* [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 @ 2023-11-14 23:35 Kate Deplaix 2024-03-11 18:31 ` [musl] " Kate Deplaix 2024-04-11 1:07 ` [musl] " Rich Felker 0 siblings, 2 replies; 15+ messages in thread From: Kate Deplaix @ 2023-11-14 23:35 UTC (permalink / raw) To: musl Such a restrictive value for NGROUPS_MAX makes it impossible to have a musl-based system with a user belonging to more than 32 groups. If done on the root user, this will break your system. It also makes it impossible to use certain functions in binaries that have been compiled with musl. This new value is still very far from Linux's NGROUPS_MAX of 65536 that has been there since Linux 2.6.4 but this is at least one tiny step in the right direction while maintainers investigate how to match Linux's value. ref: https://www.openwall.com/lists/musl/2021/07/03/1 ref: https://www.openwall.com/lists/musl/2022/12/06/3 ref: https://github.com/ocaml/opam/pull/5383 --- include/limits.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/limits.h b/include/limits.h index 53a27b9d..501c3612 100644 --- a/include/limits.h +++ b/include/limits.h @@ -45,7 +45,7 @@ #define NAME_MAX 255 #endif #define PATH_MAX 4096 -#define NGROUPS_MAX 32 +#define NGROUPS_MAX 1024 #define ARG_MAX 131072 #define IOV_MAX 1024 #define SYMLOOP_MAX 40 -- 2.40.1 ^ permalink raw reply [flat|nested] 15+ messages in thread
* [musl] Re: [PATCH] Increase NGROUPS_MAX from 32 to 1024 2023-11-14 23:35 [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 Kate Deplaix @ 2024-03-11 18:31 ` Kate Deplaix 2024-03-12 0:46 ` Rich Felker 2024-04-11 1:07 ` [musl] " Rich Felker 1 sibling, 1 reply; 15+ messages in thread From: Kate Deplaix @ 2024-03-11 18:31 UTC (permalink / raw) To: musl [-- Attachment #1: Type: text/plain, Size: 1361 bytes --] Hi, Any chance this patch could be looked at? Thanks, Kate ________________________________ From: Kate Deplaix Sent: 14 November 2023 23:35 To: musl@lists.openwall.com <musl@lists.openwall.com> Subject: [PATCH] Increase NGROUPS_MAX from 32 to 1024 Such a restrictive value for NGROUPS_MAX makes it impossible to have a musl-based system with a user belonging to more than 32 groups. If done on the root user, this will break your system. It also makes it impossible to use certain functions in binaries that have been compiled with musl. This new value is still very far from Linux's NGROUPS_MAX of 65536 that has been there since Linux 2.6.4 but this is at least one tiny step in the right direction while maintainers investigate how to match Linux's value. ref: https://www.openwall.com/lists/musl/2021/07/03/1 ref: https://www.openwall.com/lists/musl/2022/12/06/3 ref: https://github.com/ocaml/opam/pull/5383 --- include/limits.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/limits.h b/include/limits.h index 53a27b9d..501c3612 100644 --- a/include/limits.h +++ b/include/limits.h @@ -45,7 +45,7 @@ #define NAME_MAX 255 #endif #define PATH_MAX 4096 -#define NGROUPS_MAX 32 +#define NGROUPS_MAX 1024 #define ARG_MAX 131072 #define IOV_MAX 1024 #define SYMLOOP_MAX 40 -- 2.40.1 [-- Attachment #2: Type: text/html, Size: 2473 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] Re: [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-03-11 18:31 ` [musl] " Kate Deplaix @ 2024-03-12 0:46 ` Rich Felker 2024-04-09 12:54 ` Kate Deplaix 0 siblings, 1 reply; 15+ messages in thread From: Rich Felker @ 2024-03-12 0:46 UTC (permalink / raw) To: Kate Deplaix; +Cc: musl On Mon, Mar 11, 2024 at 06:31:13PM +0000, Kate Deplaix wrote: > Hi, > > Any chance this patch could be looked at? Thanks for the ping. I'll take a look and see if we can open a discussion on either doing something like this, or a more complete fix, in this release cycle. Rich > ________________________________ > From: Kate Deplaix > Sent: 14 November 2023 23:35 > To: musl@lists.openwall.com <musl@lists.openwall.com> > Subject: [PATCH] Increase NGROUPS_MAX from 32 to 1024 > > Such a restrictive value for NGROUPS_MAX makes it impossible to have a musl-based system with a user belonging to more than 32 groups. If done on the root user, this will break your system. > It also makes it impossible to use certain functions in binaries that have been compiled with musl. > > This new value is still very far from Linux's NGROUPS_MAX of 65536 that has been there since Linux 2.6.4 but this is at least one tiny step in the right direction while maintainers investigate how to match Linux's value. > > ref: https://www.openwall.com/lists/musl/2021/07/03/1 > ref: https://www.openwall.com/lists/musl/2022/12/06/3 > ref: https://github.com/ocaml/opam/pull/5383 > --- > include/limits.