How much should we work around buggy Solaris/OpenIndiana/Illumos > 16 groups bugs?
bj at sernet.de
Mon Jun 10 12:12:59 MDT 2013
On 2013-06-10 at 10:32 -0700 Jeremy Allison sent off:
> tl;dr. It's a harmless change as far as I can see. It makes
> things universally better for Solaris OS's.
> Why should we not do this ?
because other userspace programms most probably don't fix the kernel bug in
userspace by sorting the groups and thus other processes might access data that
should not be accessable. By adding the qsort workaround we actively support
those systems not to get fixed and leave a known security hole (deny-ACEs being
of users with > 16 groups possibly being unevaluated) open.
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
☎ +49-551-370000-0, ℻ +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
More information about the samba-technical