On 05/22/2013 11:02 AM, Eric Blake wrote:
+ /* Figure out what size list to expect */ + getgrouplist(pwd.pw_name, gid, groups, &ngroups);
Do we need to be concerned about the "BUGS" info in the manpage?
BUGS In glibc versions before 2.3.3, the implementation of this function contains a buffer-overrun bug: it returns the complete list of groups for user in the array groups, even when the number of groups exceeds *ngroups.
Is anyone running that vintage of glibc? It sounds *kind of* like it could hit that if ngroups is 0 (but doesn't specifically say that).
So I did some digging, and gnulib has an 'mgetgroups' module (unfortunately GPL, but maybe I could get it relaxed if we wanted to use that instead)
I'll do a v2 that either works around the bug, or which delegates to the gnulib module (depending on response on the gnulib list about a license relax request).
Gnulib just relaxed the license[1]; I'll be respinning this patch to pull in the gnulib module instead. [1] http://git.sv.gnu.org/gitweb/?p=gnulib.git;a=shortlog;h=612ef3f7 -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org