How much should we work around buggy Solaris/OpenIndiana/Illumos > 16 groups bugs?

Andrew Bartlett abartlet at samba.org
Mon Jun 10 16:33:00 MDT 2013 

On Mon, 2013-06-10 at 18:27 -0400, Ira Cooper wrote:
> 
> 
> 
> On Mon, Jun 10, 2013 at 5:54 PM, Andrew Bartlett <abartlet at samba.org>
> wrote:
>         On Mon, 2013-06-10 at 15:41 -0400, Ira Cooper wrote:
>         >
>         >
>         >
>         > On Mon, Jun 10, 2013 at 3:01 PM, Jeremy Allison
>         <jra at samba.org> wrote:
>         >         On Mon, Jun 10, 2013 at 02:37:37PM -0400, Ira Cooper
>         wrote:
>         >         > Can someone point me at the actual illumos issue
>         that was
>         >         raised in their
>         >         > bug tracker?
>         >
>         >
>         >         https://www.illumos.org/issues/3577
>         >
>         >         I pinged one of the Illumos folks about this, but
>         they're
>         >         a bit busy.
>         >
>         >         > I know Andrew raised one, but as I remember, that
>         one
>         >         wandered off track.
>         >         >
>         >         > This is very specific, and I'd guess most illumos
>         devs could
>         >         fix it
>         >         > promptly.  Heck, if it stops people from being as
>         Jeremy so
>         >         nicely put it
>         >         > "completely sanctimonious
>         >         > pricks", it's something I can probably do.
>         >         >
>         >         > But, that said, there ARE broken systems, and
>         there will be
>         >         broken systems,
>         >         > so some workaround will be needed... and probably
>         for a long
>         >         time given the
>         >         > lifetime of Solaris systems.
>         >         >
>         >         > So detecting it might be nice...  Can someone
>         "detect" it if
>         >         I "fix" it.
>         >
>         >
>         >         Only as root I think. IMHO you should fix it for
>         Illumos,
>         >         and we should add the workaround to Samba.
>         >
>         >
>         > If you are building illumos, try this patch, and remove the
>         qsort.
>         >  The problem should go away, if I understand the code right.
>         >
>         >
>         > If not, can you please hand me solid reproduction code, and
>         I'll "get
>         > it right".  We can then attach this patch to the bug, and
>         talk to them
>         > about RTI.  (Getting it committed.)
>         
>         
>         https://www.illumos.org/issues/3691 has the reproducer test
>         programs I
>         used.
>         
>         Just to close to loop back to here, after Björn Jacke raised
>         the
>         security aspect, I raised this with their security contact,
>         but without
>         a response yet.  (I wouldn't normally mention such details,
>         but this is
>         already very well public).
> 
> 
> The patch I wrote fixes "testgroups4" though the groups come back
> sorted, so the program carps about that.  (I don't consider that a
> "bug".)

Indeed, that's what it does on Linux.  Comment out that check to be
double-sure, and let it run the actual ACL checks. 

> I can submit it upstream if you wish to confirm that it works.

Can you just comment out the order check, and then do that?  I don't
have a good means to rebuild the Illumos kernel right now.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list