teexand@ioe.lon.ac.uk (Andrew Dawson) (05/08/91)
We have a variety of RS6000 and PS/2 machines running AIX 3.1 and 1.2 respectively. We are using an RS6000 as an NIS (YP) master with the PS/2's as clients. The distributed /etc/group file on the RS6000 has root in the groups security, audit, cron, system, sys and bin. On the PS/2 root is in system, bin, sys, adm, uucp, mail, daemons and printq.

We have a problem when root logs on to a PS/2. The combination of local and NIS group list means that root is in 10 groups. This is in excess of the 8 group limit imposed - for instance requests to NFS mount a remote file system are failing.

Is it safe to remove root from some of these groups? I understand the purpose of most of them (eg group security users have access to files relating to user registration), but root should have the necessary permissions anyway. Does anyone know whether any commands specifically check internally whether the invoking user is in the appropriate group if the user is the superuser?

Surely someone else must have had this problem, so any help would be much appreciated.

Thanks in advance,
Andrew.
--
#include <std_disclaimer.h> /* My brain was swiss-cheesed when I wrote this */
JANET: andrew@uk.ac.ucl.sm.uxm
UUCP/EARN/BITNET: andrew@uxm.sm.ucl.ac.uk
INTERNET: andrew%uxm.sm.ucl.ac.uk@nsfnet-relay.ac.uk
"Leapers do it with assistance from neurological holograms"

marc@ekhomeni.austin.ibm.com (Marc Wiz) (05/08/91)
While I don't know about the PS/2 there was a bug (it's been fixed) in AIX for the 6000 that matches this description. The list of groups that a process is "in" had duplicate members. This was due to using NIS (aka yp).

This sounds like a PS/2 software problem so you might ask your IBM rep about it and mention that it was fixed on the 6000.

Marc Wiz
MaBell (512)823-4780
NFS/NIS debug team
Yes that really is my last name. The views expressed are my own.
marc@aixwiz.austin.ibm.com or uunet!cs.utexas.edu!ibmchs!auschs!ekhomeni.austin.ibm.com!marc

jfc@athena.mit.edu (John F Carr) (05/09/91)
This is a bug in the authkern_marshal() function in the NFS client kernel code. The code sends up to NGROUPS (32) groups in the RPC request instead of 8 (what the protocol allows).

To fix for the PS/2, extract auth_kern.o from /usr/sys/386/nfslib.a and use /bin/dis to disassemble it. This block of code near the beginning of authkern_marshal() has the bug:

    %_label_1:
    0x58: a1 b4 02 00 00    movl    u + 0x2b4, %eax
    0x5d: 05 80 00 00 00    addl    $128, %eax
    0x62: 3b c6             cmpl    %esi, %eax
    0x64: 72 0c             jb      %_label_0
    0x66: 83 3e ff          cmpl    $-1, (%esi)
    0x69: 74 07             jz      %_label_0
    0x6b: 83 c6 04          addl    $4, %esi
    0x6e: 8b c6             movl    %esi, %eax
    0x70: eb e6             jmp     %_label_1
    %_label_0:

128 is NGROUPS * sizeof (int). This should be 8 * sizeof (int) = 32. If you change the addl instruction, assemble with the change, and put the modified file back into nfslib.a the group problems should stop.

I'm not sure how to get dis to produce code that you can reassemble for this object file; it might be easier to use emacs to patch the binary.

--
John Carr (jfc@athena.mit.edu)
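
The loop bound discussed in the last post, as an added example that is not part of the original thread and is not AIX source: the same group walk run once with the 32-slot bound and once with the 8-slot bound, on a constructed list of ten gids. The names count_groups, marshal_gids, sample_groups, NFS_NGRPS and NOGROUP are hypothetical, the limits 32 and 8 are the ones stated in the post, and only the gid array of the credential is encoded (a count followed by the gids, big-endian).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define NGROUPS   32    /* per-process group slots, as given in the post */
#define NFS_NGRPS 8     /* groups the credential may carry, as given in the post */
#define NOGROUP   (-1)  /* end-of-list marker, the "cmpl $-1" test in the listing */

/* Walk groups[] until NOGROUP or until `bound` slots have been examined. */
static size_t count_groups(const int32_t *groups, size_t bound)
{
    const int32_t *gp = groups;
    while (gp < groups + bound && *gp != NOGROUP)
        gp++;
    return (size_t)(gp - groups);
}

/* Store one 32-bit value big-endian, as XDR requires. */
static uint8_t *put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return p + 4;
}

/* Encode the gid array only (count, then gids); returns bytes written. */
static size_t marshal_gids(uint8_t *out, const int32_t *groups, size_t bound)
{
    size_t n = count_groups(groups, bound);
    uint8_t *p = put_u32(out, (uint32_t)n);
    for (size_t i = 0; i < n; i++)
        p = put_u32(p, (uint32_t)groups[i]);
    return (size_t)(p - out);
}

/* Constructed sample: `used` gids numbered from 100, remaining slots empty. */
static void sample_groups(int32_t g[NGROUPS], size_t used)
{
    for (size_t i = 0; i < NGROUPS; i++)
        g[i] = i < used ? (int32_t)(100 + i) : NOGROUP;
}

int main(void)
{
    int32_t g[NGROUPS];
    uint8_t buf[4 + 4 * NGROUPS];
    sample_groups(g, 10);   /* ten groups, as root has in the first post */
    printf("bound NGROUPS:   %zu gids, %zu bytes\n", count_groups(g, NGROUPS), marshal_gids(buf, g, NGROUPS));
    printf("bound NFS_NGRPS: %zu gids, %zu bytes\n", count_groups(g, NFS_NGRPS), marshal_gids(buf, g, NFS_NGRPS));
}
```

With the 8-slot bound the ninth and tenth gids are simply left out of the request, so access that depends on them still has to be granted through one of the first eight groups.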