'Re: kern.ngroups (non) setting ... new bounty ?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freebsd-hackers
Subject:    Re: kern.ngroups (non) setting ... new bounty ?
From:       Harti Brandt <hartmut.brandt () dlr ! de>
Date:       2007-09-27 14:58:21
Message-ID: 20070927165321.A63884 () knop-beagle ! kn ! op ! dlr ! de
[Download RAW message or body]

On Wed, 26 Sep 2007, rsync.net wrote:

r>
r>
r>On Wed, 26 Sep 2007, Julian Elischer wrote:
r>
r>> >> rsync.net wrote:
r>> >>> It has been impossible to change kern.ngroups - at least for several years
r>> >>> now.  It was not fixed in either 5.x or 6.x :
r>> >>>
r>> >>> http://lists.freebsd.org/pipermail/freebsd-bugs/2007-January/022140.html
r>> >>>
r>> >>> It is seemingly a difficult problem:
r>> >>>
r>> >>> http://www.atm.tut.fi/list-archive/freebsd-stable/msg09969.html   [1]
r>> >>>
r>> >>> However it should be solved - we can't be the only ones out there trying
r>> >>> to add a UID to more than 16 groups...
r>> >> the big question is what do you do for NFS?  remember something about
r>> >> it only having a fixed storage for groups.
r>> >
r>> >
r>> > (snip)
r>> >
r>> >
r>> >>> [1]  Is it indeed true that these programs are broken by not following
r>> >>>      NGROUPS_MAX from syslimits.h?
r>> >
r>> >
r>> > Assuming the answer to the above footnote is "yes", would it be reasonable
r>> > to fix the OS generally, but continue to hard code the limits in things
r>> > like NFS ?
r>> >
r>> > Are you saying that, unlike other items, NFS _does_ respect NGROUPS_MAX ?
r>>
r>> actually it doesn't
r>>
r>> see:
r>>
r>> nfs/rpcv2.h:#define     RPCAUTH_UNIXGIDS 16
r>>
r>> but what do we do if a user has > 16?
r>
r>
r>We have no idea.  All we know is, we need some UIDs to be members of more
r>than 16 groups, and that is currently impossible.
r>
r>We are happy to lend financial support to a solution ... however it sounds
r>like $500 and free rsync.net storage space isn't going to be sufficient ?
r>
r>Is it unexpected that someone has run into this limit ?

I have :-) There is an easy solution: Bump NGROUPS_MAX and recompile 
everything. Be aware that in some cases the group list is truncated: NFS 
and socket credentials (there may be more). I've done this over a year ago 
on my desktop because I'm in 50 groups that come from an active directory.

Making this changeable via sysctl involves more work (see for example 
struct kproc_info).

harti
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
[prev in list] [next in list] [prev in thread] [next in thread] 