Hello

FUSE has no way to send the calling process' secondary groups to the filesystem. A filesystem that wants this operation currently has to open a /proc file, read and parse the string representation of the groups, and close the file.

This is not very good performance-wise, as the filesystem needs to open/read/close in /proc for each file operation that requires access control. Moreover, this can lead to deadlocks because of root vnode locking.

A first approach for improving this would be to fetch the secondary groups using sysctl. Manuel Bouyer noted that this interface was never meant to be fast, and therefore it would not address the performance issue.

In a second attempt, I submitted a patch for libfuse, which would extend the FUSE protocol so that secondary groups could be optionally appended to FUSE headers, should the filesystem request it. That did not meet consensus, because on one hand, having a fixed-length header is desirable for optimizing performance. On the other hand, having a fixed-length header with an array of NGROUPS_MAX slots for secondary groups is just impossible on Linux, where NGROUPS_MAX is 65536.

A third way was suggested on the fuse-devel mailing list: adding a system call to retrieve a process' secondary groups. The prototype would be modeled on getgroups(2):

    int getgroups2(int gidsetlen, gid_t *gidset, pid_t pid);

If this is preferred, it could also be named getgroupspid(2).

Opinions?

-- 
Emmanuel Dreyfus
m...@netbsd.org
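The /proc parsing step described in the message, as an added example that is not part of the original post or of libfuse. It assumes the Linux /proc/<pid>/status layout with a "Groups:" line; groups_from_status() and sample_status are hypothetical names, and the sample text is constructed. It follows getgroups(2) conventions, so a buffer that is too small is an error rather than a truncated list feeding an access check.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample of what a filesystem would read from /proc/<pid>/status. */
static const char sample_status[] =
    "Name:\tcat\nUid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\nGroups:\t4 24 27 1000 \nVmPeak:\t8 kB\n";

/* Hypothetical helper with getgroups(2)-style semantics: gidsetlen == 0
 * returns only the count; a too-small gidset fails with EINVAL. */
int groups_from_status(const char *status, int gidsetlen, gid_t *gidset)
{
    const char *p = status;
    int n = 0;

    /* Walk line by line until one starts with "Groups:". */
    while (p && strncmp(p, "Groups:", 7) != 0) {
        p = strchr(p, '\n');
        if (p) p++;
    }
    if (!p) { errno = ENOENT; return -1; }
    p += 7;

    for (;;) {
        char *end;
        unsigned long v;

        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\n' || *p == '\0') break;          /* end of the line */
        if (*p < '0' || *p > '9') { errno = EINVAL; return -1; }
        errno = 0;
        v = strtoul(p, &end, 10);
        if (errno != 0 || v > 0xffffffffUL) { errno = EINVAL; return -1; }
        if (gidsetlen != 0) {
            if (n >= gidsetlen) { errno = EINVAL; return -1; }
            gidset[n] = (gid_t)v;
        }
        n++;
        p = end;
    }
    return n;
}

int main(void)
{
    printf("%d groups\n", groups_from_status(sample_status, 0, NULL));
    return 0;
}
```

In a real filesystem this parse sits between an open, a read and a close of the /proc file on every access-controlled operation, which is the cost the message is about.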