dovecot - Oct 2018 - macOS Mojave: setgroups(501) failed: Too many extra groups

Hello,

I have recently upgraded to macOS 10.14 (Mojave) and am running into an 
issue where one use can no longer log into dovecot via imap. Log shows

Oct 11 08:10:27 imap(hwr)<12659><YpC/0+133+EAAAAAAAAAAAAAAAAAAAAB>: 
Fatal: setgroups(501) failed: Too many extra groups

and indeed, the user is in 17 groups, which is more than NGROUPS_MAX 
(16).
Another user with << 16 groups can log in fine. Unfortunately it is not 
(easily) doable to reduce
the number of groups, as macOS seems to set them internally.

Is there a config option that I am missing to work around this?

Looking at the source, I see this is handled in 
src/lib/restrict-access.c::fix_groups_list(),
where above the call to setgroups() a gid_list2 is constructed. I wonder 
if one could
have a config option to prevent adding all those extra groups, which 
then make the
call to setgroups() fail

Any help appreciated
    Heiko

-- 
hwr at pilhuhn.de  m:0179/207 4919  b:http://pilhuhn.blogspot.com

On 11.10.2018 09:28, Heiko W. Rupp wrote:
> Hello,
>
> I have recently upgraded to macOS 10.14 (Mojave) and am running into
> an issue where one use can no longer log into dovecot via imap. Log shows
>
> Oct 11 08:10:27
imap(hwr)<12659><YpC/0+133+EAAAAAAAAAAAAAAAAAAAAB>:
> Fatal: setgroups(501) failed: Too many extra groups
>
> and indeed, the user is in 17 groups, which is more than NGROUPS_MAX
> (16).
> Another user with << 16 groups can log in fine. Unfortunately it is
> not (easily) doable to reduce
> the number of groups, as macOS seems to set them internally.
>
> Is there a config option that I am missing to work around this?
>
> Looking at the source, I see this is handled in
> src/lib/restrict-access.c::fix_groups_list(),
> where above the call to setgroups() a gid_list2 is constructed. I
> wonder if one could
> have a config option to prevent adding all those extra groups, which
> then make the
> call to setgroups() fail
>
> Any help appreciated
> ?? Heiko
>
Not trivially. We would need to know which groups to drop and which not.

Aki

On Thu, Oct 11, 2018 at 09:51:34AM +0300, Aki Tuomi
wrote:
> > Looking at the source, I see this is handled in
> > src/lib/restrict-access.c::fix_groups_list(),
> > where above the call to setgroups() a gid_list2 is constructed. I
> > wonder if one could
> > have a config option to prevent adding all those extra groups, which
> > then make the
> > call to setgroups() fail
 
> Not trivially. We would need to know which groups to drop and which not.
Looking at id output

 id
uid=501(hwr) gid=20(staff)
groups=20(staff),6(mail),12(everyone),61(localaccounts),80(admin),98(_lpadmin),500(users),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),30(_keytabusers),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),103(com.apple.access_screensharing-disabled),104(com.apple.access_ssh-disabled)

it seems that all the com.apple ones can easily be dropped.
What about a config list, that the admin can set with a list of gids, that can
be dropped/are not added to gid_list2 ?

  Heiko

On 11 Oct 2018, at 5:28 pm, Heiko W. Rupp <hwr at pilhuhn.de <mailto:hwr
at pilhuhn.de>> wrote:
> 
> Hello,
> 
> I have recently upgraded to macOS 10.14 (Mojave) and am running into an
issue where one use can no longer log into dovecot via imap. Log shows
> 
> Oct 11 08:10:27
imap(hwr)<12659><YpC/0+133+EAAAAAAAAAAAAAAAAAAAAB>: Fatal:
setgroups(501) failed: Too many extra groups
> 
> ...
> Any help appreciated
>   Heiko
This came up on the list a few months ago. See thread with subject "dying
on osx? on 11 August and 4 September 2018.

The only way I managed to get it to work was by changing default_login_user and
default_internal_user to my username.

As you say, wasn?t an issue with earlier versions of macOS X.

Any solution would be most appreciated.

James.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20181024/6b3bced0/attachment.html>