bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-21 04:19 UTC
[Bug 1412] New: Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

           Summary: Support for users in more than 16 groups on Mac OS X.
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: Other
        OS/Version: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P2
         Component: scp
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: vgiffin at apple.com

Created an attachment (id=1407)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1407)
Fixes issue with users in more than 16 groups.

Attached is a patch for building OpenSSH 4.7p1 on Mac OS X. This patch corrects functionality for users in more than 16 groups.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-21 10:42 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2007-12-21 21:42:33 ---
(From update of attachment 1407)
>+ if (initgroups(pw->pw_name, pw->pw_gid) < 0)

Why is this necessary? There's an initgroups() call in session.c.

(and yeah, I know that #ifdef hairball in session.c makes it hard to follow, but I have plans to tidy that up.)
bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-21 21:54 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

--- Comment #2 from Disco Vince Giffin <vgiffin at apple.com> 2007-12-22 08:54:45 ---
(In reply to comment #1)
> Why is this necessary? There's an initgroups() call in session.c.

Good question. I'll have to do a little more research to answer that. I did run a couple of tests and confirmed that this patch is required for scp to honor groups past the 16th (for a given user) for OpenSSH 4.7p1 on Leopard (Mac OS X 10.5.1).
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-19 19:49 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1407|                            |ok?(dtucker at zip.com.au)
               Flag|                            |

--- Comment #3 from Damien Miller <djm at mindrot.org> 2008-01-20 06:49:36 ---
(From update of attachment 1407)
Seems reasonable to me. Darren, can you see any problems with this?
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-19 22:42 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2008-01-20 09:42:24 ---
(In reply to comment #3)
> (From update of attachment 1407 [details])
> Seems reasonable to me. Darren, can you see any problems with this?

I'd like to understand why it's needed first, given that there's already an initgroups() call in session.c.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-22 02:19 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

--- Comment #5 from Disco Vince Giffin <vgiffin at apple.com> 2008-01-22 13:19:08 ---
This patch should probably be within the #else portion of the above #ifdef and/or within an #ifdef __APPLE__.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-22 02:24 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

--- Comment #6 from Disco Vince Giffin <vgiffin at apple.com> 2008-01-22 13:24:20 ---
(In reply to comment #4)
> (In reply to comment #3)
> > (From update of attachment 1407 [details] [details])
> > Seems reasonable to me. Darren, can you see any problems with this?
>
> I'd like to understand why it's needed first, given that there's
> already an initgroups() call in session.c.

Our (Apple's) implementation of initgroups() opts you in to using memberd (which gives you the ability to be in more than 16 groups). For conformance and compatibility reasons, certain calls will opt you out of this behavior. The setgid() call just above this patch opts out of using more than 16 groups. The patch to call initgroups() again is required to opt back in.

Basically, initgroups has to be called after any setgroups(), setgid(), etc., if you want to use more than 16 groups.
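The call ordering described in comment #6, as an added example that is not OpenSSH code and not the attached patch. The names `cred_ops`, `drop_to_user`, `real_ops` and `model_ops` are hypothetical, and the model encodes only what the comment states (initgroups() opts in, setgid() opts out), not Apple's actual implementation.

```c
#define _DEFAULT_SOURCE          /* expose initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdbool.h>
#include <sys/types.h>
#include <unistd.h>

/* Credential calls sit behind a table so the ordering can be exercised
 * without root. All names here are hypothetical, not OpenSSH's. */
struct cred_ops {
	int (*initgroups)(const char *user, gid_t gid);
	int (*setgid)(gid_t gid);
	int (*setuid)(uid_t uid);
};

/* Real calls. The wrapper absorbs the differing initgroups() prototypes. */
static int r_initgroups(const char *u, gid_t g) { return initgroups(u, g); }
const struct cred_ops real_ops = { r_initgroups, setgid, setuid };

/* Constructed model of comment #6 only: initgroups() opts in to
 * large-group resolution, setgid() opts back out. */
static bool opted_in;
static int m_initgroups(const char *u, gid_t g) { (void)u; (void)g; opted_in = true; return 0; }
static int m_setgid(gid_t g) { (void)g; opted_in = false; return 0; }
static int m_setuid(uid_t u) { (void)u; return 0; }
const struct cred_ops model_ops = { m_initgroups, m_setgid, m_setuid };

/* Drop to pw's identity; returns 0 or -1. Callers must treat -1 as fatal. */
int drop_to_user(const struct cred_ops *ops, const struct passwd *pw, bool reinit)
{
	if (ops->initgroups(pw->pw_name, pw->pw_gid) < 0) return -1;
	if (ops->setgid(pw->pw_gid) < 0) return -1;
	/* Comment #6: call initgroups() again after setgid() to opt back in. */
	if (reinit && ops->initgroups(pw->pw_name, pw->pw_gid) < 0) return -1;
	if (ops->setuid(pw->pw_uid) < 0) return -1;
	return 0;
}

/* Run the sequence against the model; report whether we end up opted in. */
bool model_ends_opted_in(bool reinit)
{
	struct passwd pw = { .pw_name = "alice", .pw_uid = 501, .pw_gid = 20 }; /* constructed */
	opted_in = false;
	return drop_to_user(&model_ops, &pw, reinit) == 0 && opted_in;
}

int main(void) { return model_ends_opted_in(true) && !model_ends_opted_in(false) ? 0 : 1; }
```

Passing `&real_ops` instead of `&model_ops` performs the same sequence with the real calls, which requires starting as root.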
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-14 03:43 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1481
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-13 07:14 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #7 from Damien Miller <djm at mindrot.org> 2009-01-13 18:14:32 ---
Won't a similar call to initgroups() need to be in permanently_drop_suid() and restore_uid() too?
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-13 22:05 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

--- Comment #8 from Disco Vince Giffin <vgiffin at apple.com> 2009-01-14 09:05:23 ---
(In reply to comment #7)
> Won't a similar call to initgroups() need to be in
> permanently_drop_suid() and restore_uid() too?

No, because setgid() isn't called from permanently_drop_suid() and restore_uid() is restoring the original (privileged) uid.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-14 02:31 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

--- Comment #9 from Damien Miller <djm at mindrot.org> 2009-01-14 13:31:30 ---
Sorry, I meant temporarily_use_uid(), not permanently_drop_suid()

temporarily_use_uid() calls setgroups(), does that opt out of memberd?
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-14 21:09 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

--- Comment #10 from Disco Vince Giffin <vgiffin at apple.com> 2009-01-15 08:09:08 ---
(In reply to comment #9)
> Sorry, I meant temporarily_use_uid(), not permanently_drop_suid()
>
> temporarily_use_uid() calls setgroups(), does that opt out of memberd?

No. The call to setgroups() in temporarily_use_uid() should be fine.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-15 00:12 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1407|0                           |1
        is obsolete|                            |
   Attachment #1407|ok?(dtucker at zip.com.au)  |
               Flag|                            |
   Attachment #1592|                            |ok?(dtucker at zip.com.au)
               Flag|                            |

--- Comment #11 from Damien Miller <djm at mindrot.org> 2009-01-15 11:12:26 ---
Created an attachment (id=1592)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1592)
wrap in __APPLE__ and comment

This is the diff I'd like to commit then.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-18 10:54 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1592|                            |ok+
               Flag|                            |
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-18 10:55 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1592|ok?(dtucker at zip.com.au)  |ok+
               Flag|                            |
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-18 10:55 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|scp                         |sshd
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-21 05:08 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #12 from Damien Miller <djm at mindrot.org> 2009-01-21 16:08:21 ---
fix applied - will be in openssh-5.2. Thanks!
bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-23 02:35 UTC
[Bug 1412] Support for users in more than 16 groups on Mac OS X.
https://bugzilla.mindrot.org/show_bug.cgi?id=1412

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #13 from Damien Miller <djm at mindrot.org> 2009-02-23 13:35:37 ---
Close bugs fixed/reviewed for openssh-5.2 release