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/limits.h b/include/limits.h > index 53a27b9d..501c3612 100644 > --- a/include/limits.h > +++ b/include/limits.h > @@ -45,7 +45,7 @@ > #define NAME_MAX 255 > #endif > #define PATH_MAX 4096 > -#define NGROUPS_MAX 32 > +#define NGROUPS_MAX 1024 > #define ARG_MAX 131072 > #define IOV_MAX 1024 > #define SYMLOOP_MAX 40 > -- > 2.40.1 ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] Re: [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-03-12 0:46 ` Rich Felker @ 2024-04-09 12:54 ` Kate Deplaix 2024-04-09 15:46 ` Thorsten Glaser 0 siblings, 1 reply; 15+ messages in thread From: Kate Deplaix @ 2024-04-09 12:54 UTC (permalink / raw) To: Rich Felker; +Cc: musl [-- Attachment #1: Type: text/plain, Size: 1991 bytes --] Hi, Are there any updates on this by any chance? Many thanks, Kate ________________________________ From: Rich Felker <dalias@libc.org> Sent: 12 March 2024 00:46 To: Kate Deplaix <kit-ty-kate@outlook.com> Cc: musl@lists.openwall.com <musl@lists.openwall.com> Subject: Re: [musl] Re: [PATCH] Increase NGROUPS_MAX from 32 to 1024 On Mon, Mar 11, 2024 at 06:31:13PM +0000, Kate Deplaix wrote: > Hi, > > Any chance this patch could be looked at? Thanks for the ping. I'll take a look and see if we can open a discussion on either doing something like this, or a more complete fix, in this release cycle. Rich > ________________________________ > From: Kate Deplaix > Sent: 14 November 2023 23:35 > To: musl@lists.openwall.com <musl@lists.openwall.com> > Subject: [PATCH] Increase NGROUPS_MAX from 32 to 1024 > > Such a restrictive value for NGROUPS_MAX makes it impossible to have a musl-based system with a user belonging to more than 32 groups. If done on the root user, this will break your system. > It also makes it impossible to use certain functions in binaries that have been compiled with musl. > > This new value is still very far from Linux's NGROUPS_MAX of 65536 that has been there since Linux 2.6.4 but this is at least one tiny step in the right direction while maintainers investigate how to match Linux's value. > > ref: https://www.openwall.com/lists/musl/2021/07/03/1 > ref: https://www.openwall.com/lists/musl/2022/12/06/3 > ref: https://github.com/ocaml/opam/pull/5383 > --- > include/limits.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/limits.h b/include/limits.h > index 53a27b9d..501c3612 100644 > --- a/include/limits.h > +++ b/include/limits.h > @@ -45,7 +45,7 @@ > #define NAME_MAX 255 > #endif > #define PATH_MAX 4096 > -#define NGROUPS_MAX 32 > +#define NGROUPS_MAX 1024 > #define ARG_MAX 131072 > #define IOV_MAX 1024 > #define SYMLOOP_MAX 40 > -- > 2.40.1 [-- Attachment #2: Type: text/html, Size: 3313 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] Re: [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-04-09 12:54 ` Kate Deplaix @ 2024-04-09 15:46 ` Thorsten Glaser 2024-04-09 16:26 ` Rich Felker 0 siblings, 1 reply; 15+ messages in thread From: Thorsten Glaser @ 2024-04-09 15:46 UTC (permalink / raw) To: musl Kate Deplaix dixit: >Are there any updates on this by any chance? This has the possibility of being a major ABI break (requiring soname bump) if not for musl then possibly for libraries built on musl systems. bye, //mirabilos -- 15:41⎜<Lo-lan-do:#fusionforge> Somebody write a testsuite for helloworld :-) ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] Re: [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-04-09 15:46 ` Thorsten Glaser @ 2024-04-09 16:26 ` Rich Felker 0 siblings, 0 replies; 15+ messages in thread From: Rich Felker @ 2024-04-09 16:26 UTC (permalink / raw) To: Thorsten Glaser; +Cc: musl On Tue, Apr 09, 2024 at 03:46:16PM +0000, Thorsten Glaser wrote: > Kate Deplaix dixit: > > >Are there any updates on this by any chance? > > This has the possibility of being a major ABI break > (requiring soname bump) if not for musl then possibly > for libraries built on musl systems. I don't think it's the kind of "ABI break" we'd rule out. It would be if there were interfaces that didn't take a size argument and that were allowed to write up to NGROUPS_MAX into a caller-provided buffer, but that's not the case. I said I'd look at this before and just need to get around to it. Rich ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 2023-11-14 23:35 [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 Kate Deplaix 