isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add an administrative domain to the passwd/group cache key for

Browse Source 
AIX which can have different name <-> ID mappings depending
on whether the database is local, LDAP, etc.
This commit is contained in:
Todd C. Miller
2016-02-01 11:08:58 -07:00
parent 9b19ea440c
commit 6cbba7d665
10 changed files with 147 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
configure vendored
View File

@@ -14846,7 +14846,7 @@ done
COMMON_OBJS="${COMMON_OBJS} aix.lo" COMMON_OBJS="${COMMON_OBJS} aix.lo"
for _sym in aix_prep_user_v1 aix_restoreauthdb_v1 aix_setauthdb_v1; do for _sym in aix_prep_user_v1 aix_restoreauthdb_v1 aix_setauthdb_v1 aix_setauthdb_v2 aix_getauthregistry_v1; do
COMPAT_EXP="${COMPAT_EXP}${_sym} COMPAT_EXP="${COMPAT_EXP}${_sym}
" "
done done

2
configure.ac
View File

@@ -1749,7 +1749,7 @@ case "$host" in
[AC_CHECK_TYPES([authdb_t], [], [], [#include <usersec.h>])]) [AC_CHECK_TYPES([authdb_t], [], [], [#include <usersec.h>])])
COMMON_OBJS="${COMMON_OBJS} aix.lo" COMMON_OBJS="${COMMON_OBJS} aix.lo"
SUDO_APPEND_COMPAT_EXP(aix_prep_user_v1 aix_restoreauthdb_v1 aix_setauthdb_v1) SUDO_APPEND_COMPAT_EXP(aix_prep_user_v1 aix_restoreauthdb_v1 aix_setauthdb_v1 aix_setauthdb_v2 aix_getauthregistry_v1)
# These prototypes may be missing # These prototypes may be missing
AC_CHECK_DECLS([usrinfo], [], [], [ AC_CHECK_DECLS([usrinfo], [], [], [

5
include/sudo_util.h
View File

@@ -151,12 +151,15 @@
#endif #endif
/* aix.c */ /* aix.c */
__dso_public int aix_getauthregistry_v1(char *user, char *saved_registry);
#define aix_getauthregistry(_a, _b) aix_getauthregistry_v1((_a), (_b))
__dso_public int aix_prep_user_v1(char *user, const char *tty); __dso_public int aix_prep_user_v1(char *user, const char *tty);
#define aix_prep_user(_a, _b) aix_prep_user_v1((_a), (_b)) #define aix_prep_user(_a, _b) aix_prep_user_v1((_a), (_b))
__dso_public int aix_restoreauthdb_v1(void); __dso_public int aix_restoreauthdb_v1(void);
#define aix_restoreauthdb() aix_restoreauthdb_v1() #define aix_restoreauthdb() aix_restoreauthdb_v1()
__dso_public int aix_setauthdb_v1(char *user); __dso_public int aix_setauthdb_v1(char *user);
#define aix_setauthdb(_a) aix_setauthdb_v1((_a)) __dso_public int aix_setauthdb_v2(char *user, char *registry);
#define aix_setauthdb(_a, _b) aix_setauthdb_v2((_a), (_b))
/* gethostname.c */ /* gethostname.c */
__dso_public char *sudo_gethostname_v1(void); __dso_public char *sudo_gethostname_v1(void);

