Group Membership Expansion: Guidelines for Deployment

Executive summary
The maximum number of supplementary groups that can be associated with a user or process has
been made a tunable parameter in Update 3 to HP-UX 11i v3. Previously, the maximum limit was
fixed by the constant NGROUPS, whose value is 20. The system administrator can adjust the limit to
values higher than the previous maximum by invoking the kctune command to increase the tunable
ngroups_max. This enhancement allows users, and processes running on their behalf, to gain
access permissions based on their membership in an expanded number of groups.
Groups background
Every HP-UX user belongs to one primary group and a variable number of supplementary groups.
Group membership can be established by the useradd, usermod, and groupmod commands, and
is reflected in the files /etc/passwd and /etc/group. A user's login process and its child
processes have the same group membership as the user.
Every HP-UX file is owned by a group and has group-level permissions associated with it. Users and
processes running on behalf of users can be granted access to files based on their membership in the
various groups.
The HP-UX kernel makes information about group membership available to applications, which can
then use that information in a variety of ways, for example, to implement their own security and
access policies.
Group membership expansion
While the number of groups listed for a user in /etc/group is limited only by the size of that file,
the HP-UX kernel has a maximum limit on the number of those groups that are actually used to
determine effective group membership. Historically, the maximum limit on effective group membership
has been determined by the constant NGROUPS (for BSD) or NGROUPS_MAX (for POSIX). On HP-UX,
both constants have a value of 20, and that has not been changed by this enhancement. The POSIX
standard permits the limit to be increased at run time, so the group membership expansion
enhancement created the tunable ngroups_max to establish the maximum limit on the effective group
membership for a user or process.
The effective group list is used to determine file access permissions and is made available to
applications through the groups APIs getgroups and setgroups.
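The practical consequence for application code is that a buffer sized by the compile-time constant NGROUPS (20) is no longer guaranteed to hold a process's full group list once ngroups_max has been raised. The following C program is an added example, not code from the HP document; it contrasts the fixed-size call with the POSIX query-then-allocate pattern and builds a membership check on the latter. It assumes that sysconf(_SC_NGROUPS_MAX) reports the run-time limit (the page does not state which interface exposes ngroups_max to applications), and it falls back to NGROUPS when sysconf cannot answer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>
#include <errno.h>

#ifndef NGROUPS
#define NGROUPS 20  /* historical BSD/HP-UX constant referred to in the text */
#endif

/* Run-time limit on supplementary groups. Assumption: on HP-UX this reflects
 * the ngroups_max tunable; if sysconf cannot report it, fall back to NGROUPS. */
long runtime_group_limit(void)
{
    errno = 0;
    long lim = sysconf(_SC_NGROUPS_MAX);
    return (lim < 0) ? NGROUPS : lim;
}

/* Fragile pattern: a fixed NGROUPS-sized buffer. Once ngroups_max is raised
 * above 20 and a user belongs to more groups than that, getgroups() fails with
 * EINVAL and the caller sees no group list at all. Returns 1 if that happened. */
int fixed_buffer_truncates(void)
{
    gid_t fixed[NGROUPS];
    int n = getgroups(NGROUPS, fixed);
    return (n < 0 && errno == EINVAL) ? 1 : 0;
}

/* Robust pattern: ask the kernel how many groups the process has (size 0 query),
 * then allocate exactly that many. Caller frees *out. Returns count or -1. */
int dynamic_groups(gid_t **out)
{
    int n = getgroups(0, NULL);                 /* query only, no copy */
    if (n < 0)
        return -1;
    gid_t *buf = calloc((size_t)n + 1, sizeof *buf); /* +1 so n == 0 still allocates */
    if (buf == NULL)
        return -1;
    int got = getgroups(n, buf);                /* list may not shrink between calls */
    if (got < 0) {
        free(buf);
        return -1;
    }
    *out = buf;
    return got;
}

/* Convenience wrapper for callers that only need the count. */
int dynamic_groups_count(void)
{
    gid_t *list = NULL;
    int n = dynamic_groups(&list);
    free(list);
    return n;
}

/* Application-level access policy: is the process a member of gid, either via
 * its effective GID or via the supplementary list? Never depends on NGROUPS. */
int is_member_of(gid_t gid)
{
    if (getegid() == gid)
        return 1;
    gid_t *list = NULL;
    int n = dynamic_groups(&list);
    if (n < 0)
        return 0;                               /* treat a failed query as "not a member" */
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (list[i] == gid) {
            found = 1;
            break;
        }
    }
    free(list);
    return found;
}

int main(void)
{
    printf("run-time group limit: %ld (NGROUPS = %d)\n", runtime_group_limit(), NGROUPS);
    printf("fixed NGROUPS buffer too small: %s\n", fixed_buffer_truncates() ? "yes" : "no");
    printf("supplementary groups held by this process: %d\n", dynamic_groups_count());
    printf("member of own effective gid: %d\n", is_member_of(getegid()));
    return 0;
}
```

The size-0 query is the portable way to discover the list length; a site that raises ngroups_max should audit for programs that instead pass NGROUPS or NGROUPS_MAX to getgroups or setgroups, since those are the ones that will start failing for users placed in more than 20 groups.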
ngroups_max tunable
The default value of the ngroups_max tunable is 20. The group membership expansion
enhancement has absolutely no effect as long as ngroups_max remains at its default value.
The minimum value to which ngroups_max can be tuned is also 20. This guarantees backward
compatibility with all previous applications and system configurations.
The maximum value to which ngroups_max can be tuned is 65536.
Dynamic tuning
The ngroups_max tunable is dynamic: changes do not require a reboot. Any change takes effect
immediately for new user logins. However, standards conformance requires that a running process
not experience a change in the maximum number of groups value during its lifetime. Specifically, this
means that when a process is made aware of the value of the maximum number of groups, that value