2024-03-11 18:31 ` [musl] " Kate Deplaix @ 2024-04-11 1:07 ` Rich Felker 2024-04-11 1:51 ` Rich Felker 2024-04-11 2:58 ` Markus Wichmann 1 sibling, 2 replies; 15+ messages in thread From: Rich Felker @ 2024-04-11 1:07 UTC (permalink / raw) To: Kate Deplaix; +Cc: musl On Tue, Nov 14, 2023 at 11:35:14PM +0000, Kate Deplaix wrote: > Such a restrictive value for NGROUPS_MAX makes it impossible to have > a musl-based system with a user belonging to more than 32 groups. If > done on the root user, this will break your system. > It also makes it impossible to use certain functions in binaries > that have been compiled with musl. > > This new value is still very far from Linux's NGROUPS_MAX of 65536 > that has been there since Linux 2.6.4 but this is at least one tiny > step in the right direction while maintainers investigate how to > match Linux's value. > > ref: https://www.openwall.com/lists/musl/2021/07/03/1 > ref: https://www.openwall.com/lists/musl/2022/12/06/3 > ref: https://github.com/ocaml/opam/pull/5383 > --- > include/limits.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/limits.h b/include/limits.h > index 53a27b9d..501c3612 100644 > --- a/include/limits.h > +++ b/include/limits.h > @@ -45,7 +45,7 @@ > #define NAME_MAX 255 > #endif > #define PATH_MAX 4096 > -#define NGROUPS_MAX 32 > +#define NGROUPS_MAX 1024 > #define ARG_MAX 131072 > #define IOV_MAX 1024 > #define SYMLOOP_MAX 40 > -- > 2.40.1 I've gone and read the POSIX text on NGROUPS_MAX again: Runtime Increasable Values The magnitude limitations in the following list shall be fixed by specific implementations. An application should assume that the value of the symbolic constant defined by <limits.h> in a specific implementation is the minimum that pertains whenever the application is run under that implementation. A specific instance of a specific implementation may increase the value relative to that supplied by <limits.h> for that implementation. The actual value supported by a specific instance shall be provided by the sysconf() function. ... {NGROUPS_MAX} Maximum number of simultaneous supplementary group IDs per process. and for getgroups: If the effective group ID of the process is returned with the supplementary group IDs, the value returned shall always be greater than or equal to one and less than or equal to the value of {NGROUPS_MAX}+1. For the latter, this notation usually means not necessarily the macro value, but the sysconf value obtainable at runtime. Since there is no POSIX interface setgroups (this functionality is left to the implementation), NGROUPS_MAX does not impose a requirement to support setting that many groups. So increasing the value would not make things "wrong on old kernels". However POSIX also allows/encourages the macro to represent a "minimum that pertains", which could reasonably be the 32, as long as sysconf(_SG_NGROUPS_MAX) returns a value >= one less than the max value getgroups can return at runtime. I was worried using the procfs interface to make sysconf(_SG_NGROUPS_MAX) dynamic may not be correct, as it could be decreased after a process comes to have more supplemental groups than the old limit. However, it appears this is just a read-only sysctl. The ngroups_max variable was made const in commit f628867da46f8867e1854e43d7200e42ec22eee2, but even before that the file was read-only and did not seem to have any mechanism for changing the limit. So it seems usable. As for the macro, I think it's actually valid to define it as 65536, since even if we're running on an old kernel, there is no conformance distinction. I'm not sure if this is the nicest thing to do though. Apps may want to start with a buffer of size NGROUPS_MAX and increase it up to the sysconf value rather than allocating a giant amount of memory that will never in practice be used. This should be further discussed, particularly what impact it might have on application behavior and memory usage. Of course this still leaves us with what to do for initgroups. My leaning is to have it behave as now, using a small stack buffer, regardless of what we do with the macro, but with a change in the error condition: when getgrouplist returns -1 with *ngroups greater than the value passed-in, allocate a buffer this size with mmap (to avoid pulling in a malloc dep; in the worst case it's large enough malloc would use mmap anyway) and retry. This avoids ever having to look at the kernel's value of ngroups_max; setgroups will just fail (and initgroups will report the error) if it's