Solved

Limit on Secondary groups

Posted on 2006-06-15
Last Modified: 2011-10-03
I recall that in Solaris 8, there was a limit - 8 or 16 - on the number of Secondary groups in which a user ID could be listed.

1) Does such a limit exist in Linux (in general)?

2) If it does, what is it, specifically, for:

a) RHEL ES3
b) RHEL AS3
c) RHEL ES4
Question by:PsiCop
LVL 43

Expert Comment

by:ravenpl
ID: 16912987
Check the value from /proc/sys/kernel/ngroups_max - it's different for various archs.
Defaults to 64K.
0
 
LVL 22

Assisted Solution

by:pjedmond
pjedmond earned 125 total points
ID: 16912996
1.   A limit may exist in practice, but it looks as if the standard (POSIX) structure can accept any number of secondary groups.

2.a.  Tested on White Box Linux (RHEL 3 clone) - 20 works fine... just keep adding to the /etc/group line relating to the user in question.
b. Identical kernel (Unless you've configured it for huge_mem or smp), so the limit would be the same.
c. RHEL ES4U2 - Also managed 20, but can't see why there is any other limit other than mem/number of groups on the system!

Is there a genuine need to find a limit? I've got one RHEL ES4U2 box where I can try almost 100 groups if this is important. The bottom line is that there doesn't appear to be a specified limit that I can find.

HTH:)
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 16913031
Another limit implication from the Solaris 8 documentation:
--------------8X----------------
There are some useful limitations of groupids. For example, each user account can be in no more than 16 groups, and a line in the group file cannot exceed 512 characters (including the newline character).

What happens if you need to add so many members to a group that you exceed the 512-character entry limit? You simply create another duplicate group entry—same name and group number—and list the additional members there.
--------------8X----------------

If there is a problem at 512 chars, then follow the above advice about a duplicate line.

HTH:)
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 16913076
On a redhat system (RHEL 3) , the max total number of groups that you can have on a system is 65535:

/proc/sys/kernel/overflowgid

This gives the max gid number, so obviously there can't be more groups than this, unless you decide to recompile your kernel to give a bigger number. As a result (obviously), you can't have more than 65533 secondary groups. (Obviously being part of root (0), makes the rest of the groups fairly pointless, and one of the groups would have to be a primary group for the user).


HTH:)
0
 
LVL 34

Author Comment

by:PsiCop
ID: 16913346
ravenpl,

I'm not finding that file in RHEL ES3U7.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 16913355
/proc/sys/kernel/overflowgid
is the maximum number of groups in the system - not per user / process.
0
 
LVL 34

Author Comment

by:PsiCop
ID: 16913383
pjedmond,

There's no need for the limit - I'm just trying to find out what it might be. I agree, POSIX says there's no limit, but in practice we do see limits - either ones imposed by a file parser (a la Solaris 8) or by the maximum # of groups the system supports (a la /proc/sys/kernel/overflowgid).

100 is quite sufficient, in any case.

I also wonder about breaking apps that pay attention to Secondary Groups, like sudo, or OpenSSH (specifically the AllowGroups/DenyGroups keywords in sshd_config).
0
 
LVL 22

Assisted Solution

by:pjedmond
pjedmond earned 125 total points
ID: 16913787
>/proc/sys/kernel/overflowgid
>is the maximum numbers of groups in the system - not per user / process.

Of course...that's what I said...and as such provides an upper limit on the number of groups that someone could be a member of.....Of course there may be a lower limit somewhere.

With respect to AllowGroups/DenyGroups, I tried:

test:x:504:admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,admin,bin,test2

and I can correctly deny test2. Overall, I'd be fairly confident that it should work fine for you. Having said that, obviously try what you want to do before implementing it on a live server, as that's good practice to carry out anyway.

0
LVL 22

Expert Comment

by:pjedmond
ID: 16913798
(67 groups)  :)
0
 
LVL 43

Accepted Solution

by:ravenpl
ravenpl earned 125 total points
ID: 16913822
> I'm not finding that file in RHEL ES3U7.
Yes, it's only under kernel 2.6. For kernel 2.4 it's hardcoded, and seems to be 32 only.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 16913840
Also to be clear here - the limit applies to the process. You can put a user in as many groups as you want, but when it executes an application, the process can be a member of ngroups secondary groups.
0
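An added audit script, not from the thread or either poster: it parses /etc/group-style text, merges duplicate group lines (the Solaris workaround quoted earlier), flags lines over the 512-character parser limit from that same quote, and lists users whose membership count exceeds the per-process limit (read from /proc/sys/kernel/ngroups_max on 2.6, sysconf fallback otherwise). The sample group file is constructed.

```python
import os
from collections import defaultdict

# Constructed sample in /etc/group format (not taken from the thread)
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice
admin:x:500:alice,bob
dev:x:501:alice,bob,carol
ops:x:502:alice
"""

LINE_LIMIT = 512        # Solaris 8 group-file parser limit quoted in the thread
KERNEL_24_NGROUPS = 32  # hardcoded per-process limit on 2.4 kernels, per the thread


def parse_group(text):
    """Return ({user: set(groups)}, [(group, length)]) where the list holds
    lines longer than LINE_LIMIT characters (newline included)."""
    members = defaultdict(set)
    long_lines = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if len(line) + 1 > LINE_LIMIT:
            long_lines.append((line.split(":", 1)[0], len(line) + 1))
        name, _pw, _gid, users = line.split(":", 3)
        for user in filter(None, users.split(",")):
            members[user].add(name)  # duplicate group lines merge into one set
    return dict(members), long_lines


def ngroups_limit():
    """Per-process secondary-group limit: /proc on 2.6+, sysconf fallback."""
    try:
        with open("/proc/sys/kernel/ngroups_max") as f:
            return int(f.read())
    except OSError:
        return os.sysconf("SC_NGROUPS_MAX")


def over_limit(members, limit):
    """Users with more memberships than one process can hold (see setgroups)."""
    return {u: len(g) for u, g in members.items() if len(g) > limit}


if __name__ == "__main__":
    members, long_lines = parse_group(SAMPLE_GROUP)
    print("limit:", ngroups_limit(), "over:", over_limit(members, KERNEL_24_NGROUPS))
    print("lines over %d chars:" % LINE_LIMIT, long_lines)
```

Run it against the real file with `parse_group(open("/etc/group").read())`; a user listed in the result cannot have all of those groups applied to a process, so access that depends on the extra groups (sudo, AllowGroups/DenyGroups) is unreliable.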
 
LVL 22

Expert Comment

by:pjedmond
ID: 16914297
Good point.

Unfortunately, I can't find much in the way of specific documentation, and I guess that means that the best possible test would be to try it and see. Of course if PAM is used rather than the default authentication options, then it is more than probable that the limits will be different:)
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 16914500
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>

#define MAXTRY 100000  /* upper bound so the loop never reads past the array */

int main(void)
{
    int i = 1;
    static gid_t li[MAXTRY]; /* static: keeps the 400 KB list off the stack */
    /* setgroups() needs root (CAP_SETGID); grow the list until the kernel rejects it */
    while (i <= MAXTRY && setgroups(i, li) == 0) ++i;
    if (i > MAXTRY)
        printf("limit is above %d\n", MAXTRY);
    else
        printf("failed on %d: %s\n", i, strerror(errno));
    return 0;
}
// shows the limit (the loop stops at MAXTRY instead of reading past the array, so no SIGSEGV if the limit is greater than 100000). I suppose it's the end of the topic.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 16914543
Expect long execution on a 2.6 kernel ;) the limit is 64K...
0
 
LVL 34

Author Comment

by:PsiCop
ID: 16915164
PAM is not in use.

Yes, the kernel is v2.4 for RHEL v3. So it sounds like the *practical* limit is 32.
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 16915684
Is that enough for your needs? If not, then you've still got the PAM option:)
0
 
LVL 34

Author Comment

by:PsiCop
ID: 16917132
Yeah, it's enough. Actually, I'm glad it's lower in the 2.4 kernel - makes it easier to convince my fellow admins not to create a group in /etc/groups every time someone sneezes.
0