search for: ga_free

...mpty and one of user's groups - * isn't listed there + * Return false if AllowGroups isn't empty and one of + * user's groups isn't listed there */ if (options.num_allow_groups > 0) if (!ga_match(options.allow_groups, options.num_allow_groups)) { ga_free(); - log("User %.100s not allowed because none of user's groups are listed in AllowGroups", + if (options.num_deny_users > 0 || + options.num_allow_users > 0) { + log("User %.100s not allowed because not in AllowUsers nor user's groups in AllowGroups&qu...

...> 0) +#ifndef GROUP_MATCH_HOST_AND_IP if (ga_match(options.deny_groups, options.num_deny_groups)) { +#else /* GROUP_MATCH_HOST_AND_IP */ + if (ga_match_host_and_ip(options.deny_groups, + options.num_deny_groups, hostname, ipaddr)) { +#endif /* GROUP_MATCH_HOST_AND_IP */ ga_free(); logit("User %.100s from %.100s not allowed " "because a group is listed in DenyGroups", @@ -223,8 +228,13 @@ * isn't listed there */ if (options.num_allow_groups > 0) +#ifndef GROUP_MATCH_HOST_AND_IP if (!ga_match(options.allow_groups,...

...quot;, ! pw->pw_name); return 0; + } /* Return false if one of user's groups is listed in DenyGroups */ if (options.num_deny_groups > 0) *************** *** 98,103 **** --- 113,120 ---- if (ga_match(options.deny_groups, options.num_deny_groups)) { ga_free(); + log("User %.100s not allowed because a group is listed in DenyGroups", + pw->pw_name); return 0; } /* *************** *** 108,113 **** --- 125,132 ---- if (!ga_match(options.allow_groups, options.num_allow_groups)) { ga_free(); + log...

...> 0) { + /* load up the user's group list */ + if (ga_init(pw->pw_name, pw->pw_gid) == 0) + return 0; + + /* return false if the user is in a denied group */ + if (access.num_deny_groups > 0) + if (ga_match(access.deny_groups, + access.num_deny_groups)) { + ga_free(); + return 0; + } + + /* + * Return false if the allowed groups are specified and the + * user is not in one + */ + if (access.num_allow_groups > 0) + if (!ga_match(access.allow_groups, + access.num_allow_groups)) { + ga_free(); + return 0; + } +...

...+static char **groups_byname; /* * Initialize group access list for user with primary (base) and @@ -40,20 +40,33 @@ int ga_init(const char *user, gid_t base) { - gid_t groups_bygid[NGROUPS_MAX + 1]; - int i, j; + gid_t *groups_bygid; + int i; struct group *gr; if (ngroups > 0) ga_free(); - ngroups = sizeof(groups_bygid) / sizeof(gid_t); + getgrouplist(user, base, NULL, &ngroups); + groups_bygid = xmalloc(ngroups * sizeof(*groups_bygid)); + groups_byname = xmalloc(ngroups * sizeof(*groups_byname)); + if (getgrouplist(user, base, groups_bygid, &ngroups) == -1) logit...

Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

OpenSSH 3.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the

http://bugzilla.mindrot.org/show_bug.cgi?id=787 ------- Additional Comments From openssh_bugzilla at hockin.org 2004-02-20 13:01 ------- Created an attachment (id=548) --> (http://bugzilla.mindrot.org/attachment.cgi?id=548&action=view) NGROUPS patch ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.