tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: converting uid/gid to abstract credentials



On 09.01-18:31, John Nemeth wrote:
[ ... ]
> } planning to begin tackling a variety of changes in the kernel.  the
> } first of which is to abstract and extend user credentials (initially
> } to remove the group membership limit).  however, initial engagement
> 
>      The group membership limit is historically dictated by NFS.  If
> you don't care about NFS, then there is nothing stopping you from
> bumping NGROUPS and rebuilding the system.

NFS will be dealt with through mapping groups to the IPC structs.
obviously this will bring considerations but with default (i.e. NGROUPS
== 16 ) there will be no visibile alteration.

bumping the NGROUPS isn't a scalable solution and therefore, for me,
unacceptable.  the overhead for smaller group numbers with large
NGROUPS becomes silly.  e.g. 32768 possible groups will translate to
an extra 131008 bytes per ucred struct and kauth_cred struct (and
probably other places too).

[ ... ]
> } as such i'm looking for opinions and definite issues that may arise
> } from using an abstract encoding of 'uid_t' similar to BCD.
> 
>      Why?  What benefit would you get from doing this?

as i said i'm in the early stages and need more time put something
coherent together.  i wish to unify user/process credentials under a
single type but have that type of variable length/size such that
group IDs may be 16 bit length, whilst user IDs may be 32 and other
credentials, capabilities, authorization, may be other lengths.
this isn't essential i'm just abstracting in my head.

in short, i'll get back to you on this.


Home | Main Index | Thread Index | Old Index