[Bug 787] Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Feb 24 12:28:32 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=787





------- Additional Comments From openssh_bugzilla at hockin.org  2004-02-24 12:28 -------
Darren: getgroups() works properly, but yeah setgrent() is probably correct.

Damien: Linux 2.6.3 will change NGROUPS_MAX to 64k.  You *really* do not care
what _SC_NGROUPS_MAX says - it is the MAXIMUM (actually, it's the minimum
maximum, says POSIX.  The actual maximum may be higher than sysconf() reports,
if I recall correctly).  All you care about is the ACTUAL count.  You can get
the actual count from a getgrent loop or from a proper getgrouplist() (which
work on all systems, and not just HAVE_SYSCONF systems).

I am pretty sure that either version will work (with a call to setgrent() to be
pedantic in the get_ngroups() version) properly on the systems we care about. 
sysconf() will probably work but is sub-optimal and (to be pedantic) potentially
wrong.


