Bug 7318 - set_unix_security_ctx is causing crashes on Solaris 10.
Product: Samba 3.6
Classification: Unclassified
Component: File services
x64 Solaris
: P3 regression
Assigned To: Jeremy Allison
Samba QA Contact
Reported: 2010-04-01 11:18 UTC by Ira Cooper
Modified: 2010-05-13 06:36 UTC

Proposed patch to fix the issue. (517 bytes, patch)
2010-04-01 11:23 UTC, Ira Cooper

Description Ira Cooper 2010-04-01 11:18:36 UTC
set_unix_security_ctx is causing crashes on Solaris 10, because it tries to pass in too many groups, causing a crash.
Comment 1 Ira Cooper 2010-04-01 11:23:46 UTC
Created attachment 5587
Proposed patch to fix the issue.
Comment 2 Volker Lendecke 2010-04-01 14:01:04 UTC
Sorry, we will not apply this patch. This is a Solaris problem that Oracle is about to fix in a future release. You might contact Oracle about this problem to get a preliminary patch.

Comment 3 Ira Cooper 2010-05-12 16:29:53 UTC

I just built 3.6 on Nexenta (basically OpenSolaris b134), and the issue is not fixed.  That is what 2010.3 will be based on roughly.  Do you have the bug number for this issue?

Otherwise, my patch does obey the standards, as I understand them.  I only clamp to the number of groups that the system says we are allowed.
Comment 4 Volker Lendecke 2010-05-12 17:21:45 UTC
Re-assigning to Jeremy. I have already rejected this patch and Jeremy is right now in very close cooperation with you anyway. Maybe he wants to comment on this patch and has a different view on me refusing to apply this patch.

Comment 5 Jeremy Allison 2010-05-12 17:34:15 UTC
This is a broken patch IMHO. It simply drops the groups that are over the system limit. I don't think we can do that. Solaris must fix the limited group list. This isn't something we can fix in Samba. The problem is if we simply truncate there is no way a user will know what groups they are in or not, depending on the sort order of the list of groups returned from nsswitch, thus getting random access denied errors that we get blamed for.

Comment 6 Volker Lendecke 2010-05-12 17:36:27 UTC
BTW, I still think this patch is wrong, but I was not heard. Rejecting it a second time won't help, I'm not going to play REJECT/REOPEN pingpong.

Just for the reason why I've re-assigned it to Jeremy.

Also, with ZFS and negative ACLs you run into security problems by just dropping group memberships.
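
Added example, not part of the thread and not code from Samba or from the attached patch: a simplified first-match ACL model showing why truncating the supplementary group list at the system limit can turn a deny into an allow, as Comments 5 and 6 argue, with a check that refuses an oversized list instead of shortening it. The names `acl_allows` and `group_list_fits`, the gids and the limit of 3 are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* One ACL entry: allow or deny for a group (simplified model, not ZFS code). */
struct ace { gid_t gid; bool deny; };

static bool in_groups(gid_t gid, const gid_t *groups, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (groups[i] == gid) return true;
    return false;
}

/* First matching entry decides; no matching entry means no access. */
bool acl_allows(const struct ace *acl, size_t nace,
                const gid_t *groups, size_t ngroups)
{
    for (size_t i = 0; i < nace; i++)
        if (in_groups(acl[i].gid, groups, ngroups))
            return !acl[i].deny;
    return false;
}

/* Fail closed: say whether the whole list fits, never return a clamped count. */
bool group_list_fits(size_t ngroups, long limit)
{
    return limit >= 0 && ngroups <= (size_t)limit;
}

/* Constructed sample: user is in 4 groups; gid 400 carries a deny entry. */
static const gid_t sample_groups[] = { 100, 200, 300, 400 };
static const struct ace sample_acl[] = { { 400, true }, { 100, false } };

bool full_list_allows(void)      { return acl_allows(sample_acl, 2, sample_groups, 4); }
bool truncated_list_allows(void) { return acl_allows(sample_acl, 2, sample_groups, 3); }

int main(void)
{
    long limit = sysconf(_SC_NGROUPS_MAX);   /* limit reported by this system */
    printf("system NGROUPS_MAX: %ld\n", limit);
    printf("full list allows access:      %d\n", full_list_allows());
    printf("truncated list allows access: %d\n", truncated_list_allows());
    printf("4 groups fit a limit of 3:    %d\n", group_list_fits(4, 3));
    return 0;
}
```

Which entry gets dropped depends on the order of the group list, so the outcome of a truncation is not predictable from the ACL alone.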

Comment 7 Volker Lendecke 2010-05-12 17:41:35 UTC
Have to re-open to correctly close as WONTFIX.
Comment 8 Volker Lendecke 2010-05-12 17:42:28 UTC
Closing again as WONTFIX. Let's see how long we can play this game :-)
Comment 9 Ira Cooper 2010-05-12 18:05:25 UTC
The real workaround (at least on OpenSolaris, I'll see if I can test it on Solaris at some point also...)

in /etc/system:

set ngroups_max = 64

It may be worth documenting somewhere appropriate. Leave the resolution alone. The workaround I have now is correct.

Comment 10 Ira Cooper 2010-05-13 06:36:34 UTC

is the bug with the needed data from Oracle, in case anyone wants to know if their version of OpenSolaris or Solaris has this fixed, or to talk to Oracle about patches.