[5411] in Moira
Re: Patch to fix Hesiod grplist truncation
daemon@ATHENA.MIT.EDU (Evan Broder)
Fri Jan 23 04:43:54 2009
Message-ID: <49799121.4040308@mit.edu>
Date: Fri, 23 Jan 2009 04:42:57 -0500
From: Evan Broder <broder@MIT.EDU>
To: moiradev@mit.edu
In-Reply-To: <49797BA9.4020609@mit.edu>

*sigh* Well, marc contacted me over zephyr and was absolutely right: the
over-255 character case isn't the interesting one; it's actually the
over-1024 (or thereabouts). libhesiod appears to artificially impose a
limitation on the maximum length of a single Hesiod lookup result.
(Upping MAX_HESRESP in hesiod_p.h does actually seem to allow me to
increase the maximum size of a return record).

Anyway, having convinced myself that I don't actually know enough about
DNS and BIND to fix this, I withdraw my patch for the time being. Sorry
for the inconvenience.

- Evan

Evan Broder wrote:
> Hello again -
> I've come up with a patch to the Hesiod DCM that I think will solve
> the issue where people's grplists get cut off if they're on too many NFS
> groups. This is an issue for Athena 10, since we currently use this as a
> way to restrict logins per group (several SIPB members get bumped off of
> gsipb, and therefore can't remotely log into our Athena 10 office heads).
>
> This patch should create a single RR that contains multiple string
> entries. I've tested this using my personal domain, ebroder.net, to
> verify that libhesiod does concatenate multiple string entries in a
> single RR.
>
> From the zone file:
>
>
>> mitchb.grplist.ns TXT "sipb-door:68108:lsc-ec-only:1206:lsc-locker-a\
>> dmin:14514:dcns-rcc:961:tetazoo-mach-login-acl:68748:lsc-sysadmin:20\
>> 224:lsc:5127:lsc-projection:7521:tetazoo-mach-acl:26008:apo-printsho\
>> p:16863:lsc-treasury:7526:lsc-slides:17199:axaa-acl:24117:apo-acl:24\
>> 667:" "gsipb:15001"
>>
>
> And then querying with libhesiod
>
>> dhcp-18-111-4-73:~ evan$ hesinfo mitchb@ebroder.net grplist
>> sipb-door:68108:lsc-ec-only:1206:lsc-locker-admin:14514:dcns-rcc:961:t\
>> etazoo-mach-login-acl:68748:lsc-sysadmin:20224:lsc:5127:lsc-projection\
>> :7521:tetazoo-mach-acl:26008:apo-printshop:16863:lsc-treasury:7526:lsc\
>> -slides:17199:axaa-acl:24117:apo-acl:24667:gsipb:15001
>>
>
> I (obviously) haven't had an opportunity to test this code, and C is not
> my best language, so I certainly wouldn't run this on production
> hardware without testing, but I believe it does the right thing.
>
> - Evan
>
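
The two limits discussed in this thread, as an added example that is not part of the email, the withdrawn patch, Moira or libhesiod: a value is split into TXT character-strings of at most 255 bytes, and the joined result is refused rather than silently cut when it exceeds the receiving buffer. The names `txt_encode`, `txt_join` and `RESP_LIMIT` are hypothetical, and the value 1024 is an assumption taken from the "over-1024 (or thereabouts)" figure above.

```c
#include <string.h>

#define TXT_CHUNK_MAX 255  /* one DNS character-string holds at most 255 bytes */
#define RESP_LIMIT 1024    /* assumed cap, from the email's "over-1024 (or thereabouts)" */

/* Encode value as TXT RDATA: a run of <length byte><data> character-strings.
 * Returns the RDATA length, or 0 if out is too small. */
size_t txt_encode(const char *value, unsigned char *out, size_t outlen)
{
    size_t len = strlen(value), off = 0, used = 0;

    do {
        size_t take = len - off;
        if (take > TXT_CHUNK_MAX)
            take = TXT_CHUNK_MAX;
        if (outlen - used < take + 1)     /* length byte plus data must fit */
            return 0;
        out[used++] = (unsigned char)take;
        memcpy(out + used, value + off, take);
        used += take;
        off += take;
    } while (off < len);
    return used;
}

/* Join the character-strings of one TXT RDATA into a NUL-terminated string.
 * Returns the joined length, or -1 if the RDATA is malformed or the result
 * would not fit in outlen bytes (no silent truncation). */
long txt_join(const unsigned char *rdata, size_t rdlen, char *out, size_t outlen)
{
    size_t pos = 0, used = 0;

    if (outlen == 0)
        return -1;
    while (pos < rdlen) {
        size_t n = rdata[pos++];
        if (n > rdlen - pos)              /* length byte runs past the RDATA */
            return -1;
        if (n > outlen - 1 - used)        /* joined result exceeds the buffer */
            return -1;
        memcpy(out + used, rdata + pos, n);
        used += n;
        pos += n;
    }
    out[used] = '\0';
    return (long)used;
}
```

A 300-byte list round-trips through two character-strings, while a 1100-byte list encodes cleanly into five but is rejected by `txt_join` when the output buffer is `RESP_LIMIT` bytes.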