too large. It does have a TOCTOU race if the groups db changes between the first call and the retry. If we care about that it could loop on retry, and always increase the buffer size by at least 50% each time so that it can't get stuck or consume more than a logarithmic number of retries. Thoughts? Does this sound reasonable? What to do with the macro? Rich ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-04-11 1:07 ` [musl] " Rich Felker @ 2024-04-11 1:51 ` Rich Felker 2024-04-11 2:58 ` Markus Wichmann 1 sibling, 0 replies; 15+ messages in thread From: Rich Felker @ 2024-04-11 1:51 UTC (permalink / raw) To: Kate Deplaix; +Cc: musl [-- Attachment #1: Type: text/plain, Size: 5504 bytes --] On Wed, Apr 10, 2024 at 09:07:38PM -0400, Rich Felker wrote: > On Tue, Nov 14, 2023 at 11:35:14PM +0000, Kate Deplaix wrote: > > Such a restrictive value for NGROUPS_MAX makes it impossible to have > > a musl-based system with a user belonging to more than 32 groups. If > > done on the root user, this will break your system. > > It also makes it impossible to use certain functions in binaries > > that have been compiled with musl. > > > > This new value is still very far from Linux's NGROUPS_MAX of 65536 > > that has been there since Linux 2.6.4 but this is at least one tiny > > step in the right direction while maintainers investigate how to > > match Linux's value. > > > > ref: https://www.openwall.com/lists/musl/2021/07/03/1 > > ref: https://www.openwall.com/lists/musl/2022/12/06/3 > > ref: https://github.com/ocaml/opam/pull/5383 > > --- > > include/limits.h | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/include/limits.h b/include/limits.h > > index 53a27b9d..501c3612 100644 > > --- a/include/limits.h > > +++ b/include/limits.h > > @@ -45,7 +45,7 @@ > > #define NAME_MAX 255 > > #endif > > #define PATH_MAX 4096 > > -#define NGROUPS_MAX 32 > > +#define NGROUPS_MAX 1024 > > #define ARG_MAX 131072 > > #define IOV_MAX 1024 > > #define SYMLOOP_MAX 40 > > -- > > 2.40.1 > > I've gone and read the POSIX text on NGROUPS_MAX again: > > Runtime Increasable Values > > The magnitude limitations in the following list shall be fixed by > specific implementations. An application should assume that the > value of the symbolic constant defined by <limits.h> in a specific > implementation is the minimum that pertains whenever the > application is run under that implementation. A specific instance > of a specific implementation may increase the value relative to > that supplied by <limits.h> for that implementation. The actual > value supported by a specific instance shall be provided by the > sysconf() function. > > ... > > {NGROUPS_MAX} > Maximum number of simultaneous supplementary group IDs per > process. > > and for getgroups: > > If the effective group ID of the process is returned with the > supplementary group IDs, the value returned shall always be > greater than or equal to one and less than or equal to the value > of {NGROUPS_MAX}+1. > > For the latter, this notation usually means not necessarily the macro > value, but the sysconf value obtainable at runtime. > > Since there is no POSIX interface setgroups (this functionality is > left to the implementation), NGROUPS_MAX does not impose a requirement > to support setting that many groups. So increasing the value would not > make things "wrong on old kernels". > > However POSIX also allows/encourages the macro to represent a "minimum > that pertains", which could reasonably be the 32, as long as > sysconf(_SG_NGROUPS_MAX) returns a value >= one less than the max > value getgroups can return at runtime. > > I was worried using the procfs interface to make > sysconf(_SG_NGROUPS_MAX) dynamic may not be correct, as it could be > decreased after a process comes to have more supplemental groups than > the old limit. However, it appears this is just a read-only sysctl. > The ngroups_max variable was made const in commit > f628867da46f8867e1854e43d7200e42ec22eee2, but even before that the > file was read-only and did not seem to have any mechanism for changing > the limit. So it seems usable. > > As for the macro, I think it's actually valid to define it as 65536, > since even if we're running on an old kernel, there is no conformance > distinction. I'm not sure if this is the nicest thing to do though. > Apps may want to start with a buffer of size NGROUPS_MAX and increase > it up to the sysconf value rather than allocating a giant amount of > memory that will never in practice be used. This should be