shadow/shadow-4.1.5.1-pam_group.patch

Date: Thu Apr  6 16:04:17 CEST 2017
Bug:  bnc#1031643
Upstream: https://github.com/shadow-maint/shadow/pull/74

dynamically added users via pam_group are not listed in groups
databases but are still valid.


Index: shadow-4.1.5.1/src/newgrp.c
===================================================================
--- shadow-4.1.5.1.orig/src/newgrp.c
+++ shadow-4.1.5.1/src/newgrp.c
@@ -372,6 +372,7 @@ int main (int argc, char **argv)
 {
 	bool initflag = false;
 	int i;
+	bool is_member = false;
 	bool cflag = false;
 	int err = 0;
 	gid_t gid;
@@ -610,6 +611,18 @@ int main (int argc, char **argv)
 		goto failure;
 	}
 
+#ifdef HAVE_SETGROUPS
+	/* when using pam_group, she will not be listed in the groups
+	 * database. However getgroups() will return the group. So 
+	 * if she is listed there already it is ok to grant membership.
+	 */
+	for (i = 0; i < ngroups; i++) {
+		if (grp->gr_gid == grouplist[i]) {
+			is_member = true;
+			break;
+		}
+	}
+#endif                          /* HAVE_SETGROUPS */
 	/*
 	 * For splitted groups (due to limitations of NIS), check all 
 	 * groups of the same GID like the requested group for
@@ -638,7 +651,9 @@ int main (int argc, char **argv)
 	/*
 	 * Check if the user is allowed to access this group.
 	 */
-	check_perms (grp, pwd, group);
+	if (!is_member) {
+		check_perms (grp, pwd, group);
+	}
 
 	/*
 	 * all successful validations pass through this point. The group id
Accepting request 497707 from home:adamm:branches:Base:System - New upstream version 4.5 - Refreshed patches: * shadow-login_defs.patch * chkname-regex.patch * getdef-new-defs.patch * useradd-mkdirs.patch - Upstreamed patches: * shadow-4.1.5.1-manfix.patch * shadow-4.1.5.1-errmsg.patch * shadow-4.1.5.1-backup-mode.patch * shadow-4.1.5.1-audit-owner.patch * shadow-4.2.1-defs-chroot.patch * shadow-4.2.1-merge-group.patch * Fix-user-busy-errors-at-userdel.patch * useradd-clear-tallylog.patch - shadow.keyring: update keyring with current maintainer's keyid only - Serge Hallyn 'F1D08DB778185BF784002DFFE9FEEA06A85E3F9D' - disable_new_audit_function.patch: Disable newer libaudit functionality for older distributions OBS-URL: https://build.opensuse.org/request/show/497707 OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=32 2017-05-23 12:25:13 +00:00			`Date: Thu Apr 6 16:04:17 CEST 2017`
			`Bug: bnc#1031643`
			`Upstream: https://github.com/shadow-maint/shadow/pull/74`

			`dynamically added users via pam_group are not listed in groups`
			`databases but are still valid.`


			`Index: shadow-4.1.5.1/src/newgrp.c`
			`===================================================================`
			`--- shadow-4.1.5.1.orig/src/newgrp.c`
			`+++ shadow-4.1.5.1/src/newgrp.c`
			`@@ -372,6 +372,7 @@ int main (int argc, char **argv)`
			`{`
			`bool initflag = false;`
			`int i;`
			`+ bool is_member = false;`
			`bool cflag = false;`
			`int err = 0;`
			`gid_t gid;`
			`@@ -610,6 +611,18 @@ int main (int argc, char **argv)`
			`goto failure;`
			`}`

			`+#ifdef HAVE_SETGROUPS`
			`+ /* when using pam_group, she will not be listed in the groups`
			`+ * database. However getgroups() will return the group. So`
			`+ * if she is listed there already it is ok to grant membership.`
			`+ */`
			`+ for (i = 0; i < ngroups; i++) {`
			`+ if (grp->gr_gid == grouplist[i]) {`
			`+ is_member = true;`
			`+ break;`
			`+ }`
			`+ }`
			`+#endif /* HAVE_SETGROUPS */`
			`/*`
			`* For splitted groups (due to limitations of NIS), check all`
			`* groups of the same GID like the requested group for`
			`@@ -638,7 +651,9 @@ int main (int argc, char **argv)`
			`/*`
			`* Check if the user is allowed to access this group.`
			`*/`
			`- check_perms (grp, pwd, group);`
			`+ if (!is_member) {`
			`+ check_perms (grp, pwd, group);`
			`+ }`

			`/*`
			`* all successful validations pass through this point. The group id`