macOS Mojave: setgroups(501) failed: Too many extra groups

Aki Tuomi aki.tuomi at open-xchange.com
Thu Oct 11 10:55:39 EEST 2018



On 11.10.2018 10:08, Heiko W. Rupp wrote:
> On Thu, Oct 11, 2018 at 09:51:34AM +0300, Aki Tuomi wrote:
>>> Looking at the source, I see this is handled in
>>> src/lib/restrict-access.c::fix_groups_list(), where above the call to
>>> setgroups() a gid_list2 is constructed. I wonder if one could have a
>>> config option to prevent adding all those extra groups, which then make
>>> the call to setgroups() fail.
>  
>> Not trivially. We would need to know which groups to drop and which not.
> Looking at id output
>
>  id
> uid=501(hwr) gid=20(staff) groups=20(staff),6(mail),12(everyone),61(localaccounts),80(admin),98(_lpadmin),500(users),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),30(_keytabusers),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),103(com.apple.access_screensharing-disabled),104(com.apple.access_ssh-disabled)
>
> it seems that all the com.apple ones can easily be dropped.
> What about a config list that the admin can set with a list of gids that can be dropped/are not added to gid_list2?
>
>   Heiko
>

Maybe. Have to see when we can implement it though. It could probably
leverage the min/max_gid setting.

Aki
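
The min/max gid idea discussed in this thread, sketched as an added example that is not Dovecot's code and not from either poster: filter_groups() and its parameters are hypothetical, the gids are the ones from the quoted id output, and the 1-500 range is a constructed choice. The platform limit is passed in so the caller can refuse an oversized list before setgroups() does.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample: the 17 gids from the id output quoted above. */
static const gid_t sample_gids[] = { 20, 6, 12, 61, 80, 98, 500, 701, 702,
                                     30, 33, 100, 204, 250, 395, 103, 104 };
#define SAMPLE_COUNT (sizeof(sample_gids) / sizeof(sample_gids[0]))
static gid_t kept[SAMPLE_COUNT];

/* Hypothetical helper (not Dovecot's fix_groups_list()): copy to `out` the
 * primary gid plus every gid inside [min_gid, max_gid], skipping duplicates.
 * Returns the number kept, or -1 if that would exceed `limit`, so the caller
 * can report a clear error instead of hitting a failing setgroups(). */
static int filter_groups(const gid_t *in, size_t n, gid_t primary,
                         gid_t min_gid, gid_t max_gid,
                         gid_t *out, size_t limit)
{
    size_t count = 0;

    for (size_t i = 0; i < n; i++) {
        size_t j = 0;

        if (in[i] != primary && (in[i] < min_gid || in[i] > max_gid))
            continue;               /* outside the allowed range: drop */
        while (j < count && out[j] != in[i])
            j++;
        if (j < count)
            continue;               /* already in the list */
        if (count == limit)
            return -1;              /* still too many for setgroups() */
        out[count++] = in[i];
    }
    return (int)count;
}

int main(void)
{
    long limit = sysconf(_SC_NGROUPS_MAX);  /* platform limit on groups */
    int n = filter_groups(sample_gids, SAMPLE_COUNT, 20, 1, 500,
                          kept, limit > 0 ? (size_t)limit : 0);

    if (n < 0) {
        fprintf(stderr, "filtered group list still exceeds %ld\n", limit);
        return 1;
    }
    printf("%d of %zu groups kept (limit %ld)\n", n, SAMPLE_COUNT, limit);
    /* A privileged caller would now pass kept[0..n-1] to setgroups(). */
    return 0;
}
```

With the constructed 1-500 range only gids 701 and 702 fall out; the other com.apple groups in the quoted output have gids inside that range, so a range alone does not drop them.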

