From 20baa390071c3f98a417800b4782357e95aaaac0 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 14 Aug 2023 16:29:15 -0600
Subject: [PATCH] Move max_groups out of sudoers_user_context and into pwutil.c.
It is only used by the local password pwutil implementation.
---
 plugins/sudoers/policy.c | 6 ++++--
 plugins/sudoers/pwutil.c | 16 ++++++++++++++++
 plugins/sudoers/pwutil_impl.c | 9 ++++-----
 plugins/sudoers/sudoers.h | 3 ++-
 4 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index 6971bbf5c..7396f1fba 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -360,13 +360,15 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 continue;
 }
 if (MATCHES(*cur, "max_groups=")) {
+ int max_groups;
 errno = 0;
 p = *cur + sizeof("max_groups=") - 1;
- user_ctx.max_groups = (int)sudo_strtonum(p, 1, 1024, &errstr);
- if (user_ctx.max_groups == 0) {
+ max_groups = (int)sudo_strtonum(p, 1, 1024, &errstr);
+ if (max_groups == 0) {
 sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
 goto bad;
 }
+ sudo_pwutil_set_max_groups(max_groups);
 continue;
 }
 if (MATCHES(*cur, "remote_host=")) {
diff --git a/plugins/sudoers/pwutil.c b/plugins/sudoers/pwutil.c
index 24207990d..e29dd7c43 100644
--- a/plugins/sudoers/pwutil.c
+++ b/plugins/sudoers/pwutil.c
@@ -58,6 +58,8 @@ static int cmp_pwuid(const void *, const void *);
 static int cmp_pwnam(const void *, const void *);
 static int cmp_grgid(const void *, const void *);
+static int max_groups;
+
 /*
 * Default functions for building cache items.
 */
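Review bot: The parsed limit now lands in a file-static inside pwutil.c instead of the per-invocation user_ctx, so `sudo_pwutil_set_max_groups(max_groups);` leaves a value that outlives this call. If sudoers_policy_deserialize_info() can run more than once in the same process (I cannot tell from the hunk), a later call whose settings omit `max_groups=` would keep the earlier limit, which the old context field did not do. Clearing it before the option loop, `sudo_pwutil_set_max_groups(0);` (outside this hunk), would keep the old per-invocation semantics. sudoers_policy_deserialize_info() starts and ends outside this hunk.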
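Review bot: `static int max_groups;` is added without a comment, and what 0 means is stated only on the accessor further down the file. A one-line comment at the definition, `/* Max groups to query per user; 0 means unset. */`, keeps the contract next to the data.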
@@ -102,6 +104,20 @@ sudo_pwutil_set_backend(sudo_make_pwitem_t pwitem, sudo_make_gritem_t gritem,
 debug_return;
 }
+/* Get the max number of user groups if set, or 0 if not set. */
+int
+sudo_pwutil_get_max_groups(void)
+{
+ return max_groups;
+}
+
+/* Set the max number of user groups (negative values ignored). */
+void
+sudo_pwutil_set_max_groups(int n)
+{
+ max_groups = n > 0 ? n : 0;
+}
+
 /*
 * Compare by user-ID.
 * v1 is the key to find or data to insert, v2 is in-tree data.
diff --git a/plugins/sudoers/pwutil_impl.c b/plugins/sudoers/pwutil_impl.c
index f23191c93..097e6f682 100644
--- a/plugins/sudoers/pwutil_impl.c
+++ b/plugins/sudoers/pwutil_impl.c
@@ -299,17 +299,16 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
 type = ENTRY_TYPE_FRONTEND;
 } else {
 type = ENTRY_TYPE_QUERIED;
- if (user_ctx.max_groups > 0) {
- ngids = user_ctx.max_groups;
+ ngids = sudo_pwutil_get_max_groups();
+ if (ngids > 0) {
 gids = reallocarray(NULL, (size_t)ngids, sizeof(GETGROUPS_T));
 if (gids == NULL) {
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 "unable to allocate memory");
 debug_return_ptr(NULL);
 }
- /* Clamp to max_groups if insufficient space for all groups. */
- if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1)
- ngids = user_ctx.max_groups;
+ /* getgrouplist2() returns failure if it can't store all groups. */
+ (void)PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids);
 } else {
 gids = NULL;
 if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1) {
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index 7cc37fd70..4c50d36b7 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -109,7 +109,6 @@ struct sudoers_user_context {
 int closefrom;
 int lines;
 int cols;
- int max_groups;
 int timeout;
 mode_t umask;
 uid_t uid;
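Review bot: The comment on sudo_pwutil_set_max_groups() says negative values are ignored, but `max_groups = n > 0 ? n : 0;` stores 0 for any n <= 0, so a negative or zero argument clears a previously set limit rather than leaving it alone. Either the wording or the code should change: if clearing is intended, `/* Set the max number of user groups; n <= 0 clears the limit. */` describes what the code does, and if ignoring is intended, `if (n > 0) max_groups = n;`. The only caller visible in this patch (policy.c) passes values in 1..1024, so the two readings currently coincide.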
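Review bot: Dropping the clamp after `(void)PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids);` goes beyond moving the variable, and its safety rests on what getgrouplist2() leaves in ngids when it fails. The hunk does not show that contract; if, like getgrouplist(3) on some platforms, it reports the number of groups needed, ngids can exceed the reallocarray() size and later reads of gids[] (outside this hunk) would run past the buffer, which the old `ngids = user_ctx.max_groups;` prevented. Unless the failure path is known to leave ngids within the allocation, keep the clamp with the new accessor, `if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1)` / `ngids = sudo_pwutil_get_max_groups();`, or state the guarantee in the replacement comment. make_gidlist_item() starts and ends outside this hunk.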
@@ -324,6 +323,8 @@ void sudo_pw_addref(struct passwd *);
 void sudo_pw_delref(struct passwd *);
 int sudo_set_gidlist(struct passwd *pw, char * const *gids, unsigned int type);
 int sudo_set_grlist(struct passwd *pw, char * const *groups);
+int sudo_pwutil_get_max_groups(void);
+void sudo_pwutil_set_max_groups(int);
 void sudo_pwutil_set_backend(sudo_make_pwitem_t, sudo_make_gritem_t,
 sudo_make_gidlist_item_t, sudo_make_grlist_item_t);
 void sudo_setspent(void);
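Review bot: The two new prototypes carry no comment, and the value's contract (0 means unset, values come from the `max_groups=` front-end option, and per the commit message only the local pwutil backend honours it) is spread across pwutil.c and policy.c. A comment above them such as `/* Max groups queried per user by the local pwutil backend; 0 means unset. */` would let a reader of the header see that without opening both files.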