sudo/sme9/sudo-1.8.6p3-legacy-group-processing.patch

diff -up sudo-1.8.6p3/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/defaults.c
--- sudo-1.8.6p3/plugins/sudoers/defaults.c.legacy-group-processing     2012-09-18 15:56:29.000000000 +0200
+++ sudo-1.8.6p3/plugins/sudoers/defaults.c     2015-07-15 09:40:30.600853736 +0200
@@ -362,6 +362,7 @@ init_defaults(void)
     }
 
     /* First initialize the flags. */
+    def_legacy_group_processing = true;
 #ifdef LONG_OTP_PROMPT
     def_long_otp_prompt = true;
 #endif
diff -up sudo-1.8.6p3/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/def_data.c
--- sudo-1.8.6p3/plugins/sudoers/def_data.c.legacy-group-processing     2015-07-15 09:40:30.561854082 +0200
+++ sudo-1.8.6p3/plugins/sudoers/def_data.c     2015-07-15 09:40:30.600853736 +0200
@@ -355,6 +355,10 @@ struct sudo_defs_types sudo_defs_table[]
         N_("Don't fork and wait for the command to finish, just exec it"),
         NULL,
     }, {
+       "legacy_group_processing", T_FLAG,
+       N_("Don't pre-resolve all group names"),
+       NULL,
+    }, {
        NULL, 0, NULL
     }
 };
diff -up sudo-1.8.6p3/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/def_data.h
--- sudo-1.8.6p3/plugins/sudoers/def_data.h.legacy-group-processing     2015-07-15 09:40:30.561854082 +0200
+++ sudo-1.8.6p3/plugins/sudoers/def_data.h     2015-07-15 09:40:30.600853736 +0200
@@ -164,6 +164,8 @@
 #define I_LIMITPRIVS            81
 #define def_cmnd_no_wait        (sudo_defs_table[82].sd_un.flag)
 #define I_CMND_NO_WAIT          82
+#define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
+#define I_LEGACY_GROUP_PROCESSING 83
 
 enum def_tuple {
        never,
diff -up sudo-1.8.6p3/plugins/sudoers/ldap.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/ldap.c
--- sudo-1.8.6p3/plugins/sudoers/ldap.c.legacy-group-processing 2015-07-15 09:40:30.596853772 +0200
+++ sudo-1.8.6p3/plugins/sudoers/ldap.c 2015-07-15 09:40:30.601853727 +0200
@@ -1150,6 +1150,15 @@ sudo_ldap_build_pass1(struct passwd *pw)
     }
     sz += 13 + MAX_UID_T_LEN;
     if ((grlist = sudo_get_grlist(pw)) != NULL) {
+       if (!grlist->groups_resolved) {
+           int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
+                                      grlist->groups, grlist->groups_buffer);
+           if (rc < 0) {
+               return NULL;
+           }
+           grlist->ngroups = rc;
+           grlist->groups_resolved = true;
+       }
        for (i = 0; i < grlist->ngroups; i++) {
            if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
                continue;
diff -up sudo-1.8.6p3/plugins/sudoers/pwutil.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/pwutil.c
--- sudo-1.8.6p3/plugins/sudoers/pwutil.c.legacy-group-processing       2015-07-15 09:40:30.589853834 +0200
+++ sudo-1.8.6p3/plugins/sudoers/pwutil.c       2015-07-15 09:48:15.734723742 +0200
@@ -542,10 +542,9 @@ static struct cache_item *
 make_grlist_item(const char *user, GETGROUPS_T *gids, int ngids)
 {
     char *cp;
-    size_t i, nsize, ngroups, total, len;
+    size_t i, nsize, total;
     struct cache_item_grlist *grlitem;
     struct group_list *grlist;
-    struct group *grp;
     debug_decl(make_grlist_item, SUDO_DEBUG_NSS)
 
 #ifdef HAVE_SETAUTHDB
@@ -559,7 +558,6 @@ make_grlist_item(const char *user, GETGR
     total += sizeof(gid_t *) * ngids;
     total += GROUPNAME_LEN * ngids;
 
-again:
     grlitem = ecalloc(1, total);
 
     /*
@@ -587,27 +585,26 @@ again:
     for (i = 0; i < ngids; i++)
        grlist->gids[i] = gids[i];
     grlist->ngids = ngids;
+    grlist->groups_buffer = cp;
 
