Bug 985475
| Field | Value |
|---|---|
| Summary | newgrp contains NIS related patches introducing full group scan in LDAP |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Ron van der Wees <rvdwees> |
| Component | shadow-utils |
| Assignee | Tomas Mraz <tmraz> |
| Status | CLOSED ERRATA |
| QA Contact | Dalibor Pospíšil <dapospis> |
| Severity | high |
| Priority | high |
| Version | 5.9 |
| CC | dapospis, ksrot, pvrabec, rvdwees, tmraz |
| Target Milestone | rc |
| Hardware | All |
| OS | Linux |
| Fixed In Version | shadow-utils-4.0.17-22.el5 |
| Doc Type | Bug Fix |
| Doc Text | Due to the previously added support for the split groups, the newgrp command searched all groups on the system for a given GID. This behavior could cause high network traffic on systems pulling user and group information from a Lightweight Directory Access Protocol (LDAP) server. The underlying source code has been modified, so that this exhaustive search is not performed if the user is a member of a group whose name is specified with newgrp. |
| | 993049 1096275 |
| Last Closed | 2014-09-16 00:25:06 UTC |
| Type | Bug |
| Bug Blocks | 993049, 1049888, 1096275 |

Description
Ron van der Wees
2013-07-17 15:05:33 UTC
Created attachment 774818
tcpdump showing the actual behaviour
I'm attaching a tcpdump showing the actual behaviour of newgrp retrieving all groups from LDAP. See frame 59.

Created attachment 774820
tcpdump showing the expected behaviour
I'm attaching a tcpdump showing the expected behaviour of newgrp retrieving only the specific group. See frame 23. (capture collected after rebuilding shadow-utils packages reverting the patch from http://comments.gmane.org/gmane.linux.pld.shadow.general/96)

Created attachment 774824
Customer provided patch reverting change
The tcpdump created in comment #2 was collected after applying this patch.

Unfortunately we cannot just simply revert the patch as this would break the split group feature. We could skip the full group list retrieval if the user is found as a member of the group in the group returned by getgrnam. Would the solution above be sufficient?

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1217.html