While working on the security enhancements, I stumbled upon a few fundamental UNIX limitations with groups. These limitations similarly apply to GNU/Linux.
1. Group name length limits
A group name (e.g.
dialout) has a length limit, usually hardcoded in the operating system. This limit varies across different UNIX systems and implementations.
- NIS: 8 characters (source)
- HPUX: 8 characters, 16 starting from HPUX 10 (source, source)
- AIX: 8 characters, 255 for AIX 5.3 and above (source)
- Debian: 16 characters (source, defined in shadow at compile-time)
- Redhat: 16 characters, 32 starting from 2005 (source, source, source)
- Solaris: 8 characters? (source)
- Active Directory: 11 or 64 characters (source unclear)
In general, we can probably assume that 16 characters is a safe limit, and that's what's being used in hosting_client_sanitize.
2. Group membership limits
A UNIX user has a primary group, defined in the
passwd database, but can also be a member of many other groups, defined in the
groups database. UNIX has a hardcoded limit of 16 groups a user can be a member of (source). This means that if we translate Aegir clients into UNIX groups and you have access to multiple Aegir clients, you'll be able to access only 16 of those clients at a time. Rather annoying.
The problem is related with NFS, or rather
AUTH_SYS (source), which has an in-kernel data structure where the groups a user has access to is hardcoded as an array of 16 identifiers (
gids to be more precise, see this post for details). Even though Linux now supports 65536 groups, it is still not possible to operate on more than 16 from userland, through NFS - on a regular ext3 filesystem, it works without problems (tested in Debian Squeeze).
Solutions for this are not obvious. The blog post on sun.com proposes a technical enhancement to OpenSolaris. It's unclear whether that fix was implemented. This SAGE post explains that using
GSS_API (used in NFSv4) should (should!) resolve the issue.
This more thorough analysis of the problem is more direct, to shamelessly quote it:
- Use NFSv4
- Use RPCSEC_GSS authentication
- Use ACLs
As mentionned above, this only applies to NFS mounts. NFSv4 should (should!) be simple enough and available on Linux. It is also unclear exactly how to use
RPCSEC_GSS (is that Kerberos?). As for ACLs, we are fully supporting this now with the provision ACL extension, so that shouldn't be an issue.