Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve tsusers/tsadmins group support #2815

Merged
merged 4 commits into from
Oct 6, 2023
Merged

Improve tsusers/tsadmins group support #2815

merged 4 commits into from
Oct 6, 2023

Conversation

matt335672
Copy link
Member

Fixes #2806

The first couple of commits in this PR use getgrouplist (if available) to check whether a user is in a group in g_check_user_in_group().

This approach is more likely to succeed where a directory service is being used for the following reasons:-

  • Some directory services allow group member enumerations to be disabled for speed or security reasons.
  • When using directory services a user may be referred to by more than one name. Using a name comparison to check the group member list is risky in these situations.

Although very widely available, getgrouplist() isn't defined by POSIX. If getgrouplist() is not detected, os_calls falls back to using the existing code.

g_check_user_in_group() now returns success if the passed-in group is the primary group of the user. That allows us to remove a couple of other checks in sesman (3rd commit).

The 4th commit reworks the group checking in sesman/sesexec, to allow primarily for much better logging. This is intended primarily for the devel branch. Commits 1-3 can be easily back-ported to V0.9 if required.

@matt335672
Add getgrouplist() detection functionality
84a0bef 
Defines the macro HAVE_GETGROUPLIST if getgrouplist() is
available, and defines the type passed to the GID array as
GETGROUPS_T
@matt335672
Add getgrouplist() support to os_calls
cf677da 
On enterprise systems, using getgrouplist() (if available)
is more efficient than iterating over the members of the group,
and is also more likely to work
@matt335672
access_login_allowed: Remove primary group check
5837dea 
This check is now performed within g_check_user_in_group()
@matt335672
Update logging in sesman access control
cf5c271 
Improve the built-in access checks for sesman/sesexec:-
- Group existence is checked for at login-time rather than program
  start time
- The name of the group is now included in the message

Also, check for UID == 0 when checking for root, rather than just
checking the name (which might be an alias)
@metalefty
Copy link
Member

+1 to backport since the reporter is using v0.9.

@matt335672 matt335672 merged commit bce303c into neutrinolabs:devel Oct 6, 2023
13 checks passed
@matt335672 matt335672 deleted the groups_patch branch October 6, 2023 09:48
@matt335672 matt335672 mentioned this pull request Oct 6, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Parameter TerminalServerUsers in sesman.ini does not work in combination with winbind AD integration
2 participants
@matt335672 @metalefty