Subject: Re: possible problem in getgrouplist (#groups > NGROUPS_MAX)
To: None <>
From: David Laight <>
List: tech-userlevel
Date: 05/01/2002 00:32:50
On Tue, Apr 30, 2002 at 02:53:04PM -0700, Bill Studenmund wrote:
> On Tue, 30 Apr 2002, Tim Bandy wrote:
> > I created a test account, and added that test account to more than
> > NGROUPS_MAX groups, which is 16.  This seems to cause initgroups to
> > return -1, which causes problems for (at least) both sshd and
> > telnetd.  Is this intended behavior?  If not, I believe that I have
> > found (at least part of) the problem in getgrouplist.c, and can
> > send-pr.
> Not sure, but it actually doesn't sound like that bad a behavior. As
> counter-intuitive as that may sound, what else should we do if someone is
> in more than NGROUPS_MAX groups? Just pick a random 16 of them? By
> returning -1, we indicate that there's a (big) problem.
> We probably should document this behavior though.

Would it be sensible to set the first NGROUOS_MAX and report -1.
Otherwise there could be a security problem
(as opposed to a DoS problem)


David Laight: