• 1
Looks like the customer in question was also quite serious about what they should get in the errata package and did security review of it in advance. ;)

Can you post some notes how did the customer came to the conclusion that the problem is in small amount of allocated memory? How did he (and you too) debug the problem, understood its roots and created a working solution?

From Bug Report:

"On Customer's network (sssd with two domain mappings, one ldap one active
directory), moving from 67 members in a particular group to 68 members in that group breaks mapping for all members.

Fortunately this is easy to reproduce in a much simpler environment, it is visible on a standalone machine using nothing but /etc/passwd and /etc/group.
The tipping point on the number of members in a group is not consistent, it seems to be dependent on the size of the username. Larger usernames cause groups to fail out with fewer members.

The bug report does not go in to detail on how they figured the problem was in libselinux versus sshd/pam_selinux. But they did. They also wrote some test programs to figure out where the tipping point was. There test programs were returning ERANGE as errno and they figured out what was happening.

  • 1

Log in