86
lib/util/aix.c
View File

@@ -133,7 +133,7 @@ aix_setlimits(char *user)
typedef char authdb_t[16]; typedef char authdb_t[16];
# endif # endif
/* The empty string means to access all defined administrative domains. */ /* The empty string means to access all defined authentication registries. */
static authdb_t old_registry; static authdb_t old_registry;
# if defined(HAVE_DECL_SETAUTHDB) && !HAVE_DECL_SETAUTHDB # if defined(HAVE_DECL_SETAUTHDB) && !HAVE_DECL_SETAUTHDB
@@ -144,41 +144,93 @@ int usrinfo(int cmd, char *buf, int count);
# endif # endif
/* /*
* Look up administrative domain for user (SYSTEM in /etc/security/user) and * Look up authentication registry for user (SYSTEM in /etc/security/user) and
* set it as the default for the process. This ensures that password and * set it as the default for the process. This ensures that password and
* group lookups are made against the correct source (files, NIS, LDAP, etc). * group lookups are made against the correct source (files, NIS, LDAP, etc).
* Does not modify errno even on error since callers do not check rval. * Does not modify errno even on error since callers do not check rval.
*/ */
int int
aix_setauthdb_v1(char *user) aix_getauthregistry_v1(char *user, char *saved_registry)
{ {
char *registry;
int serrno = errno; int serrno = errno;
int rval = -1; int rval = -1;
debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL) debug_decl(aix_getauthregistry, SUDO_DEBUG_UTIL)
saved_registry[0] = '\0';
if (user != NULL) { if (user != NULL) {
char *registry;
if (setuserdb(S_READ) != 0) { if (setuserdb(S_READ) != 0) {
sudo_warn(U_("unable to open userdb")); sudo_warn(U_("unable to open userdb"));
goto done; goto done;
} }
if (getuserattr(user, S_REGISTRY, &registry, SEC_CHAR) == 0) { rval = getuserattr(user, S_REGISTRY, &registry, SEC_CHAR);
if (setauthdb(registry, old_registry) != 0) { if (rval == 0) {
sudo_warn(U_("unable to switch to registry \"%s\" for %s"), /* sizeof(authdb_t) is guaranteed to be 16 */
registry, user); if (strlcpy(saved_registry, registry, 16) >= 16) {
goto done; sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"registry for user %s too long: %s", user, registry);
} }
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: saved authentication registry for user %s is %s",
__func__, user, saved_registry);
} }
enduserdb(); enduserdb();
} else {
/* Get the process-wide registry. */
rval = getauthdb(saved_registry);
} }
rval = 0;
done: done:
errno = serrno; errno = serrno;
debug_return_int(rval); debug_return_int(rval);
} }
/* /*
* Restore the saved administrative domain, if any. * Set the specified authentication registry for user (SYSTEM in
* /etc/security/user) and set it as the default for the process.
* This ensures that password and group lookups are made against
* the correct source (files, NIS, LDAP, etc).
* If registry is NULL, look it up based on the user name.
* Does not modify errno even on error since callers do not check rval.
*/
int
aix_setauthdb_v1(char *user)
{
return aix_setauthdb_v2(user, NULL);
}
int
aix_setauthdb_v2(char *user, char *registry)
{
authdb_t regbuf;
int serrno = errno;
int rval = -1;
debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL)
if (user != NULL) {
/* Look up authentication registry if one is not provided. */
if (registry == NULL) {
if (aix_getauthregistry(user, regbuf) != 0)
goto done;
registry = regbuf;
}
rval = setauthdb(registry, old_registry);
if (rval != 0) {
sudo_warn(U_("unable to switch to registry \"%s\" for %s"),
registry, user);
} else {
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: setting authentication registry to %s",
__func__, registry);
}
}
done:
errno = serrno;
debug_return_int(rval);
}
/*
* Restore the saved authentication registry, if any.
* Does not modify errno even on error since callers do not check rval. * Does not modify errno even on error since callers do not check rval.
*/ */
int int
@@ -191,7 +243,11 @@ aix_restoreauthdb_v1(void)
if (setauthdb(old_registry, NULL) != 0) { if (setauthdb(old_registry, NULL) != 0) {
sudo_warn(U_("unable to restore registry")); sudo_warn(U_("unable to restore registry"));
rval = -1; rval = -1;
} } else {
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: setting authentication registry to %s",
__func__, old_registry);
}
errno = serrno; errno = serrno;
debug_return_int(rval); debug_return_int(rval);
} }
@@ -215,8 +271,8 @@ aix_prep_user_v1(char *user, const char *tty)
free(info); free(info);
#ifdef HAVE_SETAUTHDB #ifdef HAVE_SETAUTHDB
/* set administrative domain */ /* set authentication registry */
if (aix_setauthdb(user) != 0) if (aix_setauthdb(user, NULL) != 0)
debug_return_int(-1); debug_return_int(-1);
#endif #endif