     /*
-     * Resolve and store group names by ID.
+     * Resolve and store group names by ID if legacy_group_processing is off.
      */
-    ngroups = 0;
-    for (i = 0; i < ngids; i++) {
-       if ((grp = sudo_getgrgid(gids[i])) != NULL) {
-           len = strlen(grp->gr_name) + 1;
-           if (cp - (char *)grlitem + len > total) {
-               total += len + GROUPNAME_LEN;
-               efree(grlitem);
-               sudo_gr_delref(grp);
-               goto again;
-           }
-           memcpy(cp, grp->gr_name, len);
-           grlist->groups[ngroups++] = cp;
-           cp += len;
-           sudo_gr_delref(grp);
-       }
+    if (def_legacy_group_processing) {
+      for (i = 0; i < ngids; i++) {
+       grlist->groups[i] = NULL;
+      }
+      grlist->ngroups = 0;
+      grlist->groups_resolved = false;
+    } else {
+      int rc = sudo_resolve_gids(gids, ngids, grlist->groups, grlist->groups_buffer);
+      if (rc < 0) {
+       efree(grlitem);
+       return NULL;
+      }
+      grlist->ngroups = rc;
+      grlist->groups_resolved = true;
     }
-    grlist->ngroups = ngroups;
 
 #ifdef HAVE_SETAUTHDB
     aix_restoreauthdb();
@@ -616,6 +613,35 @@ again:
     debug_return_ptr(&grlitem->cache);
 }
 
+int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer)
+{
+  struct group *grp;
+  int space_left = ngids * GROUPNAME_LEN;
+  int ngroups = 0;
+  int i;
+  char *cp = group_buffer;
+  debug_decl(sudo_resolve_gids, SUDO_DEBUG_NSS)
+
+  for (i = 0; i < ngids; i++) {
+    if ((grp = sudo_getgrgid(gids[i])) != NULL) {
+      int len = strlen(grp->gr_name) + 1;
+
+      if (space_left < len) {
+       sudo_gr_delref(grp);
+       debug_return_int(-1);
+      }
+         
+      memcpy(cp, grp->gr_name, len);
+      groups[ngroups++] = cp;
+      cp += len;
+      space_left -= len;
+      sudo_gr_delref(grp);
+    }
+  }
+
+  debug_return_int(ngroups);
+}
+
 void
 sudo_gr_addref(struct group *gr)
 {
@@ -917,8 +943,22 @@ user_in_group(const struct passwd *pw, c
        /*
         * If it could be a sudo-style group ID check gids first.
         */
+       bool do_gid_lookup = false;
+       gid_t gid;
+      
        if (group[0] == '#') {
-           gid_t gid = atoi(group + 1);
+           gid = atoi(group + 1);
+           do_gid_lookup = true;
+       } else if (def_legacy_group_processing) {
+           struct group *grent = sudo_getgrnam(group);
+           if (grent == NULL) {
+               goto done;
+           }
+           gid = grent->gr_gid;
+           do_gid_lookup = true;
+       }
+       
+       if (do_gid_lookup) {
            if (gid == pw->pw_gid) {
                matched = true;
                goto done;
@@ -931,6 +971,19 @@ user_in_group(const struct passwd *pw, c
            }
        }
 
+       if (def_legacy_group_processing) {
+           goto done;
+       }
+       if (!grlist->groups_resolved) {
+           int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
+                                      grlist->groups, grlist->groups_buffer);
+           if (rc < 0) {
+               goto done;
+           }
+           grlist->ngroups = rc;
+           grlist->groups_resolved = true;
+       }
+
        /*
         * Next check the supplementary group vector.
         * It usually includes the password db group too.
diff -up sudo-1.8.6p3/plugins/sudoers/sudoers.h.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/sudoers.h
--- sudo-1.8.6p3/plugins/sudoers/sudoers.h.legacy-group-processing      2015-07-15 09:40:30.589853834 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sudoers.h      2015-07-15 09:40:30.601853727 +0200
@@ -52,6 +52,8 @@ struct group_list {
     GETGROUPS_T *gids;
     int ngroups;
     int ngids;
+    int groups_resolved;
+    char *groups_buffer;
 };
 
