From: Stefan Sperling <stsp@stsp.name>
Subject: Re: fix gotd group auth
To: "Todd C. Miller" <Todd.Miller@millert.dev>
Cc: gameoftrees@openbsd.org
Date: Sun, 20 Nov 2022 15:09:47 +0100

On Thu, Nov 17, 2022 at 09:22:44AM -0700, Todd C. Miller wrote:
> On Thu, 17 Nov 2022 17:18:35 +0100, Stefan Sperling wrote:
> 
> > These functions read files or yellow pages and can fail for reasons
> > such as i/o failures. Our getpwuid implementation sets errno on failure.
> >
> > Since errno is not mentioned in the man page, I agree that we should
> > probably not check it. I ended up reading the implementation because
> > the man page was too vague. I have no idea how portable checking for
> > errno is in this case... :-/
> 
> I don't think it is portable at all.
> 
>  - todd

Our man page says:

     The getpwnam(), getpwnam_r(), getpwuid(), and getpwuid_r() functions may
     also fail for any of the errors specified for dbopen(3) and its get()
     routine.

     If YP is active, they may also fail due to errors caused by the YP
     subsystem.

So, for now, I have done the following.

It is stupid that getpwuid() does not offer an explicit way to tell an
internal error apart from the usual "user not found" failure case.
I suppose we want to be using getpwuid_r() instead, which returns a non-zero
errno code on failure and zero on success. I'll see about that later.

-----------------------------------------------
commit e18d071f3cc8912b9bfb6fb392689dc7394355dd (main, origin/main)
from: Stefan Sperling <stsp@stsp.name>
date: Sun Nov 20 14:01:04 2022 UTC
 
 getpwuid() returns NULL without setting errno if no user is found
 
 pointed out by millert@
 
diff 4cad5be9f88baeb0583b4b63a546f5815929a270 e18d071f3cc8912b9bfb6fb392689dc7394355dd
commit - 4cad5be9f88baeb0583b4b63a546f5815929a270
commit + e18d071f3cc8912b9bfb6fb392689dc7394355dd
blob - 03cfa9264e97a034a49d4be7da221944cb1eda34
blob + ed5bbd87051a58c687b26b3585c2a1e3714d65f3
--- gotd/auth.c
+++ gotd/auth.c
@@ -120,8 +120,12 @@ gotd_auth_check(struct gotd_access_rule_list *rules, c
 	int ngroups = NGROUPS_MAX;
 
 	pw = getpwuid(euid);
-	if (pw == NULL)
-		return got_error_from_errno("getpwuid");
+	if (pw == NULL) {
+		if (errno)
+			return got_error_from_errno("getpwuid");
+		else
+			return got_error_set_errno(EACCES, repo_name);
+	}
 
 	if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1)
 		log_warnx("group membership list truncated");
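
Review bot: the new `if (errno)` test relies on errno being 0 when getpwuid() returns NULL for an unknown uid, but nothing in the visible lines clears errno before `pw = getpwuid(euid);`. A stale value left by an earlier call would send the plain "user not found" case down the got_error_from_errno("getpwuid") branch and report a misleading internal error instead of EACCES. Both branches still return an error, so the check fails closed either way, but the reported error would be wrong. Adding `errno = 0;` immediately before the call makes the distinction reliable. As a style point, the `else` after the first `return` is redundant and the EACCES return can simply follow the `if (errno)` statement.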