isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Define _DARWIN_UNLIMITED_GETGROUPS on macOS to suport > 16 groups.

Browse Source 
On macOS 10.6 and above, getgroups(2) can return more than NGROUPS_MAX
if _DARWIN_UNLIMITED_GETGROUPS or _DARWIN_C_SOURCE is defined.
Bug #946
This commit is contained in:
Todd C. Miller
2020-12-07 13:15:25 -07:00
parent 1cdc4716c2
commit 0e3e13d872
4 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
config.h.in
View File

@@ -1371,6 +1371,11 @@
# undef _LINUX_SOURCE_COMPAT
#endif
/* Enable unlimited getgroups(2) support on macOS. */
#ifndef _DARWIN_UNLIMITED_GETGROUPS
# undef _DARWIN_UNLIMITED_GETGROUPS
#endif
/* Enable prototypes in GCC fixed includes on older systems. */
#ifndef __USE_FIXED_PROTOTYPES__
# undef __USE_FIXED_PROTOTYPES__

4
configure vendored
View File

@@ -16183,6 +16183,10 @@ fi
done
# macOS >= 10.6 getgroups(2) can support more than > 16 groups
$as_echo "#define _DARWIN_UNLIMITED_GETGROUPS 1" >>confdefs.h
# We need to force a flat namespace to make libc
# symbol hooking work like it does on ELF.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-force_flat_namespace" >&5

8
configure.ac
View File

@@ -2292,6 +2292,9 @@ case "$host" in
# Undocumented API that dynamically allocates the groups.
AC_CHECK_FUNCS([getgrouplist_2], [AC_CHECK_DECLS([getgrouplist_2])])
# macOS >= 10.6 getgroups(2) can support more than > 16 groups
AC_DEFINE([_DARWIN_UNLIMITED_GETGROUPS])
# We need to force a flat namespace to make libc
# symbol hooking work like it does on ELF.
AX_CHECK_LINK_FLAG([-Wl,-force_flat_namespace], [AX_APPEND_FLAG([-Wl,-force_flat_namespace], [SUDO_LDFLAGS])])
@@ -5019,6 +5022,11 @@ AH_BOTTOM([/* Symbol visibility controls */
# undef _LINUX_SOURCE_COMPAT
#endif
/* Enable unlimited getgroups(2) support on macOS. */
#ifndef _DARWIN_UNLIMITED_GETGROUPS
# undef _DARWIN_UNLIMITED_GETGROUPS
#endif
/* Enable prototypes in GCC fixed includes on older systems. */
#ifndef __USE_FIXED_PROTOTYPES__
# undef __USE_FIXED_PROTOTYPES__

5
src/sudo.c
View File

@@ -431,9 +431,10 @@ get_user_groups(struct user_details *ud)
if (maxgroups < 0)
maxgroups = NGROUPS_MAX;
/* Note that macOS may return ngroups > NGROUPS_MAX. */
if ((ud->ngroups = getgroups(0, NULL)) > 0) {
/* Use groups from kernel if not too many or source is static. */
if (ud->ngroups < maxgroups || group_source == GROUP_SOURCE_STATIC) {
/* Use groups from kernel if not at limit or source is static. */
if (ud->ngroups != maxgroups || group_source == GROUP_SOURCE_STATIC) {
ud->groups = reallocarray(NULL, ud->ngroups, sizeof(GETGROUPS_T));
if (ud->groups == NULL)
goto done;