 /*
@@ -290,6 +292,8 @@ __dso_public struct group *sudo_getgrnam
 __dso_public void sudo_gr_addref(struct group *);
 __dso_public void sudo_gr_delref(struct group *);
 bool user_in_group(const struct passwd *, const char *);
+int sudo_resolve_gids(GETGROUPS_T *gids, int ngids, char **groups, char *group_buffer);
+
 struct group *sudo_fakegrnam(const char *);
 struct group_list *sudo_get_grlist(const struct passwd *pw);
 struct passwd *sudo_fakepwnam(const char *, gid_t);
1	jpp	1.1	diff -up sudo-1.8.6p3/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/defaults.c
2			--- sudo-1.8.6p3/plugins/sudoers/defaults.c.legacy-group-processing 2012-09-18 15:56:29.000000000 +0200
3			+++ sudo-1.8.6p3/plugins/sudoers/defaults.c 2015-07-15 09:40:30.600853736 +0200
4			@@ -362,6 +362,7 @@ init_defaults(void)
5			}
6
7			/* First initialize the flags. */
8			+ def_legacy_group_processing = true;
9			#ifdef LONG_OTP_PROMPT
10			def_long_otp_prompt = true;
11			#endif
12			diff -up sudo-1.8.6p3/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/def_data.c
13			--- sudo-1.8.6p3/plugins/sudoers/def_data.c.legacy-group-processing 2015-07-15 09:40:30.561854082 +0200
14			+++ sudo-1.8.6p3/plugins/sudoers/def_data.c 2015-07-15 09:40:30.600853736 +0200
15			@@ -355,6 +355,10 @@ struct sudo_defs_types sudo_defs_table[]
16			N_("Don't fork and wait for the command to finish, just exec it"),
17			NULL,
18			}, {
19			+ "legacy_group_processing", T_FLAG,
20			+ N_("Don't pre-resolve all group names"),
21			+ NULL,
22			+ }, {
23			NULL, 0, NULL
24			}
25			};
26			diff -up sudo-1.8.6p3/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/def_data.h
27			--- sudo-1.8.6p3/plugins/sudoers/def_data.h.legacy-group-processing 2015-07-15 09:40:30.561854082 +0200
28			+++ sudo-1.8.6p3/plugins/sudoers/def_data.h 2015-07-15 09:40:30.600853736 +0200
29			@@ -164,6 +164,8 @@
30			#define I_LIMITPRIVS 81
31			#define def_cmnd_no_wait (sudo_defs_table[82].sd_un.flag)
32			#define I_CMND_NO_WAIT 82
33			+#define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
34			+#define I_LEGACY_GROUP_PROCESSING 83
35
36			enum def_tuple {
37			never,
38			diff -up sudo-1.8.6p3/plugins/sudoers/ldap.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/ldap.c
39			--- sudo-1.8.6p3/plugins/sudoers/ldap.c.legacy-group-processing 2015-07-15 09:40:30.596853772 +0200
40			+++ sudo-1.8.6p3/plugins/sudoers/ldap.c 2015-07-15 09:40:30.601853727 +0200
41			@@ -1150,6 +1150,15 @@ sudo_ldap_build_pass1(struct passwd *pw)
42			}
43			sz += 13 + MAX_UID_T_LEN;
44			if ((grlist = sudo_get_grlist(pw)) != NULL) {
45			+ if (!grlist->groups_resolved) {
46			+ int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
47			+ grlist->groups, grlist->groups_buffer);
48			+ if (rc < 0) {
49			+ return NULL;
50			+ }
51			+ grlist->ngroups = rc;
52			+ grlist->groups_resolved = true;
53			+ }
54			for (i = 0; i < grlist->ngroups; i++) {
55			if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
56			continue;
57			diff -up sudo-1.8.6p3/plugins/sudoers/pwutil.c.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/pwutil.c
58			--- sudo-1.8.6p3/plugins/sudoers/pwutil.c.legacy-group-processing 2015-07-15 09:40:30.589853834 +0200
59			+++ sudo-1.8.6p3/plugins/sudoers/pwutil.c 2015-07-15 09:48:15.734723742 +0200
60			@@ -542,10 +542,9 @@ static struct cache_item *
61			make_grlist_item(const char user, GETGROUPS_T gids, int ngids)
62			{
63			char *cp;
64			- size_t i, nsize, ngroups, total, len;
65			+ size_t i, nsize, total;
66			struct cache_item_grlist *grlitem;
67			struct group_list *grlist;
68			- struct group *grp;
69			debug_decl(make_grlist_item, SUDO_DEBUG_NSS)
70
71			#ifdef HAVE_SETAUTHDB
72			@@ -559,7 +558,6 @@ make_grlist_item(const char *user, GETGR
73			total += sizeof(gid_t ) ngids;
74			total += GROUPNAME_LEN * ngids;
75
76			-again:
77			grlitem = ecalloc(1, total);
78
79			/*
80			@@ -587,27 +585,26 @@ again:
81			for (i = 0; i < ngids; i++)
82			grlist->gids[i] = gids[i];
83			grlist->ngids = ngids;
84			+ grlist->groups_buffer = cp;
85
86			/*
87			- * Resolve and store group names by ID.
88			+ * Resolve and store group names by ID if legacy_group_processing is off.
