On Tue, Aug 23, 2005 at 07:16:54PM +0200, [EMAIL PROTECTED] wrote: > Solution 1 [NGROUPS_MAX]. is a pain in the long run. It increase > maintainance time. If you have not very reliable/exhausted sysadmins > in charge of doing kernel upgrades, you are likely to end up with a > system running for month with known security holes.
Currently we're lucky enough to have a responsive sysadmin :) I'm concerned though about program that may need to be recompiled, or will not work properly, and about performance issues. > I think ACL is the way to go. It was first suggested by Paul > Fischer, but we have no such case at Gna! and it's not relevant to > Savannah CERN so I stopped looking into that. > > But all the drawbacks of ACL seems to exists with the usual unix > group systems anyway so... And in the past, it was described as > unstable ; but nowadays, it seems to work. > > All the others workarounds I can think of would be even harder to > implement, and not cleaner. > > For the record, what is the current limit, with a recent kernel? Excellent question.. :/ I couldn't not add more than 28 users in a file ACL, on Savannah and my Debian testing box. That's really bad news. http://www.suse.de/~agruen/acl/linux-acls/online/ : ===== Most UNIX-like systems that support ACLs limit the number of ACL entries allowed to some reasonable number. Table 3 shows the limits on Linux. Table: Maximum Number of Supported ACL Entries File system | Max. entries ---------------------------- XFS | 25 Ext2, Ext3 | 32 ReiserFS, JFS | 8191 [Note: my 28 is 32 - (user + group + other + mask] ACLs with a high number of ACL entries tend to become more difficult to manage. More than a handful of ACL entries are usually an indication of bad application design. In most such cases, it makes more sense to make better use of groups instead of bloating ACLs. The ReiserFS and JFS implementations define no limit on the number of ACL entries, so a limit is only imposed by the maximum size of EA values. The current EA size limit is 64 KiB, or 8191 ACL entries, which is too high for ACLs in practice: besides being impractical to work with, the time it would take to check access in such huge ACLs may be prohibitive. ===== Well we're doomed :[ I guess the only remaining solution is recompiling the kernel? -- Sylvain _______________________________________________ Savane-dev mailing list [email protected] https://mail.gna.org/listinfo/savane-dev
