LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Maximum setting for ID group membership (https://www.linuxquestions.org/questions/linux-server-73/maximum-setting-for-id-group-membership-616291/)

polar_bear 01-25-2008 10:59 AM
Maximum setting for ID group membership
 
I am using RHEL 4 and have a situation where an ID belonging to multiple groups does not take on the permissions of more than 16 groups.

-Is there a setting for an ID's group membership limit
(I have heard it is 32 in RHEL 3 (with a default of 16) and 65536 in RHEL 4)

-What is the maximum this can be set?

-Are there any side-effects to setting this higher than the default?
(I read that setting it will cause NFS to malfunction)

The research I have performed suggests this is NGROUPS_MAX

here is some output from my system
# getconf NGROUPS_MAX
65536

Any ideas?

jschiwal 01-25-2008 01:20 PM
I wonder if it might be a glibc limit if the library was compiled with XOPEN2k defined:
Code:
grep -n NGROUPS_MAX -A3 -B3 /usr/include/bits/posix1_lim.h
75-
76-/* Number of simultaneous supplementary group IDs per process.  */
77-#ifdef __USE_XOPEN2K
78:# define _POSIX_NGROUPS_MAX  8
79-#else
80:# define _POSIX_NGROUPS_MAX  0
81-#endif
82-
83-/* Number of files one process can have open at once.  */
--
161-/* This value is a guaranteed minimum maximum.
162-  The current maximum can be got from `sysconf'.  */
163-
164:#ifndef    NGROUPS_MAX
165:# define NGROUPS_MAX        8
166-#endif
167-
168-#endif      /* bits/posix1_lim.h  */
According to this mailing list response a side effect of increasing the value could eat up limited memory in the kernel. The message deals with NGROUPS_MAX in the kernel's limits.h header.
http://www.ussg.iu.edu/hypermail/lin...10.0/0465.html

These limits of course are in the source which would mean recompiling.

What is the value of /proc/sys/ngroups_max?

Something in the back of my mind is telling me that using a different kernel version available might help, such as a 2.6 instead of 2.4 version kernel, or the memory page size the kernel uses. However, looking around on my laptop (64bit suse) everything points to 65536 max groups that can be assigned to a process. A search in a mailing list for rhel4 might reveal the answer.

polar_bear 01-25-2008 01:54 PM
Quote:
Originally Posted by jschiwal (Post 3035295)
What is the value of /proc/sys/ngroups_max?
#cat /proc/sys/kernel/ngroups_max
65536

Thanks for the reply

jschiwal 01-25-2008 02:14 PM
What architecture are you using? Some seem to have lower limits in the kernel source. Particularly KERN_NGROUPS_MAX.

What does "sudo /sbin/sysctl kernel.ngroups_max" return. I think it will be the same as /proc/sys/ngroups_max. If it had been 8, you may be able to use sysctl to increase it.

polar_bear 01-25-2008 03:25 PM
Quote:
Originally Posted by jschiwal (Post 3035357)
What architecture are you using? Some seem to have lower limits in the kernel source. Particularly KERN_NGROUPS_MAX.

What does "sudo /sbin/sysctl kernel.ngroups_max" return. I think it will be the same as /proc/sys/ngroups_max. If it had been 8, you may be able to use sysctl to increase it.
65536

The architecture is AMD 64, Red Hat Enterprise Linux Advanced Server 4.04

jschiwal 01-26-2008 11:04 AM
Everything seems to indicate that you should have 65536 max groups associated with a process. Maybe the problem is somewhere else.


All times are GMT -5. The time now is 02:55 AM.