Bug #8105

libnsl(3nsl): NGRPS_LOOPBACK should be increased

Added by Marcel Telka about 3 years ago.

Status: In Progress
Priority: Normal
Assignee:
Category: lib - userland libraries
Start date: 2017-04-25
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

The AUTH_LOOPBACK flavor is basically the same as AUTH_SYS with the exception that the gids array length is not limited. See Appendix A in RFC 5531 for details about the AUTH_SYS flavor. We can describe the opaque data constituting the AUTH_LOOPBACK credential using the following XDR syntax:

struct authloopback_parms {
        unsigned int stamp;
        string machinename<255>;
        unsigned int uid;
        unsigned int gid;
        unsigned int gids<>;
};

The encoded authloopback_parms structure (like the auth data structures for all other flavors, including the authsys_parms structure) is stored in the opaque body of the opaque_auth structure. The size of the opaque body is up to 400 bytes (see Section 8.2 in RFC 5531).

When the authloopback_parms is encoded it will consume the following number of bytes in the XDR stream (including the possible padding, if needed):

stamp 4 bytes
strlen(machinename) 4 bytes
machinename 0 to 256 bytes
uid 4 bytes
gid 4 bytes
number of gids 4 bytes
gids 0 to ? (4 bytes per gid)

In the worst case scenario (the machinename is the longest possible) we can encode: (400 - 5 * 4 - 256) / 4 = 31 gids
In the best case scenario (the machinename is the shortest possible) we can encode: (400 - 5 * 4 - 0) / 4 = 95 gids

Effectively, in the libnsl(3nsl) sources we limit the number of gids to NGRPS_LOOPBACK, which is currently set to 92. This is apparently too restrictive and we should increase it to (at least) 95.
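The byte accounting above, as an added example that is not part of the original report or of the libnsl sources: a minimal XDR encoder for authloopback_parms that refuses any credential exceeding the 400-byte opaque body. All function names here are hypothetical, and try_encode() builds constructed sample input.

```c
#include <stdint.h>
#include <string.h>

#define MAX_AUTH_BYTES 400	/* opaque_auth body limit, RFC 5531 Section 8.2 */

static size_t rndup4(size_t n) { return (n + 3) & ~(size_t)3; }	/* XDR padding */

/* Append one big-endian 32-bit XDR unsigned int; returns the new offset. */
static size_t put_u32(uint8_t *b, size_t off, uint32_t v)
{
	b[off] = (uint8_t)(v >> 24); b[off + 1] = (uint8_t)(v >> 16);
	b[off + 2] = (uint8_t)(v >> 8); b[off + 3] = (uint8_t)v;
	return off + 4;
}

/* Largest gids count that fits beside a machinename of name_len (<= 255) bytes. */
static unsigned max_gids(size_t name_len)
{
	return (unsigned)((MAX_AUTH_BYTES - 5 * 4 - rndup4(name_len)) / 4);
}

/* Encode into out[MAX_AUTH_BYTES]; returns encoded length, or -1 if it cannot fit. */
static int encode_authloopback(uint8_t *out, uint32_t stamp, const char *name,
    uint32_t uid, uint32_t gid, const uint32_t *gids, unsigned ngids)
{
	size_t nlen = strlen(name), off = 0;

	if (nlen > 255 || ngids > max_gids(nlen))
		return -1;	/* checked before any gid is read or written */
	off = put_u32(out, off, stamp);
	off = put_u32(out, off, (uint32_t)nlen);
	memset(out + off, 0, rndup4(nlen));	/* zero the pad bytes */
	memcpy(out + off, name, nlen);
	off += rndup4(nlen);
	off = put_u32(out, off, uid);
	off = put_u32(out, off, gid);
	off = put_u32(out, off, ngids);
	for (unsigned i = 0; i < ngids; i++)
		off = put_u32(out, off, gids[i]);
	return (int)off;
}

/* Constructed sample input: a name of name_len 'x' characters, all gids zero. */
static int try_encode(size_t name_len, unsigned ngids)
{
	uint8_t out[MAX_AUTH_BYTES]; uint32_t gids[128] = {0}; char name[300] = {0};
	memset(name, 'x', name_len < 299 ? name_len : 299);
	return encode_authloopback(out, 0, name, 0, 0, gids, ngids);
}
```

With an empty machinename, 92 gids (the current NGRPS_LOOPBACK) encode to 388 bytes, while 95 gids fill the body exactly.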


Related issues

Related to illumos gate - Bug #8085: Handle RPC groups better (Closed, 2017-04-19)
Related to illumos gate - Bug #8106: authloopback_marshal() can violate the RPC specification (Closed, 2017-04-25)

History

#1

Updated by Marcel Telka about 3 years ago

  • Related to Bug #8085: Handle RPC groups better added

#2

Updated by Marcel Telka about 3 years ago

  • Related to Bug #8106: authloopback_marshal() can violate the RPC specification added