From: Jesse Pollard <pollard@admin.navo.hpc.mil>
To: Tim Hockin <thockin@sun.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [BK PATCH 1/4] fix NGROUPS hard limit (resend)
Date: Tue, 22 Oct 2002 14:12:59 -0500 [thread overview]
Message-ID: <200210221412.59933.pollard@admin.navo.hpc.mil> (raw)
In-Reply-To: <3DB59722.2090701@sun.com>
On Tuesday 22 October 2002 01:21 pm, Tim Hockin wrote:
> Jesse Pollard wrote:
> > Does it actually work with NFS???? or any networked file system?
> > Most of them limit ngroups to 16 to 32, and cannot send any data
> > if there is an overflow, since that overflow would replace all of the
> > data you try to send/recieve...
>
> NFS has a smaller limit, that is correct. An unfortunate limitation.
>
> > And I really doubt that anybody has 10000 unique groups (or even
> > close to that) running under any system. The center I'm at has
> > some of the largest UNIX systems ever made, and there are only
> > about 600 unique groups over the entire center. The largest number
> > of groups a user can be in is 32. And nobody even comes close.
>
> I'm glad it doesn't affect you. If it was a more common problem, it
> would have been solved a long time ago. It does affect some people,
> though. Maybe they can redesign their group structures, but why not
> remove this arbitrary limit, since we can?
Think about a while - if a file write (say 1K in length) must include 10000
groups (at 16 bits/group? 32bits?) then the resulting transaction becomes
1K + 2*10K -> 21K (or 1K+4*10K -> 41K). This is over 20 times the overhead.
No I don't expect the structures to be changed that much.
I am in favor of being able to change the limits, but lets be reasonable.
I can see a use for 64 groups, but not much over. Even that introduces
a practical security problem (leakage of data from one authorized group
to unauthorized groups).
By the time you get one or more people with that many groups you
may as well put everybody in one group and be done with it.
ACLs would be much more usefull, and controllable than 10000 groups
anyway. At least the owner of the file would be able to specify exactly
what access is being granted, and to whom.
BTW, a bsearch algorithm is slow compaired to a radix search in
sparse trees...
--
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil
Any opinions expressed are solely my own.
next prev parent reply other threads:[~2002-10-22 19:07 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-10-22 0:36 [BK PATCH 1/4] fix NGROUPS hard limit (resend) Timothy Hockin
2002-10-22 1:39 ` Aaron Lehmann
2002-10-22 17:44 ` Tim Hockin
2002-10-22 9:51 ` Alan Cox
2002-10-22 17:26 ` Tim Hockin
2002-10-22 17:45 ` Alan Cox
2002-10-22 17:37 ` Tim Hockin
2002-10-22 18:03 ` Jesse Pollard
2002-10-22 18:21 ` Tim Hockin
2002-10-22 18:54 ` Rik van Riel
2002-10-22 19:12 ` Jesse Pollard [this message]
2002-10-22 19:39 ` Rik van Riel
2002-10-25 9:34 ` Panu Matilainen
2002-10-25 12:49 ` jw schultz
2002-10-25 18:17 ` Tim Hockin
2002-10-22 19:45 ` Mike Touloumtzis
2002-10-22 20:13 ` Jesse Pollard
2002-10-22 20:30 ` Mike Touloumtzis
2002-10-23 14:17 ` Jesse Pollard
2002-10-22 20:18 ` Hildo.Biersma
2002-10-23 2:41 ` Simon Kirby
[not found] <354127220@toto.iv>
2002-10-23 0:09 ` Peter Chubb
-- strict thread matches above, loose matches on Subject: below --
2002-10-23 10:16 Randal, Phil
2002-10-29 19:32 Timothy Hockin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200210221412.59933.pollard@admin.navo.hpc.mil \
--to=pollard@admin.navo.hpc.mil \
--cc=linux-kernel@vger.kernel.org \
--cc=thockin@sun.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.