On Thu, 26 Apr 2007 05:02:11 +0200, Carlo Calica <[EMAIL PROTECTED]> wrote:
> On 4/25/07, Ricardo Nabinger Sanchez <[EMAIL PROTECTED]> wrote:
>> On Wed, 25 Apr 2007 03:00:07 -0300
>> "Lucas C. Villa Real" <[EMAIL PROTECTED]> wrote:
>>
>> > Is that really needed, as we have the 'users' group common to
>> > everyone? I would vote for removing it, but I'd just like to hear your
>> > opinion first.
>>
>> It's not needed, and may even hurt manageability. IIRC a user may be
>> part of up to 16 groups, after that only ACL "works".
>>
>
> A quick google turns up:
> http://www.uwsg.iu.edu/hypermail/linux/kernel/0408.0/0535.html
> In a nutshell, Andrew Morton says "2.6 kernels support up to 65536 groups
> per user". There is a reply saying NFS has problems but I can't
> imagine why. NFS should just report the group and the kernel should
> handle group membership/access control.
>
> Why is it better? It allows users finer grained access control. They
> can share with a subset of users versus all of them. See "man
> gpasswd" on how users can manage /etc/groups without root. Right now,
> users aren't administrators of their group so the advantages really
> aren't there by default but that just needs to be added to AddUser.
>

As already stated, ACL can do that (almost). What's different?
And besides, having a lot of small groups, one for each user, is the opposite of what was decided on the 'cdrecord', 'audio' etc vs 'console' groups.

> From a practical standpoint it isn't that big of a deal. Most GoboLinux
> systems are small with few users and the primary user has root. The
> admin overhead of creating special groups for fine access control is
> small. For larger systems, individual user groups save a lot of
> admin work when needed. I tend to think towards larger systems from my
> university and consulting days.
>
> I still vote for keeping individual groups. All user accounts should
> also be a member of users (which isn't happening). I'd also like
> better distinction between user and system accounts and groups.
>

You got me convinced.
I do believe in fine grained control (including 'cdrecord' and all) and iirc not all file systems support ACL (and they have to actively be selected in the kernel config).

--
/Jonas
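An added example, not part of the original thread and not GoboLinux code: a small audit over passwd/group-format data that reports, for each non-system account, whether it has its own private group, whether it is also in the shared 'users' group, and who else its private group is shared with. The sample file contents, the function names and the UID cut-off used to separate system accounts from user accounts are all assumptions made for illustration.

```python
# Constructed sample data in passwd(5) / group(5) format (not from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
bob:x:1001:100:Bob:/home/bob:/bin/zsh
carol:x:1002:1002:Carol:/home/carol:/bin/zsh
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:2:
users:x:100:alice
alice:x:1000:
carol:x:1002:carol,alice
"""
MIN_USER_UID = 1000  # assumption: lower UIDs are treated as system accounts


def parse_groups(text):
    """Return {group name: (gid, set of supplementary members)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def audit(passwd_text, group_text, shared="users", min_uid=MIN_USER_UID):
    """Per user account: private group? in the shared group? shared with whom?"""
    groups = parse_groups(group_text)
    by_gid = {gid: name for name, (gid, _members) in groups.items()}
    shared_gid, shared_members = groups.get(shared, (None, set()))
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _pw, uid, gid = line.split(":")[:4]
        uid, gid = int(uid), int(gid)
        if uid < min_uid:
            continue  # system account, skipped
        report[user] = {
            "private_group": by_gid.get(gid) == user,
            # Member either through the primary GID or the group's member list.
            "in_shared": gid == shared_gid or user in shared_members,
            "group_shared_with": sorted(groups.get(user, (0, set()))[1] - {user}),
        }
    return report


if __name__ == "__main__":
    for user, row in audit(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(user, row)
```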