Don't assume that getgrnam() calls don't modify contents of
struct passwd returned by getpwnam(). On FreeBSD w/ NIS this can happen. Based on a patch from Kirk Webb.
18
parse.c
18
parse.c
@@ -443,25 +443,27 @@ usergr_matches(group, user)
|
|||||||
{
|
{
|
||||||
struct group *grp;
|
struct group *grp;
|
||||||
struct passwd *pw;
|
struct passwd *pw;
|
||||||
|
gid_t pw_gid;
|
||||||
char **cur;
|
char **cur;
|
||||||
|
|
||||||
/* make sure we have a valid usergroup, sudo style */
|
/* make sure we have a valid usergroup, sudo style */
|
||||||
if (*group++ != '%')
|
if (*group++ != '%')
|
||||||
return(FALSE);
|
return(FALSE);
|
||||||
|
|
||||||
|
/* look up user's primary gid in the passwd file (XXX - reduce lookups) */
|
||||||
|
if ((pw = getpwnam(user)) == NULL)
|
||||||
|
return(FALSE);
|
||||||
|
pw_gid = pw->pw_gid;
|
||||||
|
|
||||||
if ((grp = getgrnam(group)) == NULL)
|
if ((grp = getgrnam(group)) == NULL)
|
||||||
return(FALSE);
|
return(FALSE);
|
||||||
|
|
||||||
/*
|
/* check against user's primary (passwd file) gid */
|
||||||
* Check against user's real gid as well as group's user list
|
if (grp->gr_gid == pw_gid)
|
||||||
*/
|
|
||||||
if ((pw = getpwnam(user)) == NULL)
|
|
||||||
return(FALSE);
|
|
||||||
|
|
||||||
if (grp->gr_gid == pw->pw_gid)
|
|
||||||
return(TRUE);
|
return(TRUE);
|
||||||
|
|
||||||
for (cur=grp->gr_mem; *cur; cur++) {
|
/* check to see if user is explicitly listed in the group */
|
||||||
|
for (cur = grp->gr_mem; *cur; cur++) {
|
||||||
if (strcmp(*cur, user) == 0)
|
if (strcmp(*cur, user) == 0)
|
||||||
return(TRUE);
|
return(TRUE);
|
||||||
}
|
}
|
||||||
|
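Review bot: Nothing in the new code says why `pw->pw_gid` is copied into `pw_gid` before `getgrnam()` runs, and `pw` stays in scope afterwards, so a later edit could dereference it again and reintroduce the stale read in this `%group` match. A comment above the assignment would pin it down, e.g. `/* copy now: getgrnam() may overwrite the static passwd data pw points to (FreeBSD w/ NIS) */`. The same hazard may apply to `user` in the `strcmp()` loop if a caller passes a string that lives inside a static passwd entry; the callers are not visible here, so that needs checking. usergr_matches begins before this hunk and continues past its end.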