Group Membership Expansion: Guidelines for Deployment
Note 1
Setting the ngroups_max tunable to a value higher than 20 can cause
applications that assume the old fixed limit to fail.
Note 2
The ngroups_max tunable is dynamic. Increases to the tunable take effect
immediately for new logins, but do not affect users who are already logged
in or processes that are already running. It is also possible to decrease the
tunable to values lower than the number of groups associated with existing
users. Users associated with more groups than are permitted by a new
lower limit will note, on their next login, that some of those groups are
missing from their set of supplementary group IDs. File accesses and other
operations that depend on the missing groups will no longer work.
NGROUPS_MAX, _SC_NGROUPS_MAX (run-time limit)
The NGROUPS_MAX system variable is the same value as that of the ngroups_max system tunable
parameter, but it will be frozen for the life of a process or session once read. The value may be
obtained via the function sysconf(_SC_NGROUPS_MAX) or the command getconf
NGROUPS_MAX. The act of reading the value freezes the value associated with the calling process if it
was not already frozen. This value is copied on exec(2) but not fork(2). Children of fork will be limited
to the greater of the ngroups_max tunable or the number of groups to which they currently belong.
Correct handling of supplementary group ID lists
This section describes how correct programs handle supplementary group ID lists, from the most
common to the least common use cases.
Use getgroups(0, NULL)
Programs that need the number of supplementary group IDs currently associated with the calling
process should use getgroups(0, NULL) to determine the answer. Most processes in a typical HP-UX
environment will belong to only a few groups.
Use dynamic allocation for supplementary group ID lists
Once the number of supplementary group IDs associated with a process has been determined, space
to store that many gid_t values must be dynamically allocated with malloc() or a similar facility.
The number of groups you have space for and the pointer to the dynamically allocated space must be
passed to the getgroups(2) call so that it can fill in the list of supplementary group IDs currently
associated with the calling process. getgroups(2) will return EINVAL if the space allocated is
insufficient to hold all the supplementary group IDs associated with the calling process.
Use initgroups(3)
Privileged applications that need to initialize the list of supplementary group IDs associated with the
calling process should use initgroups(3).
Use sysconf(_SC_NGROUPS_MAX)
The sysconf(_SC_NGROUPS_MAX) call should be used to determine the maximum number of
supplementary group IDs that may be associated with the current process. The value returned will
never be smaller than the NGROUPS_MAX compile-time constant, but it may be larger.
Privileged applications that must directly set the supplementary group IDs associated with a process
must be designed to work within the limit returned by this call. Such applications may rely on this
value to be at least NGROUPS_MAX (20) on any HP-UX 11i system.
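
Added example, not part of the original document: the getgroups(0, NULL) and dynamic allocation steps described above, written in C, with a retry for the EINVAL case where the group set grows between the two calls. The function names get_supp_groups and max_supp_groups are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns a malloc()ed copy of the caller's
 * supplementary group IDs and stores the count in *count.
 * Returns NULL on error; the caller frees the result.
 * A fixed "gid_t buf[20]" would instead fail with EINVAL for any
 * process that belongs to more than 20 groups. */
gid_t *get_supp_groups(int *count)
{
    for (int attempt = 0; attempt < 4; attempt++) {
        int n = getgroups(0, NULL);       /* current number of groups */
        if (n < 0)
            return NULL;
        int slots = n > 0 ? n : 1;        /* never pass size 0 with a buffer */
        gid_t *list = malloc((size_t)slots * sizeof *list);
        if (list == NULL)
            return NULL;
        int got = getgroups(slots, list); /* fill the list */
        if (got >= 0) {
            *count = got;
            return list;
        }
        int saved = errno;                /* free() may disturb errno */
        free(list);
        if (saved != EINVAL)              /* EINVAL: list too small, resize */
            return NULL;
    }
    return NULL;
}

/* Hypothetical helper: run-time upper bound for this process. */
long max_supp_groups(void)
{
    return sysconf(_SC_NGROUPS_MAX);
}

int main(void)
{
    int n = 0;
    gid_t *groups = get_supp_groups(&n);
    if (groups == NULL)
        return 1;
    printf("%d supplementary groups, limit %ld\n", n, max_supp_groups());
    free(groups);
    return 0;
}
```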