further > discussed, particularly what impact it might have on application > behavior and memory usage. > > Of course this still leaves us with what to do for initgroups. My > leaning is to have it behave as now, using a small stack buffer, > regardless of what we do with the macro, but with a change in the > error condition: when getgrouplist returns -1 with *ngroups greater > than the value passed-in, allocate a buffer this size with mmap (to > avoid pulling in a malloc dep; in the worst case it's large enough > malloc would use mmap anyway) and retry. > > This avoids ever having to look at the kernel's value of ngroups_max; > setgroups will just fail (and initgroups will report the error) if > it's too large. It does have a TOCTOU race if the groups db changes > between the first call and the retry. If we care about that it could > loop on retry, and always increase the buffer size by at least 50% > each time so that it can't get stuck or consume more than a > logarithmic number of retries. > > Thoughts? Does this sound reasonable? What to do with the macro? Here's a draft of how initgroups could work. I dropped direct use of mmap since all this code already depends on malloc, and using malloc simplifies it. This versions undefined NGROUPS_MAX and replaces it with 2 so that the fallback path will get triggered to test it. That should be removed (and probably macros to use internal malloc added) before it's merged. This change is independent of any potential changes we make to the macro or to sysconf. Rich [-- Attachment #2: initgroups_draft.diff --] [-- Type: text/plain, Size: 1188 bytes --] diff --git a/src/misc/initgroups.c b/src/misc/initgroups.c index 922a9581..d7138976 100644 --- a/src/misc/initgroups.c +++ b/src/misc/initgroups.c @@ -1,11 +1,34 @@ #define _GNU_SOURCE #include <grp.h> #include <limits.h> +#include <errno.h> +#include <stdint.h> +#include <stdlib.h> + +#undef NGROUPS_MAX +#define NGROUPS_MAX 2 int initgroups(const char *user, gid_t gid) { - gid_t groups[NGROUPS_MAX]; - int count = NGROUPS_MAX; - if (getgrouplist(user, gid, groups, &count) < 0) return -1; - return setgroups(count, groups); + gid_t buf[NGROUPS_MAX], *groups = buf; + int count = NGROUPS_MAX, prev_count = count; + while (getgrouplist(user, gid, groups, &count) < 0) { + if (groups != buf) free(groups); + + /* Return if failure isn't buffer size */ + if (count <= prev_count) + return -1; + + /* Always increase by at least 50% to limit to + * logarithmically many retries on TOCTOU races. */ + if (count < prev_count + (prev_count>>1)) + count = prev_count + (prev_count>>1); + + groups = calloc(count, sizeof *groups); + if (!groups) return -1; + prev_count = count; + } + int ret = setgroups(count, groups); + if (groups != buf) free(groups); + return ret; } ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-04-11 1:07 ` [musl] " Rich Felker 2024-04-11 1:51 ` Rich Felker @ 2024-04-11 2:58 ` Markus Wichmann 2024-04-11 11:44 ` Laurent Bercot 1 sibling, 1 reply; 15+ messages in thread From: Markus Wichmann @ 2024-04-11 2:58 UTC (permalink / raw) To: musl; +Cc: Kate Deplaix Am Wed, Apr 10, 2024 at 09:07:38PM -0400 schrieb Rich Felker: > As for the macro, I think it's actually valid to define it as 65536, > since even if we're running on an old kernel, there is no conformance > distinction. I'm not sure if this is the nicest thing to do though. > Apps may want to start with a buffer of size NGROUPS_MAX and increase > it up to the sysconf value rather than allocating a giant amount of > memory that will never in practice be used. This should be further > discussed, particularly what impact it might have on application > behavior and memory usage. > I had a look at Debian Codesearch for NGROUPS_MAX, to see what applications are actually doing with the macro. And I found no instance of anyone using it as an array size. That's what had me most worried, because obviously increasing an array size by a few orders of magnitude can cause a stack overrun. A lot of applications use it or the sysconf() equivalent as upper bounds for allocations, or even for setgroups(). So they should be fine with an increase. > It does have a TOCTOU race if the groups db changes > between the first call and the retry. Well, a lot of the login process has races if the user db changes during the process. I think that is reasonable. As long as the race is resolved in a safe way (as in, setting either the complete old list or the complete new list), I think this is sensible. Although, now that I