Limit on Secondary groups

I recall that in Solaris 8, there was a limit - 8 or 16 - on the number of Secondary groups in which a user ID could be listed.

1) Does such a limit exist in Linux (in general)?

2) If it does, what is it, specifically, for:

a) RHEL ES3
b) RHEL AS3
c) RHEL ES4
Asked by PsiCop

ravenpl commented:
> I'm not finding that file in RHEL ES3U7.
Yes, it's only under kernel 2.6. For kernel 2.4 it's hardcoded, and seems to be 32 only.
 
ravenpl commented:
Check the value of /proc/sys/kernel/ngroups_max - it's different for various archs. Defaults to 64K.
 
pjedmond commented:
1. A limit may exist in practice, but it looks as if the standard (POSIX) structure can accept any number of secondary groups.

2. a. Tested on White Box Linux (RHEL 3 clone) - 20 works fine; just keep adding to the /etc/group line relating to the user in question.
b. Identical kernel (unless you've configured it for huge_mem or smp), so the limit would be the same.
c. RHEL ES4U2 - also managed 20, but can't see why there is any other limit other than mem/number of groups on the system!

Is there a genuine need to find a limit? I've got one RHEL ES4U2 box where I can try almost 100 groups if this is important. The bottom line is that there doesn't appear to be a specified limit that I can find.

HTH:)
 
pjedmond commented:
Another limit implication from the Solaris 8 documentation:
> There are some useful limitations of groupids. For example, each user account can be in no more than 16 groups, and a line in the group file cannot exceed 512 characters (including the newline character).
>
> What happens if you need to add so many members to a group that you exceed the 512-character entry limit? You simply create another duplicate group entry—same name and group number—and list the additional members there.

If there is a problem at 512 chars, then follow the above advice about a duplicate line.

HTH:)
 
pjedmond commented:
On a Red Hat system (RHEL 3), the max total number of groups that you can have on a system is 65535:

/proc/sys/kernel/overflowgid

This gives the max gid number, so obviously there can't be more groups than this, unless you decide to recompile your kernel to give a bigger number. As a result (obviously), you can't have more than 65533 secondary groups. (Obviously being part of root (0), makes the rest of the groups fairly pointless, and one of the groups would have to be a primary group for the user).

HTH:)
 
PsiCop (author) commented:
ravenpl,

I'm not finding that file in RHEL ES3U7.
 
ravenpl commented:
/proc/sys/kernel/overflowgid is the maximum number of groups in the system - not per user / process.
 
PsiCop (author) commented:
pjedmond,

There's no need for the limit - I'm just trying to find out what it might be. I agree, POSIX says there's no limit, but in practice we do see limits - either ones imposed by a file parser (a la Solaris 8) or by the maximum # of groups the system supports (a la /proc/sys/kernel/overflowgid).

100 is quite sufficient, in any case.

I also wonder about breaking apps that pay attention to Secondary Groups, like sudo, or OpenSSH (specifically the AllowGroups/DenyGroups keywords in sshd_config).
 
pjedmond commented:
>/proc/sys/kernel/overflowgid
>is the maximum numbers of groups in the system - not per user / process.

Of course... that's what I said... and as such provides an upper limit on the number of groups that someone could be a member of... Of course there may be a lower limit somewhere.

With respect to AllowGroups/DenyGroups, I tried:

test:x:504:admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,test2

and I can correctly deny test2. Overall, I'd be fairly confident that it should work fine for you. Having said that, obviously try what you want to do, before implementing it on a live server as that's good practice to carry out anyway.
 
pjedmond commented:
(67 groups)  :)
 
ravenpl commented:
Also to be clear here - the limit applies to the process. You can put a user in as many groups as you want, but when it executes an application, the process can be a member of ngroups secondary groups.
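An added audit script (written for this page, not posted in the thread) that applies the points above from the defender's side: it parses a constructed /etc/group sample, merges duplicate same-name entries (the Solaris workaround for the 512-character line), counts each user's supplementary groups, and compares them with /proc/sys/kernel/ngroups_max, falling back to 32 where that file is absent, as on 2.4 kernels. The sample data and the 512 limit constant are constructed from the discussion above, not read from any real system.

```python
from collections import defaultdict
# Constructed sample /etc/group (not from a real system): "dev" is split over
# duplicate entries as the Solaris docs suggest; "big" is an over-long line.
SAMPLE_GROUP_FILE = "\n".join([
    "root:x:0:",
    "bin:x:1:root,bin,daemon",
    "admin:x:500:alice,bob",
    "dev:x:501:alice",
    "dev:x:501:carol",
    "test:x:504:admin,bin,test2",
    "big:x:600:" + ",".join(f"user{n}" for n in range(120)),
]) + "\n"
LINE_LIMIT = 512  # entry length limit quoted from the Solaris 8 docs above

def parse_group_file(text):
    """Return {group: set(members)}, merging duplicate same-name entries."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group entry: {line!r}")
        name, _pw, _gid, members = fields
        groups.setdefault(name, set()).update(m for m in members.split(",") if m)
    return groups

def long_entries(text, limit=LINE_LIMIT):
    """Group names whose raw line (newline included) exceeds the parser limit."""
    return [ln.split(":", 1)[0] for ln in text.splitlines()
            if ln.strip() and len(ln) + 1 > limit]

def supplementary_groups(groups):
    """Return {user: sorted supplementary group names} from the parsed file."""
    per_user = defaultdict(set)
    for name, members in groups.items():
        for user in members:
            per_user[user].add(name)
    return {u: sorted(g) for u, g in per_user.items()}

def read_ngroups_max(path="/proc/sys/kernel/ngroups_max", fallback=32):
    """2.6 kernels expose the per-process limit here; 2.4 hardcodes 32."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return fallback

def over_limit(per_user, limit):
    """Users with more supplementary groups than one process can hold."""
    return {u: len(g) for u, g in per_user.items() if len(g) > limit}
```

Run it against a real file with `over_limit(supplementary_groups(parse_group_file(open("/etc/group").read())), read_ngroups_max())`; any user it lists will silently lose groups when a process is started on their behalf.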
 
pjedmond commented:
Good point.

Unfortunately, I can't find much in the way of specific documentation, and I guess that means that the best possible test would be to try it and see. Of course if PAM is used rather than the default authentication options, then it is more than probable that the limits will be different:)
 
ravenpl commented:
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_PROBE 100000

int main(void)
{
 static gid_t li[MAX_PROBE]; /* zero-initialised, so every entry is gid 0 */
 int i = 1;
 /* needs root (CAP_SETGID); stop at the array bound rather than overrunning it */
 while (i <= MAX_PROBE && setgroups(i, li) == 0) ++i;
 if (i > MAX_PROBE)
  printf("no failure up to %d groups\n", MAX_PROBE);
 else
  printf("failed on %d: %s\n", i, strerror(errno)); /* EINVAL = over ngroups_max */
 return 0;
}
//shows the limit(hence may get SIGSEGV if the limit is greater than 100000). I suppose it's end of topic.
 
ravenpl commented:
expect long execution on 2.6 kernel ;) the limit is 64K...
 
PsiCop (author) commented:
PAM is not in use.

Yes, the kernel is v2.4 for RHEL v3. So it sounds like the *practical* limit is 32.
 
pjedmond commented:
Is that enough for your needs? If not, then you've still got the PAM option:)
 
PsiCop (author) commented:
Yeah, it's enough. Actually, I'm glad it's lower in the 2.4 kernel - makes it easier to convince my fellow admins not to create a group in /etc/groups every time someone sneezes.