[Bug 787] Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)
bugzilla-daemon at mindrot.org
Tue Feb 24 12:28:32 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=787
------- Additional Comments From openssh_bugzilla at hockin.org 2004-02-24 12:28 -------
Darren: getgroups() works properly, but yeah setgrent() is probably correct.
Damien: Linux 2.6.3 will change NGROUPS_MAX to 64k. You *really* do not care
what _SC_NGROUPS_MAX says - it is the MAXIMUM (actually, it's the minimum
maximum, says POSIX. The actual maximum may be higher than sysconf() reports,
if I recall correctly). All you care about is the ACTUAL count. You can get
the actual count from a getgrent loop or from a proper getgrouplist() (which
work on all systems, and not just HAVE_SYSCONF systems).
I am pretty sure that either version will work (with a call to setgrent() to be
pedantic in the get_ngroups() version) properly on the systems we care about.
sysconf() will probably work but is sub-optimal and (to be pedantic) potentially
wrong.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
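
Added example (not part of the bug report and not OpenSSH code): one way to size a group buffer from the actual count that getgrouplist() reports, as the comment above recommends, rather than from NGROUPS_MAX or sysconf(_SC_NGROUPS_MAX). The helper name user_groups and the sample user "root" with gid 0 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* exposes getgrouplist() on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/*
 * Hypothetical helper (not OpenSSH code): return a malloc'd list of the
 * groups `user` belongs to, including `basegid`, and store the count in
 * *count. The buffer is sized from what getgrouplist() reports, never from
 * a compile-time NGROUPS_MAX. Returns NULL on failure; caller frees.
 */
gid_t *user_groups(const char *user, gid_t basegid, int *count)
{
    int cap = 1;        /* deliberately small so the resize path is exercised */
    gid_t *list = NULL;

    for (int tries = 0; tries < 16; tries++) {
        gid_t *tmp = realloc(list, (size_t)cap * sizeof(*tmp));
        if (tmp == NULL)
            break;
        list = tmp;

        int n = cap;
        if (getgrouplist(user, basegid, list, &n) != -1) {
            *count = n;  /* the actual number of groups */
            return list;
        }
        /* Buffer too small: use the size reported in n if it grew,
         * otherwise fall back to doubling. */
        cap = (n > cap) ? n : cap * 2;
    }
    free(list);
    return NULL;
}

int main(void)
{
    int n = 0;
    gid_t *g = user_groups("root", 0, &n);   /* constructed sample input */
    if (g == NULL)
        return 1;
    for (int i = 0; i < n; i++)
        printf("%lu\n", (unsigned long)g[i]);
    free(g);
    return 0;
}
```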