client-auth.c: Fix authentication denial for valid logins #342
From the getgrouplist man page on my Mac:
OpenBSD's implementation seems to match macOS:
But glibc's implementation is different:
The fact that you are seeing issues with 32 groups means we need to increase the size of that array, too.
Go ahead and increase the size of the "groups" array to 256 elements.
We can do that too for sure, but the issue was with the condition - the function probably returns 0 only when the user would not be in any group (IMHO that is not possible if the user exists, so it is not mentioned in the man page), so it returned non-zero for my user (a positive number of groups, since I'm not in more than 32 groups), so the execution got into the if scope and returned failure.
See comments. We obviously need to do something here but need to be careful because getgrouplist is not POSIX.
According to the man pages, `getgrouplist()` always returns a non-zero number, so we only have to handle the case when the user is in more groups than we have a static array for.
@michaelrsweet the message in the Changelog is incorrect - it was not an issue about the user being in more than 32 groups. Auth failed if the user was in any group (the function returned the number of groups he's in) with glibc.

[v1.4.x cf6c821] Update the changelog for the getgrouplist fix.
According to the man pages, `getgrouplist()` always returns a non-zero number, so we only have to handle the case when the user is in more groups than we have a static array for.

This happens when you run a PAPPL-based printer application with `-o auth-service=password-auth -o admin-group=wheel`.
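The return-value difference discussed in this thread, as an added example that is not PAPPL's code: `legacy_failed()` is a constructed stand-in for the "any non-zero return is a failure" condition described above, and `portable_failed()` treats only a negative return as "array too small". It assumes the glibc prototype (`gid_t` arguments); the function names, starting size and retry limit are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#  define _DEFAULT_SOURCE        /* exposes getgrouplist() in glibc's <grp.h> */
#endif
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>

/* Check shape described in the thread: any non-zero return counts as failure.
 * Right where success is 0 (macOS, OpenBSD), wrong on glibc, where success
 * is the number of groups stored in the array. */
static int legacy_failed(int rc)   { return rc != 0; }

/* Portable reading: only a negative return means the array was too small. */
static int portable_failed(int rc) { return rc < 0; }

/* Returns 1 if `wanted` is among the user's groups, 0 if not, -1 on error.
 * Grows the buffer on demand instead of relying on a fixed-size array. */
static int user_in_group(const char *user, gid_t primary, gid_t wanted)
{
  int cap = 32;                  /* starting size, constructed for this example */

  for (int tries = 0; tries < 8; tries++)
  {
    gid_t *groups = malloc((size_t)cap * sizeof(gid_t));
    int   n = cap, found = 0;

    if (!groups)
      return (-1);

    if (!portable_failed(getgrouplist(user, primary, groups, &n)))
    {
      for (int i = 0; i < n; i++)
        if (groups[i] == wanted)
          found = 1;
      free(groups);
      return (found);
    }

    free(groups);
    /* glibc reports the needed count in n; fall back to doubling otherwise. */
    cap = n > cap ? n : cap * 2;
  }
  return (-1);                   /* fail closed: membership could not be read */
}
```

An authorization check built on this should deny access when `user_in_group()` returns anything other than 1.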