vmihalko / t2_polkit


Group-based authorization lookup fail when having more than 512 groups #160

Open vmihalko opened 3 years ago

vmihalko commented 3 years ago

In GitLab by @jeremie.laval on Sep 23, 2021, 14:08

There is a (long standing, as it seems) bug with polkit authorization checks based on user-group: (or the equivalent JS-based check), in that the system is hardcoded to only look up up to 512 groups for a user: https://gitlab.freedesktop.org/polkit/polkit/-/blob/master/src/polkitbackend/polkitbackendjsauthority.cpp#L833-844

It seems to use the return value of getgrouplist incorrectly in this case, since, from what I gather of the man page, a negative value (or rather -1) returned by that call is not necessarily indicative of an error, as the current logic assumes, but instead an indication that a bigger buffer array needs to be provided, as there are more groups to be returned.

We are seeing this problem internally, where, because of our LDAP setup, it's not uncommon for more than 512 unique groups to be assigned to a user, and when they cross that threshold our policy configuration fails.
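The getgrouplist(3) contract the comment above describes, as an added example that is not polkit's code: on -1 the call writes the required size back through `ngroups`, so the caller should grow the buffer and retry rather than treat a user with more than 512 groups as an authorization failure. The `grouplist_fn` indirection and `fake_getgrouplist` (a constructed user with 600 groups) are assumptions added so the loop can be exercised without a real LDAP account of that size.

```c
/* Added example (not from polkit): a getgrouplist(3) caller that grows its
 * buffer on -1 instead of treating it as an error. The function pointer and
 * the fake lookup below are assumptions so the loop is testable offline. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>

typedef int (*grouplist_fn)(const char *, gid_t, gid_t *, int *);

/* Resolve every group of `user` via `fn` (normally getgrouplist).
 * Returns the group count with a malloc'd array in *out, or -1 on
 * allocation failure. A -1 from fn means "buffer too small": *ngroups
 * then holds the required size, so retry with that size. */
int collect_groups(grouplist_fn fn, const char *user, gid_t primary, gid_t **out)
{
    int ngroups = 512;              /* the original hard-coded size, now only a start */
    gid_t *buf = NULL;
    for (;;) {
        gid_t *tmp = realloc(buf, (size_t)ngroups * sizeof *buf);
        if (tmp == NULL) { free(buf); return -1; }
        buf = tmp;
        int want = ngroups;
        if (fn(user, primary, buf, &want) != -1) { *out = buf; return want; }
        if (want <= ngroups) want = ngroups * 2;   /* defensive: always grow */
        if (want > (1 << 20)) { free(buf); return -1; }  /* sanity bound */
        ngroups = want;
    }
}

/* Constructed stand-in for getgrouplist: a user in FAKE_NGROUPS groups
 * (gid 1000+i), following the same -1 / *ngroups contract as the real call. */
#define FAKE_NGROUPS 600
int fake_getgrouplist(const char *user, gid_t primary, gid_t *groups, int *ngroups)
{
    (void)user; (void)primary;
    int avail = *ngroups;
    *ngroups = FAKE_NGROUPS;
    if (avail < FAKE_NGROUPS) return -1;
    for (int i = 0; i < FAKE_NGROUPS; i++) groups[i] = 1000 + (gid_t)i;
    return FAKE_NGROUPS;
}

/* Runs the retry loop against the fake; returns the count on success, -1 otherwise. */
int demo_fake(void)
{
    gid_t *g = NULL;
    int n = collect_groups(fake_getgrouplist, "constructed-user", 1000, &g);
    int ok = n == FAKE_NGROUPS && g[0] == 1000 && g[n - 1] == 1000 + FAKE_NGROUPS - 1;
    free(g);
    return ok ? n : -1;
}
```

Swapping `fake_getgrouplist` for `getgrouplist` and a name from getpwnam(3) runs the same loop against the real NSS/LDAP configuration.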

vmihalko commented 2 years ago

In GitLab by @yrro on Feb 3, 2022, 12:56

Duplicate of #43?

vmihalko commented 2 years ago

In GitLab by @jeremie.laval on Feb 3, 2022, 16:18

Indeed. Feel free to close as duplicate; the other issue seems to be pointing out the right underlying problem as well.