http://bugzilla.novell.com/show_bug.cgi?id=623098 http://bugzilla.novell.com/show_bug.cgi?id=623098#c0 Summary: glibc initgroups leaves out NIS groups on the second invocation Classification: openSUSE Product: openSUSE 11.3 Version: Final Platform: x86-64 OS/Version: openSUSE 11.3 Status: NEW Severity: Critical Priority: P5 - None Component: Basesystem AssignedTo: pbaudis@novell.com ReportedBy: dmueller@novell.com QAContact: qa@suse.de Found By: Development Blocker: --- +++ This bug was initially created as a clone of Bug #607064 +++ Created an attachment (id=363148) --> (http://bugzilla.novell.com/attachment.cgi?id=363148) test case in C initgroups leave out NIS groups on its second invocation. As a result users accessing a host with NIS authentication via SSH have incorrect group assignment (can be verified with 'id -G'). How to reproduce: 1) set up NIS authentication 2) _disable_ NSCD 3) SSH to the host and compare output of 'id -G' and 'id -G $USER' Actual result: groups assigned in NIS group directory are missing in the output of id -G (dump of getgroups(2)), while id -G $USER shows them (getgrouplist(3)) Expected result: output of id -G and id -G $USER are identical Workaround: start NSCD. Additional information: The attached test case illustrates the problem with getgrouplist(3). It behaves identically as initgroups(3), but does not require setgroups(2) privilege. After the first call the group from NIS is listed, after the second call it is missing. lpechacek@g233:~> sudo /usr/sbin/rcnscd stop lpechacek@g233:~> ./grouptest getgrouplist 1 50,499,497,10043 getgrouplist 2 50,499,497 lpechacek@g233:~> sudo /usr/sbin/rcnscd start lpechacek@g233:~> ./grouptest getgrouplist 1 499,497,10043,50 getgrouplist 2 499,497,10043,50 SSH daemon calls initgroups(3) twice - first at uidswap.c:106, then at session.c:1508. After the second call the process supplementary group IDs list is incomplete, which results in user's inability to access some files. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.