From: Diomidis Spinellis
Date: Mon, 15 Dec 2003 00:55:16 +0200
To: Brooks Davis
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, Robert Watson, dds@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src UPDATING (initgroups)
Message-ID: <3FDCEA54.2040705@aueb.gr>
In-Reply-To: <20031214213624.GA4077@Odin.AC.HMC.Edu>

Brooks Davis wrote:
[...]
> I don't think a syslog message mentioning "invalid argument" is
> sufficient in STABLE.  We've turned accounts with a minor problem that
> few people noticed into accounts that can't log in.  I don't think it's
> reasonable to force admins to back trace from "invalid argument" to
> EINVAL to a non-standard meaning listed in the function call manpage,
> especially since we could emit a useful error instead.

Reinterpreting errno on a case-by-case basis as in

    if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
        if (errno == EINVAL)
            syslog(LOG_ERR, "initgroups(%s,%lu): too many groups",
                pwd->pw_name, (u_long)pwd->pw_gid);
        else
            syslog(LOG_ERR, "initgroups(%s,%lu): %m",
                pwd->pw_name, (u_long)pwd->pw_gid);

will introduce changes in 34 source code files (many of them contributed
and not under our direct control), or result in a non-orthogonal
treatment of this problem.  Interpreting the error message through the
errno value and the associated manpage is EXACTLY what any competent
Unix system administrator should be able and expected to do.

On the other hand, if non-working accounts cause a significant problem
for a number of installations we could add a temporary fix to ignore the
error and report the cause just in lib/libutil/login_class.c (which
seems to cause the problem).  This could then be removed after a
deprecation period (say six months):

    if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
        if (errno == EINVAL)
            /* Temporary: log the overflow but let the login proceed. */
            syslog(LOG_ERR,
                "initgroups(%s,%lu): deprecated feature: "
                "member of > NGROUPS error ignored",
                pwd->pw_name, (u_long)pwd->pw_gid);
        else {
            syslog(LOG_ERR, "initgroups(%s,%lu): %m",
                pwd->pw_name, (u_long)pwd->pw_gid);
            login_close(llc);
            return -1;
        }
    }

> On Sun, Dec 14, 2003 at 05:10:29PM +0200, Diomidis Spinellis wrote:
>>Given that this type of error was silently ignored in the past (with
>>group memberships more than NGROUPS being silently ignored), I agree
>>that we might want to help users check their systems.  The following
>>script will check a typical group(5) file and report cases where
>>setgroups would overflow.
>>
>>#!/bin/sh
>>awk -F'[:,]' '
>>{ for (i = 4; i <= NF; i++) if (length($i)) g[$i]++; }
>>END { for (u in g) if (g[u] > '`sysctl -n kern.ngroups`' - 2)
>>    print "Too many group memberships for user " u }
>>' /etc/group
>>
>>I suggest we add it in the corresponding UPDATING entry/entries.
>
> This is insufficient.
> It would not have caught the case we saw at work
> because the user got the extra groups from NIS.

    #!/bin/sh
    # Discard ypcat errors so they are not parsed as group entries.
    (ypcat group 2>/dev/null ; cat /etc/group) | awk -F'[:,]' '
    { for (i = 4; i <= NF; i++) if (length($i)) g[$i]++; }
    END { for (u in g) if (g[u] > '`sysctl -n kern.ngroups`' - 2)
        print "Too many group memberships for user " u }'

Again, I am sure there will be cases that this script will not recognize.

Diomidis - dds@
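
An added example, not part of the original message or of FreeBSD: a variant of the check discussed above that counts each (user, group) pair only once, so a group that appears in both the NIS map and /etc/group is not counted twice. The function names check_groups and sample_groups, the limit argument and the sample data are constructed for illustration.

```shell
#!/bin/sh
# check_groups LIMIT
# Reads group(5)-format lines on stdin and prints "user count" for every
# user who is listed as a member of more than LIMIT distinct groups.
# On a live system the input could be (ypcat group 2>/dev/null; cat /etc/group)
# and LIMIT the value of `sysctl -n kern.ngroups` minus 2, as in the
# scripts in the message above.
check_groups() {
    awk -F: -v limit="$1" '
    /^[#+-]/ || NF < 4 { next }   # skip comments, NIS compat markers, short lines
    {
        n = split($4, member, ",")
        for (i = 1; i <= n; i++) {
            u = member[i]
            # Count each (user, group name) pair once, even when the same
            # group is supplied by more than one source.
            if (u != "" && !((u, $1) in seen)) {
                seen[u, $1] = 1
                count[u]++
            }
        }
    }
    END {
        for (u in count)
            if (count[u] > limit)
                print u, count[u]
    }' | sort
}

# Constructed sample input: "ops" appears twice, as it would when the same
# group is present both in NIS and in the local file.
sample_groups() {
    cat <<'EOF'
# constructed sample data
wheel:*:0:root,alice
staff:*:20:alice,bob
ops:*:100:alice
ops:*:100:alice
+:*::
dev:*:101:alice,bob,
EOF
}
```

Membership through the primary group in passwd(5) is not counted here, just as in the scripts above.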