Closed zdohnal closed 8 months ago
From the getgrouplist man page on my Mac:
RETURN VALUES
The getgrouplist() function returns 0 on success. If the size of the
group list is too small to hold all the user's groups, getgrouplist()
returns -1 to indicate failure. In this case, the group array will be
filled with as many groups as will fit.
OpenBSD's implementation seems to match macOS:
RETURN VALUES
The getgrouplist() function returns 0 if successful and -1 if the size of the group list is too small to hold all the user's groups. Here, the group array will be filled with as many groups as will fit.
But glibc's implementation is different:
RETURN VALUE
If the number of groups of which user is a member is less than or
equal to *ngroups, then the value *ngroups is returned.
If the user is a member of more than *ngroups groups, then
getgrouplist() returns -1. In this case, the value returned in
*ngroups can be used to resize the buffer passed to a further
call to getgrouplist().
The fact that you are seeing issues with 32 groups means we need to increase the size of that array, too.
> But glibc's implementation is different:
>
> RETURN VALUE
> If the number of groups of which user is a member is less than or equal to *ngroups, then the value *ngroups is returned. If the user is a member of more than *ngroups groups, then getgrouplist() returns -1. In this case, the value returned in *ngroups can be used to resize the buffer passed to a further call to getgrouplist().
>
> The fact that you are seeing issues with 32 groups means we need to increase the size of that array, too.
We can do that too for sure, but the issue was with the condition - the function probably returns 0 only when user would not be in any group (IMHO it is not possible, if the user exists, so it is not mentioned in man page), so it returned non-zero for my user (positive number of groups, since I'm not in more than 32 groups), so the execution got into the if scope and returned failure.
@michaelrsweet the message in the Changelog is incorrect - it was not an issue about the user being in more than 32 groups. Auth failed if the user was in any group (the function returned the number of groups he's in) with glibc.
$ groups zdohnal
zdohnal : zdohnal wheel libvirt wireshark mock
[v1.4.x cf6c821] Update the changelog for the getgrouplist fix.
According to the man pages, getgrouplist() always returns a non-zero number, so we have to handle only the case when the user is in more groups than we have a static array for. This happens when you run a PAPPL based printer application with -o auth-service=password-auth -o admin-group=wheel.
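The return-value difference discussed in this thread, as an added example that is not PAPPL's code: a membership check that treats only -1 as failure and grows the list when it is too small. The names `failed_if_nonzero`, `failed_if_negative`, `user_in_group` and `list_gid_t` are hypothetical, and the doubling fallback is an assumption for platforms whose man page does not promise a needed count in *ngroups.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes getgrouplist() in glibc's <grp.h> */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#ifdef __APPLE__
typedef int list_gid_t;            /* macOS declares the group list as int * */
#else
typedef gid_t list_gid_t;
#endif

/* The check discussed in the thread: any non-zero return is treated as failure. */
int failed_if_nonzero(int rc) { return rc != 0; }
/* Portable check: -1 is the failure value in all three man pages quoted above. */
int failed_if_negative(int rc) { return rc < 0; }

/* Returns 1 if `user` (primary group `primary`) is in `target`, 0 if not, -1 on error. */
int user_in_group(const char *user, gid_t primary, gid_t target)
{
    int cap = 32, found = -1;      /* 32 is only a starting size */
    list_gid_t *list = NULL, *tmp;

    for (int tries = 0; tries < 8 && found < 0; tries++) {
        if ((tmp = realloc(list, (size_t)cap * sizeof(*list))) == NULL)
            break;
        list = tmp;
        int n = cap;               /* in: capacity, out: number of groups */
        if (!failed_if_negative(getgrouplist(user, (list_gid_t)primary, list, &n))) {
            found = 0;
            for (int i = 0; i < n; i++)
                if ((gid_t)list[i] == target)
                    found = 1;
        } else {
            /* glibc stores the needed count in n; otherwise just double. */
            cap = n > cap ? n : cap * 2;
        }
    }
    free(list);
    return found;
}

int main(void)
{
    printf("root in gid 0: %d\n", user_in_group("root", 0, 0));
    return 0;
}
```

Returning -1 on error lets the caller deny access when the lookup itself fails, instead of treating an unreadable group list as "not a member" or, worse, as success.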