Now that CAN-2003-0689 is published officially, we need to make possible

to build on systems with fixed getgrouplist() in GNU libc < 2.3.2.
Unfortunately, we can't detect correctness of getgrouplist() functioning in
portable way so this is left up to developer/packager.

This patch adds --with-good-getgrouplist[=no] switch to configure which packagers
on Linux platforms could use to specify in their own builds if they now that glibc
on their platform is fixed w.r.t CAN-2003-0689. By default we still think that glibc
is vulnerable and perform our version check.

** This patch does not change default behaviour in Samba 3.0 -- by default we are not
vulnerable on glibc as we are not using getgrouplist()

See http://www.securityfocus.com/bid/8477 for vulnerability description.

Right now there are following Linux vendors released glibc updates for CAN-2003-0689:

RedHat -- https://rhn.redhat.com/errata/RHSA-2003-249.html
ALTLinux -- http://www.altlinux.com/index.php?module=sisyphus&package=glibc

diff --git a/source/configure.in b/source/configure.in
index a2e04b5d480a7dae30cf8dbfdc758bdd9b5cc9be..151411feb89a4228fb7af6b8f688623a27869149 100644 (file)
--- a/source/configure.in
+++ b/source/configure.in
@@ -883,8 +883,23 @@ AC_CHECK_FUNCS(open64 _open64 __open64 creat64)
 #
 case "$host_os" in
     *linux*)
-       # glibc <= 2.3.2 has a broken getgrouplist
-       AC_TRY_RUN([
+       # test if user trusts its own glibc version w.r.t. CAN-2003-0689
+       # Some vendors already provided glibc builds with this fix so getgrouplist() is usable 
+       # on those platforms. Unfortunately, we can't get this information from compiling yet.
+       AC_MSG_CHECKING([whether GNU libc has good getgrouplist w.r.t. CAN-2003-0689])
+       AC_ARG_WITH(good-getgrouplist,
+       [  --with-good-getgrouplist[=no]     whether GNU libc has good getgrouplist w.r.t. CAN-2003-0689 ],
+       [  case "$with_good_getgrouplist" in
+         yes)
+         AC_MSG_RESULT(yes)
+          AC_DEFINE(HAVE_GETGROUPLIST, 1, [Have good getgrouplist])
+         ;;
+         *)
+         AC_MSG_RESULT(no)
+         ;;
+         esac],
+# glibc <= 2.3.2 has a broken getgrouplist
+AC_TRY_RUN([
 #include <unistd.h>
 #include <sys/utsname.h>
 main() {
@@ -902,8 +917,12 @@ main() {
 }
 ], [linux_getgrouplist_ok=yes], [linux_getgrouplist_ok=no])
        if test x"$linux_getgrouplist_ok" = x"yes"; then
+          AC_MSG_RESULT(yes)
           AC_DEFINE(HAVE_GETGROUPLIST, 1, [Have good getgrouplist])
+       else
+          AC_MSG_RESULT(no)
        fi
+)
        ;;
     *)
        AC_CHECK_FUNCS(getgrouplist)