[Bug 787] Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Feb 24 13:05:49 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=787





------- Additional Comments From openssh_bugzilla at hockin.org  2004-02-24 13:05 -------
Well, there are very few bits of code that need hacking to work with 64k groups,
so I have to discount the bit about extra complexity.

Speaking of optimizing for the common case: this is called ONCE (unless I
misread) per process.  The real optimization is to use only as much memory as is
strictly needed, though neither you nor I are actually optimizing anything at
all.  The runtime of this code is so far away from the fast path of anything
that it's dumb to be arguing about.

I should also mention that sooner or later _SC_NGROUPS_MAX may end up as an
actual tunable in Linux.  Again, you don't care what the maximum is, just what
the actual number is.  Further, since the patch(es) I proposed are VERY simple
and work reliably, why would you opt AGAINST them, for something that is less
precise AND might not be available on a platform (thereby falling back on
today's buggy behavior)?  I can't see the reason for arguing that as a win.

But, in the end, it's not my project, right?
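
The approach argued for in the comment above, sizing the group buffer from the process's actual group count instead of a compile-time maximum, shown as an added example. It is not the patch attached to this bug and not code from uidswap.c; `save_groups` is a hypothetical helper, and it assumes a POSIX `getgroups()` that returns the count when called with size 0.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from uidswap.c): save the caller's supplementary
 * groups in a buffer sized from the actual count, not from NGROUPS_MAX.
 * Returns the number of groups saved, or -1 on error. The caller frees *out.
 */
int save_groups(gid_t **out)
{
    *out = NULL;
    for (int tries = 0; tries < 4; tries++) {
        int n = getgroups(0, NULL);      /* size 0: report the count only */
        if (n < 0)
            return -1;
        if (n == 0)
            return 0;                    /* no supplementary groups */

        gid_t *buf = calloc((size_t)n, sizeof(*buf));
        if (buf == NULL)
            return -1;

        int got = getgroups(n, buf);
        if (got >= 0) {
            *out = buf;
            return got;
        }
        /* EINVAL: the list grew between the two calls; re-query and retry. */
        free(buf);
    }
    return -1;
}

int main(void)
{
    gid_t *groups = NULL;
    int n = save_groups(&groups);

    if (n < 0) {
        perror("save_groups");           /* fail closed: nothing was saved */
        return 1;
    }
    printf("saved %d supplementary group(s)\n", n);
    free(groups);
    return 0;
}
```

A fixed array passed to `getgroups()` fails with EINVAL when the process holds more groups than the array has slots, which is the case a stale compile-time limit runs into.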


