Replace the static NGROUPS=NGROUPS_MAX+1=1024 with a dynamic
kern.ngroups+1. kern.ngroups can range from NGROUPS_MAX=1023 to INT_MAX-1. Given that the Windows group limit is 1024, this range should be sufficient for most applications. MFC after: 1 month
parent
7bf27b2dde
commit
412f9500e2
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=202143
@ -101,6 +101,7 @@ module_path="/boot/modules" # Set the module search path
|
||||
#kern.maxusers="32" # Set size of various static tables
|
||||
#kern.nbuf="" # Set the number of buffer headers
|
||||
#kern.ncallout="" # Set the maximum # of timer events
|
||||
#kern.ngroups="1023" # Set the maximum # of supplemental groups
|
||||
#kern.sgrowsiz="" # Set the amount to grow stack
|
||||
#kern.cam.scsi_delay="2000" # Delay (in ms) before probing SCSI
|
||||
#kern.ipc.maxsockets="" # Set the maximum number of sockets avaliable
|
||||
|
@ -1138,7 +1138,7 @@ linux_setgroups(struct thread *td, struct linux_setgroups_args *args)
|
||||
struct proc *p;
|
||||
|
||||
ngrp = args->gidsetsize;
|
||||
if (ngrp < 0 || ngrp >= NGROUPS)
|
||||
if (ngrp < 0 || ngrp > ngroups_max)
|
||||
return (EINVAL);
|
||||
linux_gidset = malloc(ngrp * sizeof(*linux_gidset), M_TEMP, M_WAITOK);
|
||||
error = copyin(args->grouplist, linux_gidset, ngrp * sizeof(l_gid_t));
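Review bot: The `malloc(ngrp * sizeof(*linux_gidset), M_TEMP, M_WAITOK)` size is now limited only by the `kern.ngroups` tunable, and the clamp this commit adds in init_param1 lets that tunable reach INT_MAX-1. Where size_t is 32 bits the multiplication can wrap for a large `ngrp`, so the buffer and the `copyin` length could be smaller than the count used by the rest of the function, which lies outside this hunk. On any platform a raised tunable also makes this a very large sleeping allocation. The same sizing appears in the linux_setgroups16 and setgroups hunks. I would lower the ceiling where the tunable is fetched so the product cannot wrap, for example `if (ngroups_max > INT_MAX / (int)sizeof(gid_t) - 1)`, and state the practical maximum next to the loader.conf entry.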
|
||||
|
@ -109,7 +109,7 @@ linux_setgroups16(struct thread *td, struct linux_setgroups16_args *args)
|
||||
#endif
|
||||
|
||||
ngrp = args->gidsetsize;
|
||||
if (ngrp < 0 || ngrp >= NGROUPS)
|
||||
if (ngrp < 0 || ngrp > ngroups_max)
|
||||
return (EINVAL);
|
||||
linux_gidset = malloc(ngrp * sizeof(*linux_gidset), M_TEMP, M_WAITOK);
|
||||
error = copyin(args->gidset, linux_gidset, ngrp * sizeof(l_gid16_t));
|
||||
|
@ -708,7 +708,7 @@ svr4_sys_sysconfig(td, uap)
|
||||
|
||||
switch (uap->name) {
|
||||
case SVR4_CONFIG_NGROUPS:
|
||||
*retval = NGROUPS_MAX;
|
||||
*retval = ngroups_max;
|
||||
break;
|
||||
case SVR4_CONFIG_CHILD_MAX:
|
||||
*retval = maxproc;
|
||||
|
@ -665,7 +665,7 @@ ibcs2_getgroups(td, uap)
|
||||
|
||||
if (uap->gidsetsize < 0)
|
||||
return (EINVAL);
|
||||
ngrp = MIN(uap->gidsetsize, NGROUPS);
|
||||
ngrp = MIN(uap->gidsetsize, ngroups_max + 1);
|
||||
gp = malloc(ngrp * sizeof(*gp), M_TEMP, M_WAITOK);
|
||||
error = kern_getgroups(td, &ngrp, gp);
|
||||
if (error)
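Review bot: `ngrp = MIN(uap->gidsetsize, ngroups_max + 1)` sizes the temporary buffer from the caller's argument, so once `kern.ngroups` is raised, a process with only a few groups can still make the kernel allocate room for the full limit. Before this change the constant capped the request at 1024 entries. Bounding the count by the credential's real group count as well, e.g. `ngrp = MIN(ngrp, td->td_ucred->cr_ngroups);`, would keep the allocation proportional to what is copied out. kern_getgroups is not shown on this page, so confirm that it accepts the smaller count. The getgroups hunk for the native syscall has the same line.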
|
||||
@ -693,7 +693,7 @@ ibcs2_setgroups(td, uap)
|
||||
gid_t *gp;
|
||||
int error, i;
|
||||
|
||||
if (uap->gidsetsize < 0 || uap->gidsetsize > NGROUPS)
|
||||
if (uap->gidsetsize < 0 || uap->gidsetsize > ngroups_max + 1)
|
||||
return (EINVAL);
|
||||
if (uap->gidsetsize && uap->gidset == NULL)
|
||||
return (EINVAL);
|
||||
|
@ -125,7 +125,7 @@ SYSCTL_INT(_kern, KERN_POSIX1, posix1version, CTLFLAG_RD,
|
||||
0, _POSIX_VERSION, "Version of POSIX attempting to comply to");
|
||||
|
||||
SYSCTL_INT(_kern, KERN_NGROUPS, ngroups, CTLFLAG_RD,
|
||||
0, NGROUPS_MAX,
|
||||
&ngroups_max, 0,
|
||||
"Maximum number of supplemental groups a user can belong to");
|
||||
|
||||
SYSCTL_INT(_kern, KERN_JOB_CONTROL, job_control, CTLFLAG_RD,
|
||||
|
@ -283,7 +283,7 @@ getgroups(struct thread *td, register struct getgroups_args *uap)
|
||||
u_int ngrp;
|
||||
int error;
|
||||
|
||||
ngrp = MIN(uap->gidsetsize, NGROUPS);
|
||||
ngrp = MIN(uap->gidsetsize, ngroups_max + 1);
|
||||
groups = malloc(ngrp * sizeof(*groups), M_TEMP, M_WAITOK);
|
||||
error = kern_getgroups(td, &ngrp, groups);
|
||||
if (error)
|
||||
@ -796,7 +796,7 @@ setgroups(struct thread *td, struct setgroups_args *uap)
|
||||
gid_t *groups = NULL;
|
||||
int error;
|
||||
|
||||
if (uap->gidsetsize > NGROUPS)
|
||||
if (uap->gidsetsize > ngroups_max + 1)
|
||||
return (EINVAL);
|
||||
groups = malloc(uap->gidsetsize * sizeof(gid_t), M_TEMP, M_WAITOK);
|
||||
error = copyin(uap->gidset, groups, uap->gidsetsize * sizeof(gid_t));
|
||||
@ -815,7 +815,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
|
||||
struct ucred *newcred, *oldcred;
|
||||
int error;
|
||||
|
||||
if (ngrp > NGROUPS)
|
||||
if (ngrp > ngroups_max + 1)
|
||||
return (EINVAL);
|
||||
AUDIT_ARG_GROUPSET(groups, ngrp);
|
||||
newcred = crget();
|
||||
@ -2022,14 +2022,14 @@ crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups)
|
||||
|
||||
/*
|
||||
* Copy groups in to a credential after expanding it if required.
|
||||
* Truncate the list to NGROUPS if it is too large.
|
||||
* Truncate the list to (ngroups_max + 1) if it is too large.
|
||||
*/
|
||||
void
|
||||
crsetgroups(struct ucred *cr, int ngrp, gid_t *groups)
|
||||
{
|
||||
|
||||
if (ngrp > NGROUPS)
|
||||
ngrp = NGROUPS;
|
||||
if (ngrp > ngroups_max + 1)
|
||||
ngrp = ngroups_max + 1;
|
||||
|
||||
crextend(cr, ngrp);
|
||||
crsetgroups_locked(cr, ngrp, groups);
|
||||
|
@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
|
||||
#include "opt_param.h"
|
||||
#include "opt_maxusers.h"
|
||||
|
||||
#include <sys/limits.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/kernel.h>
|
||||
@ -88,6 +89,7 @@ int maxfiles; /* sys. wide open files limit */
|
||||
int maxfilesperproc; /* per-proc open files limit */
|
||||
int ncallout; /* maximum # of timer events */
|
||||
int nbuf;
|
||||
int ngroups_max; /* max # groups per process */
|
||||
int nswbuf;
|
||||
long maxswzone; /* max swmeta KVA storage */
|
||||
long maxbcache; /* max buffer cache KVA storage */
|
||||
@ -228,6 +230,18 @@ init_param1(void)
|
||||
TUNABLE_ULONG_FETCH("kern.maxssiz", &maxssiz);
|
||||
sgrowsiz = SGROWSIZ;
|
||||
TUNABLE_ULONG_FETCH("kern.sgrowsiz", &sgrowsiz);
|
||||
|
||||
/*
|
||||
* Let the administrator set {NGROUPS_MAX}, but disallow values
|
||||
* less than NGROUPS_MAX which would violate POSIX.1-2008 or
|
||||
* greater than INT_MAX-1 which would result in overflow.
|
||||
*/
|
||||
ngroups_max = NGROUPS_MAX;
|
||||
TUNABLE_INT_FETCH("kern.ngroups", &ngroups_max);
|
||||
if (ngroups_max < NGROUPS_MAX)
|
||||
ngroups_max = NGROUPS_MAX;
|
||||
if (ngroups_max > INT_MAX - 1)
|
||||
ngroups_max = INT_MAX - 1;
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -110,7 +110,7 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred)
|
||||
if (!xdr_uint32_t(xdrs, &ngroups))
|
||||
return (FALSE);
|
||||
for (i = 0; i < ngroups; i++) {
|
||||
if (i + 1 < NGROUPS) {
|
||||
if (i + 1 < ngroups_max + 1) {
|
||||
if (!xdr_uint32_t(xdrs, &cred->cr_groups[i + 1]))
|
||||
return (FALSE);
|
||||
} else {
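Review bot: The bound `i + 1 < ngroups_max + 1` guards a store into `cred->cr_groups[i + 1]`, but `cred` is a `struct xucred *`, whose group array is declared elsewhere and, as far as I recall, is fixed at XU_NGROUPS entries rather than sized by the tunable. If that is so, the limit should be the capacity of the destination, e.g. `if (i + 1 < XU_NGROUPS) {`, with the same cap applied to `cred->cr_ngroups` in the XDR_DECODE hunk that follows. `ngroups` is decoded from the XDR stream just above, so it has to be treated as an untrusted count. Please confirm against the struct definition, which is not on this page.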
|
||||
@ -120,8 +120,8 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred)
|
||||
}
|
||||
|
||||
if (xdrs->x_op == XDR_DECODE) {
|
||||
if (ngroups + 1 > NGROUPS)
|
||||
cred->cr_ngroups = NGROUPS;
|
||||
if (ngroups + 1 > ngroups_max + 1)
|
||||
cred->cr_ngroups = ngroups_max + 1;
|
||||
else
|
||||
cred->cr_ngroups = ngroups + 1;
|
||||
}
|
||||
|
@ -262,8 +262,8 @@ audit_arg_groupset(gid_t *gidset, u_int gidset_size)
|
||||
u_int i;
|
||||
struct kaudit_record *ar;
|
||||
|
||||
KASSERT(gidset_size <= NGROUPS,
|
||||
("audit_arg_groupset: gidset_size > NGROUPS"));
|
||||
KASSERT(gidset_size <= ngroups_max + 1,
|
||||
("audit_arg_groupset: gidset_size > (kern.ngroups + 1)"));
|
||||
|
||||
ar = currecord();
|
||||
if (ar == NULL)
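Review bot: The updated KASSERT is the only size check visible in audit_arg_groupset, and KASSERT is compiled in only under INVARIANTS, so production kernels depend on the callers and on the record's storage being large enough. The rest of the function is outside the hunk. If the audit record still keeps the group set in an array dimensioned by the old NGROUPS constant, that storage must be sized for `ngroups_max + 1` or the copy limited to the array's capacity. A comment above the assertion such as `/* callers bound gidset_size by ngroups_max + 1; see kern_setgroups() */` would document the dependency.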
|
||||
|
@ -64,6 +64,7 @@ extern int boothowto; /* reboot flags, from console subsystem */
|
||||
extern int bootverbose; /* nonzero to print verbose messages */
|
||||
|
||||
extern int maxusers; /* system tune hint */
|
||||
extern int ngroups_max; /* max # of supplemental groups */
|
||||
|
||||
#ifdef INVARIANTS /* The option is always available */
|
||||
#define KASSERT(exp,msg) do { \
|
||||
|