System : OpenBSD 5.0
Details : OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
Architecture: OpenBSD.i386
Machine : i386
Description:
If a group is defined in /etc/authpf/authpf.allowed and a user who is not
in that group tries to log in with authpf, the login attempt fails, as expected.
If the user is in the defined group but that group is not the last entry in
/etc/group, the login also fails <- wrong.
If the user is not a member of any group listed as allowed in the authpf file,
but is a member of the group that is the last entry in /etc/group, the login
works <- wrong.
How-To-Repeat:
1. Create an authpf setup for e.g. test_user1.
2. Add test_user1 to a group which isn't the last entry in /etc/group, e.g.
network.
3. Add a group to /etc/authpf/authpf.allowed which does not include the user
test_user1, e.g. proxy.
4. Try to log in -> login isn't possible.
5. Move the group network (which includes the user) so that it is the last
entry in /etc/group.
6. Try to log in -> login is possible.

1. Change /etc/authpf/authpf.allowed to include the group network (which
includes the user test_user1).
2. Change the position of the group network in /etc/group so that it isn't the
last entry.
3. Try to log in -> login isn't possible.
Workaround (Thanks to Luigi):
--- authpf.c_orig Mon Nov 29 21:57:04 2010
+++ authpf.c Thu Nov 10 17:07:30 2011
@@ -518,18 +518,18 @@
int cnt;
struct group *group;
+ if (!gl_init) {
+ (void) getgrouplist(pw->pw_name,
+ pw->pw_gid, groups, &ngroups);
+ gl_init++;
+ }
+
if ((group = getgrnam(buf + 1)) == NULL) {
syslog(LOG_ERR,
"invalid group '%s' in %s
(%s)",
buf + 1, PATH_ALLOWFILE,
strerror(errno));
return (0);
- }
-
- if (!gl_init) {
- (void) getgrouplist(pw->pw_name,
- pw->pw_gid, groups, &ngroups);
- gl_init++;
}
for ( cnt = 0; cnt < ngroups; cnt++) {
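Review bot: the reorder is the right fix but the hunk does not record why, and a comment should be added above the moved `if (!gl_init)` block: `getgrnam(buf + 1)` returns a pointer to static storage, and `getgrouplist()` iterates over the group database through the same getgr* machinery, so calling it after `getgrnam()` leaves `group` pointing at whichever entry was read last, i.e. the last line of /etc/group. That is exactly the symptom in the report (membership in the last group "works", membership in any other group "fails"), so the one-time `getgrouplist()` call has to happen before `getgrnam()`, as the `+` lines do. A one-line comment such as "getgrouplist() may clobber the static buffer behind getgrnam(); call it first" would keep a later refactor from undoing the ordering; an alternative that is robust to either order is to copy `group->gr_gid` into a local `gid_t` immediately after the NULL check and compare against that in the `for` loop below.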