cvs commit: src UPDATING (initgroups)
Brooks Davis
brooks at one-eyed-alien.net
Sun Dec 14 13:36:36 PST 2003
On Sun, Dec 14, 2003 at 05:10:29PM +0200, Diomidis Spinellis wrote:
> Robert Watson wrote:
> >On Sat, 13 Dec 2003, Brooks Davis wrote:
> >>A similar change is needed in 4.x or the change should be backed there.
> >>I think we should back it out (in stable) until the various users of
> >>initgroups are fixed to output something useful and, preferably, not
> >>exit when this happens. As it is, we turned an rarely hit edge case
> >>that was somewhat difficult to debug into a fatal error that that is
> >>about equally difficult to debug and breaks the account in question.
> >
> >Sigh. I agree. I didn't realize the MFC had happened, but sure enough,
> >it's change 1.3.8.2. I have somewhat mixed feelings: I feel strongly we
> >should generate an error and fail closed, but I also agree that the
> >transition period was too short (we should have a warning period on the
> >-STABLE branch), and that we need to do something about error handling.
> >I'm surprised more people haven't bumped into it, but I guess the MFC was
> >only a couple of days ago.
>
> I have checked all instances in our code where initgroups(3) is called.
> Appart from a single case, where the error value is silently
> propagated upward (openpam_borrow_cred), in all other cases the returned
> value is either checked and appropriately reported or ignored (see
> attached file). So, error handling is not a problem.
Error handling IS a problem. With a fairly standard configuration,
accounts with >16 groups can not log in at least under STABLE.
> The problem reported in current@ was probably through a call to
> setusercontext(3). The call should have generated a syslog message of
> the form:
> "initgroups(kjwolf, 1000): invalid argument"
> EINVAL is now appropriately documented in setgroups(2):
> "The number specified in the ngroups argument is larger than the NGROUPS
> limit."
> so again, the error should be visible in the hosts syslog.
I don't think a syslog message mentioning "invalid argument" is
sufficent in STABLE. We've turned accounts with a minor problem that
few people noticed into accounts that can't login. I don't think it's
reasionable to force admins to back trace from "invalid argument" to
EINVAL to a non-standard meaning listed in the function call manpage,
espeicaly since we could emit a useful error instead.
> Given that this type of error was silently ignored in the past (with
> group memberships more than NGROUPS being silently ignored), I agree
> that we might want to help users check their systems. The following
> script will check a typical group(5) file and report cases where
> setgroups would overflow.
>
> #!/bin/sh
> awk -F'[:,]' '
> { for (i = 4; i <= NF; i++) if (length($i)) g[$i]++; }
> END { for (u in g) if (g[u] > '`sysctl -n kern.ngroups`' - 2) print "Too
> many group memberships for user " u }
> ' /etc/group
>
> I suggest we add it in the corresponding UPDATING entry/entries.
This is insufficent. It would not have caught the case we saw at work
because the user got the extra groups from NIS.
-- Brooks
--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-src/attachments/20031214/b473dc76/attachment.bin
More information about the cvs-src
mailing list