isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add sudo_getgrouplist2() to dynamically allocate the group vector.

Browse Source 
This allows us to avoid repeatedly calling getgrouplist() with
a statically sized vector on macOS, Solaris, HP-UX, and AIX.
This commit is contained in:
Todd C. Miller
2018-06-15 14:05:13 -06:00
parent 1385613797
commit 0ae9662833
7 changed files with 240 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
configure vendored
View File

@@ -19149,12 +19149,6 @@ fi
;; ;;
esac esac
case " $LIBOBJS " in
*" getgrouplist.$ac_objext "* ) ;;
*) LIBOBJS="$LIBOBJS getgrouplist.$ac_objext"
;;
esac
for _sym in sudo_getgrouplist; do for _sym in sudo_getgrouplist; do
COMPAT_EXP="${COMPAT_EXP}${_sym} COMPAT_EXP="${COMPAT_EXP}${_sym}

1
configure.ac
View File

@@ -2538,7 +2538,6 @@ AC_CHECK_FUNCS([getgrouplist], [], [
]) ])
;; ;;
esac esac
AC_LIBOBJ(getgrouplist)
SUDO_APPEND_COMPAT_EXP(sudo_getgrouplist) SUDO_APPEND_COMPAT_EXP(sudo_getgrouplist)
]) ])
AC_CHECK_FUNCS([getline], [], [ AC_CHECK_FUNCS([getline], [], [

5
include/sudo_compat.h
View File

@@ -392,13 +392,10 @@ __dso_public char *sudo_getcwd(char *, size_t size);
# define getcwd(_a, _b) sudo_getcwd((_a), (_b)) # define getcwd(_a, _b) sudo_getcwd((_a), (_b))
#endif /* PREFER_PORTABLE_GETCWD */ #endif /* PREFER_PORTABLE_GETCWD */
#ifndef HAVE_GETGROUPLIST #ifndef HAVE_GETGROUPLIST
__dso_public int sudo_getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp); __dso_public int sudo_getgrouplist(const char *name, GETGROUPS_T basegid, GETGROUPS_T *groups, int *ngroupsp);
# undef getgrouplist # undef getgrouplist
# define getgrouplist(_a, _b, _c, _d) sudo_getgrouplist((_a), (_b), (_c), (_d)) # define getgrouplist(_a, _b, _c, _d) sudo_getgrouplist((_a), (_b), (_c), (_d))
#endif /* GETGROUPLIST */ #endif /* GETGROUPLIST */
#if defined(HAVE_GETGROUPLIST_2) && !HAVE_DECL_GETGROUPLIST_2
int getgrouplist_2(const char *name, gid_t basegid, gid_t **groups);
#endif /* HAVE_GETGROUPLIST_2 && !HAVE_DECL_GETGROUPLIST_2 */
#ifndef HAVE_GETLINE #ifndef HAVE_GETLINE
__dso_public ssize_t sudo_getline(char **bufp, size_t *bufsizep, FILE *fp); __dso_public ssize_t sudo_getline(char **bufp, size_t *bufsizep, FILE *fp);
# undef getline # undef getline

4
include/sudo_util.h
View File

@@ -179,6 +179,10 @@ __dso_public int sudo_gettime_real_v1(struct timespec *ts);
__dso_public int sudo_parse_gids_v1(const char *gidstr, const gid_t *basegid, GETGROUPS_T **gidsp); __dso_public int sudo_parse_gids_v1(const char *gidstr, const gid_t *basegid, GETGROUPS_T **gidsp);
#define sudo_parse_gids(_a, _b, _c) sudo_parse_gids_v1((_a), (_b), (_c)) #define sudo_parse_gids(_a, _b, _c) sudo_parse_gids_v1((_a), (_b), (_c))
/* getgrouplist.c */
__dso_public int sudo_getgrouplist2_v1(const char *name, gid_t basegid, GETGROUPS_T **groupsp, int *ngroupsp);
#define sudo_getgrouplist2(_a, _b, _c, _d) sudo_getgrouplist2_v1((_a), (_b), (_c), (_d))
/* key_val.c */ /* key_val.c */
__dso_public char *sudo_new_key_val_v1(const char *key, const char *value); __dso_public char *sudo_new_key_val_v1(const char *key, const char *value);
#define sudo_new_key_val(_a, _b) sudo_new_key_val_v1((_a), (_b)) #define sudo_new_key_val(_a, _b) sudo_new_key_val_v1((_a), (_b))

