>
>About solution 1), I'm not sure. Any feedback? Does it interfere at
>some point?
>
>Solution 2) is impractical and is difficult to reproduce for all
>services.
>

Solution 1. is a pain in the long run. It increases maintenance time. If you
have not very reliable/exhausted sysadmins in charge of doing kernel upgrades,
you are likely to end up with a system running for months with known security
holes.

Solution 2 seems worse. :D

I think ACL is the way to go. It was first suggested by Paul Fischer, but we
have no such case at Gna! and it's not relevant to Savannah CERN so I stopped
looking into that.
But all the drawbacks of ACL seem to exist with the usual unix group systems
anyway so... And in the past, it was described as unstable; but nowadays, it
seems to work.

All the other workarounds I can think of would be even harder to implement, and
not cleaner.

For the record, what is the current limit, with a recent kernel?



