On Thu, 2009-02-12 at 20:37 -0800, Chuck Swiger wrote:
> On Feb 12, 2009, at 8:17 PM, Da Rock wrote:
> > I've been following this thread with interest: are you saying FreeBSD
> > logins cannot handle more than 16 groups? If so, why? Is this  
> > mitigated
> > by using other authentication methods (ie kerberos, ldap, etc)?
> There's a compile-time limit of the relevant kernel data structures as  
> to how many groups a user can be in, described by "sysctl  
> kern.ngroups".  It's possible to recompile the kernel with a larger  
> number, but doing so will break NFS (and possibly other things).  It  
> doesn't matter whether you use Kerberos, LDAP, etc to set up the  
> groups; while those things do not have a 16-group limit, the FreeBSD  
> kernel [1] does.
> With reasonable organization, and appropriate use of sudo or setgid  
> binaries for things like people who use SVN or CVS, there generally  
> isn't reason or need for a user to be in so many groups.  For the  
> exceptional cases, switching to using a full ACL system rather than  
> the traditional Unix permission model is probably going to be a better  
> solution.

Interesting. What would you suggest for full ACL?

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to