#66: PWD_ABSURD_PWD_LENGTH too low for large groups (> 20000 users)
-------------------------+------------------------------
Reporter: periegetes | Owner: pam-developers@…
Type: defect | Status: new
Priority: trivial | Component: library
Version: | Keywords:
Blocked By: | Blocking:
-------------------------+------------------------------
Hi,
I recently encountered a problem with pam_limits where a given limit
wasn't applied to the members of a large group (all our users have the
same default group, and special permissions are awarded to additional
secondary groups, which makes the default group somewhat large).
A bit of digging shows that pam_modutil_getgrname returns NULL when the
given group gets larger than 262kB (probably as a security measure), which
in turns makes the function pam_modutil_ingroup_common return a false
negative for the membership of any user to such a group.
Here is a trivial patch to increase the maximum group size to 4M (which
seems reasonable enoough) :
{{{
--- pam-1.1.8/libpam/pam_modutil_private.h 2016-10-18
15:09:07.795224582 +0200
+++ pam-1.1.8.ori/libpam/pam_modutil_private.h 2013-06-18
16:11:21.000000000 +0200
@@ -14,7 +14,7 @@
#include <security/pam_modutil.h>
#define PWD_INITIAL_LENGTH 0x400
-#define PWD_ABSURD_PWD_LENGTH 0x400001
+#define PWD_ABSURD_PWD_LENGTH 0x40001
#define PWD_LENGTH_SHIFT 4 /* 2^4 == 16 */
extern void
}}}
Thank you for your efforts,
--
Ticket URL: <
https://fedorahosted.org/linux-pam/ticket/66>
linux-pam <
http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project