2
lib/util/getgrouplist.c
View File

@@ -62,7 +62,7 @@ sudo_getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp)
groups[0] = basegid; groups[0] = basegid;
#ifdef HAVE_SETAUTHDB #ifdef HAVE_SETAUTHDB
aix_setauthdb((char *) name); aix_setauthdb((char *) name, NULL);
#endif #endif
if ((grset = getgrset(name)) != NULL) { if ((grset = getgrset(name)) != NULL) {
char *last; char *last;

85
plugins/sudoers/pwutil.c
View File

@@ -56,6 +56,18 @@ static int cmp_grgid(const void *, const void *);
#define cmp_grnam cmp_pwnam #define cmp_grnam cmp_pwnam
/*
* AIX has the concept of authentication registries (files, NIS, LDAP, etc).
* This allows you to have separate ID <-> name mappings based on which
* authentication registries the user was looked up in.
* We store the registry as part of the key and use it when matching.
*/
#ifdef HAVE_SETAUTHDB
# define getauthregistry(u, r) aix_getauthregistry((u), (r))
#else
# define getauthregistry(u, r) ((r)[0] = '\0')
#endif
/* /*
* Compare by uid. * Compare by uid.
*/ */
@@ -64,6 +76,8 @@ cmp_pwuid(const void *v1, const void *v2)
{ {
const struct cache_item *ci1 = (const struct cache_item *) v1; const struct cache_item *ci1 = (const struct cache_item *) v1;
const struct cache_item *ci2 = (const struct cache_item *) v2; const struct cache_item *ci2 = (const struct cache_item *) v2;
if (ci1->k.uid == ci2->k.uid)
return strcmp(ci1->registry, ci2->registry);
return ci1->k.uid - ci2->k.uid; return ci1->k.uid - ci2->k.uid;
} }
@@ -75,7 +89,10 @@ cmp_pwnam(const void *v1, const void *v2)
{ {
const struct cache_item *ci1 = (const struct cache_item *) v1; const struct cache_item *ci1 = (const struct cache_item *) v1;
const struct cache_item *ci2 = (const struct cache_item *) v2; const struct cache_item *ci2 = (const struct cache_item *) v2;
return strcmp(ci1->k.name, ci2->k.name); int rval = strcmp(ci1->k.name, ci2->k.name);
if (rval == 0)
rval = strcmp(ci1->registry, ci2->registry);
return rval;
} }
void void
@@ -117,17 +134,20 @@ sudo_getpwuid(uid_t uid)
debug_decl(sudo_getpwuid, SUDOERS_DEBUG_NSS) debug_decl(sudo_getpwuid, SUDOERS_DEBUG_NSS)
key.k.uid = uid; key.k.uid = uid;
getauthregistry(IDtouser(uid), key.registry);
if ((node = rbfind(pwcache_byuid, &key)) != NULL) { if ((node = rbfind(pwcache_byuid, &key)) != NULL) {
item = node->data; item = node->data;
sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: uid %u -> user %s (cache hit)", sudo_debug_printf(SUDO_DEBUG_DEBUG,
__func__, (unsigned int)uid, item->d.pw->pw_name); "%s: uid %u [%s] -> user %s [%s] (cache hit)", __func__,
(unsigned int)uid, key.registry, item->d.pw->pw_name,
item->registry);
goto done; goto done;
} }
/* /*
* Cache passwd db entry if it exists or a negative response if not. * Cache passwd db entry if it exists or a negative response if not.
*/ */
#ifdef HAVE_SETAUTHDB #ifdef HAVE_SETAUTHDB
aix_setauthdb(IDtouser(uid)); aix_setauthdb(IDtouser(uid), key.registry);
#endif #endif
item = sudo_make_pwitem(uid, NULL); item = sudo_make_pwitem(uid, NULL);
#ifdef HAVE_SETAUTHDB #ifdef HAVE_SETAUTHDB
