1 From: <hweidner@gmx.net>
2 Subject: Add check for egid to properly works like "shadow" enabled authentications
4 --- libnss-mysql-bg-1.5/src/lookup.c 2011-09-13 09:28:30.000000000 +0200
5 +++ libnss-mysql-bg-1.5/src/lookup.c 2011-09-13 09:47:16.000000000 +0200
8 #include <stdio.h> /* snprintf () */
9 #include <string.h> /* strcpy () */
10 +#include <sys/types.h>
16 int attempts = MAX_QUERY_ATTEMPTS; /* Attempt # (countdown) */
17 static uid_t euid = -1; /* Last known euid for change detect */
18 uid_t cur_euid; /* CURRENT euid */
19 + gid_t cur_egid; /* CURRENT egid */
20 + gid_t shadow_gid; /* gid for group shadow (usually 42 on Debian) */
24 cur_euid = geteuid ();
26 + /* Get shadow gid, if needed */
28 + cur_egid = getegid ();
29 + struct group *grp = getgrnam("shadow");
30 + shadow_gid = (grp ? grp->gr_gid : -1);
33 D ("%s: restricted = %d, cur_euid = %u", FUNCNAME, restricted, cur_euid);
34 - if (restricted == ntrue && cur_euid != 0)
35 + if (restricted == ntrue && cur_euid != 0 && (shadow_gid == -1 || cur_egid != shadow_gid))
36 DSRETURN (NSS_NOTFOUND)
38 /* Make sure euid hasn't changed, thus changing our access abilities */
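Review bot: The new privilege test at the `restricted` check trusts whatever gid `getgrnam("shadow")` returns, and that call is itself an NSS lookup made from inside an NSS module. If `group` in nsswitch.conf can be answered by this module or another network source, that source decides which egid may read restricted data, and the nested lookup may re-enter the module; `getgrnam` also returns static storage, so it can overwrite a group result the calling program is still holding. I would resolve the gid with `getgrnam_r` into a local buffer, compare against `(gid_t) -1` rather than a bare `-1`, and add `#include <grp.h>`, which is not among the visible includes. The enclosing function starts and ends outside the hunks shown, so whether the lookup runs on every query cannot be confirmed from here.

```c
/* Get shadow gid, if needed */
struct group grbuf;
struct group *grp = NULL;
char grstore[1024];   /* a too-small buffer (ERANGE) is treated as "no shadow group" */

cur_egid = getegid ();
if (getgrnam_r ("shadow", &grbuf, grstore, sizeof grstore, &grp) != 0)
  grp = NULL;
shadow_gid = (grp ? grp->gr_gid : (gid_t) -1);

/* ... unchanged: debug trace ... */
if (restricted == ntrue && cur_euid != 0
    && (shadow_gid == (gid_t) -1 || cur_egid != shadow_gid))
```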