8
lib/util/Makefile.in
View File

@@ -109,10 +109,10 @@ DEVEL = @DEVEL@
SHELL = @SHELL@ SHELL = @SHELL@
LTOBJS = @DIGEST@ event.lo fatal.lo key_val.lo gethostname.lo gettime.lo \ LTOBJS = @DIGEST@ event.lo fatal.lo key_val.lo gethostname.lo gettime.lo \
gidlist.lo lbuf.lo locking.lo parseln.lo progname.lo secure_path.lo \ getgrouplist.lo gidlist.lo lbuf.lo locking.lo parseln.lo progname.lo \
setgroups.lo strsplit.lo strtobool.lo strtoid.lo strtomode.lo \ secure_path.lo setgroups.lo strsplit.lo strtobool.lo strtoid.lo \
sudo_conf.lo sudo_debug.lo sudo_dso.lo term.lo ttyname_dev.lo \ strtomode.lo sudo_conf.lo sudo_debug.lo sudo_dso.lo term.lo \
ttysize.lo @COMMON_OBJS@ @LTLIBOBJS@ ttyname_dev.lo ttysize.lo @COMMON_OBJS@ @LTLIBOBJS@
ATOFOO_TEST_OBJS = atofoo_test.lo ATOFOO_TEST_OBJS = atofoo_test.lo