@@ -143,6 +163,7 @@ sudo_getpwuid(uid_t uid)
item->k.uid = uid; item->k.uid = uid;
/* item->d.pw = NULL; */ /* item->d.pw = NULL; */
} }
strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(pwcache_byuid, item, NULL)) { switch (rbinsert(pwcache_byuid, item, NULL)) {
case 1: case 1:
/* should not happen */ /* should not happen */
@@ -157,9 +178,10 @@ sudo_getpwuid(uid_t uid)
item->refcnt = 0; item->refcnt = 0;
break; break;
} }
sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: uid %u -> user %s (cached)", sudo_debug_printf(SUDO_DEBUG_DEBUG,
__func__, (unsigned int)uid, "%s: uid %u [%s] -> user %s [%s] (cached)", __func__,
item->d.pw ? item->d.pw->pw_name : "unknown"); (unsigned int)uid, key.registry,
item->d.pw ? item->d.pw->pw_name : "unknown", item->registry);
done: done:
item->refcnt++; item->refcnt++;
debug_return_ptr(item->d.pw); debug_return_ptr(item->d.pw);
@@ -176,17 +198,19 @@ sudo_getpwnam(const char *name)
debug_decl(sudo_getpwnam, SUDOERS_DEBUG_NSS) debug_decl(sudo_getpwnam, SUDOERS_DEBUG_NSS)
key.k.name = (char *) name; key.k.name = (char *) name;
getauthregistry((char *) name, key.registry);
if ((node = rbfind(pwcache_byname, &key)) != NULL) { if ((node = rbfind(pwcache_byname, &key)) != NULL) {
item = node->data; item = node->data;
sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: user %s -> uid %u (cache hit)", sudo_debug_printf(SUDO_DEBUG_DEBUG,
__func__, name, (unsigned int)item->d.pw->pw_uid); "%s: user %s [%s] -> uid %u [%s] (cache hit)", __func__, name,
key.registry, (unsigned int)item->d.pw->pw_uid, item->registry);
goto done; goto done;
} }
/* /*
* Cache passwd db entry if it exists or a negative response if not. * Cache passwd db entry if it exists or a negative response if not.
*/ */
#ifdef HAVE_SETAUTHDB #ifdef HAVE_SETAUTHDB
aix_setauthdb((char *) name); aix_setauthdb((char *) name, key.registry);
#endif #endif
item = sudo_make_pwitem((uid_t)-1, name); item = sudo_make_pwitem((uid_t)-1, name);
#ifdef HAVE_SETAUTHDB #ifdef HAVE_SETAUTHDB
@@ -203,6 +227,7 @@ sudo_getpwnam(const char *name)
memcpy(item->k.name, name, len); memcpy(item->k.name, name, len);
/* item->d.pw = NULL; */ /* item->d.pw = NULL; */
} }
strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(pwcache_byname, item, NULL)) { switch (rbinsert(pwcache_byname, item, NULL)) {
case 1: case 1:
/* should not happen */ /* should not happen */
@@ -215,8 +240,9 @@ sudo_getpwnam(const char *name)
item->refcnt = 0; item->refcnt = 0;
break; break;
} }
sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: user %s -> uid %d (cached)", sudo_debug_printf(SUDO_DEBUG_DEBUG,
__func__, name, item->d.pw ? (int)item->d.pw->pw_uid : -1); "%s: user %s [%s] -> uid %d [%s] (cached)", __func__, name,
key.registry, item->d.pw ? (int)item->d.pw->pw_uid : -1, item->registry);
done: done:
item->refcnt++; item->refcnt++;
debug_return_ptr(item->d.pw); debug_return_ptr(item->d.pw);
@@ -289,6 +315,7 @@ sudo_mkpwent(const char *user, uid_t uid, gid_t gid, const char *home,
