso_public void sudo_gr_delref(struct group *);
 bool user_in_group(const struct passwd *, const char *);
+int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer);
+
 struct group *sudo_fakegrnam(const char *);
 struct group_list *sudo_get_grlist(const struct passwd *pw);
 struct passwd *sudo_fakepwnam(const char *, gid_t);
1	diff -up sudo-1.8.6p3/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/defaults.c
2	--- sudo-1.8.6p3/plugins/sudoers/defaults.c.legacy-group-processing 2012-09-18 15:56:29.000000000 +0200
3	+++ sudo-1.8.6p3/plugins/sudoers/defaults.c 2015-07-15 09:40:30.600853736 +0200
4	@@ -362,6 +362,7 @@ init_defaults(void)
5	}
6
7	/* First initialize the flags. */
8	+ def_legacy_group_processing = true;
9	#ifdef LONG_OTP_PROMPT
10	def_long_otp_prompt = true;
11	#endif
12	diff -up sudo-1.8.6p3/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/def_data.c
13	--- sudo-1.8.6p3/plugins/sudoers/def_data.c.legacy-group-processing 2015-07-15 09:40:30.561854082 +0200
14	+++ sudo-1.8.6p3/plugins/sudoers/def_data.c 2015-07-15 09:40:30.600853736 +0200
15	@@ -355,6 +355,10 @@ struct sudo_defs_types sudo_defs_table[]
16	N_("Don't fork and wait for the command to finish, just exec it"),
17	NULL,
18	}, {
19	+ "legacy_group_processing", T_FLAG,
20	+ N_("Don't pre-resolve all group names"),
21	+ NULL,
22	+ }, {
23	NULL, 0, NULL
24	}
25	};
26	diff -up sudo-1.8.6p3/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/def_data.h
27	--- sudo-1.8.6p3/plugins/sudoers/def_data.h.legacy-group-processing 2015-07-15 09:40:30.561854082 +0200
28	+++ sudo-1.8.6p3/plugins/sudoers/def_data.h 2015-07-15 09:40:30.600853736 +0200
29	@@ -164,6 +164,8 @@
30	#define I_LIMITPRIVS 81
31	#define def_cmnd_no_wait (sudo_defs_table[82].sd_un.flag)
32	#define I_CMND_NO_WAIT 82
33	+#define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
34	+#define I_LEGACY_GROUP_PROCESSING 83
35
36	enum def_tuple {
37	never,
38	diff -up sudo-1.8.6p3/plugins/sudoers/ldap.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/ldap.c
39	--- sudo-1.8.6p3/plugins/sudoers/ldap.c.legacy-group-processing 2015-07-15 09:40:30.596853772 +0200
40	+++ sudo-1.8.6p3/plugins/sudoers/ldap.c 2015-07-15 09:40:30.601853727 +0200
41	@@ -1150,6 +1150,15 @@ sudo_ldap_build_pass1(struct passwd *pw)
42	}
43	sz += 13 + MAX_UID_T_LEN;
44	if ((grlist = sudo_get_grlist(pw)) != NULL) {
45	+ if (!grlist->groups_resolved) {
46	+ int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
47	+ grlist->groups, grlist->groups_buffer);
48	+ if (rc < 0) {
49	+ return NULL;
50	+ }
51	+ grlist->ngroups = rc;
52	+ grlist->groups_resolved = true;
53	+ }
54	for (i = 0; i < grlist->ngroups; i++) {
55	if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
56	continue;
57	diff -up sudo-1.8.6p3/plugins/sudoers/pwutil.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/pwutil.c
58	--- sudo-1.8.6p3/plugins/sudoers/pwutil.c.legacy-group-processing 2015-07-15 09:40:30.589853834 +0200
59	+++ sudo-1.8.6p3/plugins/sudoers/pwutil.c 2015-07-15 09:48:15.734723742 +0200
60	@@ -542,10 +542,9 @@ static struct cache_item *
61	make_grlist_item(const char user, GETGROUPS_T gids, int ngids)
62	{
63	char *cp;
64	- size_t i, nsize, ngroups, total, len;
65	+ size_t i, nsize, total;
66	struct cache_item_grlist *grlitem;
67	struct group_list *grlist;
68	- struct group *grp;
69	debug_decl(make_grlist_item, SUDO_DEBUG_NSS)
70
71	#ifdef HAVE_SETAUTHDB
72	@@ -559,7 +558,6 @@ make_grlist_item(const char *user, GETGR
73	total += sizeof(gid_t ) ngids;
74	total += GROUPNAME_LEN * ngids;
75
76	-again:
77	grlitem = ecalloc(1, total);
78
79	/*
80	@@ -587,27 +585,26 @@ again:
81	for (i = 0; i < ngids; i++)
82	grlist->gids[i] = gids[i];
83	grlist->ngids = ngids;
84	+ grlist->groups_buffer = cp;
85
86	/*
87	- * Resolve and store group names by ID.
88	+ * Resolve and store group names by ID if legacy_group_processing is off.
