cvs commit: src UPDATING (initgroups)
Diomidis Spinellis
dds at aueb.gr
Sun Dec 14 14:55:25 PST 2003
Brooks Davis wrote:
[...]
> I don't think a syslog message mentioning "invalid argument" is
> sufficient in STABLE. We've turned accounts with a minor problem that
> few people noticed into accounts that can't login. I don't think it's
> reasonable to force admins to back trace from "invalid argument" to
> EINVAL to a non-standard meaning listed in the function call manpage,
> especially since we could emit a useful error instead.
Reinterpreting errno on a case-by-case basis as in

    if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
        if (errno == EINVAL)
            syslog(LOG_ERR, "initgroups(%s,%lu): too many groups",
                pwd->pw_name, (u_long)pwd->pw_gid);
        else
            syslog(LOG_ERR, "initgroups(%s,%lu): %m", pwd->pw_name,
                (u_long)pwd->pw_gid);
    }

will introduce changes in 34 source code files (many of them contributed
and not under our direct control), or result in a non-orthogonal
treatment of this problem. Interpreting the error message through the
errno value and the associated manpage is EXACTLY what any competent
Unix system administrator should be able and expected to do.
On the other hand, if non-working accounts cause a significant problem
for a number of installations we could add a temporary fix to ignore the
error and report the cause just in lib/libutil/login_class.c (which
seems to cause the problem). This could then be removed after a
deprecation period (say six months):

    if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
        if (errno == EINVAL)
            syslog(LOG_ERR, "initgroups(%s,%lu): deprecated feature: "
                "member of > NGROUPS error ignored", pwd->pw_name,
                (u_long)pwd->pw_gid);
        else {
            syslog(LOG_ERR, "initgroups(%s,%lu): %m", pwd->pw_name,
                (u_long)pwd->pw_gid);
            login_close(llc);
            return -1;
        }
    }

> On Sun, Dec 14, 2003 at 05:10:29PM +0200, Diomidis Spinellis wrote:
>>Given that this type of error was silently ignored in the past (with
>>group memberships more than NGROUPS being silently ignored), I agree
>>that we might want to help users check their systems. The following
>>script will check a typical group(5) file and report cases where
>>setgroups would overflow.
>>
>>#!/bin/sh
>>awk -F'[:,]' '
>>{ for (i = 4; i <= NF; i++) if (length($i)) g[$i]++; }
>>END { for (u in g) if (g[u] > '`sysctl -n kern.ngroups`' - 2) print "Too many group memberships for user " u }
>>' /etc/group
>>
>>I suggest we add it in the corresponding UPDATING entry/entries.
>
>
> This is insufficient. It would not have caught the case we saw at work
> because the user got the extra groups from NIS.
#!/bin/sh
(ypcat group 2>&1 ; cat /etc/group) |
awk -F'[:,]' '
{ for (i = 4; i <= NF; i++) if (length($i)) g[$i]++; }
END { for (u in g) if (g[u] > '`sysctl -n kern.ngroups`' - 2) print "Too many group memberships for user " u }'
Again, I am sure there will be cases that this script will not recognize.
Diomidis - dds@
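
Added example, not part of the original message or of FreeBSD: a variant of the membership check above that goes beyond the posted scripts by counting each (user, gid) pair only once, so a group present in both /etc/group and an NIS map is not double counted, and by including the primary gid from passwd(5). The names check_ngroups and demo, the sample accounts, and the limit of 3 are assumptions made for illustration.

```sh
#!/bin/sh
# check_ngroups LIMIT GROUP_FILE PASSWD_FILE  (hypothetical helper, added example)
# Prints "user count" for each user whose distinct group memberships
# (primary gid from passwd plus member-list entries) exceed LIMIT.
check_ngroups() {
    awk -F: -v limit="$1" -v pw="$3" '
        # Count a (user, gid) pair once, however many sources repeat it.
        function add(u, gid) {
            if (!((u, gid) in seen)) { seen[u, gid] = 1; count[u]++ }
        }
        /^[+#-]/ || NF < 4 { next }            # skip comments and +/- compat lines
        FILENAME == pw { add($1, $4); next }   # passwd(5): name, primary gid
        {                                      # group(5): gid is $3, members $4
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (length(m[i])) add(m[i], $3)
        }
        END { for (u in count) if (count[u] > limit) print u, count[u] }
    ' "$3" "$2" | sort
}

# Constructed sample data: alice is listed twice in "ops" (as happens when a
# local file and an NIS map overlap) and again in her own primary group.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'alice:*:1001:100::/home/alice:/bin/sh' \
                  'bob:*:1002:100::/home/bob:/bin/sh' > "$d/passwd"
    printf '%s\n' '# constructed' 'users:*:100:alice' 'wheel:*:0:root,alice' \
                  'ops:*:20:alice,bob' 'ops:*:20:alice' 'dev:*:30:alice' > "$d/group"
    check_ngroups "$1" "$d/group" "$d/passwd"
    rm -rf "$d"
}

demo 3    # limit of 3 chosen only to make the constructed sample trip
```

On a live system the limit would be derived from `sysctl -n kern.ngroups` (the scripts above subtract 2), and the group file would be a concatenation of /etc/group and the output of `ypcat group`.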