261
lib/util/getgrouplist.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2010, 2011, 2013-2016 * Copyright (c) 2010, 2011, 2013-2018
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@@ -17,8 +17,6 @@
#include <config.h> #include <config.h>
#ifndef HAVE_GETGROUPLIST
#include <sys/types.h> #include <sys/types.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
@@ -29,6 +27,8 @@
# include <strings.h> # include <strings.h>
#endif /* HAVE_STRINGS_H */ #endif /* HAVE_STRINGS_H */
#include <grp.h> #include <grp.h>
#include <limits.h>
#include <unistd.h>
#ifdef HAVE_NSS_SEARCH #ifdef HAVE_NSS_SEARCH
# include <errno.h> # include <errno.h>
# include <limits.h> # include <limits.h>
@@ -43,22 +43,103 @@
#include "sudo_compat.h" #include "sudo_compat.h"
#include "sudo_util.h" #include "sudo_util.h"
#if defined(HAVE_GETGRSET) #ifndef HAVE_GETGROUPLIST
int
sudo_getgrouplist(const char *name, GETGROUPS_T basegid, GETGROUPS_T *groups,
int *ngroupsp)
{
return sudo_getgrouplist2(name, basegid, &groups, ngroupsp);
}
#endif /* HAVE_GETGROUPLIST */
#if defined(HAVE_GETGROUPLIST)
#if defined(HAVE_GETGROUPLIST_2) && !HAVE_DECL_GETGROUPLIST_2
int getgrouplist_2(const char *name, GETGROUPS_T basegid, GETGROUPS_T **groups);
#endif /* HAVE_GETGROUPLIST_2 && !HAVE_DECL_GETGROUPLIST_2 */
/* /*
* BSD-compatible getgrouplist(3) using AIX getgrset(3) * Extended getgrouplist(3) using getgrouplist(3) and getgrouplist_2(3)
*/ */
int int
sudo_getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp) sudo_getgrouplist2_v1(const char *name, GETGROUPS_T basegid,
GETGROUPS_T **groupsp, int *ngroupsp)
{ {
GETGROUPS_T *groups = *groupsp;
int ngroups;
#ifndef HAVE_GETGROUPLIST_2
int grpsize, tries;
#endif
/* For static group vector, just use getgrouplist(3). */
if (groups != NULL)
return getgrouplist(name, basegid, groups, ngroupsp);
#ifdef HAVE_GETGROUPLIST_2
if ((ngroups = getgrouplist_2(name, basegid, groupsp)) == -1)
return -1;
*ngroupsp = ngroups;
return 0;
#else
grpsize = (int)sysconf(_SC_NGROUPS_MAX);
if (grpsize < 0)
grpsize = NGROUPS_MAX;
/*
* It is possible to belong to more groups in the group database
* than NGROUPS_MAX. We start off with NGROUPS_MAX * 4 entries
* and double this as needed.
*/
grpsize <<= 1;
for (tries = 0; tries < 10; tries++) {
free(groups);
groups = reallocarray(NULL, grpsize, 2 * sizeof(*groups));
if (groups == NULL)
return -1;
grpsize <<= 1;
ngroups = grpsize;
if (getgrouplist(name, basegid, groups, &ngroups) == 0) {
*groupsp = groups;
*ngroupsp = ngroups;
return 0;
}
}
free(groups);
return -1;
#endif /* HAVE_GETGROUPLIST_2 */
}
#elif defined(HAVE_GETGRSET)
/*
* Extended getgrouplist(3) using AIX getgrset(3)
*/
int
sudo_getgrouplist2_v1(const char *name, GETGROUPS_T basegid,
GETGROUPS_T **groupsp, int *ngroupsp)
{
GETGROUPS_T *groups = *groupsp;
char *cp, *grset = NULL; char *cp, *grset = NULL;
int ngroups = 1; int ngroups = 1;
int grpsize = *ngroupsp; int grpsize = *ngroupsp;
int ret = -1; int ret = -1;
gid_t gid; gid_t gid;
if (groups == NULL) {
/* Dynamically-sized group vector. */
grpsize = (int)sysconf(_SC_NGROUPS_MAX);
if (grpsize < 0)
grpsize = NGROUPS_MAX;
groups = reallocarray(NULL, grpsize, 4 * sizeof(*groups));
if (groups == NULL)
return -1;
grpsize <<= 2;
} else {
/* Static group vector. */
if (grpsize <= 0)
return -1;
}
/* We support BSD semantics where the first element is the base gid */ /* We support BSD semantics where the first element is the base gid */
if (grpsize <= 0)
return -1;
groups[0] = basegid; groups[0] = basegid;
#ifdef HAVE_SETAUTHDB #ifdef HAVE_SETAUTHDB
@@ -71,8 +152,23 @@ sudo_getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp)
for (cp = strtok_r(grset, ",", &last); cp != NULL; cp = strtok_r(NULL, ",", &last)) { for (cp = strtok_r(grset, ",", &last); cp != NULL; cp = strtok_r(NULL, ",", &last)) {
gid = sudo_strtoid(cp, NULL, NULL, &errstr); gid = sudo_strtoid(cp, NULL, NULL, &errstr);