item->k.name = pw->pw_name; item->k.name = pw->pw_name;
pwcache = pwcache_byname; pwcache = pwcache_byname;
} }
getauthregistry(NULL, item->registry);
switch (rbinsert(pwcache, item, &node)) { switch (rbinsert(pwcache, item, &node)) {
case 1: case 1:
/* Already exists. */ /* Already exists. */
@@ -385,6 +412,8 @@ cmp_grgid(const void *v1, const void *v2)
{ {
const struct cache_item *ci1 = (const struct cache_item *) v1; const struct cache_item *ci1 = (const struct cache_item *) v1;
const struct cache_item *ci2 = (const struct cache_item *) v2; const struct cache_item *ci2 = (const struct cache_item *) v2;
if (ci1->k.gid == ci2->k.gid)
return strcmp(ci1->registry, ci2->registry);
return ci1->k.gid - ci2->k.gid; return ci1->k.gid - ci2->k.gid;
} }
@@ -427,10 +456,13 @@ sudo_getgrgid(gid_t gid)
debug_decl(sudo_getgrgid, SUDOERS_DEBUG_NSS) debug_decl(sudo_getgrgid, SUDOERS_DEBUG_NSS)
key.k.gid = gid; key.k.gid = gid;
getauthregistry(NULL, key.registry);
if ((node = rbfind(grcache_bygid, &key)) != NULL) { if ((node = rbfind(grcache_bygid, &key)) != NULL) {
item = node->data; item = node->data;
sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: gid %u -> group %s (cache hit)", sudo_debug_printf(SUDO_DEBUG_DEBUG,
__func__, (unsigned int)gid, item->d.gr->gr_name); "%s: gid %u [%s] -> group %s [%s] (cache hit)", __func__,
(unsigned int)gid, key.registry, item->d.gr->gr_name,
item->registry);
goto done; goto done;
} }
/* /*
@@ -447,6 +479,7 @@ sudo_getgrgid(gid_t gid)
item->k.gid = gid; item->k.gid = gid;
/* item->d.gr = NULL; */ /* item->d.gr = NULL; */
} }
strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(grcache_bygid, item, NULL)) { switch (rbinsert(grcache_bygid, item, NULL)) {
case 1: case 1:
/* should not happen */ /* should not happen */
@@ -461,9 +494,10 @@ sudo_getgrgid(gid_t gid)
item->refcnt = 0; item->refcnt = 0;
break; break;
} }
sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: gid %u -> group %s (cached)", sudo_debug_printf(SUDO_DEBUG_DEBUG,
__func__, (unsigned int)gid, "%s: gid %u [%s] -> group %s [%s] (cached)", __func__,
item->d.gr ? item->d.gr->gr_name : "unknown"); (unsigned int)gid, key.registry,
item->d.gr ? item->d.gr->gr_name : "unknown", item->registry);
done: done:
item->refcnt++; item->refcnt++;
debug_return_ptr(item->d.gr); debug_return_ptr(item->d.gr);
@@ -480,10 +514,12 @@ sudo_getgrnam(const char *name)
debug_decl(sudo_getgrnam, SUDOERS_DEBUG_NSS) debug_decl(sudo_getgrnam, SUDOERS_DEBUG_NSS)
key.k.name = (char *) name; key.k.name = (char *) name;
getauthregistry(NULL, key.registry);
if ((node = rbfind(grcache_byname, &key)) != NULL) { if ((node = rbfind(grcache_byname, &key)) != NULL) {
item = node->data; item = node->data;
sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: group %s -> gid %u (cache hit)", sudo_debug_printf(SUDO_DEBUG_DEBUG,
__func__, name, (unsigned int)item->d.gr->gr_gid); "%s: group %s [%s] -> gid %u [%s] (cache hit)", __func__, name,
key.registry, (unsigned int)item->d.gr->gr_gid, item->registry);
goto done; goto done;
} }
/* /*
