[cups.bugs] [HIGH] STR #2967: Group authentication with duplicated groups not work

Daniel Solano cups at sattvik.com
Thu Oct 9 10:29:54 PDT 2008


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

If a particular system has multiple instances of a given group, group
authentication doesn't work.

For example, on my Linux system using nss_ldap-258, I have two 'lp' groups.
The first group is retrieved from the /etc/group file, and the second is
retrieved from my LDAP server.  Using getgrnam() only retrieves the entry
from the first instance of the group.

In order to fix this problem, I propose using getgrent() instead of
getgrnam().  This requires a more tedious verification since it requires
CUPS to iterate through each group.

My patch functions as follows:

1. Add a new local variable 'foundit' in order to flag if group membership
is confirmed.

2. Reinitialise the group database by calling setgrent() and set foundit
to 0.

3. Iterate through each group using getgrent():
   a. If the name of the group does not match groupname, continue to the
next loop.
   b. I first check to see if the user's gid matches the group's id.  If
the two values match, I set foundit and break out of the loop. In the
original code, this is done later, but I do it sooner since it is a
theoretically quicker check.
   c. Next, check to see if the username matches any group member's name. 
If so, set foundit and break out of the loop.

4. Once the program leaves the loop, reset the group database by calling
endgrent().

5. Finally, if foundit has been set, exit the function signalling success.

Link: http://www.cups.org/str.php?L2967
Version: 1.3.8
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cups-1.3.8-group_fix.patch
URL: <http://lists.cups.org/pipermail/cups-devel/attachments/20081009/0023136e/attachment.ksh>
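
The loop described in steps 1 to 5 above, written out as an added C example (it is not the attached patch and not CUPS source). The names `next_group_fn`, `entry_grants`, `scan_groups`, `user_in_group` and the sample table are hypothetical, and name comparison is assumed to be case-sensitive; the entry source is passed in so the same loop can run over getgrent() or over a constructed database with two 'lp' entries.

```c
#define _DEFAULT_SOURCE   /* exposes setgrent()/getgrent()/endgrent() on glibc */
#include <grp.h>
#include <string.h>
#include <sys/types.h>

typedef struct group *(*next_group_fn)(void);  /* getgrent() or a test stub */
/* Steps 3a-3c: does this single entry confirm membership? */
int entry_grants(const struct group *grp, const char *groupname,
                 const char *username, gid_t user_gid)
{
  if (strcmp(grp->gr_name, groupname) != 0) return 0;  /* 3a: other group */
  if (grp->gr_gid == user_gid) return 1;               /* 3b: gid matches */
  for (char **m = grp->gr_mem; m != NULL && *m != NULL; m++)
    if (strcmp(*m, username) == 0) return 1;           /* 3c: listed member */
  return 0;
}

/* Step 3 loop: keep going past same-named entries that do not match. */
int scan_groups(next_group_fn next, const char *groupname,
                const char *username, gid_t user_gid)
{
  struct group *grp;
  int foundit = 0;                                     /* step 1 */
  while (!foundit && (grp = next()) != NULL)
    foundit = entry_grants(grp, groupname, username, user_gid);
  return foundit;
}

/* Steps 2, 4 and 5 against the live group database. */
int user_in_group(const char *groupname, const char *username, gid_t user_gid)
{
  setgrent();
  int foundit = scan_groups(getgrent, groupname, username, user_gid);
  endgrent();
  return foundit;
}

/* Constructed sample: 'lp' from a local file, then 'lp' again from LDAP. */
static char *lp_local[] = { "daemon", NULL };
static char *lp_ldap[]  = { "alice", NULL };
static struct group sample[] = {
  { .gr_name = "lp", .gr_gid = 7, .gr_mem = lp_local },
  { .gr_name = "users", .gr_gid = 100, .gr_mem = lp_local },
  { .gr_name = "lp", .gr_gid = 7, .gr_mem = lp_ldap } };
static size_t sample_pos;
void sample_reset(void) { sample_pos = 0; }
struct group *sample_next(void)
{
  return sample_pos < sizeof(sample) / sizeof(sample[0]) ? &sample[sample_pos++] : NULL;
}
```

getgrent() returns a pointer to static storage and is not thread-safe, so a caller running this check from several threads has to serialise it.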

