On Wed, 1 May 2002, David Laight wrote:

> On Tue, Apr 30, 2002 at 02:53:04PM -0700, Bill Studenmund wrote:
> > On Tue, 30 Apr 2002, Tim Bandy wrote:
> >
> > Not sure, but it actually doesn't sound like that bad a behavior. As
> > counter-intuitive as that may sound, what else should we do if someone is
> > in more than NGROUPS_MAX groups? Just pick a random 16 of them? By
> > returning -1, we indicate that there's a (big) problem.
> >
> > We probably should document this behavior though.
>
> Would it be sensible to set the first NGROUOS_MAX and report -1.
> Otherwise there could be a security problem
> (as opposed to a DoS problem)

How is it a security problem?

Oh, you're actually going to let someone log in when you can't represent
all of the groups s/he is in? If we can't set all of the groups someone is
in, we shouldn't let them it. Locking them out is a big red flag, and
strikes me as a much better thing than silently let him/her in and
truncate groups. A lock-out will get the problem fixed *now* whereas who
knows when silent truncation will get noticed.

Take care,

Bill