Chinaunix

标题: [高难度] 问题请教!如何修改Linux的32个Secondary groups 限制？ [打印本页]

作者: MAXidea 时间: 2005-10-20 10:16
标题: [高难度] 问题请教!如何修改Linux的32个Secondary groups 限制？
OS: Whitebox Enterprise Linux 3.0 Respin 2 IA32e
Kernel: kernel 2.4.21-27.EL-AppleTalk
Question:
I create a admin user UID/GID is 501 and Secondary groups is 502 to 533.
The problem is admin user not able to change all file/folder owned by GID 533.
Cool! I found that was a limit of 32 secondary groups under linux!

But I don't know how to change it! Could you please ask me how to do?
Thanks in advance!!

###
Attach some things I found:

http://www.linuxdby.com/showthread.php?t=2833
请教如何改变用户组的个数限制？
我在redhat8中添加了一些用户组再添加组后，组就不好使了。
听说对组的个数是有限制且可更改的，不知在那里可改此数值。
谢谢

http://www.ussg.iu.edu/hypermail/linux/kernel/0203.0/0645.html
>; I have Slackware 7.1 with 2.4.16 kernel. And I have a user who is a member of
>; a number of groups. Linux can't grant access to the user if the group's
>; number he is member of is more than 32. For example if he is member of 32
>; groups - everything is O.K. , but when I make him a member of the 33-rd group
>; he will not be granted access to resource which is owned by that group.
>; Is there any limit in Linux for the number of groups to be member of?
>; And how can I solve that problem?
Unfortunately there is. Secondary group list is soteed in task_struct in an
array. IIRC it's called groups and declared with NGROUPS elements, which is in
turn #defined 32. You can try and change it in the source.

http://www.ussg.iu.edu/hypermail/linux/kernel/9907.3/0698.html
If you are talking about dynamic sizing of the number of maximum groups
per user what do you do if you resize it smaller but there are already
structures that contain more than your new size? IOW, say the existing
ngroups_max is 64 and you have a couple of users logged in that have
50, 10, and 27 groups in their groups_struct. What would happen if you
resized ngroups_max to 32?

http://lists.samba.org/archive/samba/2002-October/054886.html
Isn't there a limit of 32 secondary rgoups under linux 2.4 ?
Trying to remember exactly...

作者: MAXidea 时间: 2005-10-20 10:27
标题: [高难度] 问题请教!如何修改Linux的32个Secondary groups 限制？
4.2 Identifiers
和其他Unix一样，Linux使用用户和组标志符来检查对系统中文件和可执行映象的访问权限。Linux系统中所有的文件都有所有者和允许的权限，这些权限描叙了系统使用者对文件或者目录的使用权。基本的权限是读、写和可执行，这些权限被分配给三类用户：文件的所有者，属于相同组的进程以及系统中所有进程。每类用户具有不同的权限，例如一个文件允许其拥有者读写，但是同组的只能读而其他进程不允许访问。

Linux使用组将文件和目录的访问特权授予一组用户，而不是单个用户或者系统中所有进程。如可以为某个软件项目中的所有用户创建一个组，并将其权限设置成只有他们才允许读写项目中的源代码。一个进程可以同时属于多个组（最多为32个），这些组都被放在进程的task_struct中的group数组中。只要某组进程可以存取某个文件，则由此组派生出的进程对这个文件有相应的组访问权限。

task_struct结构中有四对进程和组标志符：

uid, gid
表示运行进程的用户标志符和组标志符。
effective uid and gid
有些程序可以在执行过程中将执行进程的uid和gid改成其程序自身的uid和gid（保存在描叙可执行映象的VFS inode属性中）。这些程序被称为setuid程序，常在严格控制对某些服务的访问时使用，特别是那些为别的进程而运行的进程，例如网络后台进程。有效uid和gid是那些setuid执行过程在执行时变化出的uid 和gid。当进程试图访问特权数据或代码时，核心将检查进程的有效gid和uid。
file system uid and gid
它们和有效uid和gid相似但用来检验进程的文件系统访问权限。如运行在用户模式下的NFS服务器存取文件时，NFS文件系统将使用这些标志符。此例中只有文件系统uid和gid发生了改变（而非有效uid和gid）。这样可以避免恶意用户向NFS服务器发送KILL信号。
saved uid and gid
POSIX标准中要求实现这两个标志符，它们被那些通过系统调用改变进程uid和gid的程序使用。当进程的原始uid和gid变化时，它们被用来保存真正的uid和gid。

欢迎光临 Chinaunix (http://bbs.chinaunix.net/)