Bug 30938

Summary: <allow group="foo"> only matches against auxiliary groups, not primary group
Product: dbus Reporter: Sascha Silbe <sascha-web-bugs.freedesktop.org>
Component: coreAssignee: Havoc Pennington <hp>
Status: RESOLVED MOVED QA Contact: John (J5) Palmieri <johnp>
Severity: normal    
Priority: medium CC: chengwei.yang.cn, msniko14
Version: 1.5Keywords: patch
Hardware: All   
OS: All   
Whiteboard: review? for test
i915 platform: i915 features:
Attachments: [PATCH] policy: check against primary group as well, not just auxiliary groups (fd.o#30938)
Add a manual test for user/group info on Unix

Description Sascha Silbe 2010-10-17 09:04:01 UTC
<allow group="foo"> only matches against auxiliary groups, not the primary one. There's no way to match against the primary group specifically and the documentation doesn't mention this limitation anywhere so I assume it's a bug.
Comment 1 Sascha Silbe 2010-10-17 09:18:54 UTC
Patch posted on the dbus mailing list: http://lists.freedesktop.org/archives/dbus/2010-October/013635.html
Comment 2 Sascha Silbe 2010-10-28 23:55:48 UTC
Created attachment 39878 [details] [review]
[PATCH] policy: check against primary group as well, not just auxiliary groups (fd.o#30938)

Attaching the patch to this bug as well now since I didn't get any reply on the mailing list.
Comment 3 Simon McVittie 2013-08-27 17:33:18 UTC
(In reply to comment #2)
> [PATCH] policy: check against primary group as well, not just auxiliary
> groups (fd.o#30938)

Is this still wrong in 1.6.x? On what operating system?

As far as I can see, DBusUserInfo.group_ids is meant to be filled with all the groups (specifically including the primary GID), but fill_user_info() in dbus-sysdeps-unix.c omits the primary GID on the HAVE_GETGROUPLIST code path. I'd prefer to fix it in fill_user_info() rather than working around it elsewhere.
Comment 4 Simon McVittie 2013-08-27 18:22:51 UTC
Created attachment 84739 [details] [review]
Add a manual test for user/group info on Unix

---

This seems to work fine for me, on Debian unstable (early development of Debian 8) with Linux 3.10 and glibc 2.17. I get my primary group ID in both primary_gid and group_ids[0], as documented.
Comment 5 Chengwei Yang 2013-11-24 13:12:20 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > [PATCH] policy: check against primary group as well, not just auxiliary
> > groups (fd.o#30938)
> 
> Is this still wrong in 1.6.x? On what operating system?
> 
> As far as I can see, DBusUserInfo.group_ids is meant to be filled with all
> the groups (specifically including the primary GID), but fill_user_info() in
> dbus-sysdeps-unix.c omits the primary GID on the HAVE_GETGROUPLIST code
> path. I'd prefer to fix it in fill_user_info() rather than working around it
> elsewhere.

I see on the HAVE_GETGROUPLIST code path in fill_user_info() call getgrouplist(3) to fill user group list. Which does return the primary group as well auxiliary groups.
Comment 6 Simon McVittie 2014-09-23 14:47:27 UTC
(In reply to comment #3)
> Is this still wrong in 1.6.x? On what operating system?

Please answer, and preferably try the manual test that I attached.
Comment 7 GitLab Migration User 2018-10-12 21:07:18 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/dbus/dbus/issues/32.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.