Re: NGROUPS/NGROUPS_MAX

To: Mouse <mouse%Rodents-Montreal.ORG@localhost>
Subject: Re: NGROUPS/NGROUPS_MAX
From: "Matt W. Benjamin" <matt%linuxbox.com@localhost>
Date: Wed, 9 Oct 2013 10:28:56 -0400 (EDT)

The higher versions of the protocol prefer sites to avoid AUTH_SYS.
For discussion, see here

http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-limitation.html

Independent of the auth type, an NFS server could use ordinary methods to 
associate groups whatever user is selected for a given operation.  Ganesha is
moving in this direction.

The newest work in the NFS protocol in this area is about embedding 
authorization
in the protocol through GSS extension, and multiple authentication domains 
(Adamson).
That's not very far along, I don't think.

Matt

----- "Mouse" <mouse%Rodents-Montreal.ORG@localhost> wrote:

> >> Of course.  But will it do what you want?
> > I don't understand your concerns.
> 
> Well, I'm just not sure that simply recompiling with a higher
> NGROUPS/NGROUPS_MAX will actually have the effect you want.
> 
> > My intention was to let the NFS client run the modified kernel with
> a
> > raised group limit.  Then, the process in question will be a member
> > of more than 16 secondary groups which will enable it to access
> files
> > readable for these groups, be it on NFS or not.  Where is the NFS
> > server involved?  Enforcing access limits is the client's business,
> > isn't it?
> 
> Not entirely, I think.  I haven't looked at recent versions of NFS,
> so
> perhaps this is out of date, but, back when I was mucking about with
> the NFS wire protocol, an NFS client process's secondary group list
> appeared on the wire, and there was a relatively small hard maximum
> on
> it - 16 sounds about right.
> 
> Perhaps I'm misremembering, though I don't think so.  Or perhaps this
> has been fixed in recent versions of the protocol, or perhaps it
> applies only to certain operations you don't care about or something.
> But it's something I'd suggest you be prepared to see trouble from,
> even if perhaps not _expect_ trouble from.
> 
> /~\ The ASCII                           Mouse
> \ / Ribbon Campaign
>  X  Against HTML              mouse%rodents-montreal.org@localhost
> / \ Email!         7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

-- 
Matt Benjamin
The Linux Box
206 South Fifth Ave. Suite 150
Ann Arbor, MI  48104

http://linuxbox.com

tel.  734-761-4689 
fax.  734-769-8938 
cel.  734-216-5309

References:
- Re: NGROUPS/NGROUPS_MAX
  - From: Mouse

Prev by Date: Re: NGROUPS/NGROUPS_MAX
Next by Date: Re: Moving Lua source codes
Previous by Thread: Re: NGROUPS/NGROUPS_MAX
Next by Thread: Re: NGROUPS/NGROUPS_MAX
Indexes:

Home | Main Index | Thread Index | Old Index