if (errstr == NULL && gid != basegid) { if (errstr == NULL && gid != basegid) {
if (ngroups == grpsize) if (ngroups == grpsize) {
goto done; GETGROUPS_T *tmp;
if (*groupsp != NULL) {
/* Static group vector. */
goto done;
}
tmp = reallocarray(groups, grpsize, 2 * sizeof(*groups));
if (tmp == NULL) {
free(groups);
groups = NULL;
ngroups = 0;
goto done;
}
groups = tmp;
grpsize <<= 1;
}
groups[ngroups++] = gid; groups[ngroups++] = gid;
} }
} }
@@ -84,6 +180,7 @@ done:
#ifdef HAVE_SETAUTHDB #ifdef HAVE_SETAUTHDB
aix_restoreauthdb(); aix_restoreauthdb();
#endif #endif
*groupsp = groups;
*ngroupsp = ngroups; *ngroupsp = ngroups;
return ret; return ret;
@@ -193,7 +290,8 @@ str2grp(const char *instr, int inlen, void *ent, char *buf, int buflen)
} }
static nss_status_t static nss_status_t
process_cstr(const char *instr, int inlen, struct nss_groupsbymem *gbm) process_cstr(const char *instr, int inlen, struct nss_groupsbymem *gbm,
int dynamic)
{ {
const char *user = gbm->username; const char *user = gbm->username;
nss_status_t ret = NSS_NOTFOUND; nss_status_t ret = NSS_NOTFOUND;
@@ -202,6 +300,10 @@ process_cstr(const char *instr, int inlen, struct nss_groupsbymem *gbm)
char **gr_mem; char **gr_mem;
int error, i; int error, i;
/* Hack to let us check whether the query was handled by nscd or us. */
if (gbm->force_slow_way != 0)
gbm->force_slow_way = 2;
buf = _nss_XbyY_buf_alloc(sizeof(struct group), NSS_BUFLEN_GROUP); buf = _nss_XbyY_buf_alloc(sizeof(struct group), NSS_BUFLEN_GROUP);
if (buf == NULL) if (buf == NULL)
return NSS_UNAVAIL; return NSS_UNAVAIL;
@@ -219,6 +321,17 @@ process_cstr(const char *instr, int inlen, struct nss_groupsbymem *gbm)
if (gbm->gid_array[i] == grp->gr_gid) if (gbm->gid_array[i] == grp->gr_gid)
goto done; /* already present */ goto done; /* already present */
} }
if (i == gbm->maxgids && dynamic) {
GETGROUPS_T *tmp = reallocarray(gbm->gid_array, gbm->maxgids,
2 * sizeof(GETGROUPS_T));
if (tmp == NULL) {
/* Out of memory, just return what we have. */
dynamic = 0;
} else {
gbm->gid_array = tmp;
gbm->maxgids <<= 1;
}
}
/* Store gid if there is space. */ /* Store gid if there is space. */
if (i < gbm->maxgids) if (i < gbm->maxgids)
gbm->gid_array[i] = grp->gr_gid; gbm->gid_array[i] = grp->gr_gid;
@@ -232,35 +345,91 @@ done:
return ret; return ret;
} }
static nss_status_t
process_cstr_static(const char *instr, int inlen, struct nss_groupsbymem *gbm)
{
return process_cstr(instr, inlen, gbm, 0);
}
static nss_status_t
process_cstr_dynamic(const char *instr, int inlen, struct nss_groupsbymem *gbm)
{
return process_cstr(instr, inlen, gbm, 1);
}
/* /*
* BSD-compatible getgrouplist(3) using nss_search(3) * Extended getgrouplist(3) using nss_search(3)
*/ */
int int
sudo_getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp) sudo_getgrouplist2_v1(const char *name, GETGROUPS_T basegid,
GETGROUPS_T **groupsp, int *ngroupsp)
{ {
struct nss_groupsbymem gbm; struct nss_groupsbymem gbm;
static DEFINE_NSS_DB_ROOT(db_root); static DEFINE_NSS_DB_ROOT(db_root);
/* We support BSD semantics where the first element is the base gid */
if (*ngroupsp <= 0)
return -1;
groups[0] = basegid;
memset(&gbm, 0, sizeof(gbm)); memset(&gbm, 0, sizeof(gbm));
gbm.username = name; gbm.username = name;
gbm.gid_array = groups; gbm.gid_array = *groupsp;
gbm.maxgids = *ngroupsp; gbm.maxgids = *ngroupsp;
gbm.numgids = 1; /* for basegid */ gbm.numgids = 1; /* for basegid */
gbm.force_slow_way = 1; gbm.force_slow_way = 1;
gbm.str2ent = str2grp; gbm.str2ent = str2grp;
gbm.process_cstr = process_cstr;
if (gbm.gid_array == NULL) {
/* Dynamically-sized group vector. */
gbm.maxgids = (int)sysconf(_SC_NGROUPS_MAX);
if (gbm.maxgids < 0)
gbm.maxgids = NGROUPS_MAX;
gbm.gid_array = reallocarray(NULL, gbm.maxgids, 4 * sizeof(GETGROUPS_T));
if (gbm.gid_array == NULL)
return -1;
gbm.maxgids <<= 2;
gbm.process_cstr = process_cstr_dynamic;
} else {
