Date: Mon, 23 Feb 2009 08:10:59 +0000 From: n0g0013 <ttw+bsd@cobbled.net> To: Brooks Davis <brooks@freebsd.org> Cc: hackers@freebsd.org, Julian Elischer <julian@elischer.org> Subject: Re: removal of NGROUPS_MAX dependancy from base Message-ID: <20090223081059.GA11713@holyman.cobbled.net> In-Reply-To: <20090222222831.GA70072@lor.one-eyed-alien.net> References: <20090213115426.GA15211@holyman.cobbled.net> <49A0F57E.2030506@elischer.org> <20090222110719.GA16634@holyman.cobbled.net> <20090222222831.GA70072@lor.one-eyed-alien.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 22.02-16:28, Brooks Davis wrote: > On Sun, Feb 22, 2009 at 11:07:19AM +0000, ttw+bsd@cobbled.net wrote: > > On 21.02-22:49, Julian Elischer wrote: > > [ ... ] > > > >this patch should remove the dependancy on the definition of > > > >NGROUPS_MAX as a static constant and implement it as a writable > > > >sysconf variable of the same. it should also make the necessary > > > >changes to the codebase to support those. > > [ ... ] > > > What do you do about NFS? > > > I seem to remember that NFWS had a maximum number of groups supported.. > > > > NFS will be supported by mapping 16 groups into the auth_unix structure > > dynamically. my intention is to try and make this transparent by > > allocating moving the 'most used' groups into that mapping as user > > processes check them, however, this is very conceptual at the moment > > and needs more thought as well as validation from others with more > > experience. > > I think this behavior will probably need to be configurable by the > administrator because some sites are probably using groups to supply > negative permissions. It's quite reasionable to argue that's a bad > idea, but we need to take some care since people do occationally use > that "feature". agree. i'm hoping to make the rpc group allocations dynamic and thus, mostly transparent, but would suggest the only consistent way administrators to set permissions (when NFS is required) is to restrict NGROUP_MAX to 16 or less. i intend this to be the default, changed by sysctl/sysconf. my current primary concern is with software that defines it static arrays with a length of NGROUPS_MAX and then forgets to sanitize 'ngroups' count against that maximum but no idea how to catch those except too say that is 'broken'.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090223081059.GA11713>