Heiko W. Rupp
2018-Oct-11 07:08 UTC
macOS Mojave: setgroups(501) failed: Too many extra groups
On Thu, Oct 11, 2018 at 09:51:34AM +0300, Aki Tuomi wrote:
> > Looking at the source, I see this is handled in
> > src/lib/restrict-access.c::fix_groups_list(),
> > where above the call to setgroups() a gid_list2 is constructed. I
> > wonder if one could have a config option to prevent adding all those
> > extra groups, which then make the call to setgroups() fail
>
> Not trivially. We would need to know which groups to drop and which not.

Looking at id output

id
uid=501(hwr) gid=20(staff) groups=20(staff),6(mail),12(everyone),61(localaccounts),80(admin),98(_lpadmin),500(users),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),30(_keytabusers),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),103(com.apple.access_screensharing-disabled),104(com.apple.access_ssh-disabled)

it seems that all the com.apple ones can easily be dropped.
What about a config list, that the admin can set with a list of gids, that can be dropped/are not added to gid_list2?

Heiko
Aki Tuomi
2018-Oct-11 07:55 UTC
macOS Mojave: setgroups(501) failed: Too many extra groups
On 11.10.2018 10:08, Heiko W. Rupp wrote:
> On Thu, Oct 11, 2018 at 09:51:34AM +0300, Aki Tuomi wrote:
>>> Looking at the source, I see this is handled in
>>> src/lib/restrict-access.c::fix_groups_list(),
>>> where above the call to setgroups() a gid_list2 is constructed. I
>>> wonder if one could have a config option to prevent adding all those
>>> extra groups, which then make the call to setgroups() fail
>>
>> Not trivially. We would need to know which groups to drop and which not.
>
> Looking at id output
>
> id
> uid=501(hwr) gid=20(staff) groups=20(staff),6(mail),12(everyone),61(localaccounts),80(admin),98(_lpadmin),500(users),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),30(_keytabusers),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),103(com.apple.access_screensharing-disabled),104(com.apple.access_ssh-disabled)
>
> it seems that all the com.apple ones can easily be dropped.
> What about a config list, that the admin can set with a list of gids, that can be dropped/are not added to gid_list2?
>
> Heiko

Maybe. Have to see when we can implement it though. It could probably leverage the min/max_gid setting.

Aki
Heiko W. Rupp
2018-Oct-11 08:35 UTC
macOS Mojave: setgroups(501) failed: Too many extra groups
On Thu, Oct 11, 2018 at 10:55:39AM +0300, Aki Tuomi wrote:
> Maybe. Have to see when we can implement it though. It could probably
> leverage the min/max_gid setting.

Actually that was a great hint. Setting

last_valid_gid = 100

in the config and restarting helped.

Having a filter-list instead of fixed upper/lower bounds would be more flexible. I guess though that in reality most systems/setups have ranges for different kinds of groups, so that the first/last_valid_gid could be applied.

Thanks
Heiko
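
The following C program is an added example, not part of the thread and not Dovecot's own code. It applies a first/last valid gid range to the supplementary groups from the `id` output quoted above and checks the result against a group limit; the function name `filter_gids`, the limit of 16, the lower bound of 1 and treating `last_valid == 0` as "no upper bound" are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>

/* Supplementary gids copied from the `id` output in the thread (17 entries). */
static const gid_t thread_gids[] = {
    20, 6, 12, 61, 80, 98, 500, 701, 702,
    30, 33, 100, 204, 250, 395, 103, 104
};
#define THREAD_GID_COUNT (sizeof(thread_gids) / sizeof(thread_gids[0]))

/* Assumed limit for illustration; a real program would ask
 * sysconf(_SC_NGROUPS_MAX) for the platform's value. */
#define EXAMPLE_MAX_GROUPS 16

/*
 * Copy the gids inside [first_valid, last_valid] from in[] to out[],
 * preserving order. last_valid == 0 means "no upper bound" (assumption).
 * Returns the number kept, or -1 if more than max_groups would remain,
 * which is the case where a later setgroups() call would be rejected.
 */
static int filter_gids(const gid_t *in, size_t n,
                       gid_t first_valid, gid_t last_valid,
                       gid_t *out, size_t max_groups)
{
    size_t kept = 0;

    for (size_t i = 0; i < n; i++) {
        if (in[i] < first_valid)
            continue;               /* below the allowed range */
        if (last_valid != 0 && in[i] > last_valid)
            continue;               /* above the allowed range */
        if (kept == max_groups)
            return -1;              /* list still too long */
        out[kept++] = in[i];
    }
    return (int)kept;
}

int main(void)
{
    gid_t out[EXAMPLE_MAX_GROUPS];

    printf("no upper bound: %d\n", filter_gids(thread_gids,
           THREAD_GID_COUNT, 1, 0, out, EXAMPLE_MAX_GROUPS));
    printf("last_valid=100: %d\n", filter_gids(thread_gids,
           THREAD_GID_COUNT, 1, 100, out, EXAMPLE_MAX_GROUPS));
    return 0;
}
```

Groups outside the range are removed from the process entirely, so any file access that depended on them is lost along with them.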