Jason Thorpe wrote:

> That's not quite the way it works.
> 
> The group list in the kauth_cred_t is consulted first.  If there is a 
> hit there, then owner of that credential is treated as a member of  that
> group.  This is how the traditional BSD group list works in OS X.
> 
> The kauth_cred_t also has a "group membership check UID".  If that 
> value is NOT set, then no consultation of the external group  membership
> resolver is performed.

Ah -- I understood it the other way round.

Either way, what's your call in the subject? I'm going to do the cleanup
I mentioned yesterday in that code, should I also remove the sort? (note
der Mouse mentions the ngroups max can be trimmed by a mount, in which
case it might be desired to revert back to original behavior)...

-e.

-- 
Elad Efrat