[olug] 32 groups per user limit

Daniel Linder dlinder at iprevolution.net
Tue Nov 11 15:00:58 UTC 2003


You're already using the chroot-jail feature of VSFtpd, but can you put
each instance of the VSFtp daemon master in its own chroot jail, and
have each of those have their own copy of /etc/group and /etc/passwd so
they each have their own copy...  I don't know how the "real" root
system (glibc, etc) will handle this though...

Dan

-----Original Message-----
From: Tim - DZ [mailto:iceburn at dangerzone.com] 
Sent: Monday, November 10, 2003 4:28 PM
To: 'Omaha Linux User Group'
Subject: [olug] 32 groups per user limit

 
Has anyone run into the 32 groups per user limit?  

Basically, depending on the distro, only the first 32 groups a user
belongs to are read (so for the 33+ groups permissions are ignored for
that user) or lines in /etc/group after the first line that contains
more than 32 groups are not read...obviously neither scenario is
desired.

Seems that the limit is both hard-coded in the kernel and at the glibc
level, so doing things like changing the ngroups variable ends up just
making the system unstable.

I've run across sites in my Google and Google Groups searches that point
to ACLs for Linux, but I've run across just as many that say ACLs don't
fix the issue.

So I post the question to the all knowing OLUG membership.

Little FYI on why I actually need a solution:

I have a Linux server (RH8) primarily doing ftp (vsftp).
In the ftp root I have directories that each serve as a 'root' directory
for a project.
Inside each project directory there is a preset structure of files and
directories common to all projects:
-three kinds of permission exist here: Consultant, Contractor,
 ProjectManager
-various directories have various group owners and permissions such that
 Consultants and Contractors can view some things, upload in certain
 areas, etc etc
-ProjectManagers is a group of people that should basically have root
 access to all projects (but nothing outside of the ftp root)

ProjectManagers then basically have to belong to all three groups for
every project (so 11 projects busts the 32 group limit).

Vsftp is set up fairly standard: no anonymous access, passive mode
enabled, chroot_local...
All users are set to /sbin/nologin (all they need to access is ftp).
Server is hanging on the internet basically alone, no need for network
authentication / mirroring of userlists / etc.

Anybody done this before, or have any insight?

-tim
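A quick way to find out which accounts would run into the limit Tim describes, as an added example that is not part of the thread: a POSIX shell script that counts supplementary-group memberships per user in an /etc/group-style file and reports anyone above a given limit. The group file it builds is constructed for illustration (11 projects with three role groups each, mirroring the layout in the post) and the function names are mine. On a live system, `getconf NGROUPS_MAX` reports the limit actually enforced; the script uses 32 to match the thread.

```shell
#!/bin/sh
# Added example for the OLUG thread above (not code from the thread).
# Counts supplementary-group memberships per user in an /etc/group-style
# file and reports users above a limit, so you can see who would hit
# NGROUPS_MAX before they do. Function names are mine; the group file
# built by make_sample_group_file is constructed for illustration.
#
# On a live system the enforced limit is:   getconf NGROUPS_MAX
# Note: initgroups()/getgrouplist() also add the user's primary group to
# the list, so the effective list is one longer than the count here
# unless the primary group is also listed in a member field.

# count_groups FILE USER
#   Number of group lines in FILE whose member list (4th field) names USER.
count_groups() {
    awk -F: -v user="$2" '
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == user) { hits++; break }
        }
        END { print hits + 0 }
    ' "$1"
}

# users_over_limit FILE LIMIT
#   Print "user count" for each user listed in more than LIMIT groups,
#   sorted by user name; prints nothing if nobody exceeds the limit.
users_over_limit() {
    awk -F: -v limit="$2" '
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "") seen[members[i]]++
        }
        END {
            for (u in seen)
                if (seen[u] > limit) print u, seen[u]
        }
    ' "$1" | sort
}

# make_sample_group_file FILE
#   Constructed data mirroring the post: 11 projects, three role groups
#   each. "pm1" is in every group (33 memberships); "alice" is in two.
make_sample_group_file() {
    gid=1000
    : > "$1"
    p=1
    while [ "$p" -le 11 ]; do
        for role in consultant contractor pm; do
            if [ "$p" -eq 1 ] && [ "$role" = consultant ]; then
                members="pm1,alice"
            elif [ "$p" -eq 2 ] && [ "$role" = contractor ]; then
                members="alice,pm1"
            else
                members="pm1"
            fi
            printf '%s:x:%d:%s\n' "proj${p}_${role}" "$gid" "$members" >> "$1"
            gid=$((gid + 1))
        done
        p=$((p + 1))
    done
}

# Stand-alone run: build the sample file and audit it against the
# 32-group limit discussed in the thread.
sample=$(mktemp)
make_sample_group_file "$sample"
echo "Users in more than 32 supplementary groups:"
users_over_limit "$sample" 32
rm -f "$sample"
```

Run it against the real file with `users_over_limit /etc/group "$(getconf NGROUPS_MAX)"` to audit a live box; anyone it prints is exactly who the thread says will silently lose permissions on their 33rd group.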
