[cups-devel] [UNKN] STR #4585: Authentication of group membership fails for large groups

Blindauer noreply at cups.org
Thu Feb 19 23:35:57 PST 2015


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

A printer can get an ACL for printing, with keywords "Allow" and "Deny".
If I specify a group, "Allow @largeGroup", the actual code tries to get all
members of the group with 'getgrnam' (scheduler/auth.c:1279).

When very large groups are used, on Linux at least, with an LDAP backend
(Active Directory or LDAP+rfc2307bis), group membership is stored with
memberOf, and the server limits the number of memberships to a reasonable
value for the system (1000 for OpenLDAP iirc, 1500 for Active Directory).
So not all members of the group are retrieved. This makes CUPS fail to
verify the ACL on a printer.

The code should get all groups of the users who try to print, and
verify the ACL vs. this list of groups. The subroutine 'getgrouplist' does
the job on OS X and Linux at least.

Link: https://www.cups.org/str.php?L4585
Version: 2.0-current
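
The per-user lookup this report proposes, as an added example that is not CUPS code and not the reporter's: it resolves the requesting user's own group list with getgrouplist() and compares gids, rather than walking the group's member list. The helper name `user_in_group` is hypothetical, and the Linux/glibc signature of getgrouplist() (gid_t buffer) is assumed.

```c
/* Added example (not CUPS code): per-user group check via getgrouplist(). */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical helper: 1 if `user` belongs to `group`, 0 if not (or if the
 * user or group is unknown), -1 on lookup or allocation error. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return 0;
    gid_t primary = pw->pw_gid;          /* copy: the static buffer is reused */

    struct group *gr = getgrnam(group);  /* used only for the gid, not gr_mem */
    if (gr == NULL)
        return 0;
    gid_t target = gr->gr_gid;

    int ngroups = 32;                    /* initial guess, grown on demand */
    gid_t *groups = malloc(ngroups * sizeof(*groups));
    if (groups == NULL)
        return -1;

    /* getgrouplist() returns -1 and stores the needed count in ngroups when
     * the buffer is too small, so retry once with the size it reports. */
    if (getgrouplist(user, primary, groups, &ngroups) == -1) {
        gid_t *bigger = realloc(groups, ngroups * sizeof(*groups));
        if (bigger == NULL) { free(groups); return -1; }
        groups = bigger;
        if (getgrouplist(user, primary, groups, &ngroups) == -1) {
            free(groups);
            return -1;
        }
    }
    int found = 0;
    for (int i = 0; i < ngroups && !found; i++)
        found = (groups[i] == target);
    free(groups);
    return found;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s user group\n", argv[0]); return 2; }
    return user_in_group(argv[1], argv[2]) == 1 ? 0 : 1;
}
```

The decision here depends only on the gid returned for the group and on the user's own group list, so a truncated member list for the group does not change the result.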