Subject: Re: possible problem in getgrouplist (#groups > NGROUPS_MAX)
To: David Laight <david@l8s.co.uk>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-userlevel
Date: 05/01/2002 09:28:09
On Wed, 1 May 2002, David Laight wrote:

> On Tue, Apr 30, 2002 at 02:53:04PM -0700, Bill Studenmund wrote:
> > On Tue, 30 Apr 2002, Tim Bandy wrote:
> >
> > Not sure, but it actually doesn't sound like that bad a behavior. As
> > counter-intuitive as that may sound, what else should we do if someone is
> > in more than NGROUPS_MAX groups? Just pick a random 16 of them? By
> > returning -1, we indicate that there's a (big) problem.
> >
> > We probably should document this behavior though.
>
> Would it be sensible to set the first NGROUOS_MAX and report -1.
> Otherwise there could be a security problem
> (as opposed to a DoS problem)

How is it a security problem?

Oh, you're actually going to let someone log in when you can't represent
all of the groups s/he is in? If we can't set all of the groups someone is
in, we shouldn't let them it. Locking them out is a big red flag, and
strikes me as a much better thing than silently let him/her in and
truncate groups. A lock-out will get the problem fixed *now* whereas who
knows when silent truncation will get noticed.

Take care,

Bill