New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

take supplementary groups into account #168

Open

r5r3 wants to merge 1 commit into google:master from r5r3:master

r5r3 commented May 26, 2020

Fix for issue #167.
The changes certainly needs to be properly reviewed.


          take supplementary groups into account

916de0a

googlebot commented May 26, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers

It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

googlebot added the cla: no label

Author

r5r3 commented May 26, 2020

@googlebot I signed it!

googlebot commented May 26, 2020

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

googlebot added cla: yes and removed cla: no labels

ThomasHabets requested changes

View reviewed changes

Collaborator

ThomasHabets left a comment

Nice work.

src/pam_google_authenticator.c

+                // get number of groups for the user
+                GroupList user_groups;
+                user_groups.n_groups = 0;
+                int err = getgrouplist(username, gid, NULL, &user_groups.n_groups);

Collaborator

ThomasHabets May 26, 2020

Also check for the error.

src/pam_google_authenticator.c

+                }
+                // store the old list of groups of this process
+                old_groups->n_groups = getgroups(0, NULL);

Collaborator

ThomasHabets May 26, 2020

check for error (-1 return value)

src/pam_google_authenticator.c

                 gid_t gid = pw->pw_gid;
                 free(buf);
+                // to access the secret file, we may have to be member of the same groups as the

Collaborator

ThomasHabets May 26, 2020

Break out all this grouplist fetching into its own function, so that it's easy to follow the failure path, that should presumably be to degrade to the current behaviour of no extra groups.

Bonus points for hiding this behind a HAVE_SETGROUPLIST since it's apparently nonstandard.

src/pam_google_authenticator.c

+                // store the old list of groups of this process
+                old_groups->n_groups = getgroups(0, NULL);
+                old_groups->gids = malloc(sizeof(gid_t)*old_groups->n_groups);

Collaborator

ThomasHabets May 26, 2020

check for malloc fail.

Also above.

src/pam_google_authenticator.c

+                // store the old list of groups of this process
+                old_groups->n_groups = getgroups(0, NULL);
+                old_groups->gids = malloc(sizeof(gid_t)*old_groups->n_groups);
+                err = getgroups(old_groups->n_groups, old_groups->gids);

Collaborator

ThomasHabets May 26, 2020

From the manpage:

       It is unspecified whether the effective group ID of the calling process
       is included in the returned list.  (Thus, an  application  should  also
       call getegid(2) and add or remove the resulting value.)

Are we already capturing this using old_gid, so no need?

src/pam_google_authenticator.c

+                }
+                // cleanup user group list
+                free(user_groups.gids);
+                user_groups.n_groups = -1;

Collaborator

ThomasHabets May 26, 2020

why not 0?

Well, if this is in its own function then this auto variable will go out of scope anyway.

src/pam_google_authenticator.c

@@ @@ -2132,6 +2174,13 @@ static int google_authenticator(pam_handle_t *pamh, @@
                                 "but can't switch back", old_uid, uid);
                   }
                 }
+                // restore old supplementary groups for process
+                if (old_groups.n_groups > 0) {

Collaborator

ThomasHabets May 26, 2020

If the list is empty we still want to call setgroups(), no? That is, we want to drop whatever groups we added before.

Author

r5r3 May 28, 2020

I think when we make sure that the effective group is taken into account, then the list can never be empty. Except for platforms where not all functions are available. I will make sure that this case is also handled correctly.

Collaborator

ThomasHabets commented May 26, 2020

And you've confirmed that this fixes the issue for you?

ThomasHabets added the enhancement label

Author

r5r3 commented May 28, 2020

Thank you for your comments! I will move my changes into a separate function and hide it behind HAVE_SETGROUPLIST.

I can also confirm that the issue #167 is solved when supplementary groups are taken into account.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cla: yes enhancement