[OpenAFS] strange group limits with openafs-1.3.81
Tue, 10 May 2005 14:29:52 +0200
Here is something really weird: I have a system with 31 normal user accounts.
The system is debian sarge with the 1.3.81 packages from experimental on
kernel-image-2.6.8-2-686. In /etc/group, I usually add all of these users to
the floppy, cdrom, video and audio group. I had some strange issues with cd
burning as non-root users which seem to be related to the openafs kernel
module. Here is what happens: When I add those 31 users _only_ to the audio
and cdrom group, the following thing will work just fine:
weissmies:~# cat /tmp/testsh
echo "Hello world!"
weissmies:~# ls -l /tmp/testsh
-rwxr-x--- 1 root cdrom 30 May 10 14:19 /tmp/testsh
weissmies:~# ls -ln /tmp/testsh
-rwxr-x--- 1 0 24 30 May 10 14:19 /tmp/testsh
Connection to weissmies closed.
christia@weissmies:~$ id -G
277 34050 41333 24 29
So the executable belongs to the cdrom group and is suid root. User christia
belongs to that group (numeric gid 24). The permissions are exactly those of
the cdrecord binary on my system - this is how I originally noticed there was
a problem. However, if I add those 31 users to one other group (say, the
floppy group), running the small script will fail with
bash: /tmp/testsh: Permission denied
If I do not load the openafs module at boot, I do not have these problems.
Only after the modules is loaded and the user logs out and in again, I start
seeing this issues. I also do not see this problem at all with the same
packages and kernel-image-2.4.27-2-686. So I assume this has to do with the
setgroups hook for PAGs in the 2.6 code. I also noticed that it does not seem
to matter how many users I put into one of these groups. For the problem to
occur, it is sufficient for that one user to be a member of more than two of
those additional groups. Maybe somebody can comment... Best regards,
PS: In fact, the group entries come from ldap, but I have verified that the
behaviour is exactly the same if I use local entries in /etc/group.