sys_setgroups in samba-3.3.X fails, cause a panic

Andrew Bartlett abartlet at samba.org
Thu Aug 6 23:33:36 MDT 2009


On Fri, 2009-08-07 at 11:19 +0800, Zhou Weikuan wrote:
> Hi All,
> Samba-3.3 updates source3/smbd/sec_ctx.c to check the return value of sys_setgroups, and panics if sys_setgroups fails.

> Would anyone here like to help me understand what the problem is if we still follow the original way of handling a failure of sys_setgroups?
> Why is the failure so severe that we must panic instead of handling it some other way?
> Could we switch to other methods? For example, check the number of
> groups first, and if it exceeds the limit NGROUP_MAX, just truncate
> the groups and then call sys_setgroups? 

Truncation would open up security holes where a group is denied access to a file by an ACL.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
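
The point made in the reply above, as an added example (not part of the original message and not Samba code): a toy ordered-ACL check in which truncating the group list drops the group named by a deny entry, so a denial becomes an allow. The ACL model, function names, gids and the limit of 2 standing in for the platform's group limit are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model, not Samba code: an ordered ACL whose entries each name one group. */
enum ace_type { ACE_DENY, ACE_ALLOW };
struct ace { enum ace_type type; unsigned gid; };

/* First ACE matching any of the caller's groups decides; no match means deny. */
bool access_allowed(const struct ace *acl, size_t nace,
                    const unsigned *groups, size_t ngroups)
{
    for (size_t i = 0; i < nace; i++)
        for (size_t j = 0; j < ngroups; j++)
            if (groups[j] == acl[i].gid)
                return acl[i].type == ACE_ALLOW;
    return false;
}

/* The proposal from the thread: silently cut the list down to the limit. */
bool check_truncating(const struct ace *acl, size_t nace,
                      const unsigned *groups, size_t ngroups, size_t limit)
{
    if (ngroups > limit)
        ngroups = limit; /* memberships past the limit vanish */
    return access_allowed(acl, nace, groups, ngroups);
}

/* Fail closed: -1 = refuse to build the context, else 1/0 = allowed/denied. */
int check_fail_closed(const struct ace *acl, size_t nace,
                      const unsigned *groups, size_t ngroups, size_t limit)
{
    if (ngroups > limit)
        return -1;
    return access_allowed(acl, nace, groups, ngroups) ? 1 : 0;
}

/* Constructed sample: gid 300 is denied by the ACL, gid 100 is allowed. */
const struct ace sample_acl[] = { { ACE_DENY, 300 }, { ACE_ALLOW, 100 } };
const unsigned sample_groups[] = { 100, 200, 300 };

int main(void)
{
    printf("full=%d truncated=%d fail_closed=%d\n",
           access_allowed(sample_acl, 2, sample_groups, 3),
           check_truncating(sample_acl, 2, sample_groups, 3, 2),
           check_fail_closed(sample_acl, 2, sample_groups, 3, 2));
    return 0;
}
```

With the full group list the deny entry matches and access is refused; after truncation to two groups the same user is allowed, which is the outcome the fail-closed variant prevents by refusing to proceed.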