Date: Fri, 12 Dec 2003 19:29:52 -0500 (EST)
From: Robert Watson <rwatson@freebsd.org>
To: Brooks Davis <brooks@one-eyed-alien.net>
Cc: Kris Kennaway <kris@obsecurity.org>
Subject: Re: [RC1] Login not possible
Message-ID: <Pine.NEB.3.96L.1031212192815.26485A-100000@fledge.watson.org>
In-Reply-To: <20031212224259.GA4959@Odin.AC.HMC.Edu>
On Fri, 12 Dec 2003, Brooks Davis wrote:

> > > Dec 12 21:37:24 golulu login: setusercontext() failed - exiting
> > >
> > > _With_ those lines in /etc/group, id gives:
> > >
> > > uid=1000(kjwolf) gid=20(staff) groups=20(staff), 0(wheel), 5(operator),
> > > 13(games), 68(dialer), 69(network), 100(users), 1000(kjwolf),
> > > 1200(wolf), 2000(wstaff), 2001(mm), 2002(develop), 2003(classifd),
> > > 2004(mirror), 2005(mirrors), 2006(sw)
> >
> > That's 18 groups..there might be a limit of 16 somewhere that is
> > causing login to have problems.
>
> A recent change to initgroups() changed the behavior of having too many
> groups from silent truncation to error which breaks login... One of our
> users at work ran into this. Fortunately, we were able to delete a
> number of groups for projects that never got cleaned up, but it was
> annoying and the error is extremely non-obvious.

FWIW, I think that failing here is the right thing to do (since otherwise
the kernel silently changes the access control rights of processes), but
that the failure error is a bit obscure. That said, the setusercontext()
API isn't really set up to provide more detailed error information, so
we'll need to expand the API. I wonder if it would make sense to modify
the pw/etc commands to generate warnings if they discover a user in too
many groups...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
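The check Robert floats at the end of the thread (a warning from pw(8)-style tooling when a user is in more groups than the kernel will install) can be prototyped offline. The program below is an added example, not code from the thread or from FreeBSD: it parses constructed /etc/group-style lines (name:password:gid:members), counts the distinct groups a user would hold after login (primary gid plus every group listing the user), and flags anyone over a limit. The limit of 16 is an assumption matching the NGROUPS_MAX the thread implies; the user names and gids are constructed to mirror the `id` output quoted above, with two extra groups so one user is over the limit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: 16 was FreeBSD's NGROUPS_MAX at the time of the thread;
 * adjust for the target system. */
#define GROUP_LIMIT 16
#define MAX_GROUPS 128
#define LINE_MAX_LEN 512

/* Constructed sample group file (not real data): name:password:gid:members */
static const char *sample_group_file[] = {
    "wheel:*:0:root,kjwolf",
    "operator:*:5:root,kjwolf",
    "games:*:13:kjwolf",
    "staff:*:20:",
    "dialer:*:68:kjwolf",
    "network:*:69:kjwolf",
    "users:*:100:kjwolf,alice",
    "kjwolf:*:1000:kjwolf",
    "alice:*:1001:",
    "wolf:*:1200:kjwolf",
    "wstaff:*:2000:kjwolf",
    "mm:*:2001:kjwolf",
    "develop:*:2002:kjwolf,alice",
    "classifd:*:2003:kjwolf",
    "mirror:*:2004:kjwolf",
    "mirrors:*:2005:kjwolf",
    "sw:*:2006:kjwolf",
    "backup:*:2007:kjwolf",
    "www:*:2008:kjwolf",
    NULL
};

/* Split one group line into gid and member list. Returns 0 on success,
 * -1 if the line lacks the four colon-separated fields. */
static int parse_group_line(const char *src, int *gid, char *members, size_t mlen) {
    const char *p1 = strchr(src, ':');
    const char *p2 = p1 ? strchr(p1 + 1, ':') : NULL;
    const char *p3 = p2 ? strchr(p2 + 1, ':') : NULL;
    if (!p3) return -1;
    *gid = atoi(p2 + 1);
    strncpy(members, p3 + 1, mlen - 1);
    members[mlen - 1] = '\0';
    return 0;
}

/* Return 1 if `user` appears in the comma-separated member list. */
static int member_of(const char *members, const char *user) {
    char buf[LINE_MAX_LEN];
    strncpy(buf, members, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","))
        if (strcmp(tok, user) == 0) return 1;
    return 0;
}

/* Count the distinct groups `user` would hold after login: the primary gid
 * from passwd plus every group that lists the user as a member, i.e. the
 * set initgroups() would try to install. Returns -1 on a malformed line. */
int count_user_groups(const char **lines, const char *user, int primary_gid) {
    int gids[MAX_GROUPS];
    int n = 0;
    gids[n++] = primary_gid;
    for (const char **lp = lines; *lp != NULL; lp++) {
        int gid;
        char members[LINE_MAX_LEN];
        if (parse_group_line(*lp, &gid, members, sizeof members) != 0) return -1;
        if (!member_of(members, user)) continue;
        int seen = 0;
        for (int i = 0; i < n; i++) if (gids[i] == gid) { seen = 1; break; }
        if (!seen && n < MAX_GROUPS) gids[n++] = gid;   /* dedupe primary gid */
    }
    return n;
}

/* The warning a pw-style tool could emit: 1 if over the limit, else 0. */
int exceeds_group_limit(const char **lines, const char *user, int primary_gid) {
    return count_user_groups(lines, user, primary_gid) > GROUP_LIMIT;
}

int main(void) {
    /* Constructed user -> primary gid pairs, as the passwd file would supply. */
    struct { const char *name; int gid; } users[] = {
        { "kjwolf", 20 }, { "alice", 1001 }, { "root", 0 }
    };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        int n = count_user_groups(sample_group_file, users[i].name, users[i].gid);
        printf("%-8s %2d groups%s\n", users[i].name, n,
               n > GROUP_LIMIT ? "  WARNING: over limit, login would fail" : "");
    }
    return 0;
}
```

Run against the constructed data, kjwolf resolves to 18 distinct groups and is flagged, while alice (3) and root (2, since wheel duplicates the primary gid) pass. Because the count is done on the group file rather than on a live process, the report surfaces the problem at administration time instead of as an opaque setusercontext() failure at login.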