think about it, the worst that could happen is someone being added to a group and getting a truncated group list. And then they just have to re-login. Which they already have to do anyway after being added to a group; they were just too fast. Ciao, Markus ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-04-11 2:58 ` Markus Wichmann @ 2024-04-11 11:44 ` Laurent Bercot 2024-09-13 11:45 ` Kate Deplaix 0 siblings, 1 reply; 15+ messages in thread From: Laurent Bercot @ 2024-04-11 11:44 UTC (permalink / raw) To: musl >I had a look at Debian Codesearch for NGROUPS_MAX, to see what >applications are actually doing with the macro. And I found no instance >of anyone using it as an array size. I do. e.g. https://git.skarnet.org/cgi-bin/cgit.cgi/s6/tree/src/daemontools-extras/s6-applyuidgid.c#n22 It's in small short-lived utilities that don't allocate anything, so I'm not too worried about overflowing the stack, but the change would not be friendly to resource-constrained environments. My code runs on not-so-conformant systems such as Solaris or MacOS, where I'm not sure that sysconf() and _SC_NGROUPS_MAX are even defined and correct. I can test, but that's more work, and convoluted heuristics to make things support every case are a strong decrease in readability and reliability, an additional portability nightmare I don't want to deal with. Whereas NGROUPS_MAX works everywhere. I'm not sure what the best course of action is. I think it still probably is eating the ephemeral 256kB stack penalty if NGROUPS_MAX is increased to 65536. -- Laurent ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-04-11 11:44 ` Laurent Bercot @ 2024-09-13 11:45 ` Kate Deplaix 2024-09-13 14:47 ` Rich Felker 0 siblings, 1 reply; 15+ messages in thread From: Kate Deplaix @ 2024-09-13 11:45 UTC (permalink / raw) To: musl [-- Attachment #1: Type: text/plain, Size: 1406 bytes --] Hi, Is there anything i can do to make a fix for this go forward? Cheers, Kate ________________________________ From: Laurent Bercot <ska-dietlibc@skarnet.org> Sent: 11 April 2024 12:44 To: musl@lists.openwall.com <musl@lists.openwall.com> Subject: Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 >I had a look at Debian Codesearch for NGROUPS_MAX, to see what >applications are actually doing with the macro. And I found no instance >of anyone using it as an array size. I do. e.g. https://git.skarnet.org/cgi-bin/cgit.cgi/s6/tree/src/daemontools-extras/s6-applyuidgid.c#n22 It's in small short-lived utilities that don't allocate anything, so I'm not too worried about overflowing the stack, but the change would not be friendly to resource-constrained environments. My code runs on not-so-conformant systems such as Solaris or MacOS, where I'm not sure that sysconf() and _SC_NGROUPS_MAX are even defined and correct. I can test, but that's more work, and convoluted heuristics to make things support every case are a strong decrease in readability and reliability, an additional portability nightmare I don't want to deal with. Whereas NGROUPS_MAX works everywhere. I'm not sure what the best course of action is. I think it still probably is eating the ephemeral 256kB stack penalty if NGROUPS_MAX is increased to 65536. -- Laurent [-- Attachment #2: Type: text/html, Size: 2463 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-09-13 11:45 ` Kate Deplaix @ 2024-09-13 14:47 ` Rich Felker 2024-09-13 16:00 ` Kate Deplaix 0 siblings, 1 reply; 15+ messages in thread From: Rich Felker @ 2024-09-13 14:47 UTC (permalink / raw) To: Kate Deplaix; +Cc: musl On Fri, Sep 13, 2024 at 11:45:13AM +0000, Kate Deplaix wrote: > Hi, > > Is there anything i can do to make a fix for this go forward? What requirements are you still trying to satisfy? 3f49203c55cc made it so initgroups accepts arbitrarily many groups independent of NGROUPS_MAX. My reading of POSIX is that the macro NGROUPS_MAX is a "minimum maximum" that any instance of the implementation might impose, which for us I think is the 32 imposed by old Linux. sysconf(_SC_NGROUPS_MAX) does not yet expose a larger runtime max; is that what you'd like to see happen? Source I'm going on: https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/limits.h.html under the heading "Runtime Increasable Values". Rich ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-09-13 14:47 ` Rich Felker @ 2024-09-13 16:00 ` Kate Deplaix 2024-09-13 16:12 ` Rich Felker 0 siblings, 1 reply; 15+ messages in thread From: Kate Deplaix @ 2024-09-13 16:00 UTC (permalink / raw) To: Rich