Subject: Re: possible problem in getgrouplist (#groups > NGROUPS_MAX)
To: David Laight <david@l8s.co.uk>
From: Tim Bandy <bandy@timn8r.org>
List: tech-userlevel
Date: 05/01/2002 09:56:20
>>>>> "David" == David Laight <david@l8s.co.uk> writes:
David> On Tue, Apr 30, 2002 at 02:53:04PM -0700, Bill Studenmund
David> wrote:
>> On Tue, 30 Apr 2002, Tim Bandy wrote:
>>
>> > I created a test account, and added that test account to more than
>> > NGROUPS_MAX groups, which is 16. This seems to cause initgroups to
>> > return -1, which causes problems for (at least) both sshd and
>> > telnetd. Is this intended behavior? If not, I believe that I have
>> > found (at least part of) the problem in getgrouplist.c, and can
>> > send-pr.
>>
>> Not sure, but it actually doesn't sound like that bad a
>> behavior. As counter-intuitive as that may sound, what else
>> should we do if someone is in more than NGROUPS_MAX groups?
>> Just pick a random 16 of them? By returning -1, we indicate
>> that there's a (big) problem.
>>
>> We probably should document this behavior though.
David> Would it be sensible to set the first NGROUPS_MAX and
David> report -1? Otherwise there could be a security problem (as
David> opposed to a DoS problem).
That makes sense to me. It would seem to be more reasonable to me to
set as many groups as possible, then return a non-fatal error. As to
the question of which groups to pick, I think that just using getgrent
is entirely reasonable. One could then use newgrp (which doesn't
exist, I know) to change groups to any which are not set by
initgroups.

As Bill stated, this does seem counter-intuitive to me, so if there's
a good reason for doing this, please let me know what it is. I
disagree that being in more groups than NGROUPS_MAX is a big problem.
If there is a good reason, could the manpage for initgroups and
getgroups be updated to reflect this behavior?
--
Tim Bandy (bandy@timn8r.org)
Thank goodness modern convenience is a thing of the remote future.
-- Pogo, by Walt Kelly
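
The behaviour proposed in this thread (fill the group list up to the limit, then signal a non-fatal error so the caller can decide what to do), sketched as an added example that is not part of the original message and is not NetBSD's getgrouplist.c. `demo_getgrouplist`, `struct demo_group`, `demo_run` and the group table are hypothetical and constructed; having `*ngroups` return the number of gids stored is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#define DEMO_NGROUPS_MAX 16 /* the limit quoted in the thread */

/* Constructed stand-in for one group database entry (not a system struct). */
struct demo_group {
    gid_t gid;
    const char *members[3]; /* NULL-terminated member names */
};

/* Hypothetical helper: store as many gids as fit in groups[], set *ngroups
 * to the number stored, return -1 if any membership was dropped, else 0. */
static int demo_getgrouplist(const char *user, gid_t basegid,
    const struct demo_group *tab, int ntab, gid_t *groups, int *ngroups)
{
    int max = *ngroups, n = 0, ret = 0;
    if (n < max) groups[n++] = basegid; else ret = -1;
    for (int i = 0; i < ntab; i++) {
        if (tab[i].gid == basegid) continue;       /* already stored */
        for (int j = 0; j < 3 && tab[i].members[j] != NULL; j++) {
            if (strcmp(tab[i].members[j], user) != 0) continue;
            if (n < max) groups[n++] = tab[i].gid; else ret = -1;
            break;                                 /* one match per group */
        }
    }
    *ngroups = n;
    return ret;
}

/* Constructed table: "test" (primary gid 100) is in the first nmember of 32 groups. */
static int demo_run(int nmember, int *stored)
{
    struct demo_group tab[32];
    gid_t groups[DEMO_NGROUPS_MAX];
    for (int i = 0; i < 32; i++)
        tab[i] = (struct demo_group){ (gid_t)(1000 + i),
            { "root", i < nmember ? "test" : NULL, NULL } };
    *stored = DEMO_NGROUPS_MAX;
    return demo_getgrouplist("test", 100, tab, 32, groups, stored);
}

int main(void)
{
    int stored, ret = demo_run(20, &stored);
    /* -1 with stored > 0 means "truncated": the list is usable but incomplete. */
    printf("ret=%d stored=%d of %d\n", ret, stored, DEMO_NGROUPS_MAX);
    return 0;
}
```

A caller such as a login daemon can then distinguish a truncated list from a hard failure and choose between proceeding with the partial list and refusing the login.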