why is (gid_t)-1 treated as a group mapping failure?

James Peach jpeach at samba.org
Tue May 1 23:27:58 GMT 2007

Hi all,

There's a bunch of code sprinkled throughout the passdb layer(s) that  
asserts that -1 cannot be a valid ID. While this is often true, there  
is historical precedent for systems using -1 (and -2). Darwin still  
uses -1 for the group "nogroup", which maps to the SID S-1-0-0.

If I reference against the 3.0.10(!!) code, then -1 was still treated  
as invalid, but that seems to have been because nametogid() had no way  
to return an error. Is there a current justification for excluding -1?

For example, in pdb_default_delete_dom_group():

         if (!get_domain_group_from_sid(group_sid, &map)) {
                 DEBUG(10, ("Could not find group for rid %d\n", rid));
                 return NT_STATUS_NO_SUCH_GROUP;
         }

         /* We need the group name for the smb_delete_group later on */

         if (map.gid == (gid_t)-1) {
                 return NT_STATUS_NO_SUCH_GROUP;
         }

         grp = getgrgid(map.gid);
         if (grp == NULL) {
                 return NT_STATUS_NO_SUCH_GROUP;
         }

The check for -1 is superfluous because if get_domain_group_from_sid  
failed, it should return False, and if map.gid is invalid, getgrgid  
will fail.

James Peach | jpeach at samba.org
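
The argument in the post above, as an added C example (not part of the original message and not Samba code): when mapping failure is reported out of band, the extra `(gid_t)-1` test only changes the result for a group that really has that gid. The functions `map_for_sid`, `group_name_for_gid` and `resolve_group` are hypothetical stand-ins for `get_domain_group_from_sid()`, `getgrgid()` and the quoted caller, and both tables are constructed sample data.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample data, not taken from Samba or any real system. */
struct map_entry { const char *sid; gid_t gid; };
struct grp_entry { gid_t gid; const char *name; };

static const struct map_entry sample_map[] = {
    { "S-1-0-0", (gid_t)-1 },          /* "nogroup" on Darwin, per the post */
    { "S-1-5-21-1-2-3-513", 20 },      /* constructed: mapped, group exists */
    { "S-1-5-21-1-2-3-999", 4242 },    /* constructed: mapped, group missing */
};
static const struct grp_entry sample_groups[] = {
    { (gid_t)-1, "nogroup" }, { 20, "staff" },
};

/* Hypothetical stand-in for get_domain_group_from_sid(): failure is
 * reported as NULL, never through the value of the gid itself. */
static const struct map_entry *map_for_sid(const char *sid)
{
    for (size_t i = 0; i < sizeof(sample_map) / sizeof(sample_map[0]); i++)
        if (strcmp(sample_map[i].sid, sid) == 0)
            return &sample_map[i];
    return NULL;
}

/* Hypothetical stand-in for getgrgid(): NULL when the gid has no group. */
static const char *group_name_for_gid(gid_t gid)
{
    for (size_t i = 0; i < sizeof(sample_groups) / sizeof(sample_groups[0]); i++)
        if (sample_groups[i].gid == gid)
            return sample_groups[i].name;
    return NULL;
}

/* Returns the group name, or NULL for "no such group". */
const char *resolve_group(const char *sid, bool reject_minus_one)
{
    const struct map_entry *map = map_for_sid(sid);
    if (map == NULL)
        return NULL;                     /* mapping failure, out of band */
    if (reject_minus_one && map->gid == (gid_t)-1)
        return NULL;                     /* the in-band check the post questions */
    return group_name_for_gid(map->gid); /* a gid with no group fails here anyway */
}

/* Exit status 0 when S-1-0-0 resolves without the sentinel check. */
int main(void) { return resolve_group("S-1-0-0", false) ? 0 : 1; }
```

With `reject_minus_one` set, only the `S-1-0-0` lookup changes outcome; the unmapped SID and the mapped-but-missing gid fail either way.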
