[olug] 32 groups per user limit

Vincent.Raffensberger at dtn.com Vincent.Raffensberger at dtn.com
Mon Nov 10 22:58:08 UTC 2003


Try an ftp server which supports virtual users and supplemental GIDs to 
eliminate the need for /etc/passwd, /etc/groups. 
I'm not familiar with vsftp, but ncftpd will let you create your own 
authentication files and specify supplemental groups for each virtual 
user.  These users/groups do not need to exist in /etc/passwd or groups.

You _could_ also move some of your permissions off to virtual ftp servers, 
each with its own mount point of the data and each mount using differing 
uid and gid options.





"Tim - DZ" <iceburn at dangerzone.com> 
Sent by: olug-bounces at olug.org
11/10/2003 04:27 PM
Please respond to: Omaha Linux User Group <olug at olug.org>
To: "'Omaha Linux User Group'" <olug at olug.org>
cc:
Subject: [olug] 32 groups per user limit







 
Has anyone run into the 32 groups per user limit? 

Basically, depending on the distro, only the first 32 groups a user belongs
to are read (so for the 33+ groups permissions are ignored for that user) or
lines in /etc/group after the first line that contains more than 32 groups
are not read...obviously neither scenario is desired.

Seems that the limit is both hard-coded in the kernel and at the glibc
level, so doing things like changing the ngroups variable ends up just
making the system unstable.

I've run across sites in my Google and Google Groups searches that point to
ACLs for Linux, but I've run across just as many that say ACLs don't fix the
issue.

So I post the question to the all-knowing OLUG membership.

Little FYI on why I actually need a solution:

I have a Linux server (RH8) primarily doing ftp (vsftp).
In the ftp root I have directories that each serve as a 'root' directory for
a project
Inside each project directory there is a preset structure of files and
directories common to all projects
-three kinds of permission exist here Consultant, Contractor, ProjectManager
-various directories have various group owners and permissions such that
Consultants and Contracts can view some things, upload in certain areas, etc
etc
-ProjectManagers is a group of people that should basically have root access
to all projects (but nothing outside of the ftp root)

ProjectManagers then basically have to belong to all three groups for every
project (so 11 projects busts the 32 group limit)

Vsftp is set up fairly standard:  no anonymous access, passive mode enabled,
chroot_local...
All users are set to /sbin/nologin (all they need to access is ftp)
Server is hanging on the internet basically alone, no need for network
authentication / mirroring of userlists / etc

Anybody done this before, or have any insight?

-tim

_______________________________________________
OLUG mailing list
OLUG at olug.org
http://lists.olug.org/mailman/listinfo/olug
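
An audit for the situation described in the original post, as an added example that is not part of either message: it counts each user's memberships in a group(5)-format file and lists the groups that fall past the limit in file order. The function names, the users (pmuser, alice) and the project group names are constructed for illustration, and the file-order assumption corresponds to the "first 32 groups are read" behaviour mentioned in the post.

```shell
#!/bin/sh
# Added example (not from the thread). Group and user names are constructed.
# groups_over_limit FILE [LIMIT]
# Reads a group(5)-format file and prints, for every user listed in more than
# LIMIT groups: "user count groups_past_the_limit_in_file_order".
# Only the member field is counted; primary groups from /etc/passwd are not.
groups_over_limit() {
    file=$1
    # Default to the running system's limit; pass 32 for the case in the post.
    limit=${2:-$(getconf NGROUPS_MAX 2>/dev/null || echo 32)}
    awk -F: -v limit="$limit" '
        /^#/ || NF < 4 { next }            # skip comments and short lines
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                u = members[i]
                if (u == "") continue
                count[u]++
                # Assumption: groups are consumed in file order, so entries
                # past the limit are the ones a first-N-only reader ignores.
                if (count[u] > limit)
                    past[u] = past[u] (past[u] == "" ? "" : ",") $1
            }
        }
        END {
            for (u in count)
                if (count[u] > limit) print u, count[u], past[u]
        }
    ' "$file" | sort
}

# Constructed sample: 11 projects x 3 role groups; "pmuser" is in all 33.
make_sample_group_file() {
    gid=1000
    for p in 01 02 03 04 05 06 07 08 09 10 11; do
        for role in consultant contractor pm; do
            members=pmuser
            [ "$p$role" = 01consultant ] && members=pmuser,alice
            echo "proj${p}_${role}:x:${gid}:${members}"
            gid=$((gid + 1))
        done
    done > "$1"
}

sample=$(mktemp)
make_sample_group_file "$sample"
groups_over_limit "$sample" 32      # prints: pmuser 33 proj11_pm
rm -f "$sample"
```

Run against a copy of the real /etc/group with the limit that applies to the system, the output names the accounts whose later group memberships are at risk of being ignored.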