89			*/
90			- ngroups = 0;
91			- for (i = 0; i < ngids; i++) {
92			- if ((grp = sudo_getgrgid(gids[i])) != NULL) {
93			- len = strlen(grp->gr_name) + 1;
94			- if (cp - (char *)grlitem + len > total) {
95			- total += len + GROUPNAME_LEN;
96			- efree(grlitem);
97			- sudo_gr_delref(grp);
98			- goto again;
99			- }
100			- memcpy(cp, grp->gr_name, len);
101			- grlist->groups[ngroups++] = cp;
102			- cp += len;
103			- sudo_gr_delref(grp);
104			- }
105			+ if (def_legacy_group_processing) {
106			+ for (i = 0; i < ngids; i++) {
107			+ grlist->groups[i] = NULL;
108			+ }
109			+ grlist->ngroups = 0;
110			+ grlist->groups_resolved = false;
111			+ } else {
112			+ int rc = sudo_resolve_gids(gids, ngids, grlist->groups, grlist->groups_buffer);
113			+ if (rc < 0) {
114			+ efree(grlitem);
115			+ return NULL;
116			+ }
117			+ grlist->ngroups = rc;
118			+ grlist->groups_resolved = true;
119			}
120			- grlist->ngroups = ngroups;
121
122			#ifdef HAVE_SETAUTHDB
123			aix_restoreauthdb();
124			@@ -616,6 +613,35 @@ again:
125			debug_return_ptr(&grlitem->cache);
126			}
127
128			+int sudo_resolve_gids(GETGROUPS_T gids, int ngids, char groups, char group_buffer)
129			+{
130			+ struct group *grp;
131			+ int space_left = ngids * GROUPNAME_LEN;
132			+ int ngroups = 0;
133			+ int i;
134			+ char *cp = group_buffer;
135			+ debug_decl(sudo_resolve_gids, SUDO_DEBUG_NSS)
136			+
137			+ for (i = 0; i < ngids; i++) {
138			+ if ((grp = sudo_getgrgid(gids[i])) != NULL) {
139			+ int len = strlen(grp->gr_name) + 1;
140			+
141			+ if (space_left < len) {
142			+ sudo_gr_delref(grp);
143			+ debug_return_int(-1);
144			+ }
145			+
146			+ memcpy(cp, grp->gr_name, len);
147			+ groups[ngroups++] = cp;
148			+ cp += len;
149			+ space_left -= len;
150			+ sudo_gr_delref(grp);
151			+ }
152			+ }
153			+
154			+ debug_return_int(ngroups);
155			+}
156			+
157			void
158			sudo_gr_addref(struct group *gr)
159			{
160			@@ -917,8 +943,22 @@ user_in_group(const struct passwd *pw, c
161			/*
162			* If it could be a sudo-style group ID check gids first.
163			*/
164			+ bool do_gid_lookup = false;
165			+ gid_t gid;
166			+
167			if (group[0] == '#') {
168			- gid_t gid = atoi(group + 1);
169			+ gid = atoi(group + 1);
170			+ do_gid_lookup = true;
171			+ } else if (def_legacy_group_processing) {
172			+ struct group *grent = sudo_getgrnam(group);
173			+ if (grent == NULL) {
174			+ goto done;
175			+ }
176			+ gid = grent->gr_gid;
177			+ do_gid_lookup = true;
178			+ }
179			+
180			+ if (do_gid_lookup) {
181			if (gid == pw->pw_gid) {
182			matched = true;
183			goto done;
184			@@ -931,6 +971,19 @@ user_in_group(const struct passwd *pw, c
185			}
186			}
187
188			+ if (def_legacy_group_processing) {
189			+ goto done;
190			+ }
191			+ if (!grlist->groups_resolved) {
192			+ int rc = sudo_resolve_gids(grlist->gids, grlist->ngids,
193			+ grlist->groups, grlist->groups_buffer);
194			+ if (rc < 0) {
195			+ goto done;
196			+ }
197			+ grlist->ngroups = rc;
198			+ grlist->groups_resolved = true;
199			+ }
200			+
201			/*
202			* Next check the supplementary group vector.
203			* It usually includes the password db group too.
204			diff -up sudo-1.8.6p3/plugins/sudoers/sudoers.h.legacy-group-processing sudo-1.8.6p3/plugins/sudoers/sudoers.h
205			--- sudo-1.8.6p3/plugins/sudoers/sudoers.h.legacy-group-processing 2015-07-15 09:40:30.589853834 +0200
206			+++ sudo-1.8.6p3/plugins/sudoers/sudoers.h 2015-07-15 09:40:30.601853727 +0200
207			@@ -52,6 +52,8 @@ struct group_list {
208			GETGROUPS_T *gids;
209			int ngroups;
210			int ngids;
211			+ int groups_resolved;
212			+ char *groups_buffer;
213			};
214
215			/*
216			@@ -290,6 +292,8 @@ __dso_public struct group *sudo_getgrnam
217			__dso_public void sudo_gr_addref(struct group *);
218			__dso_public void sudo_gr_delref(struct group *);
219			bool user_in_group(const struct passwd , const char );
220			+int sudo_resolve_gids(GETGROUPS_T gids, int ngids, char groups, char group_buffer);
221			+
222			struct group sudo_fakegrnam(const char );
223			struct group_list sudo_get_grlist(const struct passwd pw);
224			struct passwd sudo_fakepwnam(const char , gid_t);