89	*/
90	- ngroups = 0;
91	- for (i = 0; i < ngids; i++) {
92	- if ((grp = sudo_getgrgid(gids[i])) != NULL) {
93	- len = strlen(grp->gr_name) + 1;
94	- if (cp - (char *)grlitem + len > total) {
95	- total += len + GROUPNAME_LEN;
96	- efree(grlitem);
97	- sudo_gr_delref(grp);
98	- goto again;
99	- }
100	- memcpy(cp, grp->gr_name, len);
101	- grlist->groups[ngroups++] = cp;
102	- cp += len;
103	- sudo_gr_delref(grp);
104	- }
105	+ if (def_legacy_group_processing) {
106	+ for (i = 0; i < ngids; i++) {
107	+ grlist->groups[i] = NULL;
108	+ }
109	+ grlist->ngroups = 0;
110	+ grlist->groups_resolved = false;
111	+ } else {
112	+ int rc = sudo_resolve_gids(gids, ngids, grlist->groups, grlist->groups_buffer);
113	+ if (rc < 0) {
114	+ efree(grlitem);
115	+ return NULL;
116	+ }
117	+ grlist->ngroups = rc;
118	+ grlist->groups_resolved = true;
119	}
120	- grlist->ngroups = ngroups;
121
122	#ifdef HAVE_SETAUTHDB
123	aix_restoreauthdb();
124	@@ -616,6 +613,35 @@ again:
125	debug_return_ptr(&grlitem->cache);
126	}
127
128	+int sudo_resolve_gids(GETGROUPS_T gids, int ngids, char groups, char group_buffer)
129	+{
130	+ struct group *grp;
131	+ int space_left = ngids * GROUPNAME_LEN;
132	+ int ngroups = 0;
133	+ int i;
134	+ char *cp = group_buffer;
135	+ debug_decl(sudo_resolve_gids, SUDO_DEBUG_NSS)
136	+
137	+ for (i = 0; i < ngids; i++) {
138	+ if ((grp = sudo_getgrgid(gids[i])) != NULL) {
139	+ int len = strlen(grp->gr_name) + 1;
140	+
141	+ if (space_left < len) {
142	+ sudo_gr_delref(grp);
143	+ debug_return_int(-1);
144	+ }
145	+
146	+ memcpy(cp, grp->gr_name, len);
147	+ groups[ngroups++] = cp;
148	+ cp += len;
149	+ space_left -= len;
150	+ sudo_gr_delref(grp);
151	+ }
152	+ }
153	+
154	+ debug_return_int(ngroups);
155	+}
156	+
157	void
158	sudo_gr_addref(struct group *gr)
159	{
160	@@ -917,8 +943,22 @@ user_in_group(const struct passwd *pw, c
161	/*
162	* If it could be a sudo-style group ID check gids first.
163	*/
164	+ bool do_gid_lookup = false;
165	+ gid_t gid;
166	+
167	if (group[0] == '#') {
168	- gid_t gid = atoi(group + 1);
169	+ gid = atoi(group + 1);
170	+ do_gid_lookup = true;
171	+ } else if (def_legacy_group_processing) {
172	+ struct group *grent = sudo_getgrnam(group);
173	+ if (grent == NULL) {
174	+ goto done;
175	+ }
176	+ gid = grent->gr_gid;
177	+ do_gid_lookup = true;
178	+ }
179	+
180	+ if (do_gid_lookup) {
181	if (gid == pw->pw_gid) {
182	matched = true;
183	goto done;
184	@@ -931,6 +971,19 @@ user_in_group(const struct passwd *pw, c
185	}
186	}
187
188	+ if (def_legacy_group_processing) {
189	+ goto done;
190	+ }
191	+ if (!grlist->groups_resolved) {
192	+ int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
193	+ grlist->groups, grlist->groups_buffer);
194	+ if (rc < 0) {
195	+ goto done;
196	+ }
197	+ grlist->ngroups = rc;
198	+ grlist->groups_resolved = true;
199	+ }
200	+
201	/*
202	* Next check the supplementary group vector.
203	* It usually includes the password db group too.
204	diff -up sudo-1.8.6p3/plugins/sudoers/sudoers.h.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/sudoers.h
205	--- sudo-1.8.6p3/plugins/sudoers/sudoers.h.legacy-group-processing 2015-07-15 09:40:30.589853834 +0200
206	+++ sudo-1.8.6p3/plugins/sudoers/sudoers.h 2015-07-15 09:40:30.601853727 +0200
207	@@ -52,6 +52,8 @@ struct group_list {
208	GETGROUPS_T *gids;
209	int ngroups;
210	int ngids;
211	+ int groups_resolved;
212	+ char *groups_buffer;
213	};
214
215	/*
216	@@ -290,6 +292,8 @@ __dso_public struct group *sudo_getgrnam
217	__dso_public void sudo_gr_addref(struct group *);
218	__dso_public void sudo_gr_delref(struct group *);
219	bool user_in_group(const struct passwd , const char );
220	+int sudo_resolve_gids(GETGROUPS_T gids, int ngids, char groups, char group_buffer);
221	+
222	struct group sudo_fakegrnam(const char );
223	struct group_list sudo_get_grlist(const struct passwd pw);
224	struct passwd sudo_fakepwnam(const char , gid_t);