Med: daemons: Fix user/group checking in based.

This fixes a bug introduced by bcc7c90.  The group members returned
by getgrnam will only include those users that are listed in /etc/group
for that group.  It won't include any users for which a group is their
primary.

In other words, if this is what's in /etc/passwd:

    hacluster:x:189:189:cluster user:/var/lib/pacemaker:/sbin/nologin

And this is what's in /etc/group:

    haclient:x:189:

Then getgrnam will not list hacluster as a member of the haclient group
and is_daemon_group_member will return false.  We need to re-introduce
the primary group check to fix this.

Author: clumens

daemons/based/based_remote.c

@@ -95,14 +95,36 @@ remote_auth_timeout_cb(gpointer data)
 static bool
 is_daemon_group_member(const char *user)
 {
-    const struct group *group = getgrnam(CRM_DAEMON_GROUP);
+    int rc = pcmk_rc_ok;
+    gid_t gid = 0;
+    const struct group *group = NULL;
 
+    /* group->gr_mem only contains those users that are listed in /etc/group.
+     * It won't list the user if the group is their primary (that is, it's in
+     * the GID field in /etc/passwd (or passwd->pw_gid as returned by getpwent).
+     * So, we first need to perform a primary group check.
+     */
+    rc = pcmk__lookup_user(user, NULL, &gid);
+    if (rc != pcmk_rc_ok) {
+        pcmk__notice("Rejecting remote client: could not find user '%s': %s",
+                     user, pcmk_rc_str(rc));
+        return false;
+    }
+
+    group = getgrnam(CRM_DAEMON_GROUP);
     if (group == NULL) {
         pcmk__err("Rejecting remote client: " CRM_DAEMON_GROUP " is not a "
                   "valid group");
         return false;
     }
 
+    if (group->gr_gid == gid) {
+        return true;
+    }
+
+    /* If that didn't work, check if CRM_DAEMON_GROUP is a secondary group for
+     * the user.
+     */
     for (const char *const *member = (const char *const *) group->gr_mem;
          *member != NULL; member++) {