7318 – set_unix_security_ctx is causing crashes on Solaris 10.

Bug 7318 - set_unix_security_ctx is causing crashes on Solaris 10.

Summary: set_unix_security_ctx is causing crashes on Solaris 10.

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Samba 3.6
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	unspecified
Hardware:	x64 Solaris

Importance:	P3 regression
Target Milestone:	---
Assignee:	Jeremy Allison
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-04-01 11:18 UTC by Ira Cooper
Modified:	2010-05-13 06:36 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Proposed patch to fix the issue. (517 bytes, patch) 2010-04-01 11:23 UTC, Ira Cooper	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ira Cooper 2010-04-01 11:18:36 UTC

set_unix_security_ctx is causing crashes on Solaris 10, because it tries to pass in too many groups, causing a crash.

Comment 1 Ira Cooper 2010-04-01 11:23:46 UTC

Created attachment 5587 [details]
Proposed patch to fix the issue.

Comment 2 Volker Lendecke 2010-04-01 14:01:04 UTC

Sorry, we will not apply this patch. This is a Solaris problem that Oracle is about to fix in a future release. You might contact Oracle about this problem to get a preliminary patch.

Volker

Comment 3 Ira Cooper 2010-05-12 16:29:53 UTC

Volker:

I just built 3.6 on Nexenta (basically OpenSolaris b134), and the issue is not fixed.  That is what 2010.3 will be based on roughly.  Do you have the bug number for this issue?

Otherwise, my patch does obey the standards, as I understand them.  I only clamp to the number of groups that the system says we are allowed.

Comment 4 Volker Lendecke 2010-05-12 17:21:45 UTC

Re-assigning to Jeremy. I have already rejected this patch and Jeremy right now in very close cooperation with you anyway. Maybe he wants to comment on this patch and has a different view on me refusing to apply this patch.

Volker

Comment 5 Jeremy Allison 2010-05-12 17:34:15 UTC

This is a broken patch IMHO. It simply drops the groups that are over the system limit. I don't think we can do that. Solaris must fix the limited group list. This isn't something we can fix in Samba. The problem is if we simply truncate there is no way a user will know what groups they are in or not, depending on the sort order of the list of groups returned from nsswitch, thus getting random access denied errors that we get blamed for.

Jeremy.

Comment 6 Volker Lendecke 2010-05-12 17:36:27 UTC

BTW, I still think this patch is wrong, but I was not heard. Rejecting it a second time won't help, I'm not going to play REJECT/REOPEN pingpong.

Just for the reason why I've re-assigned it to Jeremy.

Also, with ZFS and negative ACLs you run into security problems by just dropping group memberships.

Volker

Comment 7 Volker Lendecke 2010-05-12 17:41:35 UTC

have to re-open to correctly close as WONTFIX

Comment 8 Volker Lendecke 2010-05-12 17:42:28 UTC

Closing again as WONTFIX. Lets see how long we can play this game :-)

Comment 9 Ira Cooper 2010-05-12 18:05:25 UTC

The real work around (at least on OpenSolaris, I'll see if I can test it on Solaris at some point also...)

in /etc/system:

set ngroups_max = 64

It may be worth documenting somewhere appropriate.  Leave the resolution alone.  The work around I have now is correct.

-Ira

Comment 10 Ira Cooper 2010-05-13 06:36:34 UTC

http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4088757

is the bug with the needed data from Oracle, in case anyone wants to know if their version of OpenSolaris or Solaris has this fixed, or to talk to Oracle about patches.

Thanks,

-Ira