Move max_groups out of sudoers_user_context and into pwutil.c.

It is only used by the local password pwutil implementation.

plugins/sudoers/policy.c

@@ -360,13 +360,15 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 	    continue;
 	}
 	if (MATCHES(*cur, "max_groups=")) {
+	    int max_groups;
 	    errno = 0;
 	    p = *cur + sizeof("max_groups=") - 1;
-	    user_ctx.max_groups = (int)sudo_strtonum(p, 1, 1024, &errstr);
+	    max_groups = (int)sudo_strtonum(p, 1, 1024, &errstr);
-	    if (user_ctx.max_groups == 0) {
+	    if (max_groups == 0) {
 		sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
 		goto bad;
 	    }
+	    sudo_pwutil_set_max_groups(max_groups);
 	    continue;
 	}
 	if (MATCHES(*cur, "remote_host=")) {

plugins/sudoers/pwutil.c

@@ -58,6 +58,8 @@ static int  cmp_pwuid(const void *, const void *);
 static int  cmp_pwnam(const void *, const void *);
 static int  cmp_grgid(const void *, const void *);
 
+static int max_groups;
+
 /*
  * Default functions for building cache items.
  */
@@ -102,6 +104,20 @@ sudo_pwutil_set_backend(sudo_make_pwitem_t pwitem, sudo_make_gritem_t gritem,
     debug_return;
 }
 
+/* Get the max number of user groups if set, or 0 if not set. */
+int
+sudo_pwutil_get_max_groups(void)
+{
+    return max_groups;
+}
+
+/* Set the max number of user groups (negative values ignored). */
+void
+sudo_pwutil_set_max_groups(int n)
+{
+    max_groups = n > 0 ? n : 0;
+}
+
 /*
  * Compare by user-ID.
  * v1 is the key to find or data to insert, v2 is in-tree data.

plugins/sudoers/pwutil_impl.c

@@ -299,17 +299,16 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
 	type = ENTRY_TYPE_FRONTEND;
     } else {
 	type = ENTRY_TYPE_QUERIED;
-	if (user_ctx.max_groups > 0) {
+	ngids = sudo_pwutil_get_max_groups();
-	    ngids = user_ctx.max_groups;
+	if (ngids > 0) {
 	    gids = reallocarray(NULL, (size_t)ngids, sizeof(GETGROUPS_T));
 	    if (gids == NULL) {
 		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		    "unable to allocate memory");
 		debug_return_ptr(NULL);
 	    }
-	    /* Clamp to max_groups if insufficient space for all groups. */
+	    /* getgrouplist2() returns failure if it can't store all groups. */
-	    if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1)
+	    (void)PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids);
-		ngids = user_ctx.max_groups;
 	} else {
 	    gids = NULL;
 	    if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1) {

plugins/sudoers/sudoers.h

@@ -109,7 +109,6 @@ struct sudoers_user_context {
     int   closefrom;
     int   lines;
     int   cols;
-    int   max_groups;
     int   timeout;
     mode_t umask;
     uid_t uid;
@@ -324,6 +323,8 @@ void sudo_pw_addref(struct passwd *);
 void sudo_pw_delref(struct passwd *);
 int  sudo_set_gidlist(struct passwd *pw, char * const *gids, unsigned int type);
 int  sudo_set_grlist(struct passwd *pw, char * const *groups);
+int  sudo_pwutil_get_max_groups(void);
+void sudo_pwutil_set_max_groups(int);
 void sudo_pwutil_set_backend(sudo_make_pwitem_t, sudo_make_gritem_t, sudo_make_gidlist_item_t, sudo_make_grlist_item_t);
 void sudo_setspent(void);