[RC1] Login not possible
Robert Watson
rwatson at freebsd.org
Fri Dec 12 16:30:08 PST 2003
On Fri, 12 Dec 2003, Brooks Davis wrote:
> > > Dec 12 21:37:24 golulu login: setusercontext() failed - exiting
> > >
> > > _With_ those lines in /etc/group, id gives:
> > >
> > > uid=1000(kjwolf) gid=20(staff) groups=20(staff), 0(wheel), 5(operator),
> > > 13(games), 68(dialer), 69(network), 100(users), 1000(kjwolf),
> > > 1200(wolf), 2000(wstaff), 2001(mm), 2002(develop), 2003(classifd),
> > > 2004(mirror), 2005(mirrors), 2006(sw)
> >
> > That's 18 groups..there might be a limit of 16 somewhere that is
> > causing login to have problems.
>
> A recent change to initgroups() changed the behavior of having too many
> groups from silent truncation to error which breaks login... One of our
> users at work ran into this. Fortunately, we were able to delete a
> number of groups for projects that never go cleaned up, but it was
> annoying and the error in extremely non-obvious.
FWIW, I think that failing here is the right thing to do (since otherwise
the kernel silently changes the access control rights of processes), but
that the failure error is a bit obscure. That said, the setusercontext()
API isn't really set up to provide more detailed error information, so
we'll need to expand the API. I wonder if it would make sense to modify
the pw/etc commands to generate warnings if they discover a user in too
many groups...
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Senior Research Scientist, McAfee Research
More information about the freebsd-current
mailing list