@@ -501,6 +537,7 @@ sudo_getgrnam(const char *name)
memcpy(item->k.name, name, len); memcpy(item->k.name, name, len);
/* item->d.gr = NULL; */ /* item->d.gr = NULL; */
} }
strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(grcache_byname, item, NULL)) { switch (rbinsert(grcache_byname, item, NULL)) {
case 1: case 1:
/* should not happen */ /* should not happen */
@@ -513,8 +550,9 @@ sudo_getgrnam(const char *name)
item->refcnt = 0; item->refcnt = 0;
break; break;
} }
sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: group %s -> gid %d (cache hit)", sudo_debug_printf(SUDO_DEBUG_DEBUG,
__func__, name, item->d.gr ? (int)item->d.gr->gr_gid : -1); "%s: group %s [%s] -> gid %d [%s] (cache hit)", __func__, name,
key.registry, item->d.gr ? (int)item->d.gr->gr_gid : -1, item->registry);
done: done:
item->refcnt++; item->refcnt++;
debug_return_ptr(item->d.gr); debug_return_ptr(item->d.gr);
@@ -569,6 +607,7 @@ sudo_fakegrnam(const char *group)
gritem->cache.k.name = gr->gr_name; gritem->cache.k.name = gr->gr_name;
grcache = grcache_byname; grcache = grcache_byname;
} }
getauthregistry(NULL, item->registry);
switch (rbinsert(grcache, item, &node)) { switch (rbinsert(grcache, item, &node)) {
case 1: case 1:
/* Already exists. */ /* Already exists. */
@@ -680,6 +719,7 @@ sudo_get_grlist(const struct passwd *pw)
debug_decl(sudo_get_grlist, SUDOERS_DEBUG_NSS) debug_decl(sudo_get_grlist, SUDOERS_DEBUG_NSS)
key.k.name = pw->pw_name; key.k.name = pw->pw_name;
getauthregistry(pw->pw_name, key.registry);
if ((node = rbfind(grlist_cache, &key)) != NULL) { if ((node = rbfind(grlist_cache, &key)) != NULL) {
item = node->data; item = node->data;
goto done; goto done;
@@ -692,6 +732,7 @@ sudo_get_grlist(const struct passwd *pw)
/* Out of memory? */ /* Out of memory? */
debug_return_ptr(NULL); debug_return_ptr(NULL);
} }
strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(grlist_cache, item, NULL)) { switch (rbinsert(grlist_cache, item, NULL)) {
case 1: case 1:
/* should not happen */ /* should not happen */
@@ -730,11 +771,13 @@ sudo_set_grlist(struct passwd *pw, char * const *groups, char * const *gids)
* Cache group db entry if it doesn't already exist * Cache group db entry if it doesn't already exist
*/ */
key.k.name = pw->pw_name; key.k.name = pw->pw_name;
getauthregistry(NULL, key.registry);
if ((node = rbfind(grlist_cache, &key)) == NULL) { if ((node = rbfind(grlist_cache, &key)) == NULL) {
if ((item = sudo_make_grlist_item(pw, groups, gids)) == NULL) { if ((item = sudo_make_grlist_item(pw, groups, gids)) == NULL) {
sudo_warnx(U_("unable to parse groups for %s"), pw->pw_name); sudo_warnx(U_("unable to parse groups for %s"), pw->pw_name);
debug_return_int(-1); debug_return_int(-1);
} }
strlcpy(item->registry, key.registry, sizeof(item->registry));
switch (rbinsert(grlist_cache, item, NULL)) { switch (rbinsert(grlist_cache, item, NULL)) {
case 1: case 1:
sudo_warnx(U_("unable to cache group list for %s, already exists"), sudo_warnx(U_("unable to cache group list for %s, already exists"),