Felker; +Cc: musl [-- Attachment #1: Type: text/plain, Size: 1944 bytes --] The problem is that NGROUPS_MAX is used in downstream projects, not sysconf(_SC_NGROUPS_MAX). Notoriously one of the main user of musl (Alpine Linux) does not modify this value which makes the whole system break completely if a user happens to be added to more than 32 groups. Changing every opensource projects that use NGROUPS_MAX to use sysconf(_SC_NGROUPS_MAX) instead doesn't seem like a reasonable answer to me, even if it might be the correct one in theory. I also really don't understand why you want to support 20+ years old kernel versions (pre 2.6.4) which aren't even POSIX conformant according to your own page: https://wiki.musl-libc.org/supported-platforms. I also don't think it would also break anything on those platforms anyway if a higher value was used. Most uses i've seen use this value to allocate a static array, so aside from a couple more bytes of memory used there isn't much to lose. Cheers, Kate ________________________________ From: Rich Felker <dalias@libc.org> Sent: 13 September 2024 15:47 To: Kate Deplaix <kit-ty-kate@outlook.com> Cc: musl@lists.openwall.com <musl@lists.openwall.com> Subject: Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 On Fri, Sep 13, 2024 at 11:45:13AM +0000, Kate Deplaix wrote: > Hi, > > Is there anything i can do to make a fix for this go forward? What requirements are you still trying to satisfy? 3f49203c55cc made it so initgroups accepts arbitrarily many groups independent of NGROUPS_MAX. My reading of POSIX is that the macro NGROUPS_MAX is a "minimum maximum" that any instance of the implementation might impose, which for us I think is the 32 imposed by old Linux. sysconf(_SC_NGROUPS_MAX) does not yet expose a larger runtime max; is that what you'd like to see happen? Source I'm going on: https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/limits.h.html under the heading "Runtime Increasable Values". Rich [-- Attachment #2: Type: text/html, Size: 3794 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-09-13 16:00 ` Kate Deplaix @ 2024-09-13 16:12 ` Rich Felker 2024-09-13 18:34 ` Kate Deplaix 0 siblings, 1 reply; 15+ messages in thread From: Rich Felker @ 2024-09-13 16:12 UTC (permalink / raw) To: Kate Deplaix; +Cc: musl On Fri, Sep 13, 2024 at 04:00:52PM +0000, Kate Deplaix wrote: > The problem is that NGROUPS_MAX is used in downstream projects, not > sysconf(_SC_NGROUPS_MAX). Notoriously one of the main user of musl > (Alpine Linux) does not modify this value which makes the whole > system break completely if a user happens to be added to more than > 32 groups. Can you clarify how the whole system is breaking as a result of the macro value? > Changing every opensource projects that use NGROUPS_MAX to use > sysconf(_SC_NGROUPS_MAX) instead doesn't seem like a reasonable > answer to me, even if it might be the correct one in theory. > > I also really don't understand why you want to support 20+ years old > kernel versions (pre 2.6.4) which aren't even POSIX conformant > according to your own page: > https://wiki.musl-libc.org/supported-platforms. I also don't think > it would also break anything on those platforms anyway if a higher > value was used. Most uses i've seen use this value to allocate a > static array, so aside from a couple more bytes of memory used there > isn't much to lose. What was established so far is that applications are using NGROUPS_MAX as an array dimension for an automatic-storage array, which will immediately blow up with stack overflow if we increased the value to the kernel value. I'm aware that you proposed just using an arbitrary lower value like 1024, which might work in practice, but I suspect there are actually only like 3 or 4 programs that are having any problem, and they could just be fixed to fallback to allocated storage if a small constant-size buffer doesn't work. This is normally the way we work through this kind of problem -- getting to the root cause and eliminating the technical debt behind it rather than making new technical debt to work around it. But in order to evaluate whether this is a good option, and what the impact of different options would be, we actually need to know what these programs are. Rich ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 2024-09-13 16:12 ` Rich Felker @ 2024-09-13 18:34 ` Kate Deplaix 0 siblings, 0 replies; 15+ messages in thread From: Kate Deplaix @ 2024-09-13 18:34 UTC (permalink / raw) To: Rich Felker; +Cc: musl [-- Attachment #1: Type: text/plain, Size: 3673 bytes --] > Can you clarify how the whole system is breaking as a result of the macro value? i just tried again and the issue seems to come from initgroups (https://git.busybox.net/busybox/tree/libbb/change_identity.c?h=1_36_stable) so your commit might have fixed this particular issue. Would it be possible to have a release of musl? Or alternatively is there a simple way to install musl master on Alpine to test if it fixed that problem? The way to reproduce this issue is to simply: # su - user $ exit # addgroup user kvm # echo $? 