Solved

Limit on Secondary groups

Posted on 2006-06-15
17
2,547 Views
Last Modified: 2011-10-03
I recall that in Solaris 8, there was a limit - 8 or 16 - on the number of Secondary groups in which a user ID could be listed.

1) Does such a limit exist in Linux (in general)?

2) If it does, what is it, specifically, for:

a) RHEL ES3
b) RHEL AS3
c) RHEL ES4
0
Comment
Question by:PsiCop
17 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 16912987
check the value from /proc/sys/kernel/ngroups_max - it's different for various archs.
defaults to 64K
0
 
LVL 22

Assisted Solution

by:pjedmond
pjedmond earned 125 total points
ID: 16912996
1.   A limit may exist in practice, but it looks as if the standard (POSIX) structure can accept any number of secondary groups.

2.a.  Tested on White Box Linux (RHEL 3 clone) - 20 works fine.....just keep adding to the /etc/group line relating to the user in question
b. Identical kernel (Unless you've configured it for huge_mem or smp), so the limit would be the same.
c. RHEL ES4U2 - Also managed 20, but can't see why there is any other limit other than mem/number of groups on the system!

Is there a genuine need to find a limit? I've got one RHEL ES4U2 box where I can try almost 100 groups if this is important. The bottom line is that there doesn't appear to be a specified limit that I can find.

HTH:)
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 16913031
Another limit implication from the Solaris 8 documentation:
--------------8X----------------
There are some useful limitations of groupids. For example, each user account can be in no more than 16 groups, and a line in the group file cannot exceed 512 characters (including the newline character).

What happens if you need to add so many members to a group that you exceed the 512-character entry limit? You simply create another duplicate group entry—same name and group number—and list the additional members there.
--------------8X----------------

If there is a problem at 512 chars, then follow the above advice about a duplicate line.

HTH:)
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 16913076
On a redhat system (RHEL 3) , the max total number of groups that you can have on a system is 65535:

/proc/sys/kernel/overflowgid

This gives the max gid number, so obviously there can't be more groups than this, unless you decide to recompile your kernel to give a bigger number. As a result (obviously), you can't have more than 65533 secondary groups. (Obviously being part of root (0), makes the rest of the groups fairly pointless, and one of the groups would have to be a primary group for the user).


HTH:)
0
 
LVL 34

Author Comment

by:PsiCop
ID: 16913346
ravenpl,

I'm not finding that file in RHEL ES3U7.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 16913355
/proc/sys/kernel/overflowgid
is the maximum numbers of groups in the system - not per user / process.
0
 
LVL 34

Author Comment

by:PsiCop
ID: 16913383
pjedmond,

There's no need for the limit - I'm just trying to find out what it might be. I agree, POSIX says there's no limit, but in practice we do see limits - either ones imposed by a file parser (a la Solaris 8) or by the maximum # of groups the system supports (a la /proc/sys/kernel/overflowgid).

100 is quite sufficient, in any case.

I also wonder about breaking apps that pay attention to Secondary Groups, like sudo, or OpenSSH (specifically the AllowGroups/DenyGroups keywords in sshd_config).
0
 
LVL 22

Assisted Solution

by:pjedmond
pjedmond earned 125 total points
ID: 16913787
>/proc/sys/kernel/overflowgid
>is the maximum numbers of groups in the system - not per user / process.

Of course...that's what I said...and as such provides an upper limit on the number of groups that someone could be a member of.....Of course there may be a lower limit somewhere.

With respect to AllowGroups/DenyGroups, I tried:

test:x:504:admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,test2

and I can correctly deny test2. Overall, I'd be fairly confident that it should work fine for you. Having said that, obviously try what you want to do, before implementing it on a live server as that's good practice to carry out anyway.

0
 
LVL 22

Expert Comment

by:pjedmond
ID: 16913798
(67 groups)  :)
0
 
LVL 43

Accepted Solution

by:ravenpl
ravenpl earned 125 total points
ID: 16913822
> I'm not finding that file in RHEL ES3U7.
Yes, it's only under kernel 2.6. For kernel 2.4 it's hardcoded, and seems to be 32 only.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 16913840
Also to be clear here - the limit applies to the process. You can put a user in as many groups as you want, but when it executes an application, the process can be a member of ngroups secondary groups.
0
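The three points made above - that the per-process limit is read from /proc/sys/kernel/ngroups_max (or is hardcoded on older kernels), that a group file may carry duplicate lines for one group (the Solaris 512-character workaround quoted earlier), and that a user can be listed in more groups than a process can actually carry - can be turned into one audit script. The following is an added example and not code from this thread: it merges duplicate group lines, counts each user's distinct secondary groups, reports anyone over the limit, and reports the longest group-file line. The sample group file is constructed for the example; the fallback value of 32 is only the 2.4-era figure quoted in the thread and is an assumption where neither /proc nor `getconf NGROUPS_MAX` is available.

```shell
#!/bin/sh
# Added example (not from the thread): compare each user's configured
# secondary groups against the kernel's per-process limit.

# Per-process limit: /proc/sys/kernel/ngroups_max on 2.6+, getconf where
# /proc lacks the file, else the 2.4-era figure of 32 quoted in the thread.
ngroups_limit() {
    if [ -r /proc/sys/kernel/ngroups_max ]; then
        cat /proc/sys/kernel/ngroups_max
    elif n=$(getconf NGROUPS_MAX 2>/dev/null) && [ -n "$n" ]; then
        echo "$n"
    else
        echo 32   # assumption: hardcoded 2.4 limit mentioned above
    fi
}

# Print "user count" for every user named as a member in group file $1.
# Duplicate lines for one group (same name, Solaris-style continuation)
# and a user listed twice on one line are counted once.
secondary_group_counts() {
    awk -F: '
        NF >= 4 && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                key = m[i] SUBSEP $1
                if (!(key in seen)) { seen[key] = 1; count[m[i]]++ }
            }
        }
        END { for (u in count) print u, count[u] }
    ' "$1" | sort
}

# Print users whose count exceeds limit $2; exit 1 if there are any.
check_users() {
    secondary_group_counts "$1" |
        awk -v lim="$2" '$2 + 0 > lim + 0 { print; bad = 1 } END { exit bad }'
}

# Longest line in group file $1 (the Solaris parser limit quoted above is 512).
max_group_line_length() {
    awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$1"
}

# Constructed sample group file for offline use; not a real system's /etc/group.
write_sample_group_file() {
    cat > "$1" <<'EOF'
root:x:0:
wheel:x:10:alice
dev:x:500:alice,bob
dev:x:500:carol
ops:x:501:alice,bob,bob
audit:x:502:carol
EOF
}

# Run with --live to audit the real /etc/group; without arguments it only
# defines the functions so it can be sourced.
if [ "${1-}" = "--live" ]; then
    lim=$(ngroups_limit)
    echo "per-process limit: $lim; longest /etc/group line: $(max_group_line_length /etc/group)"
    check_users /etc/group "$lim" && echo "no user exceeds the limit"
fi
```

On the constructed sample, alice is counted in three groups (wheel, dev, ops), bob in two (the repeated entry on the ops line is merged) and carol in two (the second dev line is merged with the first). A user reported by check_users is configured for more groups than a process can carry, so any access check that depends on one of the surplus groups should be tested before being relied on, as pjedmond suggests above.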
 
LVL 22

Expert Comment

by:pjedmond
ID: 16914297
Good point.

Unfortunately, I can't find much in the way of specific documentation, and I guess that means that the best possible test would be to try it and see. Of course if PAM is used rather than the default authentication options, then it is more than probable that the limits will be different:)
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 16914500
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>

#define MAXTRY 100000   /* upper bound so the probe never reads past the array */

int main(void)
{
 int i = 1;
 static gid_t li[MAXTRY];   /* static: zero-filled and not on a small stack */
 /* setgroups() needs CAP_SETGID, so run as root or the first call fails. */
 while (i <= MAXTRY && setgroups(i, li) == 0) ++i;
 if (i > MAXTRY)
  printf("limit is above %d\n", MAXTRY);
 else if (errno == EPERM)
  printf("setgroups failed: %s (run as root)\n", strerror(errno));
 else
  printf("failed on %d\n", i);
 return 0;
}
//shows the limit (hence may get SIGSEGV if the limit is greater than 100000). I suppose it's end of topic.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 16914543
expect long execution on 2.6 kernel ;) the limit is 64K...
0
 
LVL 34

Author Comment

by:PsiCop
ID: 16915164
PAM is not in use.

Yes, the kernel is v2.4 for RHEL v3. So it sounds like the *practical* limit is 32.
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 16915684
Is that enough for your needs? If not, then you've still got the PAM option:)
0
 
LVL 34

Author Comment

by:PsiCop
ID: 16917132
Yeah, it's enough. Actually, I'm glad it's lower in the 2.4 kernel - makes it easier to convince my fellow admins not to create a group in /etc/groups every time someone sneezes.
0
