[Savannah-hackers-public] Savannah and groups limitations


From: Sylvain Beucler
Subject: [Savannah-hackers-public] Savannah and groups limitations
Date: Wed, 24 Aug 2005 23:35:10 +0200
User-agent: Mutt/1.5.9i

Hello Justin,


We would need a kernel compiled with NGROUPS_MAX set to a high value
(say 65536). Could you do this?


Explanation:

We have several members who are part of lots of different projects (e.g.
"bkuhn" with 33 projects and 67 system groups), more than the default
maximum number of groups per user in the Linux kernel (32).

How to reproduce:
---
mkdir /tmp/mytest
chown usenet /tmp/mytest
getent group | grep bkuhn | grep usenet # He's in it
su - bkuhn -s /bin/bash
cd /tmp/mytest # Access denied...
---
It works with 'gvc' or any of the first 32 groups.

The current workaround is performed by the CVS proxy, which calls setgid(2)
appropriately (hence only 1 group referenced in each CVS process, no
limit breaking). However, this can be done on all the services we
intend to offer (namely, GNU Arch / sftp).

I investigated using ACLs instead, but ACLs are limited to 32 entries
in ext2&3, so that's not interesting either ('www' has more than 100
members...).


The solution used by the previous Savannah hackers was also to
recompile the kernel as well as several packages with
NGROUPS_MAX=512. Apparently this brings several issues with it:
http://savannah.gnu.org/savannah.html#NGROUPS_MAX


NOTE: I saw that the current Debian testing and unstable kernel uses
65536 (check /usr/include/linux/limits.h), and in my system (testing)
I made a successful test with 100 groups. Unfortunately we use stable
which still uses 32, so we may need to patch/recompile some packages
as well. Darn :( Anyway we need a kernel with NGROUPS_MAX=65536 to
start working around this limitation.


Any idea on how to fix the issue anyone?

-- 
Sylvain
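
An audit for the condition described in the message above, as an added example that is not part of the original e-mail or of Savannah's code: it reads group(5)-format lines (such as `getent group` output) and reports accounts listed in more groups than a given limit, and which of their groups fall past it. It assumes that only the first LIMIT groups in input order take effect, as the message's test suggests; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit group(5)-format data for accounts whose
# membership exceeds a per-user group limit. Primary groups from
# passwd(5) are not counted here (simplifying assumption).

# users_over_limit LIMIT
# stdin:  lines "name:passwd:gid:member1,member2,..."
# stdout: "user count" for each user listed in more than LIMIT groups.
users_over_limit() {
    awk -F: -v limit="$1" '
        $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !seen[m[i], $1]++) count[m[i]]++
        }
        END {
            for (u in count)
                if (count[u] > limit) print u, count[u]
        }' | sort
}

# groups_past_limit USER LIMIT
# stdout: groups of USER that come after the first LIMIT, in input order.
groups_past_limit() {
    awk -F: -v user="$1" -v limit="$2" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == user && !seen[$1]++) {
                    if (++k > limit) print $1
                    break
                }
        }'
}

# Constructed sample: "bkuhn" is in gvc, 32 project groups, then usenet.
sample_groups() {
    echo "gvc:x:2000:bkuhn"
    i=1
    while [ "$i" -le 32 ]; do
        echo "proj$i:x:$((1000 + i)):bkuhn,alice"
        i=$((i + 1))
    done
    echo "usenet:x:9:bkuhn"
}

# On a live host (assumes getconf reports the limit actually enforced):
#   getent group | users_over_limit "$(getconf NGROUPS_MAX)"
```

With the constructed sample and a limit of 32, "bkuhn" is reported with 34 groups, and "proj32" and "usenet" are the ones past the limit.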



