sys_setgroups in samba-3.3.X fails, cause a panic

Andrew Bartlett abartlet at
Thu Aug 6 23:33:36 MDT 2009

On Fri, 2009-08-07 at 11:19 +0800, Zhou Weikuan wrote:
> Hi All,
> Samba-3.3 updates source3/smbd/sec_ctx.c, checks the return value of sys_setgroups, panic if sys_setgroups fails. 

> Does anyone here like to help me understand what is the problem if we still follow the original way to handle failure of sys_setgroup? 
> Why is the failure so severe that we must panic instead of any other handlings. 
> Could we switch to other methods? For example, check the number of
> groups first, and if it exceeds the limit NGROUP_MAX, just truncate
> the groups and then call sys_setgroups? 

Truncation would open up security holes where a group is denied access to a file by an ACL.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list