ngroups_max(5)ngroups_max(5)NAMEngroups_max - maximum number of supplementary group IDs per process
VALUES
Default
Allowed values
DESCRIPTION
A process may have up to ngroups_max supplementary group IDs in addi‐
tion to the effective group ID.
Who is Expected to Change This Tunable?
Anyone who needs users to be able to belong to more than the default 20
groups.
Restrictions on Changing
Processes that exist when this limit is changed (as well as future
descendants of such processes) may not observe the new limit. New
login sessions will observe the new limit immediately.
When Should the Value of This Tunable Be Raised?
This tunable should be raised if any users need to belong to more
groups than currently permitted.
What Are the Side Effects of Raising the Value?
If no users are associated with more groups than permitted by the old
value, then there are no side-effects of raising this value.
Any user who is associated with more groups than permitted by the old
value will observe on their next login that more of those groups now
appear in their supplementary group IDs list.
The more groups a user belongs to, the more kernel storage that user's
processes will require to store the list of groups and the longer it
will take both kernel and user-space code to search that list. If
users belonging to a large number of groups run a large number of pro‐
cesses, overall system performance may degrade proportionally.
Users who have more than 20 supplementary group IDs may observe prob‐
lems with older applications. See the section below for details.
When Should the Value of This Tunable Be Lowered?
This tunable may be lowered if no users require so many supplementary
group IDs.
What Are the Side Effects of Lowering the Value?
Users who are associated with more groups than permitted by the new
limit will observe on their next login that some of those groups are
missing from their set of supplementary group IDs. Any file accesses
or other operations which depended on these groups may no longer work.
Lowering this tunable will not cause any groups to be removed from the
set of supplementary group IDs associated with any current processes.
Nor will it prevent future descendants of those processes from inherit‐
ing the full set of supplementary group IDs from their parents. A call
to setgroups(2) with a subset of the current supplementary group IDs
will always succeed.
What Other Tunable Values Should Be Changed at the Same Time?
None.
WARNINGS
Users who are associated with more than 20 groups may observe problems
with older applications when ngroups_max is set greater than 20.
Older applications that call getgroups(2) generally use the constant
NGROUPS_MAX (defined in to size the storage for group IDs. get‐
groups(2) will return an error if the caller did not provide enough
storage for all the supplementary group IDs that the caller belongs to.
These applications may fail or operate as though the user belongs only
to the group identified by the effective group ID.
Compatibility with older applications can be achieved by several means:
· Don't associate users with more than 20 groups if they must run
older applications.
· An individual user may require more than 20 groups, but have some
applications which fail with more than 20 groups.
One workaround is to start those applications with a wrapper program
which truncates the list of supplementary group IDs to the first 20
groups and then invokes the application.
An example of such a wrapper program follows:
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
main (int argc, char **argv)
{
gid_t *list;
int ngroups;
int ret;
ngroups = getgroups(0, NULL);
if (ngroups > NGROUPS_MAX) {
list = (gid_t *)malloc(ngroups * sizeof(gid_t));
ngroups = getgroups(ngroups, list);
ret = setgroups(NGROUPS_MAX, list);
if (ret == -1) {
perror("setgroups");
exit(-1);
}
}
execvp(argv[1], &argv[1]);
perror("execvp");
exit(-1);
}
All HP-UX kernel tunable parameters are release specific. This parame‐
ter may be removed or have its meaning changed in future releases of
HP-UX.
Installation of optional kernel software, from HP or other vendors, may
cause changes to tunable parameter values. After installation, some
tunable parameters may no longer be at the default or recommended val‐
ues. For information about the effects of installation on tunable val‐
ues, consult the documentation for the kernel software being installed.
For information about optional kernel software that was factory
installed on your system, see at
AUTHOR
was developed by HP.
SEE ALSOgetconf(1), groupadd(1M), groupmod(1M), useradd(1M), usermod(1M),
getaccess(2), getgroups(2), setgroups(2), sysconf(2), group(4), lim‐
its(5), glossary(9).
Tunable Kernel Parameters ngroups_max(5)