[Search for users]
[Overall Top Noters]
[List of all Conferences]
[Download this site]
| Title: | DCE Product Information |
| Notice: | Kit Info - See 2.*-4.* |
| Moderator: | TUXEDO::MAZZAFERRO |
|
| Created: | Fri Jun 26 1992 |
| Last Modified: | Fri Jun 06 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 2269 |
| Total number of notes: | 10003 |
2148.0. "Limits on DCE group membership?" by DV780::BROOKS (Use the source Luke!) Tue Feb 04 1997 16:25
I have a question regarding the number of DCE groups that are
supported. My customer is aware of the security problem with Transarc
DCE and a user belonging to more than NGROUPS_MAX-1 groups in the DCE
registry. The customer wants to use DCE groups for common need-to-know
authorization and could conceivably need many DCE groups. So there
are some questions they are asking about DCE groups:
1) Is there a limit on the number of DCE groups that are supported by
the DCE registry?
2) Is there a limit on the number of DCE groups that one can belong
to and what drives that limit?"
3) What vendors have limits on group membership and will this
limitation disappear in future releases?
The Transarc security advisory states that the HP and IBM products are
not effected by this problem. Does that mean that on the HP and IBM
platforms that belonging to NGROUPS_MAX-1 groups does not give the user
unauthorized access? Or does it mean that there is not a NGROUPS_MAX-1
limit on the number of groups a user can belong to?
And finally, it looks to me like NGROUPS_MAX is a UNIX kernel parameter
of some kind. So is this a case where the operating system of the
underlying platform is imposing this limit upon DCE/DFS?
The customer is very curious about this and there is no such thing as
"too much" information....so fire away!
Thanks for your help,
Paul Brooks
NSIS
(505)844-7226
Sandia National Laboratories
| T.R | Title | User | Personal
Name | Date | Lines
|
|---|