Date: Sun, 18 Mar 2001 23:39:21 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: brett@lariat.org (Brett Glass)
Cc: tlambert@primenet.com (Terry Lambert), babkin@bellatlantic.net (Sergey Babkin), security@FreeBSD.ORG, wes@softweyr.com (Wes Peters), rwatson@FreeBSD.ORG (Robert Watson), fs@FreeBSD.ORG
Subject: Re: about common group & user ID space (PR kern/14584)
Message-ID: <200103182339.QAA18696@usr05.primenet.com>
In-Reply-To: <4.3.2.7.2.20010318123759.00d9dd10@localhost> from "Brett Glass" at Mar 18, 2001 12:42:17 PM
> At the same time, it'd be nice to eliminate the arbitrary limitations
> on (a) the number of groups of which a user can be a member and (b) the
> number of members in a group. Both of these limitations often bite
> administrators who, for example, want most users of a system to be
> members of a particular group or want to implement group-based access
> control schemes with a moderate degree of granularity. Classes won't
> cut it for this purpose, alas, because they're not built into file
> system security.

I think that you will run into the limitations inherent in the quota record storage format and NFSv2 UID/GID, well before you face that limit. I think that trying to make a user a member of 50,000 groups is probably a mistake, and it's not "arbitrary" to prevent this.

There is really no limit on the number of members permitted in a group, I believe. If you are talking about line length, I'd say you should consider getting rid of "pico" and using a real editor. I think there are patches floating around to allow repeats of group lines in order to set up larger lists of members, in any case (they may already be integrated into FreeBSD; they aren't in BSDI, from looking at the BSDI system I have access to).

I think the workaround for the "I want groups to be more than groups and act more like classes, but I'm too lazy to implement classes properly" problem is pretty simple: write an SGID program that gets you a shell. Alternately, write a program that lets you add a group (and spawn a subshell) that's SUID root, and does a check against the group password field. Give the password to the users you want to have access to the group.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
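The second workaround in the message above, the SUID-root "add a group and spawn a subshell" helper that checks the group password field, written out as an added example. This is not code from the thread, from FreeBSD or from BSDI; the program name groupsh, the choice of /bin/sh, and the weak declaration of crypt(3) (so the file links on glibc systems without -lcrypt, in which case it refuses to run rather than skipping the check) are this example's own assumptions. It has to be installed owned by root with mode 4711 for setgroups(2) to succeed.

```c
/* groupsh.c (hypothetical name): join a password-protected group and get a
 * subshell. Added illustration, not FreeBSD code. Install: chown root,
 * chmod 4711. Build: cc -o groupsh groupsh.c -lcrypt */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* crypt(3) lives in libcrypt on glibc; declared weak so the file also links
 * without -lcrypt, and main() then fails closed instead of skipping the check. */
extern char *crypt(const char *key, const char *salt);
#pragma weak crypt

/* Fail closed: an empty, "*" or "!"-locked password field admits nobody. */
int group_password_usable(const char *field)
{
    return field != NULL && field[0] != '\0' && field[0] != '*' && field[0] != '!';
}

/* Append gid to the supplementary list unless it is already there.
 * Returns the new count, or -1 when the list is already at max. */
int add_supplementary_gid(gid_t *groups, int ngroups, int max, gid_t gid)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == gid)
            return ngroups;
    if (ngroups >= max)
        return -1;
    groups[ngroups] = gid;
    return ngroups + 1;
}

/* Compare two hash strings without returning early at the first mismatch. */
int hashes_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s group\n", argv[0]);
        return 2;
    }
    if (crypt == NULL) {
        fprintf(stderr, "crypt(3) not linked in; rebuild with -lcrypt\n");
        return 1;
    }
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    struct group *gr = getgrnam(argv[1]);
    if (gr == NULL) {
        fprintf(stderr, "%s: no such group\n", argv[1]);
        return 1;
    }
    if (!group_password_usable(gr->gr_passwd)) {
        fprintf(stderr, "%s: group has no usable password\n", argv[1]);
        return 1;
    }
    char *pw = getpass("Group password: ");
    if (pw == NULL)
        return 1;
    char *hash = crypt(pw, gr->gr_passwd);
    memset(pw, 0, strlen(pw));               /* don't leave the cleartext around */
    if (hash == NULL || !hashes_equal(hash, gr->gr_passwd)) {
        fprintf(stderr, "Sorry.\n");
        return 1;
    }

    gid_t groups[NGROUPS_MAX];
    int n = getgroups(NGROUPS_MAX, groups);
    if (n < 0) {
        perror("getgroups");
        return 1;
    }
    n = add_supplementary_gid(groups, n, NGROUPS_MAX, gr->gr_gid);
    if (n < 0) {
        fprintf(stderr, "already a member of NGROUPS_MAX (%d) groups\n", NGROUPS_MAX);
        return 1;
    }
    if (setgroups(n, groups) < 0) {          /* needs euid 0: binary not setuid root? */
        perror("setgroups");
        return 1;
    }
    /* Give root back for good before exec: real, effective and saved ids. */
    if (setgid(rgid) < 0 || setuid(ruid) < 0 || geteuid() != ruid) {
        perror("setuid");
        return 1;
    }
    /* Minimal environment: nothing the caller set reaches the shell via a root exec. */
    char *env[] = { "PATH=/usr/bin:/bin", NULL };
    execle("/bin/sh", "sh", (char *)NULL, env);
    perror("execle");
    return 1;
}
```

The hash goes in the password field of the group's /etc/group line, and the subshell keeps the caller's real uid, so the audit trail is unchanged; only the supplementary group list grows. Note that the program runs into NGROUPS_MAX, the very per-user limit the quoted message complains about, and reports it instead of silently dropping a group. getpass(3) is obsolescent, and on a current system a PAM-backed newgrp(1)/sg(1) does the same job; the point here is the shape of the check-then-drop-privileges sequence.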