From: Terry Lambert
Message-Id: <200103182339.QAA18696@usr05.primenet.com>
Subject: Re: about common group & user ID space (PR kern/14584)
To: brett@lariat.org (Brett Glass)
Date: Sun, 18 Mar 2001 23:39:21 +0000 (GMT)
Cc: tlambert@primenet.com (Terry Lambert), babkin@bellatlantic.net (Sergey Babkin), security@FreeBSD.ORG, wes@softweyr.com (Wes Peters), rwatson@FreeBSD.ORG (Robert Watson), fs@FreeBSD.ORG
In-Reply-To: <4.3.2.7.2.20010318123759.00d9dd10@localhost> from "Brett Glass" at Mar 18, 2001 12:42:17 PM

> At the same time, it'd be nice to eliminate the arbitrary limitations
> on (a) the number of groups of which a user can be a member and (b) the
> number of members in a group. Both of these limitations often bite
> administrators who, for example, want most users of a system to be
> members of a particular group or want to implement group-based access
> control schemes with a moderate degree of granularity. Classes won't
> cut it for this purpose, alas, because they're not built into file
> system security.
I think that you will run into the limitations inherent in the quota record storage format and NFSv2 UID/GID, well before you face that limit. I think that trying to make a user a member of 50,000 groups is probably a mistake, and it's not "arbitrary" to prevent this.

There is really no limit on the number of members permitted in a group, I believe. If you are talking about line length, I'd say you should consider getting rid of "pico" and using a real editor. I think there are patches floating around to allow repeats of group lines in order to set up larger lists of members, in any case (they may already be integrated into FreeBSD; they aren't in BSDI, from looking at the BSDI system I have access to).

I think the workaround for the "I want groups to be more than groups and act more like classes, but I'm too lazy to implement classes properly" problem is pretty simple: write an SGID program that gets you a shell. Alternately, write a program that lets you add a group (and spawn a subshell) that's SUID root, and does a check against the group password field. Give the password to the users you want to have access to the group.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
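The reply's second workaround (a set-uid-root helper that adds a group and spawns a subshell) is the shape of the classic newgrp(1) utility, and its safety depends entirely on how the helper drops privilege before the shell starts. The C program below is an added example for this thread, not code from Terry Lambert or from FreeBSD. It assumes a hypothetical helper named `addgrp` installed set-uid root; it substitutes a check against the group's member list (`gr_mem`) for the group-password check the post proposes, so that no crypt() dependency is needed; and it uses an assumed fixed credential size of 16 supplementary groups to mirror the per-user group limit the thread discusses. The two pure functions (`user_listed`, `add_supplementary_gid`) can be exercised without root via `demo_checks`, which runs on constructed sample data.

```c
#define _GNU_SOURCE          /* exposes setgroups() in <grp.h> on glibc; harmless on BSD */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed fixed number of supplementary-group slots in the kernel credential;
 * 16 mirrors the classic BSD value behind the per-user limit in the thread. */
#define CRED_GROUP_SLOTS 16

/* Return 1 if `user` appears in a NULL-terminated member list (struct group's
 * gr_mem), else 0.  Pure function, so it can be tested without privileges. */
int user_listed(char *const *members, const char *user)
{
    for (; members != NULL && *members != NULL; members++)
        if (strcmp(*members, user) == 0)
            return 1;
    return 0;
}

/* Append `gid` to a fixed-size group array unless already present.  Returns the
 * new count, or -1 with errno = EINVAL when the array is full: this is the
 * "number of groups per user" limit the thread calls arbitrary. */
int add_supplementary_gid(gid_t *groups, int ngroups, int max, gid_t gid)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == gid)
            return ngroups;               /* duplicate: nothing to do */
    if (ngroups >= max) {
        errno = EINVAL;
        return -1;
    }
    groups[ngroups] = gid;
    return ngroups + 1;
}

/* Constructed sample data (not from any real system): a fake member list and a
 * four-slot credential holding three groups.  Returns 1 when all checks pass. */
int demo_checks(void)
{
    char *const members[] = { "alice", "bob", NULL };
    gid_t cred[4] = { 100, 200, 300 };
    int n = 3;

    if (!user_listed(members, "bob") || user_listed(members, "mallory"))
        return 0;
    n = add_supplementary_gid(cred, n, 4, 200);   /* duplicate: count stays 3 */
    if (n != 3) return 0;
    n = add_supplementary_gid(cred, n, 4, 400);   /* last free slot: count 4 */
    if (n != 4 || cred[3] != 400) return 0;
    n = add_supplementary_gid(cred, n, 4, 500);   /* full: -1 */
    return n == -1;
}

/* Hypothetical set-uid-root helper "addgrp <group>": if the invoking user is
 * listed in the group, exec a shell with that group added, dropping root first. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s group\n", argv[0]);
        return 2;
    }
    uid_t ruid = getuid();                        /* the real, invoking user */
    struct passwd *pw = getpwuid(ruid);
    struct group *gr = getgrnam(argv[1]);
    if (pw == NULL || gr == NULL) {
        fprintf(stderr, "unknown user or group\n");
        return 1;
    }
    if (!user_listed(gr->gr_mem, pw->pw_name)) {
        fprintf(stderr, "%s is not listed in group %s\n", pw->pw_name, gr->gr_name);
        return 1;
    }
    gid_t groups[CRED_GROUP_SLOTS];
    int n = getgroups(CRED_GROUP_SLOTS, groups);  /* EINVAL if the user already exceeds the slots */
    if (n < 0) { perror("getgroups"); return 1; }
    n = add_supplementary_gid(groups, n, CRED_GROUP_SLOTS, gr->gr_gid);
    if (n < 0) { fprintf(stderr, "credential already holds %d groups\n", CRED_GROUP_SLOTS); return 1; }
    if (setgroups(n, groups) != 0) { perror("setgroups (helper must be set-uid root)"); return 1; }
    /* Give up root permanently before exec: a set-uid shell spawner that skips
     * this step hands every invoking user a root shell. */
    if (setgid(getgid()) != 0 || setuid(ruid) != 0) { perror("drop privileges"); return 1; }
    if (ruid != 0 && (getuid() == 0 || geteuid() == 0)) {
        fprintf(stderr, "privilege drop failed; refusing to exec\n");
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);         /* fixed path: do not trust $SHELL */
    perror("execl");
    return 1;
}
```

The design choice worth noting against the post's sketch: the helper never lets the shell inherit the set-uid identity. It performs the one privileged call (`setgroups`), then sets the real and effective uid back to the invoker and verifies the drop before `execl`, and it execs a fixed shell path rather than an environment-supplied one.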