ngroups_max.5 (2010 09)
m
ngroups_max(5) ngroups_max(5)
(Tunable Kernel Parameters)
NAME
ngroups_max - maximum number of supplementary group IDs per process
VALUES
Default
20
Allowed values
Minimum: 20 supplementary group IDs
Maximum:
65535 supplementary group IDs
DESCRIPTION
A process may have up to ngroups_max supplementary group IDs in addition to the effective group ID.
Who is Expected to Change This Tunable?
Anyone who needs users to be able to belong to more than the default 20 groups.
Restrictions on Changing
Processes that exist when this limit is changed (as well as future descendants of such processes) may not
observe the new limit. New login sessions will observe the new limit immediately.
When Should the Value of This Tunable Be Raised?
This tunable should be raised if any users need to belong to more groups than currently permitted.
What Are the Side Effects of Raising the Value?
If no users are associated with more groups than permitted by the old value, then there are no side-effects
of raising this value.
Any user who is associated with more groups than permitted by the old value will observe on their next
login that more of those groups now appear in their supplementary group IDs list.
The more groups a user belongs to, the more kernel storage that user’s processes will require to store the
list of groups and the longer it will take both kernel and user-space code to search that list. If users
belonging to a large number of groups run a large number of processes, overall system performance may
degrade proportionally.
Users who have more than 20 supplementary group IDs may observe problems with older applications.
See the WARNINGS section below for details.
When Should the Value of This Tunable Be Lowered?
This tunable may be lowered if no users require so many supplementary group IDs.
What Are the Side Effects of Lowering the Value?
Users who are associated with more groups than permitted by the new limit will observe on their next
login that some of those groups are missing from their set of supplementary group IDs. Any file accesses
or other operations which depended on these groups may no longer work.
Lowering this tunable will not cause any groups to be removed from the set of supplementary group IDs
associated with any current processes. Nor will it prevent future descendants of those processes from
inheriting the full set of supplementary group IDs from their parents. A call to setgroups (2) with a subset
of the current supplementary group IDs will always succeed.
What Other Tunable Values Should Be Changed at the Same Time?
None.
WARNINGS
Users who are associated with more than 20 groups may observe problems with older applications when
ngroups_max is set greater than 20.
Older applications that call getgroups (2) generally use the constant NGROUPS_MAX (defined in
<limits.h>) to size the storage for group IDs. getgroups (2) will return an error if the caller did not
provide enough storage for all the supplementary group IDs that the caller belongs to. These applications
may fail or operate as though the user belongs only to the group identified by the effective group ID.
Compatibility with older applications can be achieved by several means:
HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1