Subject: Re: bin/14172
To: <>
From: David Laight <david@l8s.co.uk>
List: tech-userlevel
Date: 12/04/2002 22:23:28
> setusercontext(login_cap_t *lc, struct passwd *pwd,
>                uid_t uid, u_int flags)
> ...
> 
> That function does all sorts of checks. I think that is
> the one you are referring to.

No - it is actually libc/gen/initgroups.c (called by the above).

    getgrouplist(uname, group, grouplist, &ngroups)
always sets ngroups to the total number of groups found - even if larger
than the original value. So following it with
    setgroups(grouplist, ngroups)
passes the actual number of groups to the kernel, not the size of
grouplist.  Typically the kernel will then reject the request
even though man initgroups says:
	"If the groups database lists more than NGROUPS groups for name
	(including one for basegid), the later groups are ignored."
Worse still, if someone has compiled a kernel with a larger NGROUPS_MAX
then random groups will be assigned to the process - this has to be
a security problem...

	David

-- 
David Laight: david@l8s.co.uk
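The call pattern described in the mail beside a clamped version, as an added C example that is not part of the mail or of NetBSD's libc. The group database, the kernel limit of 4 and the fake_* stand-ins for getgrouplist()/setgroups() are all constructed for the demonstration.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

#define NGROUPS_MAX_FAKE 4   /* assumed kernel limit for this demo */
/* Constructed stand-in for the group database: the supplementary groups
 * listing "alice" as a member (six, more than the limit above). */
static const gid_t alice_groups[] = {100, 101, 102, 103, 104, 105};

/* Mimics the initgroups.c behaviour the mail describes: stores what fits,
 * but reports the total found in *ngroups even when it exceeds the buffer. */
static int fake_getgrouplist(const char *name, gid_t basegid,
                             gid_t *groups, int *ngroups) {
    int found = 1, cap = *ngroups;       /* slot 0 is basegid */
    if (strcmp(name, "alice") != 0) { *ngroups = 0; return -1; }
    if (cap > 0) groups[0] = basegid;
    for (size_t i = 0; i < 6; i++, found++)
        if (found < cap) groups[found] = alice_groups[i];
    *ngroups = found;
    return found > cap ? -1 : 0;         /* -1 also signals truncation */
}

/* Stand-in for the kernel: a stock kernel rejects a count above its limit. */
static int fake_setgroups(const gid_t *groups, int ngroups) {
    (void)groups;
    if (ngroups > NGROUPS_MAX_FAKE) { errno = EINVAL; return -1; }
    return 0;
}

/* The pattern the mail criticises: the count from getgrouplist() goes
 * straight to setgroups(); here that is 7 for a 4-entry buffer. */
int unguarded_initgroups(const char *name, gid_t basegid) {
    gid_t buf[NGROUPS_MAX_FAKE];
    int ngroups = NGROUPS_MAX_FAKE;
    fake_getgrouplist(name, basegid, buf, &ngroups);
    return fake_setgroups(buf, ngroups);
}

/* Hardened form: clamp the count to the buffer size (the truncation the
 * manual page promises) so setgroups() never sees more than grouplist holds. */
int guarded_initgroups(const char *name, gid_t basegid) {
    gid_t buf[NGROUPS_MAX_FAKE];
    int ngroups = NGROUPS_MAX_FAKE;
    if (fake_getgrouplist(name, basegid, buf, &ngroups) < 0 &&
        ngroups <= NGROUPS_MAX_FAKE)
        return -1;                       /* genuine failure, not truncation */
    if (ngroups > NGROUPS_MAX_FAKE) ngroups = NGROUPS_MAX_FAKE; /* later groups ignored */
    return fake_setgroups(buf, ngroups);
}
```

With a kernel built for a larger limit, the unguarded call would instead hand the kernel the 3 gids that happen to follow buf on the stack, which is the "random groups" outcome the mail warns about.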