Subject: Re: possible problem in getgrouplist (#groups > NGROUPS_MAX)
To: Bill Studenmund <wrstuden@netbsd.org>
From: Nathan J. Williams <nathanw@wasabisystems.com>
List: tech-userlevel
Date: 05/01/2002 13:33:00
Bill Studenmund <wrstuden@netbsd.org> writes:
> Oh, you're actually going to let someone log in when you can't represent
> all of the groups s/he is in? If we can't set all of the groups someone is
> in, we shouldn't let them in. Locking them out is a big red flag, and
> strikes me as a much better thing than silently let him/her in and
> truncate groups. A lock-out will get the problem fixed *now* whereas who
> knows when silent truncation will get noticed.
The login system for MIT Athena often encounters this situation, and
it used to issue the diagnostic message:
"Warning: You are in too many groups. Some of them will be ignored."
This tended to happen because Athena has a central list-management
system, which is used for both mailing lists and ACLs, including
filesystem ACLs, and mailing lists often got the "this is also a
filesystem ACL" bit set when they didn't really need it.
We eventually got rid of the error because it usually didn't represent
a problem, but the message tended to generate questions from
users. (It didn't usually affect anybody because the local grouplist
was only used for NFS "authentication", and Athena had almost entirely
managed to get rid of shared, authenticated NFS file service).
The phrase of the warning message, though, lives on as a great way to
describe life in general...
- Nathan