- user to a single group
- Posted by Wizumwalt@gmail.com on February 13th, 2006
Hey all,
Am I correct in seeing that a user can only be added to any one group at
a time? Anyone know of a really good in-depth source for this?
- Posted by Lew Pitcher on February 13th, 2006
Wizumwalt@gmail.com wrote:
A user can belong to many groups simultaneously.
On some Unix systems, a user can only be /active/ in one group at a time, and
can switch groups on the fly using commands. Of course, the user can only switch
between groups that s/he already belongs to.
On other Unix systems (I believe, most every recent Unix since BSD) a user can
both belong to many groups simultaneously, and be active in many groups
simultaneously.
The Posix/Single Unix Specification standards? http://www.opengroup.org/
--
Lew Pitcher
IT Specialist, Enterprise Data Systems,
Enterprise Technology Solutions, TD Bank Financial Group
(Opinions expressed are my own, not my employers')
- Posted by Dave Hinz on February 13th, 2006
On 13 Feb 2006 09:35:34 -0800, Wizumwalt@gmail.com <Wizumwalt@gmail.com> wrote:
Nope. They can have only one primary GID (the one in their passwd file
entry) but they can be in as many groups as you want them to.
See above. It's wrong, so while you may be able to find plenty of
sources, they'd be wrong too.
- Posted by Doug Freyburger on February 13th, 2006
Wizumwalt@gmail.com wrote:
No. It is trivial to add a user to many groups at the same time.
man 4 group
- Posted by Stephane CHAZELAS on February 13th, 2006
2006-02-13, 18:42(+00), Dave Hinz:
Well, most systems have a limit on this. And NFS might impose a
stricter one. I've encountered 16, 32 and 65536 so far.
--
Stéphane
- Posted by Dave Hinz on February 13th, 2006
On Mon, 13 Feb 2006 19:19:05 +0000, Stephane CHAZELAS <this.address@is.invalid> wrote:
OK, I'll modify my statement to say that they can be in as many groups
as it is logical to need them in. If you exceed your OS's limitation,
you're over-fragmenting your permissions structure.
Where did you see a 16 or 32 group limit, by the way?
- Posted by Stephane CHAZELAS on February 13th, 2006
2006-02-13, 19:38(+00), Dave Hinz:
16 on Solaris 7. 32 is returned by glibc 2.3.2 getconf
NGROUPS_MAX on one Linux system, here, but it doesn't match the
kernel limit (65536 as per /proc/sys/kernel/ngroups_max).
I don't know what is the NFS limit, but I would expect it
to be rather low given that the group list must be passed in
most requests.
--
Stéphane
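Added example, not part of any post in this thread: a small audit that reads passwd- and group(4)-format text, counts the distinct GIDs each user holds (the primary GID from passwd plus every group listing them as a member), and reports who exceeds a given limit. The sample accounts and groups are constructed, the function names are hypothetical, and the limits tried are the 16, 32 and 65536 quoted above.

```python
THREAD_LIMITS = (16, 32, 65536)  # limits quoted in the thread


def sample_files():
    """Constructed passwd/group text, not taken from a real host."""
    passwd = ("alice:x:1000:100::/home/alice:/bin/sh\n"
              "bob:x:1001:100::/home/bob:/bin/sh\n")
    group = ["users:x:100:alice", "wheel:x:10:bob"]
    # alice has been on twenty projects, one group per project
    group += [f"proj{i:02d}:x:{2000 + i}:alice" for i in range(1, 21)]
    return passwd, "\n".join(group) + "\n"


def _records(text, min_fields):
    """Yield colon-separated fields, skipping comments and short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= min_fields and not line.startswith("#"):
            yield fields


def group_ids(passwd_text, group_text):
    """Map each passwd user to the set of distinct GIDs they hold.

    Assumption: the primary GID is counted together with the
    supplementary ones, which is the conservative total.
    """
    gids = {}
    for f in _records(passwd_text, 4):
        if f[3].isdigit():
            gids[f[0]] = {int(f[3])}      # primary GID, 4th passwd field
    for f in _records(group_text, 4):
        if not f[2].isdigit():
            continue                      # malformed GID: skip the entry
        for user in (u.strip() for u in f[3].split(",")):
            if user in gids:              # ignore members with no passwd entry
                gids[user].add(int(f[2]))
    return gids


def over_limit(passwd_text, group_text, limit):
    """Return {user: group_count} for users holding more than `limit` GIDs."""
    counts = group_ids(passwd_text, group_text)
    return {u: len(g) for u, g in counts.items() if len(g) > limit}


if __name__ == "__main__":
    passwd, group = sample_files()
    for limit in THREAD_LIMITS:
        print(limit, over_limit(passwd, group, limit))
```

To audit a live host, pass the contents of its own passwd and group files instead of `sample_files()`.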
- Posted by Logan Shaw on February 14th, 2006
Dave Hinz wrote:
Not necessarily. For example, you might have a large organization with
lots of groups (maybe one for each project) and an employee who has been
at the company 10 or 20 years and has been involved in hundreds of
projects over that time.
- Logan
- Posted by Doug Freyburger on February 14th, 2006
Logan Shaw wrote:
This has always been a design flaw in UNIX. While overflowing the allowed
number of groups is *usually* the result of poor permissions design and a
sign that you need to rethink your strategy, there are those occasional
times when it makes perfect sense to have someone in a ton of groups.
So which should it be - Have UNIX enforce the usual and beat exceptions
into submission with ACLs, or fix the design flaw in the first place, end up
supporting tons of groups, and open yourself to crappy permission
designs? It's a religious question not a really technical one. UNIX already
picked one side by virtue of existing so long ago 32 groups seemed
infinite.
ACLs beat groups for this issue anyways. Sure enough, ACLs
originated in the various mainframe worlds (I first encountered them
with the file ACCESS.USR on TOPS-10), filtered through other
operating systems over the years, and have become a late addition
to UNIX.