Re: [RC1] Login not possible

From: Adam C. Migus <adam_at_migus.org>
Date: Sat, 13 Dec 2003 17:45:49 -0500
Klaus-J. Wolf wrote:

> Excuse me, but the limit of a maximum of 16 group memberships per user
> has not been known to me. It would be a good idea to document it
> somewhere.
>
> I know a number of persons who will run into problems because their
> idea of proper system architecture requires certain persons to be
> members of a higher number of user groups. Until now it might not have
> worked, but the day it finally crashes and nobody can log in anymore
> will not make them happy.
>
> There should be an option, somehow.
>
> Robert Watson wrote:
>
>> FWIW, I think that failing here is the right thing to do (since
>> otherwise the kernel silently changes the access control rights of
>> processes), but that the failure error is a bit obscure.  That said,
>> the setusercontext() API isn't really set up to provide more detailed
>> error information, so we'll need to expand the API.  I wonder if it
>> would make sense to modify the pw/etc commands to generate warnings if
>> they discover a user in too many groups...
>>
>
Klaus,
I think you'll find this documented in several UNIX books such as "The 
Design and Implementation of the 4.4BSD Operating System," for example.  
I believe it's regarded as "common knowledge" among UNIX folk.  Whether 
it's right or wrong to regard it as such, document it per implementation 
or even have it as a limitation is debatable I suppose but it's there.

I'm not sure who'd think that proper system architecture required more 
than 16 groups, given that UNIX has never offered it.  Moreover, I myself 
can't envision any security model in which such a constraint would be a 
core requirement which would not cause more headaches than overall system 
security and integrity; but that's just me.

For what it's worth the person who just replied to you (Robert Watson) 
works on a framework in the FreeBSD 5.x series that implements Mandatory 
Access Control (MAC) extensions.  If you're interested in implementing a 
security policy complex enough to warrant more than 16 groups I think 
you'd be more successful in implementing an effective policy using 
something like MAC rather than Discretionary Access Controls (DAC).

In summary it might be nice if UNIX had no limits but at least it 
provides options.  :-)

Adam
Received on Sat Dec 13 2003 - 13:45:51 UTC
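Robert Watson's suggestion above, that the pw/etc commands warn when a user is in too many groups, as an added example that is not part of this thread or of FreeBSD's own code: the program counts the groups a user would be placed in at login from a constructed /etc/group-style buffer and compares the count against the NGROUPS limit, reading the running kernel's value via sysconf(_SC_NGROUPS_MAX) and falling back to the 4.4BSD value of 16. The group data, the user names and the function names are constructed for the example; that the primary group counts toward the limit is assumed from initgroups(3) placing the base gid first in the group list on BSD-derived systems.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Historical 4.4BSD NGROUPS value discussed in the thread; used only when
 * sysconf(_SC_NGROUPS_MAX) cannot report the running kernel's limit. */
#define BSD_NGROUPS_FALLBACK 16

/* Constructed /etc/group-style data for this example (not a real file).
 * alice: primary gid 1000 plus 16 supplementary groups -> 17 at login.
 * bob:   primary gid 1001, member of users, proj01, proj02 -> 4 at login. */
const char sample_group_db[] =
    "wheel:*:0:root\n"
    "users:*:1000:alice,bob\n"
    "proj01:*:2001:alice,bob\n"
    "proj02:*:2002:alice,bob\n"
    "proj03:*:2003:alice\n"
    "proj04:*:2004:alice\n"
    "proj05:*:2005:alice\n"
    "proj06:*:2006:alice\n"
    "proj07:*:2007:alice\n"
    "proj08:*:2008:alice\n"
    "proj09:*:2009:alice\n"
    "proj10:*:2010:alice\n"
    "proj11:*:2011:alice\n"
    "proj12:*:2012:alice\n"
    "proj13:*:2013:alice\n"
    "proj14:*:2014:alice\n"
    "proj15:*:2015:alice\n"
    "proj16:*:2016:alice\n";

/* True if `user` appears, as a whole token, in a comma-separated member list. */
static int user_in_member_list(const char *members, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = members;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == ulen && strncmp(p, user, ulen) == 0)
            return 1;
        if (!comma)
            break;
        p = comma + 1;
    }
    return 0;
}

/* Number of groups `user` would carry after login: the primary gid (assumed
 * to count toward NGROUPS, as initgroups(3) puts it first in the list) plus
 * every supplementary group whose member list names the user, without
 * double-counting the primary group if it also lists the user. */
int count_login_groups(const char *user, int primary_gid, const char *group_db)
{
    int count = 1;
    const char *line = group_db;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* fields: name:passwd:gid:member,member,... */
        char *f1 = strchr(buf, ':');
        char *f2 = f1 ? strchr(f1 + 1, ':') : NULL;
        char *f3 = f2 ? strchr(f2 + 1, ':') : NULL;
        if (f3) {
            int gid = atoi(f2 + 1);
            if (gid != primary_gid && user_in_member_list(f3 + 1, user))
                count++;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return count;
}

/* Limit enforced by the running kernel, or the 4.4BSD value if unknown. */
long group_limit(void)
{
    long n = sysconf(_SC_NGROUPS_MAX);
    return n > 0 ? n : BSD_NGROUPS_FALLBACK;
}

/* The check a pw(8)-style tool could run before silently saving a change:
 * returns 1 if setgroups()/setusercontext() would refuse this user at login. */
int exceeds_group_limit(int ngroups, long limit)
{
    return ngroups > limit;
}

int main(void)
{
    long limit = BSD_NGROUPS_FALLBACK; /* check against the thread's limit */
    const char *users[] = { "alice", "bob" };
    int gids[] = { 1000, 1001 };
    for (int i = 0; i < 2; i++) {
        int n = count_login_groups(users[i], gids[i], sample_group_db);
        if (exceeds_group_limit(n, limit))
            printf("warning: %s is in %d groups, exceeds NGROUPS_MAX=%ld; "
                   "login will fail\n", users[i], n, limit);
        else
            printf("%s: %d groups (limit %ld), ok\n", users[i], n, limit);
    }
    printf("running kernel limit: %ld\n", group_limit());
    return 0;
}
```

Run it against the constructed data and alice is flagged at 17 entries while bob passes with 4; on a modern system the kernel limit printed last will be far above 16, which is exactly why a tool that only consults sysconf(_SC_NGROUPS_MAX) will not reproduce the 2003 failure unless it also applies the fixed limit of the target kernel.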
