[ic] IC setup in Multi permission mode - sort of off topic

Mike Heins interchange-users@interchange.redhat.com
Mon Nov 5 17:29:01 2001


Quoting Kevin Walsh (kevin@cursor.uk.com):
> > Ok this isn't particular to IC per se, but I didn't find a quick answer
> > to this anywhere else, including all the support forums at Redhat.
> > 
> > We started running IC under Redhat 7.2, and I almost immediately ran into
> > hard coded limitations on the number of groups that a process can belong
> > to. The default is 32, pretty low if you ask me but oh well...  Ok so
> > anyways I modified NGROUPS and NGROUPS_MAX in limits.h and
> > param.h, recompiled, not it...  Do I have to rebuild glibc also?  What am
> > I missing?
> >
> You would have to rebuild the kernel, the C compiler, any other
> compilers you have, C libraries etc., possibly Perl and some Perl
> modules, applications and a bunch of other stuff I haven't thought
> of.
> 
> Once you have done all this, you will find that NGROUPS is used
> all over the kernel and are left with the question "what is going
> to break now that I've changed this?"  NFS?
> 
> Some people have set NGROUPS_MAX to 256 without any trouble, others
> have not.  I have no need for anywhere near 32 group memberships per
> user so I haven't looked into the implications at all.  Give it a go
> if you feel brave.

I too ran into this back in the days when I ran a virtual hosting ISP
for MiniVend. I had quite a few more than 32 groups to worry about;
I ran into the 256-character group concatenation limit first, anyway.

The solution I used was to run multiple daemons as multiple user IDs,
but keeping their UID the same. So:

In /etc/passwd:

interch:x:400:400:Interchange Daemon:/usr/lib/interchange:/bin/tcsh
ic1:x:400:400:Interchange Daemon:/usr/lib/interchange:/bin/tcsh
ic2:x:400:400:Interchange Daemon:/usr/lib/interchange:/bin/tcsh
ic3:x:400:400:Interchange Daemon:/usr/lib/interchange:/bin/tcsh
ic4:x:400:400:Interchange Daemon:/usr/lib/interchange:/bin/tcsh

In /etc/group:

user1:x:501:ic1
user2:x:502:ic1
user3:x:503:ic1
user4:x:504:ic1
user5:x:505:ic1
user6:x:506:ic2
user7:x:507:ic2
user8:x:508:ic2
user9:x:509:ic3
user10:x:510:ic3

etc.

Then you run one daemon as ic1, one as ic2, etc. While this created
some management problems at times, another advantage was that you could
segregate users according to what software and database they used, cutting
down core size and extraneous things you don't need.

-- 
Red Hat, Inc., 3005 Nichols Rd., Hamilton, OH  45013
phone +1.513.523.7621      <mheins@redhat.com>

My wife is great.  She doesn't care where I go, just as long as I don't
have any fun.  -- Lee Trevino
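
The account layout described in the message can be checked mechanically. The following is an added example, not part of the original post: it parses the passwd and group entries quoted above and reports which login names share a UID and how many group-file memberships each name carries against the limit of 32 mentioned in the thread. The function names are illustrative assumptions.

```python
from collections import defaultdict

NGROUPS_MAX = 32  # default per-process group limit mentioned in the thread

# Entries as quoted in the message (its group list continues with "etc.").
PASSWD = """\
interch:x:400:400:Interchange Daemon:/usr/lib/interchange:/bin/tcsh
ic1:x:400:400:Interchange Daemon:/usr/lib/interchange:/bin/tcsh
ic2:x:400:400:Interchange Daemon:/usr/lib/interchange:/bin/tcsh
ic3:x:400:400:Interchange Daemon:/usr/lib/interchange:/bin/tcsh
ic4:x:400:400:Interchange Daemon:/usr/lib/interchange:/bin/tcsh
"""
GROUP = """\
user1:x:501:ic1
user2:x:502:ic1
user3:x:503:ic1
user4:x:504:ic1
user5:x:505:ic1
user6:x:506:ic2
user7:x:507:ic2
user8:x:508:ic2
user9:x:509:ic3
user10:x:510:ic3
"""

def fields(text):
    """Yield the colon-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")

def audit(passwd_text, group_text, limit=NGROUPS_MAX):
    """Return (names sharing a UID, group-file memberships per name, names over limit)."""
    by_uid = defaultdict(list)
    for f in fields(passwd_text):
        by_uid[int(f[2])].append(f[0])
    member_of = defaultdict(set)
    for f in fields(group_text):
        if len(f) >= 4:  # fourth field is the comma-separated member list
            for name in filter(None, (m.strip() for m in f[3].split(","))):
                member_of[name].add(int(f[2]))
    shared = {uid: sorted(n) for uid, n in by_uid.items() if len(n) > 1}
    # Counts only memberships listed in the group file, not the primary GID.
    counts = {n: len(member_of[n]) for names in by_uid.values() for n in names}
    over = sorted(n for n, c in counts.items() if c > limit)
    return shared, counts, over
```

Names that share a UID are one identity to the kernel for file ownership and signals; in this layout only the supplementary group lists differ between the daemons.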