Topic: Big danger by creating too many groups!

[Lasse Johansson]

I have run into a peculiar situation since I, by using the E-Smith-Manager, happened to create too many groups.

What happens is that the system exceeds the maximum number of 32 groups alloved by the kernel, and the administrator gets no hint of this from the E-Smith system.

After having created "one more than allowed" group, the admin find himself suddenly locked out from the system.

Root can still access the system but, according to /var/log/messages, the system has REMOVED the user "admin" from the group www, which results in no access for "admin" anymore....

I have even been able to recreate the situation on another testserver, here is a fragment from /var/log/messages, showing what happens:

**********************
usermod: too many groups specified (max 32).
delete admin' from group www'
add admin' to group group29'
**********************

(...In the case above, the group exeeding the alloved number of groups vas named "group29)

I have contacted Mitel support, and I'm still awaiting their answer on how root should proceed to solve the problem.

I decided, though, to go out with this information to all of you, since I feel this is a pretty undocumented "feature" which a "userfriendly system" like ESSG really shouldn't allow the admin to do without a hint of warning.

Best Regards:

Lasse Johansson

[Kelvin]

Many thanks for the heads-up Lasse ! I did not know about the max. group limitation. This is indeed an important note.

Thanks again.

Kelvin

[Garret]

My thanks also. I was not aware.

[Charlie Brady]

Lasse Johansson wrote:
 
> I have run into a peculiar situation since I, by using the
> E-Smith-Manager, happened to create too many groups.
...
> I decided, though, to go out with this information to all of
> you, since I feel this is a pretty undocumented "feature"
> which a "userfriendly system" like ESSG really shouldn't
> allow the admin to do without a hint of warning.

An update to the e-smith-base RPM was issued was released last July which addresses this problem, which only applies to version 4.1.2 and earlier. With that update applied, the manager will prevent you from adding more than 28 groups.

Please report any bugs (or suspected bugs) to bugs@e-smith.com.

Thanks

Charlie

[Lasse Johansson]

Since I started this thread, I might as well share my latest findings:

1. This ocurred on a ESSG 4.1.2, I haven't had any chance to confirm if it applies to 5.x yet. (If someone have tried it on 5.x, please share your findings)

2. Thanks to Paul Nesbit, I have got the following suggestion on how to remove the latest created group:

/sbin/e-smith/db accounts settype group-deleted
/sbin/e-smith/signal-event group-delete
/sbin/e-smith/db accounts delete

...and that WORKS!

3. The last step to re-enable admin to access the server-manager would be to add the account back into the group "www".
The easiest way to do this seems to be a simple editing of the file /etc/group , making sure there is a post "admin" in the line beginning with "www"

That worked for me, and I'm very thankful to Paul Nesbit for his kind help in this case.

Later on, I've been informed that this SHOULD NOT happen on a ESSG applied the e-smith-base update from

ftp://ftp.e-smith.org/pub/e-smith/updates/4.1.2/RPMS/noarch

This issue still remains to be confirmed.

I have, finally, re-created the same scenario on ESSG 4.1.1 as well.

The warning is still in place, I think.
Hopefully this will spare others the same headache I got yesterday....

___________________
Lasse Johansson, Sweden

[Pierluigi Miranda]

Charlie Brady wrote:

> An update to the e-smith-base RPM was issued was released
> last July which addresses this problem, which only applies to
> version 4.1.2 and earlier. With that update applied, the
> manager will prevent you from adding more than 28 groups.

Is this update ftp://ftp.e-smith.net/pub/e-smith/updates/4.1.2/RPMS/noarch/e-smith-base-4.4.0-26.noarch.rpm?

Does it support ESSG 4.0.1?

Does it have some dependencies?

Thanks

--

Pierluigi Miranda

[Pierluigi Miranda]

Charlie Brady wrote:

> An update to the e-smith-base RPM was issued was released
> last July which addresses this problem, which only applies to
> version 4.1.2 and earlier. With that update applied, the
> manager will prevent you from adding more than 28 groups.

Is this update ftp://ftp.e-smith.net/pub/e-smith/updates/4.1.2/RPMS/noarch/e-smith-base-4.4.0-26.noarch.rpm?

Does it support ESSG 4.0.1?

Does it have some dependencies?

Thanks

--

Pierluigi Miranda

[schwiers]

Has anyone found a way to have more than 28 groups?  This is a serious limitation to my use of E-Smith.  Thanks in advance, for your responses.  SLS

[Damien Curtain]

schwiers wrote:
>
> Has anyone found a way to have more than 28 groups?  This is
> a serious limitation to my use of E-Smith.  Thanks in
> advance, for your responses.  SLS

The easy fix is to limit e-smith from adding admin to every group created. I still cant understand why admin must be in every group created? Surely e-smith can just use some sort of wrapper to su to a valid user if the user manager requires access to a group writeable area.

Hopefully you all understand the problem is not the max groups on a system, but the max groups a single user can belong too.

Of course you can get around this, with repocussions of course. In your kernel you can change the limit in limits.h to be > 32. You then need to patch your c library to support this aswell. Then you need to ensure progs support this. You need to make sure you then stay away from nfs, nis implementations etc. (yes ive done this before as a favour to someone on lkml)

What Id ask is of the e-smith folk to give a very quick explanation of why admin is required to be added to every group on the system. Ill look it up if they dont respond, then we can try and work out some other way around the problem, perhaps as I said a wrapper of some sorts.

If a normal user on your system needs to be in more than 32 groups, then thats another story, and I wouldnt call that a unix limitation, but a planning decission gone wrong on the admins part.

Cheers
--
 Damien

[Greg O]

I find it odd that threads I'm interested in (am I only interested in these sorts of threads?) often just 'die', that is no-one responds to the last question. I actually started another, on a very slightly different tack, that is: is the same limitation evident in 5.5, which got no responses, so I'll post again here. I'd really like each department here to have their own group/iBay, which isn't possible at the moment.

I've been watching this thread for quite some time, not wanting to post a note that would waste space, but, well, here I am. To me it sounds like Damien has made a good point... but maybe he hasn't. I'm intrigued.

Cheers,
Greg.