cvs commit: src UPDATING (initgroups)

Diomidis Spinellis dds at aueb.gr
Sun Dec 14 14:55:25 PST 2003


Brooks Davis wrote:
[...]
> I don't think a syslog message mentioning "invalid argument" is
> sufficient in STABLE.  We've turned accounts with a minor problem that
> few people noticed into accounts that can't login.  I don't think it's
> reasonable to force admins to back trace from "invalid argument" to
> EINVAL to a non-standard meaning listed in the function call manpage,
> especially since we could emit a useful error instead.

Reinterpreting errno on a case-by-case basis as in

     if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
         if (errno == EINVAL)
             syslog(LOG_ERR, "initgroups(%s,%lu): too many groups",
                     pwd->pw_name, (u_long)pwd->pw_gid);
         else
             syslog(LOG_ERR, "initgroups(%s,%lu): %m", pwd->pw_name,
                     (u_long)pwd->pw_gid);

will introduce changes in 34 source code files (many of them contributed 
and not under our direct control), or result in a non-orthogonal 
treatment of this problem.  Interpreting the error message through the 
errno value and the associated manpage is EXACTLY what any competent 
Unix system administrator should be able and expected to do.

On the other hand, if non-working accounts cause a significant problem 
for a number of installations we could add a temporary fix to ignore the 
error and report the cause just in lib/libutil/login_class.c (which 
seems to cause the problem).  This could then be removed after a 
deprecation period (say six months):

     if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
         if (errno == EINVAL)
             syslog(LOG_ERR, "initgroups(%s,%lu): deprecated feature: "
                     "member of > NGROUPS error ignored",
                     pwd->pw_name, (u_long)pwd->pw_gid);
         else {
             syslog(LOG_ERR, "initgroups(%s,%lu): %m", pwd->pw_name,
                     (u_long)pwd->pw_gid);
             login_close(llc);
             return -1;
         }
     }

> On Sun, Dec 14, 2003 at 05:10:29PM +0200, Diomidis Spinellis wrote:
>>Given that this type of error was silently ignored in the past (with 
>>group memberships more than NGROUPS being silently ignored), I agree 
>>that we might want to help users check their systems.  The following 
>>script will check a typical group(5) file and report cases where 
>>setgroups would overflow.
>>
>>#!/bin/sh
>>awk -F'[:,]' '
>>{ for (i = 4; i <= NF; i++) if (length($i)) g[$i]++; }
>>END { for (u in g) if (g[u] > '`sysctl -n kern.ngroups`' - 2) print "Too many group memberships for user " u }
>>' /etc/group
>>
>>I suggest we add it in the corresponding UPDATING entry/entries.
> 
> 
> This is insufficient.  It would not have caught the case we saw at work
> because the user got the extra groups from NIS.

#!/bin/sh
(ypcat group 2>&1 ; cat /etc/group) |
awk -F'[:,]' '
{ for (i = 4; i <= NF; i++) if (length($i)) g[$i]++; }
END { for (u in g) if (g[u] > '`sysctl -n kern.ngroups`' - 2) print "Too many group memberships for user " u }'

Again, I am sure there will be cases that this script will not recognize.

Diomidis - dds@
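
Added example (not part of the original message or of the FreeBSD tree): a variant of the check above that counts each (gid, user) pair once, so a group present both in NIS and in /etc/group is not counted twice, and that skips lines that are not group(5) records. The function name check_group_overflow and the one-slot-per-gid rule are assumptions; the threshold is the one used in the message.

```shell
#!/bin/sh
# Added example, not from the thread. check_group_overflow is a hypothetical name.
# usage: check_group_overflow NGROUPS [group-file ...]   (reads stdin if no file)
# e.g.:  (ypcat group 2>/dev/null; cat /etc/group) |
#            check_group_overflow "$(sysctl -n kern.ngroups)"
check_group_overflow() {
    limit=$1; shift
    awk -F: -v limit="$limit" '
    # Skip comments, NIS compat markers (+/-), and anything that is not a
    # four-field group(5) record with a numeric gid (e.g. a ypcat error line).
    /^[#+-]/ || NF != 4 || $3 !~ /^[0-9]+$/ { next }
    {
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) {
            u = members[i]
            if (u == "" || (($3, u) in seen)) continue
            seen[$3, u] = 1     # assumption: one supplementary slot per gid
            count[u]++
        }
    }
    END {
        # Same threshold as the scripts in the message: count > ngroups - 2.
        for (u in count)
            if (count[u] > limit - 2)
                print "Too many group memberships for user " u " (" count[u] ")"
    }' "$@" | sort
}

# Constructed sample: staff (gid 20) appears twice, as it would when the same
# group is served by NIS and also present in /etc/group.
check_group_overflow 5 <<'EOF'
wheel:*:0:root,alice
staff:*:20:alice,bob
ops:*:30:alice
dev:*:40:alice,alice
staff:*:20:alice
ypcat: can't reach server
+:::
EOF
```

On the constructed sample alice holds four distinct gids; a count that did not collapse duplicates would see six entries for her.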