1
plugins/sudoers/pwutil.h
View File

@@ -24,6 +24,7 @@
*/ */
struct cache_item { struct cache_item {
unsigned int refcnt; unsigned int refcnt;
char registry[16];
/* key */ /* key */
union { union {
uid_t uid; uid_t uid;

6
plugins/sudoers/pwutil_impl.c
View File

@@ -68,7 +68,7 @@ do { \
* Dynamically allocate space for a struct item plus the key and data * Dynamically allocate space for a struct item plus the key and data
* elements. If name is non-NULL it is used as the key, else the * elements. If name is non-NULL it is used as the key, else the
* uid is the key. Fills in datum from struct password. * uid is the key. Fills in datum from struct password.
* Returns NULL on malloc error or unknown name/id, setting errno * Returns NULL on calloc error or unknown name/id, setting errno
* to ENOMEM or ENOENT respectively. * to ENOMEM or ENOENT respectively.
*/ */
struct cache_item * struct cache_item *
@@ -151,7 +151,7 @@ sudo_make_pwitem(uid_t uid, const char *name)
* Dynamically allocate space for a struct item plus the key and data * Dynamically allocate space for a struct item plus the key and data
* elements. If name is non-NULL it is used as the key, else the * elements. If name is non-NULL it is used as the key, else the
* gid is the key. Fills in datum from struct group. * gid is the key. Fills in datum from struct group.
* Returns NULL on malloc error or unknown name/id, setting errno * Returns NULL on calloc error or unknown name/id, setting errno
* to ENOMEM or ENOENT respectively. * to ENOMEM or ENOENT respectively.
*/ */
struct cache_item * struct cache_item *
@@ -338,7 +338,7 @@ again:
*/ */
#ifdef HAVE_SETAUTHDB #ifdef HAVE_SETAUTHDB
if (grp == NULL) if (grp == NULL)
aix_setauthdb((char *) pw->pw_name); aix_setauthdb((char *) pw->pw_name, NULL);
#endif #endif
ngroups = 0; ngroups = 0;
for (i = 0; i < ngids; i++) { for (i = 0; i < ngids; i++) {

6
plugins/sudoers/set_perms.c
View File

@@ -1573,13 +1573,7 @@ runas_setgroups(void)
} }
pw = runas_pw ? runas_pw : sudo_user.pw; pw = runas_pw ? runas_pw : sudo_user.pw;
#ifdef HAVE_SETAUTHDB
aix_setauthdb(pw->pw_name);
#endif
grlist = sudo_get_grlist(pw); grlist = sudo_get_grlist(pw);
#ifdef HAVE_SETAUTHDB
aix_restoreauthdb();
#endif
if (grlist != NULL) { if (grlist != NULL) {
if (sudo_setgroups(grlist->ngids, grlist->gids) < 0) { if (sudo_setgroups(grlist->ngids, grlist->gids) < 0) {
sudo_grlist_delref(grlist); sudo_grlist_delref(grlist);

2
src/sudo.c
View File

@@ -803,7 +803,7 @@ command_info_to_details(char * const info[], struct command_details *details)
details->egid = details->gid; details->egid = details->gid;
#ifdef HAVE_SETAUTHDB #ifdef HAVE_SETAUTHDB
aix_setauthdb(IDtouser(details->euid)); aix_setauthdb(IDtouser(details->euid), NULL);
#endif #endif
details->pw = getpwuid(details->euid); details->pw = getpwuid(details->euid);
if (details->pw != NULL && (details->pw = pw_dup(details->pw)) == NULL) if (details->pw != NULL && (details->pw = pw_dup(details->pw)) == NULL)