/* Static group vector. */
if (gbm.maxgids <= 0)
return -1;
gbm.process_cstr = process_cstr_static;
}
/* We support BSD semantics where the first element is the base gid */
gbm.gid_array[0] = basegid;
/* /*
* Can't use nss_search return value since it may return NSS_UNAVAIL * Can't use nss_search return value since it may return NSS_UNAVAIL
* when no nsswitch.conf entry (e.g. compat mode). * when no nsswitch.conf entry (e.g. compat mode).
*/ */
(void)nss_search(&db_root, _nss_initf_group, NSS_DBOP_GROUP_BYMEMBER, &gbm); for (;;) {
GETGROUPS_T *tmp;
(void)nss_search(&db_root, _nss_initf_group, NSS_DBOP_GROUP_BYMEMBER,
&gbm);
/*
* If this was a statically-sized group vector or nscd was not used
* we are done.
*/
if (gbm.process_cstr != process_cstr_dynamic || gbm.force_slow_way == 2)
break;
/*
* If gid_array is full and the query was handled by nscd, there
* may be more data, so double gid_array and try again.
*/
if (gbm.numgids != gbm.maxgids)
break;
tmp = reallocarray(gbm.gid_array, gbm.maxgids, 2 * sizeof(GETGROUPS_T));
if (tmp == NULL) {
free(gbm.gid_array);
return -1;
}
gbm.gid_array = tmp;
gbm.maxgids <<= 1;
}
/* Note: we can only detect a too-small group list if nscd is not used. */
*groupsp = gbm.gid_array;
if (gbm.numgids <= gbm.maxgids) { if (gbm.numgids <= gbm.maxgids) {
*ngroupsp = gbm.numgids; *ngroupsp = gbm.numgids;
return 0; return 0;
@@ -269,22 +438,37 @@ sudo_getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp)
return -1; return -1;
} }
#else /* !HAVE_GETGRSET && !HAVE__GETGROUPSBYMEMBER */ #else /* !HAVE_GETGROUPLIST && !HAVE_GETGRSET && !HAVE__GETGROUPSBYMEMBER */
/* /*
* BSD-compatible getgrouplist(3) using getgrent(3) * Extended getgrouplist(3) using getgrent(3)
*/ */
int int
sudo_getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp) sudo_getgrouplist2_v1(const char *name, GETGROUPS_T basegid,
GETGROUPS_T **groupsp, int *ngroupsp)
{ {
int i, ngroups = 1; GETGROUPS_T *groups = *groupsp;
int grpsize = *ngroupsp; int grpsize = *ngroupsp;
int i, ngroups = 1;
int ret = -1; int ret = -1;
struct group *grp; struct group *grp;
if (groups == NULL) {
/* Dynamically-sized group vector. */
grpsize = (int)sysconf(_SC_NGROUPS_MAX);
if (grpsize < 0)
grpsize = NGROUPS_MAX;
groups = reallocarray(NULL, grpsize, 4 * sizeof(*groups));
if (groups == NULL)
return -1;
grpsize <<= 2;
} else {
/* Static group vector. */
if (grpsize <= 0)
return -1;
}
/* We support BSD semantics where the first element is the base gid */ /* We support BSD semantics where the first element is the base gid */
if (grpsize <= 0)
return -1;
groups[0] = basegid; groups[0] = basegid;
setgrent(); setgrent();
@@ -305,8 +489,23 @@ sudo_getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp)
break; break;
} }
if (i == ngroups) { if (i == ngroups) {
if (ngroups == grpsize) if (ngroups == grpsize) {
goto done; GETGROUPS_T *tmp;
if (*groupsp != NULL) {
/* Static group vector. */
goto done;
}
tmp = reallocarray(groups, grpsize, 2 * sizeof(*groups));
if (tmp == NULL) {
free(groups);
groups = NULL;
ngroups = 0;
goto done;
}
groups = tmp;
grpsize <<= 1;
}
groups[ngroups++] = grp->gr_gid; groups[ngroups++] = grp->gr_gid;
} }
} }
@@ -314,9 +513,9 @@ sudo_getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp)
done: done:
endgrent(); endgrent();
*groupsp = groups;
*ngroupsp = ngroups; *ngroupsp = ngroups;
return ret; return ret;
} }
#endif /* !HAVE_GETGRSET && !HAVE__GETGROUPSBYMEMBER */ #endif /* !HAVE_GETGROUPLIST && !HAVE_GETGRSET && !HAVE__GETGROUPSBYMEMBER */
#endif /* HAVE_GETGROUPLIST */

1
lib/util/util.exp.in
View File

@@ -69,6 +69,7 @@ sudo_fatal_callback_register_v1
sudo_fatal_nodebug_v1 sudo_fatal_nodebug_v1
sudo_fatalx_nodebug_v1 sudo_fatalx_nodebug_v1
sudo_get_ttysize_v1 sudo_get_ttysize_v1
sudo_getgrouplist2_v1
sudo_gethostname_v1 sudo_gethostname_v1
sudo_gettime_mono_v1 sudo_gettime_mono_v1
sudo_gettime_real_v1 sudo_gettime_real_v1