Date: Mon, 15 Dec 2003 19:51:18 +0200
From: Diomidis Spinellis <dds@aueb.gr>
To: Robert Watson <rwatson@freebsd.org>
Cc: cvs-all@freebsd.org
Subject: Re: cvs commit: src UPDATING (initgroups)
Message-ID: <3FDDF496.8090507@aueb.gr>
In-Reply-To: <Pine.NEB.3.96L.1031215102002.89260A-100000@fledge.watson.org>
References: <Pine.NEB.3.96L.1031215102002.89260A-100000@fledge.watson.org>

Robert Watson wrote:
> I assume there's not time to change the behavior of 5.2 even to log, but
> we might want to see if there's a simple one-line change that will cover
> 90% of the interesting cases -- i.e., add a two-line change to
> setusercontext() so that it syslogs over the problem if it happens,
> without changing behavior.

Logging was done by default, but the log message (Invalid argument) can
be considered obscure.  The change for a better syslog entry (to be
added in 5.2) would be to modify lib/libutil/login_class.c as follows:

    if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
        if (errno == EINVAL)
            syslog(LOG_ERR, "initgroups(%s,%lu): user group membership limit (NGROUPS) exceeded",
                pwd->pw_name, (u_long)pwd->pw_gid);
        else
            syslog(LOG_ERR, "initgroups(%s,%lu): %m",
                pwd->pw_name, (u_long)pwd->pw_gid);

On STABLE we need to decide whether we make the change completely
configurable as in

    #define IGNORE_NGROUP_OVERFLOW /* group membership > NGROUPS is silently ignored */

or we add only a special case in the login procedure by patching
lib/libutil/login_class.c.  This would still leave the change visible to
other applications like daemons.  I propose to avoid the special
login_class.c case and have the old behaviour be the default
configuration for all uses of initgroups.

Diomidis - dds@
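
Added example, not part of the original message and not FreeBSD libutil code: a small audit check that counts the groups initgroups() would try to set for an account, so accounts that would take the EINVAL path discussed above can be found before a login fails. The helper names count_user_groups() and ngroups_overflow(), the default account "root", and the use of sysconf(_SC_NGROUPS_MAX) as the limit are assumptions of this example.

```c
#define _DEFAULT_SOURCE            /* glibc: expose getgrouplist() */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Count the groups initgroups(user, basegid) would try to set: basegid
 * plus every group that lists the user. Returns -1 on failure. */
static int count_user_groups(const char *user, gid_t basegid)
{
    int cap = 16;
    for (;;) {
        gid_t *buf = malloc((size_t)cap * sizeof(*buf));
        int n = cap, rc;
        if (buf == NULL) return -1;
        rc = getgrouplist(user, basegid, buf, &n);
        free(buf);
        if (rc != -1) return n;
        /* Buffer too small: use the reported count if given, else double. */
        cap = (n > cap) ? n : cap * 2;
        if (cap > (1 << 20)) return -1;
    }
}

/* 1 if the account exceeds limit, 0 if it fits, -1 on error. */
static int ngroups_overflow(const char *user, gid_t basegid, long limit)
{
    int n = count_user_groups(user, basegid);
    return n < 0 ? -1 : (n > limit);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";   /* assumed sample account */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { fprintf(stderr, "%s: no such user\n", user); return 2; }
    long limit = sysconf(_SC_NGROUPS_MAX);            /* assumed to match the kernel limit */
    printf("%s: %d groups, limit %ld\n", user, count_user_groups(user, pw->pw_gid), limit);
    return ngroups_overflow(user, pw->pw_gid, limit) == 1;
}
```

Run it per account from a periodic audit job; exit status 1 marks an account whose membership count is over the limit.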