From: Stefan Sperling
Subject: Re: fix gotd group auth
To: "Todd C. Miller"
Cc: gameoftrees@openbsd.org
Date: Sun, 20 Nov 2022 15:09:47 +0100

On Thu, Nov 17, 2022 at 09:22:44AM -0700, Todd C. Miller wrote:
> On Thu, 17 Nov 2022 17:18:35 +0100, Stefan Sperling wrote:
>
> > These functions read files or yellow pages and can fail for reasons
> > such as i/o failures. Our getpwuid implementation sets errno on failure.
> >
> > Since errno is not mentioned in the man page, I agree that we should
> > probably not check it. I ended up reading the implementation because
> > the man page was too vague. I have no idea how portable checking for
> > errno is in this case... :-/
>
> I don't think it is portable at all.
>
>  - todd

Our man page says:

     The getpwnam(), getpwnam_r(), getpwuid(), and getpwuid_r() functions
     may also fail for any of the errors specified for dbopen(3) and its
     get() routine.

     If YP is active, they may also fail due to errors caused by the YP
     subsystem.

So, for now, I have done the following.

It is stupid that getpwuid() does not offer an explicit way to tell an
internal error apart from the usual "user not found" failure case.
I suppose we want to be using getpwuid_r() instead, which returns a
non-zero errno code on failure and zero on success. I'll see about
that later.

-----------------------------------------------
commit e18d071f3cc8912b9bfb6fb392689dc7394355dd (main, origin/main)
from: Stefan Sperling
date: Sun Nov 20 14:01:04 2022 UTC

 getpwuid() returns NULL without setting errno if no user is found

 pointed out by millert@

diff 4cad5be9f88baeb0583b4b63a546f5815929a270 e18d071f3cc8912b9bfb6fb392689dc7394355dd commit - 4cad5be9f88baeb0583b4b63a546f5815929a270 commit + e18d071f3cc8912b9bfb6fb392689dc7394355dd blob - 03cfa9264e97a034a49d4be7da221944cb1eda34 blob + ed5bbd87051a58c687b26b3585c2a1e3714d65f3 --- gotd/auth.c +++ gotd/auth.c 
@@ -120,8 +120,12 @@ gotd_auth_check(struct gotd_access_rule_list *rules, c int ngroups = NGROUPS_MAX; pw = getpwuid(euid); - if (pw == NULL) - return got_error_from_errno("getpwuid"); + if (pw == NULL) { + if (errno) + return got_error_from_errno("getpwuid"); + else + return got_error_set_errno(EACCES, repo_name); + } if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1) log_warnx("group membership list truncated");
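
Review bot: in gotd_auth_check(), the new "if (errno)" test under "pw == NULL" reads errno without it being cleared before "pw = getpwuid(euid);" in the visible context, so a stale value left by an earlier call would send the plain "no such user" case down the got_error_from_errno("getpwuid") path with a misleading message instead of EACCES. Set errno to 0 immediately before the getpwuid() call, or move to getpwuid_r() as the mail suggests, which reports failure through its return value. Both branches still return an error, so the access check fails closed either way.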