From a093b41dafbd7defb7612a20d5672d938b8a54ed Mon Sep 17 00:00:00 2001 From: brooks Date: Tue, 12 Jan 2010 07:49:34 +0000 Subject: Replace the static NGROUPS=NGROUPS_MAX+1=1024 with a dynamic kern.ngroups+1. kern.ngroups can range from NGROUPS_MAX=1023 to INT_MAX-1. Given that the Windows group limit is 1024, this range should be sufficient for most applications. MFC after: 1 month --- sys/kern/kern_mib.c | 2 +- sys/kern/kern_prot.c | 12 ++++++------ sys/kern/subr_param.c | 14 ++++++++++++++ 3 files changed, 21 insertions(+), 7 deletions(-) (limited to 'sys/kern') diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c index 78382c7..e2d061a 100644 --- a/sys/kern/kern_mib.c +++ b/sys/kern/kern_mib.c @@ -125,7 +125,7 @@ SYSCTL_INT(_kern, KERN_POSIX1, posix1version, CTLFLAG_RD, 0, _POSIX_VERSION, "Version of POSIX attempting to comply to"); SYSCTL_INT(_kern, KERN_NGROUPS, ngroups, CTLFLAG_RD, - 0, NGROUPS_MAX, + &ngroups_max, 0, "Maximum number of supplemental groups a user can belong to"); SYSCTL_INT(_kern, KERN_JOB_CONTROL, job_control, CTLFLAG_RD, diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 709bcb0..5a5c24c 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -283,7 +283,7 @@ getgroups(struct thread *td, register struct getgroups_args *uap) u_int ngrp; int error; - ngrp = MIN(uap->gidsetsize, NGROUPS); + ngrp = MIN(uap->gidsetsize, ngroups_max + 1); groups = malloc(ngrp * sizeof(*groups), M_TEMP, M_WAITOK); error = kern_getgroups(td, &ngrp, groups); if (error) @@ -796,7 +796,7 @@ setgroups(struct thread *td, struct setgroups_args *uap) gid_t *groups = NULL; int error; - if (uap->gidsetsize > NGROUPS) + if (uap->gidsetsize > ngroups_max + 1) return (EINVAL); groups = malloc(uap->gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK); error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t)); @@ -815,7 +815,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) struct ucred *newcred, *oldcred; int error; - if (ngrp > NGROUPS) + if (ngrp > ngroups_max + 1) return (EINVAL); AUDIT_ARG_GROUPSET(groups, ngrp); newcred = crget(); @@ -2022,14 +2022,14 @@ crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups) /* * Copy groups in to a credential after expanding it if required. - * Truncate the list to NGROUPS if it is too large. + * Truncate the list to (ngroups_max + 1) if it is too large. */ void crsetgroups(struct ucred *cr, int ngrp, gid_t *groups) { - if (ngrp > NGROUPS) - ngrp = NGROUPS; + if (ngrp > ngroups_max + 1) + ngrp = ngroups_max + 1; crextend(cr, ngrp); crsetgroups_locked(cr, ngrp, groups); diff --git a/sys/kern/subr_param.c b/sys/kern/subr_param.c index 6113b63..fcd8131 100644 --- a/sys/kern/subr_param.c +++ b/sys/kern/subr_param.c @@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$"); #include "opt_param.h" #include "opt_maxusers.h" +#include #include #include #include @@ -88,6 +89,7 @@ int maxfiles; /* sys. wide open files limit */ int maxfilesperproc; /* per-proc open files limit */ int ncallout; /* maximum # of timer events */ int nbuf; +int ngroups_max; /* max # groups per process */ int nswbuf; long maxswzone; /* max swmeta KVA storage */ long maxbcache; /* max buffer cache KVA storage */ @@ -228,6 +230,18 @@ init_param1(void) TUNABLE_ULONG_FETCH("kern.maxssiz", &maxssiz); sgrowsiz = SGROWSIZ; TUNABLE_ULONG_FETCH("kern.sgrowsiz", &sgrowsiz); + + /* + * Let the administrator set {NGROUPS_MAX}, but disallow values + * less than NGROUPS_MAX which would violate POSIX.1-2008 or + * greater than INT_MAX-1 which would result in overflow. + */ + ngroups_max = NGROUPS_MAX; + TUNABLE_INT_FETCH("kern.ngroups", &ngroups_max); + if (ngroups_max < NGROUPS_MAX) + ngroups_max = NGROUPS_MAX; + if (ngroups_max > INT_MAX - 1) + ngroups_max = INT_MAX - 1; } /* -- cgit v1.1