0 # groups user | wc -w 33 # su - user su: can't set groups If you do that to root you can't login anymore and you've locked yourself out of your system. From what i remember on reboot you can't login to other users either. > getting to the root cause and eliminating the technical debt behind it rather than making new technical debt to work around it. Sure, i do agree that's the ideal thing to do. However this only works if someone (or a group of people) is actively working on fixing it everywhere. I personally don't have time to do that outside of OCaml. > but I suspect there are actually only like 3 or 4 programs that are having any problem I disagree. Just glancing through https://codesearch.debian.net/ the issue can be seen in Pulseaudio, Sendmail, libcap2, OCaml, lynx, openafs, thunar, nemo, nautilus, opendoas, … ________________________________ From: Rich Felker <dalias@libc.org> Sent: 13 September 2024 17:12 To: Kate Deplaix <kit-ty-kate@outlook.com> Cc: musl@lists.openwall.com <musl@lists.openwall.com> Subject: Re: [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 On Fri, Sep 13, 2024 at 04:00:52PM +0000, Kate Deplaix wrote: > The problem is that NGROUPS_MAX is used in downstream projects, not > sysconf(_SC_NGROUPS_MAX). Notoriously one of the main user of musl > (Alpine Linux) does not modify this value which makes the whole > system break completely if a user happens to be added to more than > 32 groups. Can you clarify how the whole system is breaking as a result of the macro value? > Changing every opensource projects that use NGROUPS_MAX to use > sysconf(_SC_NGROUPS_MAX) instead doesn't seem like a reasonable > answer to me, even if it might be the correct one in theory. > > I also really don't understand why you want to support 20+ years old > kernel versions (pre 2.6.4) which aren't even POSIX conformant > according to your own page: > https://wiki.musl-libc.org/supported-platforms. I also don't think > it would also break anything on those platforms anyway if a higher > value was used. Most uses i've seen use this value to allocate a > static array, so aside from a couple more bytes of memory used there > isn't much to lose. What was established so far is that applications are using NGROUPS_MAX as an array dimension for an automatic-storage array, which will immediately blow up with stack overflow if we increased the value to the kernel value. I'm aware that you proposed just using an arbitrary lower value like 1024, which might work in practice, but I suspect there are actually only like 3 or 4 programs that are having any problem, and they could just be fixed to fallback to allocated storage if a small constant-size buffer doesn't work. This is normally the way we work through this kind of problem -- getting to the root cause and eliminating the technical debt behind it rather than making new technical debt to work around it. But in order to evaluate whether this is a good option, and what the impact of different options would be, we actually need to know what these programs are. Rich [-- Attachment #2: Type: text/html, Size: 6357 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2024-09-13 18:34 UTC | newest] Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-11-14 23:35 [musl] [PATCH] Increase NGROUPS_MAX from 32 to 1024 Kate Deplaix 2024-03-11 18:31 ` [musl] " Kate Deplaix 2024-03-12 0:46 ` Rich Felker 2024-04-09 12:54 ` Kate Deplaix 2024-04-09 15:46 ` Thorsten Glaser 2024-04-09 16:26 ` Rich Felker 2024-04-11 1:07 ` [musl] " Rich Felker 2024-04-11 1:51 ` Rich Felker 2024-04-11 2:58 ` Markus Wichmann 2024-04-11 11:44 ` Laurent Bercot 2024-09-13 11:45 ` Kate Deplaix 2024-09-13 14:47 ` Rich Felker 2024-09-13 16:00 ` Kate Deplaix 2024-09-13 16:12 ` Rich Felker 2024-09-13 18:34 ` Kate Deplaix
Code repositories for project(s) associated with this public inbox https://git.vuxu.org/mirror/musl/ This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).