add secondary groups as well

2023-05-05 15:20:27 -07:00 · 2023-05-05 15:20:27 -07:00 · b11e87b384
parent e0b641bafc
commit b11e87b384
3 changed files with 47 additions and 0 deletions
--- a/apps/wolfsshd/auth.c
+++ b/apps/wolfsshd/auth.c
@ -1122,6 +1122,38 @@ int wolfSSHD_AuthReducePermissions(WOLFSSHD_AUTH* auth)
    return ret;
 }

+
+/* sets the extended groups the user is in, returns WS_SUCCESS on success */
+int wolfSSHD_AuthSetGroups(const WOLFSSHD_AUTH* auth, const char* usr,
+        WGID_T gid)
+{
+    int grpListSz = 0;
+    gid_t* grpList = NULL;
+    int ret = WS_SUCCESS;
+
+    /* should return -1 if grpListSz is smaller than actual groups */
+    if (getgrouplist(usr, gid, NULL, &grpListSz) == -1) {
+        grpList = (gid_t*)WMALLOC(sizeof(gid_t) * grpListSz, auth->heap,
+            DYNTYPE_SSHD);
+        if (grpList == NULL) {
+            ret = WS_MEMORY_E;
+        }
+        else {
+            if (getgrouplist(usr, gid, grpList, &grpListSz)
+                    != grpListSz) {
+                ret = WS_FATAL_ERROR;
+            }
+            else {
+                setgroups(grpListSz, grpList);
+            }
+            WFREE(grpList, auth->heap, DYNTYPE_SSHD);
+        }
+    }
+
+    return ret;
+}
+
+
 /* return the time in seconds for grace timeout period */
 long wolfSSHD_AuthGetGraceTime(const WOLFSSHD_AUTH* auth)
 {
--- a/apps/wolfsshd/auth.h
+++ b/apps/wolfsshd/auth.h
@ -62,6 +62,8 @@ int wolfSSHD_AuthReducePermissions(WOLFSSHD_AUTH* auth);
 int wolfSSHD_AuthRaisePermissions(WOLFSSHD_AUTH* auth);
 int wolfSSHD_AuthReducePermissionsUser(WOLFSSHD_AUTH* auth, WUID_T uid,
    WGID_T gid);
+int wolfSSHD_AuthSetGroups(const WOLFSSHD_AUTH* auth, const char* usr,
+    WGID_T gid);
 long wolfSSHD_AuthGetGraceTime(const WOLFSSHD_AUTH* auth);
 WOLFSSHD_CONFIG* wolfSSHD_AuthGetUserConf(const WOLFSSHD_AUTH* auth,
        const char* usr, const char* host,
--- a/apps/wolfsshd/wolfsshd.c
+++ b/apps/wolfsshd/wolfsshd.c
@ -490,6 +490,12 @@ static int SFTP_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
        }
    }

+    /* set additional groups if needed */
+    if (ret == WS_SUCCESS) {
+        ret = wolfSSHD_AuthSetGroups(conn->auth, wolfSSH_GetUsername(ssh),
+                pPasswd->pw_gid);
+    }
+
    if (wolfSSHD_AuthReducePermissionsUser(conn->auth, pPasswd->pw_uid,
            pPasswd->pw_gid) != WS_SUCCESS) {
        wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting user ID");
@ -668,6 +674,13 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
            }
        }

+        /* set additional groups if needed */
+        if ( wolfSSHD_AuthSetGroups(conn->auth, wolfSSH_GetUsername(ssh),
+                pPasswd->pw_gid) != WS_SUCCESS) {
+            wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting user groups");
+            return WS_FATAL_ERROR;
+        }
+
        if (wolfSSHD_AuthReducePermissionsUser(conn->auth, pPasswd->pw_uid,
            pPasswd->pw_gid) != WS_SUCCESS) {
            wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error setting user ID");