X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/23c2a7a5276426c153d5b7bdc10635e145a624b2..d03186af8de9b660564ccc1804d2a9c2e93b2e58:/groupaccess.c diff --git a/groupaccess.c b/groupaccess.c index ac9e00ac..2381aeb1 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -1,5 +1,4 @@ -/* $OpenBSD: groupaccess.c,v 1.3 2001/01/29 01:58:15 niklas Exp $ */ - +/* $OpenBSD: groupaccess.c,v 1.13 2008/07/04 03:44:59 djm Exp $ */ /* * Copyright (c) 2001 Kevin Steves. All rights reserved. * @@ -26,33 +25,57 @@ #include "includes.h" -#include "groupaccess.h" +#include +#include + +#include +#include +#include +#include + #include "xmalloc.h" +#include "groupaccess.h" #include "match.h" #include "log.h" static int ngroups; -static char *groups_byname[NGROUPS_MAX + 1]; /* +1 for base/primary group */ +static char **groups_byname; +/* + * Initialize group access list for user with primary (base) and + * supplementary groups. Return the number of groups in the list. + */ int ga_init(const char *user, gid_t base) { - gid_t groups_bygid[NGROUPS_MAX + 1]; + gid_t *groups_bygid; int i, j; struct group *gr; if (ngroups > 0) ga_free(); - ngroups = sizeof(groups_bygid) / sizeof(gid_t); + ngroups = NGROUPS_MAX; +#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX) + ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX)); +#endif + + groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid)); + groups_byname = xcalloc(ngroups, sizeof(*groups_byname)); + if (getgrouplist(user, base, groups_bygid, &ngroups) == -1) - log("getgrouplist: groups list too small"); + logit("getgrouplist: groups list too small"); for (i = 0, j = 0; i < ngroups; i++) if ((gr = getgrgid(groups_bygid[i])) != NULL) groups_byname[j++] = xstrdup(gr->gr_name); + xfree(groups_bygid); return (ngroups = j); } +/* + * Return 1 if one of user's groups is contained in groups. + * Return 0 otherwise. Use match_pattern() for string comparison. + */ int ga_match(char * const *groups, int n) { 
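Review bot: When getgrouplist() returns -1 in ga_init, the new code only logs and then still loops up to `ngroups`, which the call may have rewritten. On implementations that store the required count there, `i` can run past the `xcalloc`ed `groups_bygid` and `j` past `groups_byname`. The new size is also `NGROUPS_MAX`, without the `+ 1` for the base group that the removed arrays had, so truncation is more likely than before. Keep the allocated capacity in a local and clamp right after the log call, e.g. `if (ngroups > ncap) ngroups = ncap;`, or fail the call. Even when clamped the list is incomplete, so a group-based deny decision made from it can miss a group the user belongs to; the new comment above ga_init should state that.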
@@ -65,6 +88,33 @@ ga_match(char * const *groups, int n) return 0; } +/* + * Return 1 if one of user's groups matches group_pattern list. + * Return 0 on negated or no match. + */ +int +ga_match_pattern_list(const char *group_pattern) +{ + int i, found = 0; + size_t len = strlen(group_pattern); + + for (i = 0; i < ngroups; i++) { + switch (match_pattern_list(groups_byname[i], + group_pattern, len, 0)) { + case -1: + return 0; /* Negated match wins */ + case 0: + continue; + case 1: + found = 1; + } + } + return found; +} + +/* + * Free memory allocated for group access list. + */ void ga_free(void) { @@ -74,5 +124,6 @@ ga_free(void) for (i = 0; i < ngroups; i++) xfree(groups_byname[i]); ngroups = 0; + xfree(groups_byname); } }
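Review bot: ga_match_pattern_list returns 0 both when a negated pattern matched and when the loop never ran, and its comment does not say that it reads the list built by the last ga_init() call. Because `found` starts at 0, an empty `groups_byname` list yields "no match", which a deny-style caller would read as "not denied". I would add `* Must be called after ga_init(); an empty group list returns 0.` to the comment. I would also put `break;` after `found = 1;` and add a `default:` arm, so that an unexpected return value from match_pattern_list() is not silently ignored. The literal `0` passed as the last argument deserves a short comment naming what it switches off; its meaning is defined outside this hunk.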
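Review bot: After `xfree(groups_byname);` in ga_free the static pointer keeps its old value, and the free sits inside a block whose opening line is outside this hunk. ga_init calls ga_free() only under `if (ngroups > 0)` and can finish with `ngroups = j` equal to 0 when no gid resolves to a name. If ga_free is guarded the same way, the array from that call is never released and the next `xcalloc` overwrites the pointer. Suggest releasing it independently of the count and clearing it: `if (groups_byname != NULL) { xfree(groups_byname); groups_byname = NULL; }`. The NULL guard is there because xfree() is defined outside this page.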