FreeBSD Username and Group Limits

By default, FreeBSD has much shorter username limits than Linux, so it is usually impossible to use the full domain name as the unique suffix for usernames. Working around this issue requires a full world rebuild, to ensure that the kernel and all support tools agree on the longer username length.

FreeBSD has a limit of 16 secondary groups, and so permissions on homes can never be tighter than 751 (which makes directories list-able by all users that have a shell), because Apache must be able to access the public_html directory. As long as suexec is used for all web applications, files containing sensitive data can, and should, have 750 or tighter permissions. It is not known if a world rebuild with a higher limit is safe or feasible.

pkg_add and ports lack transactional installation capabilities, so it is impossible for an automated process like the installer to ensure that all packages are installed successfully, or that a failure is predictable (in the sense that a failed install results in nothing rather than the appearance of an installation). Compounding this issue, pkg_add currently has at least two bugs. The first leads to occasional "fatal" errors being reported, even when the package was successfully installed. The second is a segmentation fault, apparently triggered by a race condition, which is intermittent and difficult to reproduce. Thus, it is not only likely that problems will occur during installation, but the installer also cannot accurately detect them when they do. As a result, the installer may complete without error on FreeBSD even if the installation of some or all packages failed. There is no good workaround for this problem, aside from fixing the failed package installations manually once they are identified. The virtualmin-install.log usually provides the clues you need to correct these problems.
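
Because pkg_add's exit status cannot be trusted in either direction, one way to identify failed installations is to check each expected package against the package database itself. The script below is an added example, not part of the Virtualmin installer; the function names are hypothetical, and it assumes the legacy pkg_install layout, in which every registered package has a directory /var/db/pkg/<name>-<version>/ containing a +CONTENTS file and versions begin with a digit.

```shell
#!/bin/sh
# Added example: reconcile a list of expected packages with the package
# database instead of relying on pkg_add's exit status.
# Assumption: legacy pkg_install layout, $PKG_DBDIR/<name>-<version>/+CONTENTS.

PKG_DBDIR="${PKG_DBDIR:-/var/db/pkg}"

# pkg_state NAME
# Prints "ok" (registered with a non-empty +CONTENTS), "partial" (directory
# exists but +CONTENTS is missing or empty, i.e. the appearance of an
# installation), or "missing". Returns 0 only for "ok".
pkg_state() {
    state=missing
    # Assumption: versions start with a digit, so "php5" does not match
    # "php5-mysql-5.2.6".
    for d in "$PKG_DBDIR/$1"-[0-9]*; do
        [ -d "$d" ] || continue          # unmatched glob stays literal
        if [ -s "$d/+CONTENTS" ]; then
            echo ok
            return 0
        fi
        state=partial
    done
    echo "$state"
    return 1
}

# verify_packages NAME...
# Prints one "<state> <name>" line per package that is not "ok".
# Returns 0 only if every package is fully registered.
verify_packages() {
    failed=0
    for p in "$@"; do
        s=$(pkg_state "$p") || {
            echo "$s $p"
            failed=$((failed + 1))
        }
    done
    [ "$failed" -eq 0 ]
}

# Stand-alone use: sh verify.sh apache postfix dovecot
if [ "$#" -gt 0 ]; then
    verify_packages "$@"
fi
```

Packages reported as partial or missing are the ones to reinstall by hand, with virtualmin-install.log as the starting point for why they failed.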