getgrouplist: groups list too small on AIX / GID greater or equal LONG_MAX
Dear SSH developers,

Thank you for your valuable work!
I found the following issue with openssh Server on AIX:

Login to a sshd (OpenSSH_8.1p1, OpenSSL 1.0.2u 20 Dec 2019 (from the IBM download site)),
fails with "getgrouplist: groups list too small"
if user is member in a group with GID >= 2147483647 (LONG_MAX)
and sshd_conf contains a "match group ..." statement.
AIX version doesn't matter, tested on 7200-04-02-2028 and 7100-05-05-1937.

...
debug1: userauth-request for user winkel2 service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 456
debug3: checking match for 'group SFTPONLY' user winkel2 host 10.1.2.3 addr 10.1.2.3 laddr 10.1.2.3 lport 23
getgrouplist: groups list too small
debug1: do_cleanup
...

I assume that it happens because getgrouplist() in openssh-portable/openbsd-compat/port-aix.c
returns -1 if it finds a GID >= LONG_MAX.
The code in getgrouplist() in port-aix.c is still the same in the actual openssh version.
The issue doesn't happen with OpenSSH_7.5p1, OpenSSL 1.0.2t 10 Sep 2019 (also from the IBM download site).
I don't understand, why OpenSSH_7.5p1 is not affected even if it has the same code in getgrouplist().

Due to
https://www.ibm.com/docs/en/aix/7.2?topic=accounts-user-group-ids
https://www.ibm.com/docs/en/aix/7.2?topic=files-limitsh-file
AIX permits UIDs and GIDs up to 4294967295 (ULONG_MAX).



May I suggest to replace

l = strtol(grp, NULL, 10);
if (ngroups >= maxgroups || l == LONG_MIN || l == LONG_MAX) {

with

l = strtoll(grp, NULL, 10);
if (ngroups >= maxgroups || l < 0 || l > UID_MAX) {

in the port-aix.c file.



Thank you very much
Ralf Winkel




_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: getgrouplist: groups list too small on AIX / GID greater or equal LONG_MAX
On Wed, 16 Jun 2021 at 18:49, Winkel,Ralf <ralf.winkel@tui.com> wrote:

> I assume that it happens because getgrouplist() in
> openssh-portable/openbsd-compat/port-aix.c
> returns -1 if it finds a GID >= LONG_MAX.
> The code in getgrouplist() in port-aix.c is still the same in the actual
> openssh version.
> The issue doesn't happen with OpenSSH_7.5p1, OpenSSL 1.0.2t 10 Sep 2019
> (also from the IBM download site).
> I don't understand, why OpenSSH_7.5p1 is not affected even if it has the
> same code in getgrouplist().
>

Maybe the one without the problem was compiled 64bit?

$ grep -C1 LONG_MAX /usr/include/limits.h
#ifdef __64BIT__
#define LONG_MAX (9223372036854775807)

> AIX permits UIDs and GIDs up to 4294967295 (ULONG_MAX).
>

On my system it's UINT_MAX.

> May I suggest to replace
>
> l = strtol(grp, NULL, 10);
> if (ngroups >= maxgroups || l == LONG_MIN || l == LONG_MAX) {
>
> with
>
> l = strtoll(grp, NULL, 10);
> if (ngroups >= maxgroups || l < 0 || l > UID_MAX) {
>

I can see how that would explain it, although I have not been able to
reproduce it on my (ancient, 32bit) AIX system. I'll make the change you
suggest.

Thanks for the analysis and report.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
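
The 32-bit versus 64-bit behaviour discussed in this thread, as an added example that is not part of either message or of port-aix.c. The names parse_gid_list, rejects and GID_LIMIT, the long_bits switch and the comma-separated input are assumptions made for illustration; a 32-bit strtol() is emulated by saturating a strtoll() result so the code behaves the same on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed bound: the 4294967295 maximum quoted in the thread. */
#define GID_LIMIT 4294967295LL

/* Is one parsed value rejected? long_bits picks the width of "long" to
 * emulate, so the 32-bit behaviour is reproducible on any host. */
static int rejects(long long l, int long_bits, int proposed)
{
    if (proposed)                        /* strtoll() plus explicit range test */
        return l < 0 || l > GID_LIMIT;
    if (long_bits == 32) {               /* strtol() saturates at 2^31-1 */
        if (l > INT32_MAX) l = INT32_MAX;
        if (l < INT32_MIN) l = INT32_MIN;
        return l == INT32_MIN || l == INT32_MAX;
    }
    return l == INT64_MIN || l == INT64_MAX;    /* 64-bit long */
}

/* Parse a comma-separated GID list (format constructed for this example).
 * Returns the number of GIDs stored, or -1 on the first rejected entry. */
int parse_gid_list(const char *csv, uint32_t *gids, int max, int long_bits, int proposed)
{
    int n = 0;
    const char *p = csv;

    while (*p != '\0') {
        char *end;
        long long l = strtoll(p, &end, 10);
        /* Added strictness: a non-numeric token would otherwise parse as 0. */
        if (end == p || (*end != ',' && *end != '\0'))
            return -1;
        if (n >= max || rejects(l, long_bits, proposed))
            return -1;
        gids[n++] = (uint32_t)l;
        p = (*end == ',') ? end + 1 : end;
    }
    return n;
}

int main(void)
{
    uint32_t g[8];
    const char *csv = "1,204,2147483647";    /* constructed sample */
    printf("original check, 32-bit long: %d\n", parse_gid_list(csv, g, 8, 32, 0));
    printf("proposed check:              %d\n", parse_gid_list(csv, g, 8, 32, 1));
    return 0;
}
```

With the original comparison, a GID of exactly 2147483647 cannot be told apart from a saturated result when long is 32 bits, so the whole list is refused; parsing wide and range-testing afterwards accepts it.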