[gobolinux-devel] /etc/group
Ricardo Nabinger Sanchez
rnsanchez at wait4.org
Thu Apr 26 14:31:10 UTC 2007
On Wed, 25 Apr 2007 20:02:11 -0700
"Carlo Calica" <carlo at calica.com> wrote:
> A quick google turns up:
> http://www.uwsg.iu.edu/hypermail/linux/kernel/0408.0/0535.html
> In a nutshell, Andrew Morton says "2.6 kernels support up to 65536 groups
> per user". There is a reply saying NFS has problems but I can't
> imagine why. NFS should just report the group and the kernel should
> handle group membership/access control.
Yes, but that also assumes NFS over Linux kernels. Which isn't always true,
at least in my house. :)
>
> Why is it better? It allows users finer-grained access control. They
> can share with a subset of users versus all of them. See "man
> gpasswd" on how users can manage /etc/groups without root. Right now,
> users aren't administrators of their group so the advantages really
> aren't there by default but that just needs to be added to AddUser.
But adding groups per-user is almost what you get by using ACLs.
>
> From a practical standpoint it isn't that big of a deal. Most GoboLinux
> systems are small with few users and the primary user has root. The
> admin overhead of creating special groups for fine access control is
> small. For larger systems, individual user groups save a lot of
> admin work when needed. I tend to think towards larger systems from my
> university and consulting days.
>
> I still vote for keeping individual groups. All user accounts should
> also be a member of users (which isn't happening). I'd also like
> better distinction between user and system accounts and groups.
That's an interesting point, which could be further discussed (it's an
everybody-wins discussion).
Like you, I tend to think about large systems, often much larger than
practically acceptable, and also very heterogeneous (very means not only
Gobo, and even not only Linux).
Even so, I still don't see a point to have per-user groups, instead of
well-defined (and fine-grained) groups, like cdrom, video, mount, sudo (or
wheel), and so on. My list hardly goes over 30 groups.
Isn't it possible for the 2 options to co-exist? It may be harder, but I think
it's worth it.
--
Ricardo Nabinger Sanchez <rnsanchez@{gmail.com,wait4.org}>
Powered by FreeBSD
"Left to themselves, things tend to go from bad to worse."