Skip to content

Med: daemons: Fix user/group checking in based. #4055

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nrwahl2 merged 1 commit into from
Feb 10, 2026
+23 −1
Merged

Med: daemons: Fix user/group checking in based. #4055

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 23 additions & 1 deletion daemons/based/based_remote.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,14 +95,36 @@ remote_auth_timeout_cb(gpointer data)
static bool
is_daemon_group_member(const char *user)
{
const struct group *group = getgrnam(CRM_DAEMON_GROUP);
int rc = pcmk_rc_ok;
gid_t gid = 0;
const struct group *group = NULL;

/* group->gr_mem only contains those users that are listed in /etc/group.
* It won't list the user if the group is their primary (that is, it's in
* the GID field in /etc/passwd (or passwd->pw_gid as returned by getpwent).
* So, we first need to perform a primary group check.
*/
rc = pcmk__lookup_user(user, NULL, &gid);
if (rc != pcmk_rc_ok) {
pcmk__notice("Rejecting remote client: could not find user '%s': %s",
user, pcmk_rc_str(rc));
return false;
}

group = getgrnam(CRM_DAEMON_GROUP);
if (group == NULL) {
pcmk__err("Rejecting remote client: " CRM_DAEMON_GROUP " is not a "
"valid group");
return false;
}

if (group->gr_gid == gid) {
return true;
}

/* If that didn't work, check if CRM_DAEMON_GROUP is a secondary group for
* the user.
*/
Copy link
Contributor

@nrwahl2 nrwahl2 Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks good, thanks!

One thing I'm on the fence about comment-wise, is whether to state explicitly that group->gr_mem includes only the users listed in /etc/group -- not necessarily all members of the group. To make it super clear why this isn't enough on its own. Some of the other comments could probably be trimmed down or removed if you wanted.

On the other hand, you explained it well in the commit message. I made sure to check the 14d9ae4 commit message before bcc7c90, but I didn't realize that this loop wouldn't catch a primary group match.

Up to you. Feel free to merge this as-is. I appreciate you taking care of this. I hadn't started on it yet.

Copy link
Contributor Author

@clumens clumens Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated and shortened comments. It's always kind of a struggle to know how much to add to inline comments vs. in the commit message. Sometimes commit messages don't make a lot of sense without the context of what comes before and after, unless you get really verbose and redundant. On the other hand, I'd love to avoid the "what exactly was I thinking five years ago" situation that comes up so often.

Copy link
Contributor

@nrwahl2 nrwahl2 Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I totally agree. I just try to avoid comments stating WHAT fairly obvious code is doing, unless it's a long or complicated function where those comments serve more as visual delimiters than as explanations.

for (const char *const *member = (const char *const *) group->gr_mem;
*member != NULL; member++) {

Expand Down