Bug #3691

closed

setgroups() needs a sorted GID list for more than 16 groups

Added by Andrew Bartlett about 8 years ago. Updated over 5 years ago.

Status: Closed
Priority: High
Assignee:
Category: kernel
Start date: 2013-04-04
Due date:
% Done: 100%
Estimated time:
Difficulty: Bite-size
Tags:
Gerrit CR:

Description

I create two users and 20 groups. I put one user in 10 groups, the other in 20 groups (passwd/group files attached). I then run the attached C program to set ZFS acls, allowing those groups to access the files.

The GID values matter - this issue didn't reproduce on my first attempt with a base of 2000, but did when I exactly matched the failing values given by Samba's winbindd on the failing system. I was then able to reproduce the exact situation on OpenIndiana Build 151a7 Desktop DVD (32/64-bit x86).

I tried to have a single testing binary demonstrate the issue by becoming a normal user with a large number of groups, but I only see this when I examine left-behind files (in test/) using su testuser2.

Steps to reproduce.

Attached are group2 and passwd2. Concatenate these onto /etc/passwd and /etc/group:
sudo sh -c 'cat passwd2 >>/etc/passwd '
sudo sh -c 'cat group2 >>/etc/group '

In particular, note that both users are in groups:
65548 65549 65550

/share is on a ZFS volume:

/ on rpool/ROOT/openindiana read/write/setuid/devices/dev=2c10002 on Thu Jan 1 10:00:00 1970

User with 20 groups (failure):

root@openindiana:/share# rm -rf test && ~abartlet/./testgroups-match-samba-acl
20
Got 20 groups
65536 65537 65538 65539 65540 65541 65542 65543 65544 65545 65546 65547 65548
65549 65550 65551 65552 65553 65554 65555 
root@openindiana:/share# su testuser2
bash: /root/.bashrc: Permission denied
bash-4.0$ ls -la test
ls: cannot access test/65543: Permission denied
ls: cannot access test/65549: Permission denied
ls: cannot access test/65550: Permission denied
ls: cannot access test/65544: Permission denied
ls: cannot access test/65539: Permission denied
ls: cannot access test/65540: Permission denied
ls: cannot access test/65554: Permission denied
ls: cannot access test/65547: Permission denied
ls: cannot access test/65538: Permission denied
ls: cannot access test/65545: Permission denied
ls: cannot access test/65551: Permission denied
ls: cannot access test/65548: Permission denied
ls: cannot access test/65542: Permission denied
ls: cannot access test/65546: Permission denied
ls: cannot access test/65555: Permission denied
ls: cannot access test/65536: Permission denied
ls: cannot access test/65541: Permission denied
total 8
drwxrwxr-x  22 root root 22 2013-04-04 12:11 .
drwxr-xr-x  13 root root 13 2013-04-04 12:11 ..
???????????  ? ?    ?     ?                ? 65536
drwx------+  3 root root  3 2013-04-04 12:11 65537
???????????  ? ?    ?     ?                ? 65538
???????????  ? ?    ?     ?                ? 65539
???????????  ? ?    ?     ?                ? 65540
???????????  ? ?    ?     ?                ? 65541
???????????  ? ?    ?     ?                ? 65542
???????????  ? ?    ?     ?                ? 65543
???????????  ? ?    ?     ?                ? 65544
???????????  ? ?    ?     ?                ? 65545
???????????  ? ?    ?     ?                ? 65546
???????????  ? ?    ?     ?                ? 65547
???????????  ? ?    ?     ?                ? 65548
???????????  ? ?    ?     ?                ? 65549
???????????  ? ?    ?     ?                ? 65550
???????????  ? ?    ?     ?                ? 65551
drwx------+  3 root root  3 2013-04-04 12:11 65552
drwx------+  3 root root  3 2013-04-04 12:11 65553
???????????  ? ?    ?     ?                ? 65554
???????????  ? ?    ?     ?                ? 65555
bash-4.0$ id -G
65537 65552 65561 65560 65559 65558 65557 65556 65555 65554 65553 65551 65548
65549 65550 65567 65566 65565 65564 65563 65562

Notice how they are in 65548,65549,65550 but cannot access/see those folders?

User with fewer groups (success):

root@openindiana:/share# su testuser
bash: /root/.bashrc: Permission denied
bash-4.0$ ls -la test
ls: cannot access test/65543: Permission denied
ls: cannot access test/65544: Permission denied
ls: cannot access test/65539: Permission denied
ls: cannot access test/65540: Permission denied
ls: cannot access test/65553: Permission denied
ls: cannot access test/65554: Permission denied
ls: cannot access test/65547: Permission denied
ls: cannot access test/65538: Permission denied
ls: cannot access test/65545: Permission denied
ls: cannot access test/65551: Permission denied
ls: cannot access test/65542: Permission denied
ls: cannot access test/65546: Permission denied
ls: cannot access test/65555: Permission denied
ls: cannot access test/65552: Permission denied
ls: cannot access test/65536: Permission denied
ls: cannot access test/65541: Permission denied
total 9
drwxrwxr-x  22 root root 22 2013-04-04 12:11 .
drwxr-xr-x  13 root root 13 2013-04-04 12:11 ..
???????????  ? ?    ?     ?                ? 65536
drwx------+  3 root root  3 2013-04-04 12:11 65537
???????????  ? ?    ?     ?                ? 65538
???????????  ? ?    ?     ?                ? 65539
???????????  ? ?    ?     ?                ? 65540
???????????  ? ?    ?     ?                ? 65541
???????????  ? ?    ?     ?                ? 65542
???????????  ? ?    ?     ?                ? 65543
???????????  ? ?    ?     ?                ? 65544
???????????  ? ?    ?     ?                ? 65545
???????????  ? ?    ?     ?                ? 65546
???????????  ? ?    ?     ?                ? 65547
drwx------+  3 root root  3 2013-04-04 12:11 65548
drwx------+  3 root root  3 2013-04-04 12:11 65549
drwx------+  3 root root  3 2013-04-04 12:11 65550
???????????  ? ?    ?     ?                ? 65551
???????????  ? ?    ?     ?                ? 65552
???????????  ? ?    ?     ?                ? 65553
???????????  ? ?    ?     ?                ? 65554
???????????  ? ?    ?     ?                ? 65555
bash-4.0$ id -G
65537 65548 65549 65550 65567 65566 65565 65564 65563 65562

This user can get to 65548,65549,65550 but is correctly denied access to other
folders that are not in its shorter GID list.

The GID lists are as provided by idmap and winbindd on the NAS, so are not
nicely consecutive.

Sadly I still can't reproduce this without going back to the shell and using
su, as a self-contained testing binary would be much easier to work with.


Files

testgroups-match-samba-acl.c (3.88 KB) - acl setting binary - Andrew Bartlett, 2013-04-04 02:02 AM
group2 (672 Bytes) - group file - Andrew Bartlett, 2013-04-04 02:02 AM
passwd2 (145 Bytes) - passwd file - Andrew Bartlett, 2013-04-04 02:02 AM
testgroups.c (3.12 KB) - Demonstration of sorted GID values (works) - Andrew Bartlett, 2013-04-09 06:06 AM
testgroups4.c (3.14 KB) - Demonstration of reverse sorted GID values (fails on OpenIndiana, but not our NAS) - Andrew Bartlett, 2013-04-09 06:06 AM
testgroups-match-samba-acl.c (4.05 KB) - Demonstration of sorted GID values using ACLs (works) - Andrew Bartlett, 2013-04-09 06:06 AM
testgroups-match-samba-acl4.c (4.05 KB) - Demonstration of reverse sorted GID values (fails on both OpenIndiana and our NAS) - Andrew Bartlett, 2013-04-09 06:06 AM

Related issues

Has duplicate illumos gate - Bug #3577: Problem handling groups with Winbind (Closed, 2013-02-19)
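
The behaviour in the issue description above, as an added example that is not part of the original report and is not illumos code: a hypothetical membership check that scans short lists linearly and binary-searches lists longer than 16 entries (the threshold is assumed from the bug title), run over the two `id -G` lists copied from the report. The function names and the choice to search the list exactly as `id -G` printed it are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>

#define CUTOFF 16 /* assumed threshold, taken from the bug title */

/* Copied from the report: `id -G` output for testuser2 and testuser. */
static const unsigned user2[] = {65537, 65552, 65561, 65560, 65559, 65558,
    65557, 65556, 65555, 65554, 65553, 65551, 65548, 65549, 65550, 65567,
    65566, 65565, 65564, 65563, 65562};
static const unsigned user1[] = {65537, 65548, 65549, 65550, 65567, 65566,
    65565, 65564, 65563, 65562};

static int cmp_gid(const void *a, const void *b) {
    unsigned x = *(const unsigned *)a, y = *(const unsigned *)b;
    return (x > y) - (x < y);
}

/* Hypothetical model: linear scan up to CUTOFF entries, binary search above.
 * The binary search silently assumes the caller supplied a sorted list. */
int is_member(const unsigned *g, int n, unsigned gid) {
    if (n <= CUTOFF) {
        for (int i = 0; i < n; i++)
            if (g[i] == gid) return 1;
        return 0;
    }
    int lo = 0, hi = n - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (g[mid] == gid) return 1;
        if (g[mid] < gid) lo = mid + 1; else hi = mid - 1;
    }
    return 0;
}

/* Mitigation matching the bug title: sort the list (here a copy) before
 * it is used for lookups, e.g. before the caller passes it to setgroups(). */
int is_member_sorted(const unsigned *g, int n, unsigned gid) {
    unsigned *copy = malloc((size_t)n * sizeof *copy);
    if (copy == NULL) return -1;
    for (int i = 0; i < n; i++) copy[i] = g[i];
    qsort(copy, (size_t)n, sizeof *copy, cmp_gid);
    int found = is_member(copy, n, gid);
    free(copy);
    return found;
}

int main(void) {
    for (unsigned gid = 65536; gid <= 65555; gid++)
        printf("%u unsorted=%d sorted=%d\n", gid,
            is_member(user2, 21, gid), is_member_sorted(user2, 21, gid));
    return 0;
}
```

For the test directories 65536 to 65555, the unsorted lookup in this model finds only 65537, 65552 and 65553 for testuser2, the same three directories that `ls -la test` shows as accessible in the report, while the 10-entry list for testuser takes the linear path and finds 65548, 65549 and 65550.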
