Ack.
Regards,
Ramesh.
On 9/23/2014 10:19 AM, Hans Feldt wrote:
> osaf/libs/core/common/osaf_secutil.c | 13 +++++++------
> 1 files changed, 7 insertions(+), 6 deletions(-)
>
>
> In function osaf_user_is_member_of_group the user's primary group is not checked.
> The current code only checks the supplementary groups.
>
> Thanks to: Adrian Szwej
>
> diff --git a/osaf/libs/core/common/osaf_secutil.c
> b/osaf/libs/core/common/osaf_secutil.c
> --- a/osaf/libs/core/common/osaf_secutil.c
> +++ b/osaf/libs/core/common/osaf_secutil.c
> @@ -238,7 +238,7 @@ bool osaf_user_is_member_of_group(uid_t
> return false;
> }
>
> - // get user name
> + // get password file entry for user
> errno = 0;
> struct passwd *client_pwd = getpwuid(uid);
> if (client_pwd == NULL) {
> @@ -247,17 +247,18 @@ bool osaf_user_is_member_of_group(uid_t
> return false;
> }
>
> + // check the primary group of the user
> + if (client_pwd->pw_gid == grp.gr_gid)
> + return true;
> +
> /* loop list of usernames that are members of the group trying find a
> * match with the specified user name */
> for (member = grp.gr_mem; *member != NULL; member++) {
> if (strcmp(client_pwd->pw_name, *member) == 0)
> - break;
> + return true;
> }
>
> - if (*member != NULL)
> - return true;
> - else
> - return false;
> + return false;
> }
>
> /* used in libraries, do not log. Only trace */
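Review bot: The new primary-group comparison `client_pwd->pw_gid == grp.gr_gid`, like the `pw_name` comparison in the loop below it, reads through the pointer returned by `getpwuid(uid)` in the previous hunk, which points at static storage that any later `getpw*` call in the process may overwrite. Since this file lives under osaf/libs and the result is an authorization decision, a concurrent lookup in another thread could make the check compare against a different user's entry; `grp` looks like a caller-owned struct, so the group lookup presumably already uses a reentrant variant. Consider doing the same for the passwd lookup, e.g. `struct passwd pwd, *client_pwd = NULL;` followed by `getpwuid_r(uid, &pwd, pwbuf, sizeof(pwbuf), &client_pwd)` with a local buffer `pwbuf`, checking both the return value and `client_pwd`. The function starts outside this hunk, so its existing declarations and its header comment, which should now mention the primary group, are not visible here.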