How much should we work around buggy Solaris/OpenIndiana/Illumos > 16 groups bugs?
jra at samba.org
Mon Jun 10 11:32:13 MDT 2013
On Mon, Jun 10, 2013 at 08:54:46AM +1000, Andrew Bartlett wrote:
> On Sun, 2013-06-09 at 21:14 +0200, Björn Jacke wrote:
> > On 2013-06-08 at 13:49 +1000 Andrew Bartlett sent off:
> > > I've uploaded to https://bugzilla.samba.org/show_bug.cgi?id=7588 the
> > > attached two patches that will help some sites that can't fix their OS,
> > > but need more than 16 groups.
> > >
> > > Given that a number of sites seem to deploy this, and there has been no
> > > reaction on the Illumos side indicating a desire to fix this, should we
> > > just do the qsort() unconditionally on Solaris-based OS's, for the sake
> > > of our users?
> > >
> > > I don't propose to detect buggy versions, if we did this I figured to
> > > make it happen on all Solaris builds.
> > >
> > > Any thoughts?
> >
> > With Solaris this is being fixed with a hotfix and with 10u11 so this is the
> > recommended solution for everybody on Solaris who installed the update that
> > broke this setgroups call before.
> >
> > With Illumos - well they know about this security issue since some weeks and
> > there is no real reaction since then. I think working around such bugs in
> > Samba is not a good compensation for an OS vendor ignoring security related
> > issues. I would not like to get the qsort workaround in samba generally on
> > Solaris-like platforms just because Illumos does not fix well known blocker
> > bugs.
>
> Thanks, I hadn't really considered the security issue side of things.
> Regardless this really, really needed to be fixed in the OS, and my
> mails on the topic seem to hit highly on google searches for 'Illumos 16
> groups', so hopefully folks hitting this don't lose too much more time
> before at least understanding the issue.

Personally I agree with Andrew that adding the unconditional qsort()
to this code path on Solaris-based-OS's in Samba is the "right thing
to do (tm)" :-).

Yes, it should be fixed in the OS, and yes, it isn't really
our problem, but as the implications of not having the sorted
group list are so severe, I think it is childish of us to refuse
to add this simple fix merely to punish a reluctant vendor.

tl;dr. It's a harmless change as far as I can see. It makes
things universally better for Solaris OS's.

Why should we not do this?