Forgive my naivety but what is wrong with the following:

try to open/create the file/directory
foreach group in longlist {
addgroup to groups list
try to open/create the file/directory
if success break
if failure return EACCESS

The OS is responsible for the permission checking as always,
the typical case has no additional overhead, and if the groups
list isn't stupidly long the extra time is minimal. The only
thing I'm not sure about is whether to restore the original
group to the end of the list or not. I would tend to think

Sun _should_ fix the problem but since it's been around for a long
time and is broken in lots of places I suspect there's a good
reason so I'm not optimistic.


-----Original Message-----
From: org
org]On Behalf Of Volker Lendecke
Sent: Dienstag, 8. M=E4rz 2005 08:40
To: David Collier-Brown
Subject: Re: Dynamic groups (was Samba and groups > 16)

On Mon, Mar 07, 2005 at 12:54:55PM -0500, David Collier-Brown wrote:
> I try to read /tmp/foo via samba, but the open fails with EACCES.
> A stat of the file returns
> -rw-r--r-- 1 n1sps n1sps 0 Mar 7 12:45 /tmp/foo
> Samba looks in my long list of (AD) groups, finds n1sps, sees
> it is NOT in my active groups list and substitutes it for pwrtl.
> It then retries, and if it's a read request succeeds. If it's
> a write request it gets EACCESS again, but this time I'm already
> in the right group, so samba returns -1, errno=3DEACCESS.

Fine. This might work in the simple case without ACLs. Or worse: =
currently not in group n1sps, but the mode is 707. According to AD you
be denied access as AD says you're in group n1sps, but you are granted
now, as the mask for "others" applies. Ouch. So it ends up as a =
user-space implementation of access controls which is racy at best. =
ACLs which are necessary in all but the simplest environments this only =
worse. It's not only a stat() call per file system access but a =
reading of the ACL.

Sorry, but jerry is right: Fix your OS.=20

> Which means that only Linux can be used for large sites!
> Which is cool for Linuxians, but a bummer for anyone using
> BSD!

No, this is *not* limited to Linux. This is limited to all operating =
that have removed this silly and unnecessary limit.