allow switching to secondary group without checking the membership

(patch from upstream)

shadow-4.1.5.1-newgrp-grouplist.patch

@@ -0,0 +1,70 @@
+diff -up shadow-4.1.5.1/src/newgrp.c.grouplist shadow-4.1.5.1/src/newgrp.c
+--- shadow-4.1.5.1/src/newgrp.c.grouplist	2016-06-28 10:23:46.686334213 +0200
++++ shadow-4.1.5.1/src/newgrp.c	2017-08-14 10:26:58.300757328 +0200
+@@ -382,6 +382,7 @@ int main (int argc, char **argv)
+ {
+ 	bool initflag = false;
+ 	int i;
++	bool is_member = false;
+ 	bool cflag = false;
+ 	int err = 0;
+ 	gid_t gid;
+@@ -631,22 +632,36 @@ int main (int argc, char **argv)
+ 		goto failure;
+ 	}
+ 
++#ifdef HAVE_SETGROUPS
++	/* when using pam_group, she will not be listed in the groups
++	 * database. However getgroups() will return the group. So
++	 * if she is listed there already it is ok to grant membership.
++	 */
++	for (i = 0; i < ngroups; i++) {
++		if (grp->gr_gid == grouplist[i]) {
++			is_member = true;
++			break;
++		}
++	}
++#endif                          /* HAVE_SETGROUPS */
+ 	/*
+ 	 * For splitted groups (due to limitations of NIS), check all 
+ 	 * groups of the same GID like the requested group for
+ 	 * membership of the current user.
+ 	 */
+-	grp = find_matching_group (name, grp);
+-	if (NULL == grp) {
+-		/*
+-		 * No matching group found. As we already know that
+-		 * the group exists, this happens only in the case
+-		 * of a requested group where the user is not member.
+-		 *
+-		 * Re-read the group entry for further processing.
+-		 */
+-		grp = xgetgrnam (group);
+-		assert (NULL != grp);
++	if (!is_member) {
++		grp = find_matching_group (name, grp);
++		if (NULL == grp) {
++			/*
++			 * No matching group found. As we already know that
++			 * the group exists, this happens only in the case
++			 * of a requested group where the user is not member.
++			 *
++			 * Re-read the group entry for further processing.
++			 */
++			grp = xgetgrnam (group);
++			assert (NULL != grp);
++		}
+ 	}
+ #ifdef SHADOWGRP
+ 	sgrp = getsgnam (group);
+@@ -659,7 +674,9 @@ int main (int argc, char **argv)
+ 	/*
+ 	 * Check if the user is allowed to access this group.
+ 	 */
+-	check_perms (grp, pwd, group);
++	if (!is_member) {
++		check_perms (grp, pwd, group);
++	}
+ 
+ 	/*
+ 	 * all successful validations pass through this point. The group id

shadow-utils.spec

@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@@ -28,6 +28,7 @@ Patch23: shadow-4.5-usermod-unlock.patch
 Patch24: shadow-4.2.1-no-lock-dos.patch
 Patch28: shadow-4.3.1-selinux-perms.patch
 Patch29: shadow-4.2.1-null-tm.patch
+Patch30: shadow-4.1.5.1-newgrp-grouplist.patch
 
 License: BSD and GPLv2+
 Group: System Environment/Base
@@ -76,6 +77,7 @@ are used for managing group accounts.
 %patch24 -p1 -b .no-lock-dos
 %patch28 -p1 -b .selinux-perms
 %patch29 -p1 -b .null-tm
+%patch30 -p1 -b .grouplist
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -232,6 +234,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Mon Aug 14 2017 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-4
+- allow switching to secondary group without checking the membership
+  explicitly (patch from upstream)
+
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.5-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild