How much should we work around buggy Solaris/OpenIndiana/Illumos > 16 groups bugs?

Andrew Bartlett abartlet at
Sun Jun 9 16:54:46 MDT 2013

On Sun, 2013-06-09 at 21:14 +0200, Björn Jacke wrote:
> On 2013-06-08 at 13:49 +1000 Andrew Bartlett sent off:
> > I've uploaded to the
> > attached two patches that will help some sites that can't fix their OS,
> > but need more than 16 groups. 
> > 
> > Given that a number of sites seem to deploy this, and there has been no
> > reaction on the Illumos side indicating a desire to fix this, should we
> > just do the qsort() unconditionally on Solaris-based OS's, for the sake
> > of our users?
> > 
> > I don't propose to detect buggy versions, if we did this I figured to
> > make it happen on all Solaris builds.
> > 
> > Any thoughts?
> With Solaris this is being fixed with a hotfix and with 10u11 so this is the
> recommended solution for everybody on Solaris who installed the update that
> broke this setgroups call before.
> With Illumos - well they know about this security issue since some weeks and
> there is no real reaction since then. I think working around such bugs in
> Samba is not a good compensation for an OS vendor ignoring security related
> issues. I would not like to get the qsort workaround in samba generally on
> Solaris-like platforms just because Illumos does not fix well known blocker
> bugs.

Thanks, I hadn't really considered the security issue side of things.  

Regardless, this really, really needed to be fixed in the OS, and my
mails on the topic seem to hit highly on Google searches for 'Illumos 16
groups', so hopefully folks hitting this don't lose too much more time
before at least understanding the issue.


Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list