authpf wrong handling of group entries in /etc/authpf/authpf.allowed

authpf wrong handling of group entries in /etc/authpf/authpf.allowed

Jummo
System      : OpenBSD 5.0
Details     : OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011

[hidden email]:/usr/src/sys/arch/i386/compile/GENERIC

  Architecture: OpenBSD.i386
  Machine     : i386

Description:
If a group is defined in /etc/authpf/authpf.allowed and a user
who is not in the defined group tries to log in with authpf, the login
attempt will fail. If the user is in the defined group and the group is not the
last entry in /etc/group, the login will also fail <- wrong.
If the user is not a member of any group defined as allowed in the authpf
file, but is a member of the group which is the last entry in /etc/group, the
login will work <- wrong.

How-To-Repeat:
1. Create an authpf setup for e.g. test_user1.
2. Add test_user1 to a group which isn't the last entry in /etc/group, e.g. network.
3. Add a group to /etc/authpf/authpf.allowed which does not include the user test_user1, e.g. proxy.
4. Try to log in -> login isn't possible.
5. Change the placement of the group network (which includes the user) to be the last entry in /etc/group.
6. Try to log in -> login is possible.

1. Change /etc/authpf/authpf.allowed to include the group network (which includes the user test_user1).
2. Change the position of the group network in /etc/group so it isn't the last entry.
3. Try to log in -> login isn't possible.

Workaround (Thanks to Luigi):

--- authpf.c_orig       Mon Nov 29 21:57:04 2010
+++ authpf.c    Thu Nov 10 17:07:30 2011
@@ -518,18 +518,18 @@
                                  int cnt;
                                  struct group *group;

+                               if (!gl_init) {
+                                       (void) getgrouplist(pw->pw_name,
+                                           pw->pw_gid, groups, &ngroups);
+                                       gl_init++;
+                               }
+
                                  if ((group = getgrnam(buf + 1)) == NULL) {
                                          syslog(LOG_ERR,
                                              "invalid group '%s' in %s
(%s)",
                                              buf + 1, PATH_ALLOWFILE,
                                              strerror(errno));
                                          return (0);
-                               }
-
-                               if (!gl_init) {
-                                       (void) getgrouplist(pw->pw_name,
-                                           pw->pw_gid, groups, &ngroups);
-                                       gl_init++;
                                  }

                                  for ( cnt = 0; cnt < ngroups; cnt++) {
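Review bot: The reorder is the right fix, but the reason belongs in a comment above the moved `if (!gl_init)` block so nobody restores the old order later: `getgrnam()` returns a pointer to static storage that the group-file walk inside `getgrouplist()` overwrites, so in the old order `group->gr_gid` was compared against whichever entry happened to be last in /etc/group, which is exactly the symptom in the report. Two smaller points in the same hunk: the `(void)` cast discards the return value of `getgrouplist()`, so a user who belongs to more groups than `groups` can hold is silently truncated and may be denied; checking for -1 and logging it via `syslog()` like the `invalid group` path would make that visible. And the group list is now built even when the `@` entry names a nonexistent group and the function returns 0 a few lines later, which is harmless but does an extra lookup on the error path.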

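To make the call-ordering problem concrete, here is an added example (my own code, not authpf's or OpenBSD's): it models a libc in which getgrnam(3) returns a pointer into a static buffer that getgrouplist(3) reuses while walking the group file (the assumption behind the fix), using two constructed group tables in place of /etc/group. allowed_before_patch() follows the original call order and allowed_after_patch() the patched one; all names (struct grent, load_groups, the mock_* functions) are hypothetical.

```c
#include <string.h>
/* Mock of struct group; the real authpf uses <grp.h>. */
struct grent { const char *gr_name; unsigned gr_gid; const char *const *gr_mem; };
static const char *const in_network[] = { "test_user1", NULL };
static const char *const nobody[] = { NULL };
/* Two constructed group tables standing in for /etc/group: the same two
 * groups, with "network" (the user's group) either last or not last. */
const struct grent network_last[]  = { { "proxy", 1002, nobody }, { "network", 1001, in_network } };
const struct grent network_first[] = { { "network", 1001, in_network }, { "proxy", 1002, nobody } };
static const struct grent *db; static size_t ndb;
void load_groups(const struct grent *table, size_t n) { db = table; ndb = n; }
/* Models a libc where getgrnam(3) and the getgrent(3) walk inside
 * getgrouplist(3) share one static struct group buffer (assumption). */
static struct grent gr_static;
static struct grent *mock_getgrnam(const char *name) {
    for (size_t i = 0; i < ndb; i++)
        if (strcmp(db[i].gr_name, name) == 0) { gr_static = db[i]; return &gr_static; }
    return NULL;
}
/* Collects the user's gids; side effect: gr_static is left holding the
 * last entry of the table, which is why only the last group ever matched. */
static void mock_getgrouplist(const char *user, unsigned gid, unsigned *g, int *ng) {
    int n = 0; g[n++] = gid;                 /* primary gid first, as the real call does */
    for (size_t i = 0; i < ndb; i++) {
        gr_static = db[i];
        for (const char *const *m = gr_static.gr_mem; *m != NULL; m++)
            if (strcmp(*m, user) == 0 && n < *ng) g[n++] = gr_static.gr_gid;
    }
    *ng = n;
}
static int in_list(const unsigned *g, int n, unsigned gid) {
    for (int i = 0; i < n; i++) if (g[i] == gid) return 1;
    return 0;
}
/* Pre-patch order: 'group' still points into the buffer when it is clobbered. */
int allowed_before_patch(const char *user, unsigned gid, const char *grname) {
    unsigned g[16]; int ng = 16;
    struct grent *group = mock_getgrnam(grname);
    if (group == NULL) return 0;
    mock_getgrouplist(user, gid, g, &ng);          /* overwrites *group */
    return in_list(g, ng, group->gr_gid);          /* compares the last entry's gid */
}
/* Patched order: group list first, so group->gr_gid is still the named group. */
int allowed_after_patch(const char *user, unsigned gid, const char *grname) {
    unsigned g[16]; int ng = 16;
    mock_getgrouplist(user, gid, g, &ng);
    struct grent *group = mock_getgrnam(grname);
    return group != NULL && in_list(g, ng, group->gr_gid);
}
```

With "network" last, the old order accepts test_user1 against an @proxy entry; with "network" first, it rejects test_user1 against an @network entry, matching both scenarios in the report.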
Re: authpf wrong handling of group entries in /etc/authpf/authpf.allowed

Jummo
Anything wrong with my previous mail?

Re: authpf wrong handling of group entries in /etc/authpf/authpf.allowed

Bob Beck-4
No Jummo, and fix looks right. Thank you.

On 30 November 2011 08:54, Jummo <[hidden email]> wrote:
> Anything wrong with my previous mail?