Subject: Re: possible problem in getgrouplist (#groups > NGROUPS_MAX)
To: David Laight <>
From: Tim Bandy <>
List: tech-userlevel
Date: 05/01/2002 09:56:20
>>>>> "David" == David Laight <> writes:
    David>  On Tue, Apr 30, 2002 at 02:53:04PM -0700, Bill Studenmund
    David> wrote:
    >> On Tue, 30 Apr 2002, Tim Bandy wrote:
    >> > I created a test account, and added that test account to more
    >> than > NGROUPS_MAX groups, which is 16.  This seems to cause
    >> initgroups to > return -1, which causes problems for (at least)
    >> both sshd and > telnetd.  Is this intended behavior?  If not, I
    >> believe that I have > found (at least part of) the problem in
    >> getgrouplist.c, and can > send-pr.
    >> Not sure, but it actually doesn't sound like that bad a
    >> behavior. As counter-intuitive as that may sound, what else
    >> should we do if someone is in more than NGROUPS_MAX groups?
    >> Just pick a random 16 of them? By returning -1, we indicate
    >> that there's a (big) problem.
    >> We probably should document this behavior though.

    David>  Would it be sensible to set the first NGROUOS_MAX and
    David> report -1.  Otherwise there could be a security problem (as
    David> opposed to a DoS problem)

That makes sense to me.  It would seem to be more reasonable to me to
set as many groups as possible, then return a non-fatal error.  As to
the question of which groups to pick, I think that just using getgrent
is entirely reasonable.  One could then use newgrp (which doesn't
exist, I know) to change groups to any which are not set by

As Bill stated, this does seem counter-intuitive to me, so if there's
a good reason for doing this, please let me know what it is.  I
disagree that being in more groups than NGROUPS_MAX is a big problem.

If there is a good reason, could the manpage for initgroups and
getgroups be updated to reflect this behavior?

Tim Bandy (

Thank goodness modern convenience is a thing of the remote future.
                -- Pogo, by Walt Kelly