The answer is:
It is the result of an design decision to automatically add 'admin' to every group. Since linux arbitrarily limits the number of groups a user can belong to to 32, and since SME creates a few non-visible (in the manager) groups, the limit on the number of groups had to be pegged at 28.
Note that the 32 limit is on the number of groups a user can belong to, not on the number of groups that can exist. I've seen linux systems with hundreds of groups. In fact, you'll notice that a private group is created for every user, so if you have 500 users you have at least 500 groups, plus the default groups that are created, plus any groups created via the SME manager.
Note also that the 32 groups per user limit can be increased, but it is a non-trivial hack and probably causes more problems than it solves.
The question I've never seen adequately answered is this:
Why must 'admin' be a member of every group?
I believe this is because even though even though admin and root share the same password, admin does not share root's access rights. The uid/gid for admin is 101/101. To mimic root it would need to be 0/0. I suspect the rationale for including admin in every group is so that it can read/write the various group owned directories and files, which it would not otherwise be allowed to do given its normal user uid/gid.
To remove admin from every SME-defined group, I suspect would require 'su' wrappers around several console and web manager functions. This is a development issue, and probably one of significant scope.
There might also be some loss of functionality, such as 'admin' being able to access any i-bay (via http, ftp, samba, appletalk) it chooses. This is not so much a development problem as it is a systems management issue. If you are the administrator, you can always login as root to do your damage (I mean, administration.) But, SME is designed to protect non-technical types from the complexities of their system.
Perhaps a solution could be to provide a console interface that would chroot to the base of a selected user or i-bay and execute 'mc' (Midnight Commander) or some other file manager. Or, a web interface to one of the less powerful but arguably more friendly browser-based file managers.
fwiw
8 Replies
2185 Views