On Tue, Mar 08, 2005 at 10:11:21AM -0500, David Collier-Brown wrote:
> Imagine for a moment that Solaris provided a pair of extra calls:
> set_auxgroups_max(int max)
> and
> activate_auxgroup(group)
> The first allows the aux group list to be as long as you like.
> The second makes an existing member of the aux groups "active",
> where active really means that it's moved to the first 8, 16 or
> 32. Both require root permissions.
> Does that help?

I think it would. But I doubt it's necessary if you require root for both. I
could imagine set_auxgroups_max to be a ulimit, and the second one is not
necessary as there is an order in the setgroups call. Only the first 16 groups
qualify for NFS access rights. You might need another syscall if you would like
to allow non-root processes to re-order their own group list.
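
The ordering point in this reply, as an added example that is not part of the original message: moving one group to the front of a list destined for `setgroups` and reporting which group falls out of the first 16. It assumes, as the reply states, that the platform keeps the `setgroups` order and that only the first 16 entries count for NFS; `nfs_visible` and `promote_group` are hypothetical helper names and the gid list is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define NFS_AUX_GIDS 16 /* the reply's figure: first 16 groups count for NFS */

/* Index of gid in list, or -1 if it is not a member. */
static long find_gid(const gid_t *list, size_t n, gid_t gid) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == gid) return (long)i;
    return -1;
}

/* 1 if gid sits inside the first NFS_AUX_GIDS slots, else 0. */
int nfs_visible(const gid_t *list, size_t n, gid_t gid) {
    long idx = find_gid(list, n, gid);
    return idx >= 0 && idx < NFS_AUX_GIDS;
}

/* Move gid to slot 0, keeping the relative order of the other entries.
 * Returns -1 if gid is not in the list, 0 if no group lost NFS visibility,
 * 1 if the group formerly in slot 15 was pushed out (stored in *evicted). */
int promote_group(gid_t *list, size_t n, gid_t gid, gid_t *evicted) {
    long idx = find_gid(list, n, gid);
    int pushed = 0;
    if (idx < 0) return -1;
    if (idx >= NFS_AUX_GIDS) {          /* came from outside the window */
        *evicted = list[NFS_AUX_GIDS - 1];
        pushed = 1;
    }
    memmove(list + 1, list, (size_t)idx * sizeof *list);
    list[0] = gid;
    return pushed;
}

int main(void) {
    gid_t groups[20], lost = 0;         /* constructed sample: gids 1000..1019 */
    size_t n = sizeof groups / sizeof groups[0];
    for (size_t i = 0; i < n; i++) groups[i] = (gid_t)(1000 + i);

    printf("1018 visible before: %d\n", nfs_visible(groups, n, 1018));
    if (promote_group(groups, n, 1018, &lost) == 1)
        printf("promoted 1018, gid %lu left the first %d\n",
               (unsigned long)lost, NFS_AUX_GIDS);
    printf("1018 visible after: %d\n", nfs_visible(groups, n, 1018));
    /* A privileged process would now pass groups[] to setgroups(). */
    return 0;
}
```

Promoting a group from beyond slot 16 always costs another group its place, so the caller needs to decide whether the displaced gid is one the process still depends on for NFS access.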