[OpenAFS-devel] OpenAFS and glibc-2.2

Thomas Mueller thomas.mueller@hrz.tu-chemnitz.de
Fri, 23 Mar 2001 12:53:53 +0100 (MET) 

Hi all,

playing with Redhat Linux 7.0.91 (wolverine) and OpenAFS 1.0.3 I found a
difference in the behavior of initgroups() in glibc-2.1 and
glibc-2.2.
initgroups() in glibc-2.2 discards the group ids used to
identify a PAG in OpenAFS from the process supplementary groups while
initgroups() in glibc-2.1 keeps them.

A little program illustrates what I mean:

#include <limits.h>
#include <sys/types.h>

void printgroups()
{
  int ng,i;
  gid_t groups[NGROUPS_MAX];

  ng = getgroups(NGROUPS_MAX, groups);
  for (i=0; i<ng; i++) printf("gid %d = %d\n",i,groups[i]);
}

main(int argc, char* argv[])
{
   if (argc < 2) {
      printf("usage: %s <username>\n", argv[0]); exit(1);
   }
   printf("*** before initgroups\n");
   printgroups();
   initgroups(argv[1], 1000);
   printf("*** after initgroups\n");
   printgroups();
}

Running this program on a glibc-2.1 based system (such as RedHat
Linux 7.0) you will see:

# ./initgrouptest thm
*** before initgroups
grouplist[0]=34279
grouplist[1]=34629
grouplist[2]=0
grouplist[3]=1
grouplist[4]=2
grouplist[5]=3
grouplist[6]=4
grouplist[7]=6
grouplist[8]=10
*** after initgroups
grouplist[0]=34279
grouplist[1]=34629
grouplist[2]=1000
grouplist[3]=5000

Please note: the first two gid's were kept by initgroups()

On a glibc-2.2 based system (such as Redhat Linux 7.0.91 (Wolverine)) you
see:

# ./initgrouptest thm
*** before initgroups
grouplist[0]=34279
grouplist[1]=38713
grouplist[2]=0
grouplist[3]=1
grouplist[4]=2
grouplist[5]=3
grouplist[6]=4
grouplist[7]=6
grouplist[8]=10
*** after initgroups
grouplist[0]=1000
grouplist[1]=5000

The first two gids were discarded. The calling process lost the PAG and
consequently the AFS token.

This will break applications which are configured to use the PAM
module from OpenAFS and which are calling pam_authenticate() *and*
pam_setcred() before initgroups().
sshd from openssh-2.5 is such an application.

Regards,
	Thomas.

-- 
----------------------------------------------------------
Thomas Mller, TU Chemnitz, URZ, D-09107 Chemnitz, Germany
----------------------------------------------------------