[Twisted-Python] t.i.process uid/gid suckiness

Phil Mayers p.mayers at imperial.ac.uk
Tue Apr 22 13:28:26 EDT 2003


On Wed, Mar 12, 2003 at 01:17:55AM +1100, Anthony Baxter wrote:
> 
> >>> Tommi Virtanen wrote
> > 	0) make the t.i.process setuid/setgid code actually work (see
> > 	   patch; BTW is the initgroups part really needed? I feel my
> > 	   pure-python 6-liner does the same thing.)
> 
> > +        def initgroups(username, dummy):
> > +            l=[]
> > +            for groupname, password, gid, userlist in grp.getgrall():
> > +                if username in userlist:
> > +                    l.append(gid)
> > +            os.setgroups(l)
> 
> Certainly on the operating systems that I can recall, your initgroups()
> is doing the same thing as the C level initgroups. But if the C level

No no no no. getgrall could theoretically return a *huge* number of
groups, and/or individual groups could have *huge* numbers of members.
For a system with /etc/passwd and /etc/group only, this doesn't matter,
but think about a system with an LDAP (RFC2307) nameservice backend - I
just tested it on my machine, and getgrall results in over 48Mb of
LDAP queries based on our ActiveDirectory groups. Many tens of seconds.

However, calling initgroups results in a single query:

memberUid=foo

...and only returns the groupname and gid, so is efficient every time.
The "right" way to do this is the getgrouplist() call (see
http://www.openbsd.org/cgi-bin/man.cgi?query=getgrouplist) and if you
look at the NSS code in e.g. glibc the NSS modules can provide
"efficient" hooks which initgroups() and getgrouplist() can implement.
initgroups() in glibc basically calls getgrouplist() on the NSS plugin
and so whilst the *result* is the same, you're taking the slow path.

This is important - don't use the sucky getgrent (in fact, I'm an
advocate of making the gr_mem member of the "struct group" always be
null. Just because other apps do it is no exscuse either :o)

-- 

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+




More information about the Twisted-Python mailing list