From owner-freebsd-hackers@FreeBSD.ORG Mon Feb 23 08:11:05 2009 Return-Path: Delivered-To: hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BCCF4106566B for ; Mon, 23 Feb 2009 08:11:05 +0000 (UTC) (envelope-from fergus@cobbled.net) Received: from mail1.slb.deg.dub.stisp.net (mail1.slb.deg.dub.stisp.net [84.203.253.98]) by mx1.freebsd.org (Postfix) with SMTP id 2C3398FC13 for ; Mon, 23 Feb 2009 08:11:04 +0000 (UTC) (envelope-from fergus@cobbled.net) Received: (qmail 18101 invoked from network); 23 Feb 2009 08:10:59 -0000 Received: from unknown (HELO holyman.cobbled.net) (84.203.180.117) by mail1.slb.deg.dub.stisp.net with SMTP; 23 Feb 2009 08:11:03 -0000 Received: by holyman.cobbled.net (Postfix, from userid 16385) id 3A4BC1031D; Mon, 23 Feb 2009 08:10:59 +0000 (UTC) Date: Mon, 23 Feb 2009 08:10:59 +0000 From: n0g0013 To: Brooks Davis Message-ID: <20090223081059.GA11713@holyman.cobbled.net> Mail-Followup-To: Brooks Davis , Julian Elischer , hackers@freebsd.org References: <20090213115426.GA15211@holyman.cobbled.net> <49A0F57E.2030506@elischer.org> <20090222110719.GA16634@holyman.cobbled.net> <20090222222831.GA70072@lor.one-eyed-alien.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20090222222831.GA70072@lor.one-eyed-alien.net> Cc: hackers@freebsd.org, Julian Elischer Subject: Re: removal of NGROUPS_MAX dependancy from base X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Feb 2009 08:11:06 -0000 On 22.02-16:28, Brooks Davis wrote: > On Sun, Feb 22, 2009 at 11:07:19AM +0000, ttw+bsd@cobbled.net wrote: > > On 21.02-22:49, Julian Elischer wrote: > > [ ... ] > > > >this patch should remove the dependancy on the definition of > > > >NGROUPS_MAX as a static constant and implement it as a writable > > > >sysconf variable of the same. it should also make the necessary > > > >changes to the codebase to support those. > > [ ... ] > > > What do you do about NFS? > > > I seem to remember that NFWS had a maximum number of groups supported.. > > > > NFS will be supported by mapping 16 groups into the auth_unix structure > > dynamically. my intention is to try and make this transparent by > > allocating moving the 'most used' groups into that mapping as user > > processes check them, however, this is very conceptual at the moment > > and needs more thought as well as validation from others with more > > experience. > > I think this behavior will probably need to be configurable by the > administrator because some sites are probably using groups to supply > negative permissions. It's quite reasionable to argue that's a bad > idea, but we need to take some care since people do occationally use > that "feature". agree. i'm hoping to make the rpc group allocations dynamic and thus, mostly transparent, but would suggest the only consistent way administrators to set permissions (when NFS is required) is to restrict NGROUP_MAX to 16 or less. i intend this to be the default, changed by sysctl/sysconf. my current primary concern is with software that defines it static arrays with a length of NGROUPS_MAX and then forgets to sanitize 'ngroups' count against that maximum but no idea how to catch those except too say that is 'broken'.