[Acl-Devel] Number of ACL-Entries
S. Klaiber
teramail at infs.de
Thu Jul 27 10:03:08 CEST 2006
> On Wednesday, 26 July 2006 16:27, Dave Kleikamp wrote:
> > On Wed, 2006-07-26 at 09:54 +0200, S. Klaiber wrote:
> > > Hi there,
> > >
> > > I just joined the list and I am new to mailing lists at all.
> > >
> > > I intend to define up to 7000 entries into an acl on a ext3 filesystem,
> > > Kernel 2.6.9-34, which will also be accessed via NFS. I read and
> > > verified that it is only possible to define up to 500 entries.
> > >
> > > I tried to find out the general limit and I only got the above
> > > information from a redhat mailinglist. Macro-variables like the old
> > > EXT3_ACL_MAX_ENTRIES (kernel 2.4.21) which bound the limit to 32 (due
> > > to the block size) do not exist anymore and I didn't find out how the
> > > limit is defined in newer kernel versions yet. And I also don't know
> > > what other logical factors these limits depend on.
> >
> > The acl is stored as an extended attribute (xattr), and the maximum size
> > of an xattr in ext3 is the block size, which is typically 4096 bytes
> > (that's the maximum too). The size of an acl entry is 8 bytes, and
> > after accounting for the xattr header and the acl header, there is room
> > for about 500 entries in the block.
> >
> > > - What can I do to define up to 7000 entries in an ACL?
> >
> > Are you sure you really want to? Can you use groups to better manage
> > access? Even if you could store 7000 acl entries, there would be a lot
> > of overhead in reading and processing the acls.
> >
> > > - Should I use a different filesystem?
> >
> > That might work. I know jfs supports larger xattrs. I'm not sure what
> > the limits of other file systems are. I don't know if nfs will work
> > with too many acl entries either.
>
> ReiserFS also has a 64K size limit as well. NFS supports up to 1024 ACL
> entries on filesystems which allow that many.
>
> It is total madness to define such huge ACLs though; I am sure with the use
> of one or at most a few groups, you can reduce the size dramatically (say,
> down to five or six ACL entries).
>
> Andreas

Hi Shaggy and Andreas,

thanks for your quick and valuable answers!

I have a scenario with about 7000 users who are required to share files with
each other and arrange individual access to those files. Division of these
files in groups would be the best idea since they are expected to be
classified by projects.

But what if there are more projects than the limit of group-assignments to a
user?

In HP/UX 11.11 the maximum number of groups in the system was 20. In Solaris
8 it was also 16 or 20. What is the maximum number of groups in 2.6 Linux?
And in how many groups can a user be listed? I assume that the value of
NGROUPS_MAX in the kernel sources (include/linux/limits.h, v. 2.6.9-34)
defines the maximum number of groups in the system. This is currently 65536
(/proc/sys/ngroups_max or sysctl -a). But what is the maximum number of
groups that a user can be assigned to?

Currently I am working on a concept where the files are stored in a database
and the users can define each others access by setting up ACLs within the
DBMS via a web-interface. I could also deny direct access to the files via
the file system and write a special service that has an own ACL-Management
and controls the file access. Just like ftp but with an own ACL handling. But
fs ACLs would be the best idea.

Best regards
Stephan
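
The size limit Dave Kleikamp describes in the quoted reply can be checked mechanically. The following is an added example, not part of the original message or of any project's code: it serializes and parses a POSIX ACL in the Linux xattr value layout (4-byte version header, 8-byte entries) and tests whether it fits in one block. The function names and the `xattr_overhead` parameter are assumptions; the filesystem's own xattr header size must be supplied by the caller.

```python
import struct

# Linux xattr value layout for a POSIX ACL: 4-byte version header, then
# 8-byte entries (tag, permission bits, uid/gid), all little-endian.
ACL_VERSION = 2
HEADER = struct.Struct("<I")
ENTRY = struct.Struct("<HHI")
TAGS = {0x01: "user_obj", 0x02: "user", 0x04: "group_obj",
        0x08: "group", 0x10: "mask", 0x20: "other"}
NO_ID = 0xFFFFFFFF  # id stored for entries that carry no uid/gid


def build_acl(entries):
    """Serialize (tag_name, perm, id_or_None) tuples into an xattr value."""
    codes = {name: code for code, name in TAGS.items()}
    blob = HEADER.pack(ACL_VERSION)
    for name, perm, ident in entries:
        ident = NO_ID if ident is None else ident
        blob += ENTRY.pack(codes[name], perm, ident)
    return blob


def parse_acl(blob):
    """Parse an xattr value; reject truncated or unrecognized data."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated ACL header")
    (version,) = HEADER.unpack_from(blob)
    if version != ACL_VERSION:
        raise ValueError(f"unsupported ACL version {version}")
    if (len(blob) - HEADER.size) % ENTRY.size:
        raise ValueError("ACL body is not a whole number of entries")
    out = []
    for off in range(HEADER.size, len(blob), ENTRY.size):
        tag, perm, ident = ENTRY.unpack_from(blob, off)
        if tag not in TAGS:
            raise ValueError(f"unknown tag {tag:#x}")
        out.append((TAGS[tag], perm, None if ident == NO_ID else ident))
    return out


def max_entries(block_size, xattr_overhead):
    """Entries that fit when the whole xattr must fit in one block."""
    return (block_size - xattr_overhead - HEADER.size) // ENTRY.size


def fits(blob, block_size, xattr_overhead):
    """True if the serialized ACL plus filesystem overhead fits in a block."""
    return len(blob) + xattr_overhead <= block_size
```

With a 4096-byte block and an assumed 64 bytes of xattr overhead, `max_entries` returns 503, in line with the "about 500" figure above; a 7000-entry ACL serializes to roughly 56 KB.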