We still need to clamp ngids if getgrouplist2() returns -1.

Otherwise, we end up with ngids set to the number of gids the user belongs to which may be larger than what the front-end specified. Fixes a regression introduced in the last commit here.
sudo-project · Aug 15, 2023 · cb01b90 · cb01b90
1 parent f17aebe
commit cb01b90
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/plugins/sudoers/pwutil_impl.c b/plugins/sudoers/pwutil_impl.c
@@ -307,8 +307,9 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
 		    "unable to allocate memory");
 		debug_return_ptr(NULL);
 	    }
-	    /* getgrouplist2() returns failure if it can't store all groups. */
-	    (void)PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids);
+	    /* Clamp to max_groups if insufficient space for all groups. */
+	    if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1)
+		ngids = sudo_pwutil_get_max_groups();
 	} else {
 	    gids = NULL;
 	    if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1) {