getgrouplist via getgrset on AIX, rather than iterating over getgrent.
This allows, eg, Match and AllowGroups directives to work with NIS and
LDAP groups.
SSLeay_add_all_algorithms as a macro already.
- (dtucker) [key.c defines.h openbsd-compat/openssl-compat.h] Move old OpenSSL
compat glue into openssl-compat.h.
+ - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Bug #1081: Implement
+ getgrouplist via getgrset on AIX, rather than iterating over getgrent.
+ This allows, eg, Match and AllowGroups directives to work with NIS and
+ LDAP groups.
20080225
- (dtucker) [openbsd-compat/fake-rfc2553.h] rename ssh_gai_strerror hack
[],
[#include <usersec.h>]
)
- AC_CHECK_FUNCS(setauthdb)
+ AC_CHECK_FUNCS(getgrset setauthdb)
AC_CHECK_DECL(F_CLOSEM,
AC_DEFINE(HAVE_FCNTL_CLOSEM, 1, [Use F_CLOSEM fcntl for closefrom]),
[],
/*
*
* Copyright (c) 2001 Gert Doering. All rights reserved.
- * Copyright (c) 2003,2004,2005 Darren Tucker. All rights reserved.
+ * Copyright (c) 2003,2004,2005,2006 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
}
# endif /* AIX_GETNAMEINFO_HACK */
+# if defined(USE_GETGRSET)
+# include <stdlib.h>
+int
+getgrouplist(const char *user, gid_t pgid, gid_t *groups, int *grpcnt)
+{
+ char *cp, *grplist, *grp;
+ gid_t gid;
+ int ret = 0, ngroups = 0, maxgroups;
+ long l;
+
+ maxgroups = *grpcnt;
+
+ if ((cp = grplist = getgrset(user)) == NULL)
+ return -1;
+
+ /* handle zero-length case */
+ if (maxgroups <= 0) {
+ *grpcnt = 0;
+ return -1;
+ }
+
+ /* copy primary group */
+ groups[ngroups++] = pgid;
+
+ /* copy each entry from getgrset into group list */
+ while ((grp = strsep(&grplist, ",")) != NULL) {
+ l = strtol(grp, NULL, 10);
+ if (ngroups >= maxgroups || l == LONG_MIN || l == LONG_MAX) {
+ ret = -1;
+ goto out;
+ }
+ gid = (gid_t)l;
+ if (gid == pgid)
+ continue; /* we have already added primary gid */
+ groups[ngroups++] = gid;
+ }
+out:
+ free(cp);
+ *grpcnt = ngroups;
+ return ret;
+}
+
+int
+ssh_initgroups(const char *user, gid_t group)
+{
+ gid_t grps[NGROUPS_MAX];
+ int grpcnt = NGROUPS_MAX;
+
+ if (getgrouplist(user, group, grps, &grpcnt) == -1)
+ return -1;
+ return setgroups(grpcnt, grps);
+}
+# endif /* USE_GETGRSET */
+
#endif /* _AIX */
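Review bot: In getgrouplist, the `strtol(grp, NULL, 10)` call inside the strsep loop never checks that the token was actually a number, so an empty or non-numeric token converts to 0 and is stored as gid 0. The only range test, `l == LONG_MIN || l == LONG_MAX`, also lets negative or oversized values through to the `(gid_t)l` cast, where they are silently truncated. Because this list goes straight into setgroups via ssh_initgroups, I would fail closed on anything that is not a clean non-negative value: add `char *ep;` to the locals, use `l = strtol(grp, &ep, 10);`, and reject with `if (ep == grp || *ep != '\0' || l < 0 || (long)(gid_t)l != l) { ret = -1; goto out; }`. Separately, the `maxgroups <= 0` early return skips the `free(cp)` at `out:`, so the getgrset buffer leaks on that path; doing that check before calling getgrset avoids it.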
/*
*
* Copyright (c) 2001 Gert Doering. All rights reserved.
- * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
+ * Copyright (c) 2004,2005,2006 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
# define getnameinfo(a,b,c,d,e,f,g) (sshaix_getnameinfo(a,b,c,d,e,f,g))
#endif
+/*
+ * We use getgrset in preference to multiple getgrent calls for efficiency
+ * plus it supports NIS and LDAP groups.
+ */
+#if !defined(HAVE_GETGROUPLIST) && defined(HAVE_GETGRSET)
+# define HAVE_GETGROUPLIST
+# define USE_GETGRSET
+int getgrouplist(const char *, gid_t, gid_t *, int *);
+int ssh_initgroups(const char *, gid_t);
+# define initgroups(a, b) ssh_initgroups((a), (b))
+#endif
+
#endif /* _AIX */
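Review bot: The `initgroups` macro and the two prototypes added here have no statement of their contract, and the part callers most need is the failure path. In the port-aix.c side of this commit, ssh_initgroups returns -1 without calling setgroups when getgrouplist fails, so the process keeps whatever supplementary groups it already had. A caller that ignores the return value would carry on with those groups, which is presumably not what a privilege drop wants. I would add a comment above the prototypes along the lines of `/* Returns -1 on failure, leaving the supplementary group list untouched; callers must check the result. getgrouplist: *grpcnt is capacity on entry, entries stored on return. */`.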