Doing away with NGROUPS_MAX in src/sys/sys/syslimits.h?

Boris Kochergin spawk at acm.poly.edu
Mon Mar 23 09:24:44 PDT 2009 

n0g0013 wrote:
> On 23.03-10:20, Boris Kochergin wrote:
> [ ... ]
>   
>> Well, bumping it does get rid of messages like:
>>
>> Mar 22 20:44:26 hydrogen sshd[96152]: getgrouplist: groups list too small
>> Mar 22 20:44:26 hydrogen sshd[96152]: fatal: initgroups: [user]: Invalid 
>> argument
>>     
>
> yes, that's great but you may be surprised to learn that it doesn't
> actually solve your problem.  i think (and without looking
> specifically at the impact my even be confident enough to say
> definately) if you get a groups list it will only be cropped and the
> error message is being erroneously avoided, not corrected.  i'd also
> suggest that you may be opening up your system to some overflows
> although, generally, the code sections use the same limits and so
> you might get away with it.
>
> [ ... ]
>   
>> I'd love to see a resolution to this other than having to recompile the 
>> kernel. Let me know if I can help things along somehow.
>>     
>
> if you can grab my patch, confirm it builds for you and that it doesn't
> crash your system , that would be a big help.  unfortunately i was
> going to test it on my xen box only to discover that it doesn't work
> with amd64 yet.  i'm currently coding blind and am not a good
> programmer so this is bad[tm].
>
> if you can do this and are happy to run a few further tests after that
> then i'll be sure to put some heat under the rest of the process and
> get the group limits removed correctly.
>
>   
On my 7.0 system, and a kernel recompiled with NGROUPS_MAX set to 64, a 
getgrouplist() call for a user who is in more than 16 groups (24, to be 
exact) will populate the array specified by the "gid_t *groups" argument 
with the 24 groups the user is in, in addition to the group specified in 
the "gid_t basegid" argument. The value of the variable specified in the 
"int *ngroups" will also be 25, and the getgrouplist() call will return 
0. So, as far as being a hack for a specific problem, it seems to work 
properly.

Sure, I'll test the patch. Can you point me at it?

-Boris

More information about the freebsd-hackers mailing list