How much should we work around buggy Solaris/OpenIndiana/Illumos > 16 groups bugs?
Andrew Bartlett
abartlet at samba.org
Mon Jun 10 16:33:00 MDT 2013
On Mon, 2013-06-10 at 18:27 -0400, Ira Cooper wrote:
> On Mon, Jun 10, 2013 at 5:54 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2013-06-10 at 15:41 -0400, Ira Cooper wrote:
> >
> > On Mon, Jun 10, 2013 at 3:01 PM, Jeremy Allison <jra at samba.org> wrote:
> > On Mon, Jun 10, 2013 at 02:37:37PM -0400, Ira Cooper wrote:
> > > Can someone point me at the actual illumos issue that was raised in their
> > > bug tracker?
> >
> > https://www.illumos.org/issues/3577
> >
> > I pinged one of the Illumos folks about this, but they're a bit busy.
> >
> > > I know Andrew raised one, but as I remember, that one wandered off track.
> > >
> > > This is very specific, and I'd guess most illumos devs could fix it
> > > promptly. Heck, if it stops people from being as Jeremy so nicely put it
> > > "completely sanctimonious pricks", it's something I can probably do.
> > >
> > > But, that said, there ARE broken systems, and there will be broken systems,
> > > so some workaround will be needed... and probably for a long time given the
> > > lifetime of Solaris systems.
> > >
> > > So detecting it might be nice... Can someone "detect" it if I "fix" it.
> >
> > Only as root I think. IMHO you should fix it for Illumos,
> > and we should add the workaround to Samba.
> >
> > If you are building illumos, try this patch, and remove the qsort.
> > The problem should go away, if I understand the code right.
> >
> > If not, can you please hand me solid reproduction code, and I'll "get
> > it right". We can then attach this patch to the bug, and talk to them
> > about RTI. (Getting it committed.)
>
> https://www.illumos.org/issues/3691 has the reproducer test programs I used.
>
> Just to close the loop back to here, after Björn Jacke raised the
> security aspect, I raised this with their security contact, but without
> a response yet. (I wouldn't normally mention such details, but this is
> already very well public).
>
> The patch I wrote fixes "testgroups4" though the groups come back
> sorted, so the program carps about that. (I don't consider that a
> "bug".)

Indeed, that's what it does on Linux. Comment out that check to be
double-sure, and let it run the actual ACL checks.

> I can submit it upstream if you wish to confirm that it works.

Can you just comment out the order check, and then do that? I don't
have a good means to rebuild the Illumos kernel right now.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org