On Fri, 12 Dec 2003, Brooks Davis wrote:

> > > Dec 12 21:37:24 golulu login: setusercontext() failed - exiting
> > >
> > > _With_ those lines in /etc/group, id gives:
> > >
> > > uid=1000(kjwolf) gid=20(staff) groups=20(staff), 0(wheel), 5(operator),
> > > 13(games), 68(dialer), 69(network), 100(users), 1000(kjwolf),
> > > 1200(wolf), 2000(wstaff), 2001(mm), 2002(develop), 2003(classifd),
> > > 2004(mirror), 2005(mirrors), 2006(sw)
> >
> > That's 18 groups..there might be a limit of 16 somewhere that is
> > causing login to have problems.
>
> A recent change to initgroups() changed the behavior of having too many
> groups from silent truncation to error which breaks login... One of our
> users at work ran into this. Fortunately, we were able to delete a
> number of groups for projects that never got cleaned up, but it was
> annoying and the error is extremely non-obvious.

FWIW, I think that failing here is the right thing to do (since otherwise
the kernel silently changes the access control rights of processes), but
that the failure error is a bit obscure. That said, the setusercontext()
API isn't really set up to provide more detailed error information, so
we'll need to expand the API. I wonder if it would make sense to modify
the pw/etc commands to generate warnings if they discover a user in too
many groups...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert_at_fledge.watson.org   Senior Research Scientist, McAfee Research

Received on Fri Dec 12 2003 - 15:30:08 UTC
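
The warning suggested at the end of the message (flagging a user who is in too many groups) can be approximated with a standalone audit of passwd- and group-format files. This is an added example, not part of the original message and not code from pw; the function names, the constructed sample accounts, and the default limit of 16 (the figure guessed at in the thread) are assumptions.

```sh
#!/bin/sh
# Usage: over_group_limit PASSWD_FILE GROUP_FILE [LIMIT]
# Prints "user total" for each account whose primary group plus
# supplementary groups exceeds LIMIT. LIMIT defaults to 16 (assumption
# taken from the thread); `getconf NGROUPS_MAX` reports the live value.
over_group_limit() {
    awk -F: -v limit="${3:-16}" '
        # First file (passwd format): remember the primary gid per user.
        FNR == NR { if ($0 !~ /^#/ && NF >= 4) primary[$1] = $4; next }
        # Second file (group format): name:passwd:gid:member,member,...
        /^#/ || NF < 3 { next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                u = m[i]
                # Skip empty entries and repeated (user, gid) pairs.
                if (u == "" || seen[u, $3]++) continue
                count[u]++
                if ((u in primary) && primary[u] == $3) has_primary[u] = 1
            }
        }
        END {
            for (u in primary) {
                # Add the primary group unless it was already counted.
                total = count[u] + ((u in has_primary) ? 0 : 1)
                if (total > limit) printf "%s %d\n", u, total
            }
        }
    ' "$1" "$2" | sort
}

# Constructed sample data: alice has 17 supplementary groups plus her
# primary group (18 total); bob has 2 groups in total.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'alice:*:1001:20::/home/alice:/bin/sh' \
                  'bob:*:1002:20::/home/bob:/bin/sh' > "$d/passwd"
    {
        echo 'staff:*:20:bob'
        echo 'wheel:*:0:bob,alice'
        i=1
        while [ "$i" -le 16 ]; do
            echo "proj$i:*:$((2000 + i)):alice"
            i=$((i + 1))
        done
    } > "$d/group"
    over_group_limit "$d/passwd" "$d/group" 16
    rm -rf "$d"
}
```

Running `demo` prints only the account that is over the limit, so a check like this can run after group changes and surface the problem before the next login fails.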