[OpenAFS] strange group limits with openafs-1.3.81
Christian Ospelkaus
christian@core-coutainville.org
Tue, 10 May 2005 14:29:52 +0200
Here is something really weird: I have a system with 31 normal user accounts.
The system is debian sarge with the 1.3.81 packages from experimental on
kernel-image-2.6.8-2-686. In /etc/group, I usually add all of these users to
the floppy, cdrom, video and audio group. I had some strange issues with cd
burning as non-root users which seem to be related to the openafs kernel
module. Here is what happens: When I add those 31 users _only_ to the audio
and cdrom group, the following thing will work just fine:
weissmies:~# cat /tmp/testsh
#!/bin/sh
echo "Hello world!"
weissmies:~# ls -l /tmp/testsh
-rwxr-x--- 1 root cdrom 30 May 10 14:19 /tmp/testsh
weissmies:~# ls -ln /tmp/testsh
-rwxr-x--- 1 0 24 30 May 10 14:19 /tmp/testsh
weissmies:~# /tmp/testsh
Hello world!
weissmies:~# logout
Connection to weissmies closed.
christia@weissmies:~$ id -G
277 34050 41333 24 29
christia@weissmies:~$ /tmp/testsh
Hello world!
So the executable belongs to the cdrom group and is suid root. User christia
belongs to that group (numeric gid 24). The permissions are exactly those of
the cdrecord binary on my system - this is how I originally noticed there was
a problem. However, if I add those 31 users to one other group (say, the
floppy group), running the small script will fail with
christia@weissmies:~$ /tmp/testsh
bash: /tmp/testsh: Permission denied
If I do not load the openafs module at boot, I do not have these problems.
Only after the module is loaded and the user logs out and in again, I start
seeing these issues. I also do not see this problem at all with the same
packages and kernel-image-2.4.27-2-686. So I assume this has to do with the
setgroups hook for PAGs in the 2.6 code. I also noticed that it does not seem
to matter how many users I put into one of these groups. For the problem to
occur, it is sufficient for that one user to be a member of more than two of
those additional groups. Maybe somebody can comment... Best regards,
Christian
PS: In fact, the group entries come from ldap, but I have verified that the
behaviour is exactly the same if I use local entries in /etc/group.
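Added example, not part of the post and not OpenAFS's own code: the two unusual gids in the quoted `id -G` output (34050 and 41333) are the PAG pair that the OpenAFS module places in the supplementary group list. This C program decodes such a pair using the gid-to-PAG encoding OpenAFS uses on Linux (re-implemented here for illustration) and counts how many ordinary groups sit beside it, which is the count the post says matters; `pag_from_groups` and `scan_groups` are names chosen here, and the gid list is taken from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define NOPAG 0xffffffffu

/* Decode a PAG from two supplementary gids, following the encoding
 * OpenAFS uses on Linux (re-implemented here, not copied from the
 * project): each gid is offset by 0x3f00, the two 14-bit halves are
 * joined, and a valid PAG carries an 'A' tag in its top byte.
 * Returns NOPAG when the pair is not a PAG. Unsigned wrap-around on
 * small gids (e.g. 24, 29) pushes them past 0xc000, so they are
 * rejected without any special case. */
uint32_t pag_from_groups(uint32_t g0, uint32_t g1)
{
    uint32_t h, l, ret;

    g0 -= 0x3f00;
    g1 -= 0x3f00;
    if (g0 >= 0xc000 || g1 >= 0xc000)
        return NOPAG;
    l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
    h = (g0 >> 14);
    h = (g1 >> 14) + h + h + h;
    ret = (h << 28) | l;
    return (((ret >> 24) & 0xff) == 'A') ? ret : NOPAG;
}

/* Scan an `id -G` style gid list for an adjacent PAG pair. On success
 * store the PAG in *pag and return the number of gids that are NOT
 * part of the pair; return -1 when no PAG pair is present. */
int scan_groups(const uint32_t *gids, size_t n, uint32_t *pag)
{
    size_t i;
    for (i = 0; i + 1 < n; i++) {
        uint32_t p = pag_from_groups(gids[i], gids[i + 1]);
        if (p != NOPAG) {
            *pag = p;
            return (int)(n - 2);
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed from the `id -G` output quoted in the post. */
    uint32_t gids[] = { 277, 34050, 41333, 24, 29 };
    uint32_t pag;
    int plain = scan_groups(gids, sizeof gids / sizeof gids[0], &pag);
    if (plain < 0)
        puts("no PAG pair in group list");
    else
        printf("PAG 0x%08x; %d ordinary gid(s) beside the pair\n", pag, plain);
    return 0;
}
```

With the post's group list this reports PAG 0x4180a275 and 3 ordinary gids (primary group plus cdrom and audio); adding a third supplementary group, as the post describes, makes the list six entries long.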