On Thu, Nov 03, 2016 at 04:22:50AM +0100, Holger Jakob wrote:
Hi Arvin,
thanks for the fix.
I meanwhile did some more analysis and think that this might have more scope than just the fix to snapper. It seems that the order of the groups AND the number of members in the group file matters too. If getgrnam_r runs across an entry with too many members then any subsequent entry is answered with an ERANGE error. So even if the group that is added to ALLOW_GROUPS does not have that many members but is listed after one that does the error would still occur. I don't think working around this with MAX_MEMBERS_PER_GROUP in /etc/login.defs is any better. It is not supported by yast anyway.
So I take away from this that something in getgrnam_r is buggy (or not documented) when it has to deal with overfull group files. The getgrnam_r call appears to be using the buffer not just for the returned members but also for parsing earlier lines. If one is too full it will fail.
In that case please make a bug report against glibc, either at
SUSE or upstream, with steps how the reproduce the issue with
getgrnam_r.
Regards,
Arvin
--
Arvin Schnell,