[Acl-Devel] Number of ACL-Entries

[Andreas Gruenbacher]

On Wednesday, 26 July 2006 16:27, Dave Kleikamp wrote:
> On Wed, 2006-07-26 at 09:54 +0200, S. Klaiber wrote:
> > Hi there,
> >
> > I just joined the list and I am new to mailinglists at all.
> >
> > I intend to define up to 7000 entrys into an acl on a ext3 filesystem,
> > Kernel 2.6.9-34, which will also be accessed via NFS. I read and verified
> > that it is only possible to define up to 500 entrys.
> >
> > I tried to find out the general limit and I only got the above
> > information from a redhat mailinglist. Macro-variables like the old
> > EXT3_ACL_MAX_ENTRIES (kernel 2.4.21) which bound the limit to 32 (due to
> > the block size) do not exist anymore and I didnt find out how the limit
> > is defined in newer kernel versions yet. And I also don't know what other
> > logical factors these limits depend to.
>
> The acl is stored as an extended attribute (xattr), and the maximum size
> of an xattr in ext3 is the block size, which is typically 4096 bytes
> (that's the maximum too).  The size of an acl entry is 8 bytes, and
> after accounting for the xattr header and the acl header, there is room
> for about 500 entries in the block.
>
> > - What can I do to define up to 7000 entrys in an ACL?
>
> Are you sure you really want to?  Can you use groups to better manage
> access?  Even if you could store 7000 acl entries, there would be a lot
> of overhead in reading and processing the acls.
>
> > - Should I use a different filesystem?
>
> That might work.  I know jfs supports larger xattrs.  I'm not sure what
> the limits of other files systems are.  I don't know if nfs will work
> with too many acl entries either.

ReiserFS also has a 64K size limit as well. NFS supports up to 1024 ACL 
entries on filesystems which allow that many.

It is total madness to define such huge ACLs though; I am sure with the use of 
one or at most a few groups, you can reduce the size dramatically (say, down 
to five or six ACL entries).

Andreas