| 1 |
On 30/11/2016 01:13, William L. Thomson Jr. wrote: |
| 2 |
> On Wednesday, November 30, 2016 12:49:44 AM EST Alan McKinnon wrote: |
| 3 |
>> |
| 4 |
>> Why would you end up with duplicated UIDs and GIDs? The only real ways |
| 5 |
>> that can happen is |
| 6 |
>> - ebuild "edits" passwd and group directly using echo/sed and the like. |
| 7 |
>> - ebuild runs useradd|groupadd specifying the uid/gid as arguments |
| 8 |
> |
| 9 |
> I think you mean enewgroup and enewuser |
| 10 |
|
| 11 |
Or that. Don't fixate on the tool or it's name, the question is about |
| 12 |
your stateent of duplicate UIDs and GIDs. I responded with "how would |
| 13 |
that occur?" and gave 2 scenarios I could think off of the bat |
| 14 |
|
| 15 |
> |
| 16 |
>> Both of which are silly. Just use useradd/groupadd without uid/gid |
| 17 |
>> arguments. The utility will make sure the uid/gids are non-duplicate, |
| 18 |
>> and ensure they are <1000 or whatever for system accounts |
| 19 |
> |
| 20 |
> Randomly chosen GID and UID are a problem in the making. If you haven't |
| 21 |
> experienced such yet, give yourself time. Moving files between systems, you |
| 22 |
> have to chown/chgrp, etc it is NOT fun... |
| 23 |
|
| 24 |
chown/chgrp/chmod is not a chore. It is REQUIRED when moving files |
| 25 |
around from system to system. Aside from the possibility of uid/gid |
| 26 |
differing there is also umask in the mix which pretty much forces you to |
| 27 |
chmod anyway. If you need to do that you might as well chown/chgrp as |
| 28 |
well to be 100% sure. |
| 29 |
|
| 30 |
I routinely and often do all the above at work, moving files between |
| 31 |
FreeBSD, Ubuntu, Centos, Solaris and whatever container technology |
| 32 |
du-jour the devs decided was teh coolz awes0me today. And powershell on |
| 33 |
Unix plus posix/cygwin/bash on Windows. I have zero guarantees about any |
| 34 |
id consistency in that mess^Wreal-life-ISP-network, so what difference |
| 35 |
is Gentoo going to make? |
| 36 |
|
| 37 |
> |
| 38 |
> Or worse you mix stuff and give something improper permissions and really mess |
| 39 |
> up security... |
| 40 |
|
| 41 |
That's what chmod and eyeballs are for |
| 42 |
|
| 43 |
> |
| 44 |
>> How do you intend to MAKE devs follow it? More eternal bike-shedding? |
| 45 |
> |
| 46 |
> A nifty tool called repoman which could do a quick lookup. As could enewgroup/ |
| 47 |
> enewuser. They could hit the list/database. If something is trying to use |
| 48 |
> existing error, etc. Otherwise process to reserve it, etc. |
| 49 |
|
| 50 |
OK, so you could force code into repoman to do what you want. You still |
| 51 |
have to convince all other devs that it's a good idea |
| 52 |
> |
| 53 |
> |
| 54 |
>> Who cares what the uid/gid is? There's a range of about 950 to chose |
| 55 |
>> from. The way to ensure a filesystem object has the correct owner and |
| 56 |
>> group is by using chown/chgrp. |
| 57 |
> |
| 58 |
> See above, any administrator moving files between systems, restoring backups, |
| 59 |
> etc. |
| 60 |
|
| 61 |
See above about what I do on a real life network. Daily. For 15 years |
| 62 |
now and counting. |
| 63 |
|
| 64 |
> |
| 65 |
> Say you do a fresh install. What if all your UID/GID differ from your backup? |
| 66 |
> HUGE MESS!!!! |
| 67 |
|
| 68 |
So deal with it. That's what chmod is for. |
| 69 |
|
| 70 |
Or do you reinstall, restore backups and then NOT check all details |
| 71 |
thoroughly? |
| 72 |
|
| 73 |
> |
| 74 |
>> Except for a few cases out on left field (like nfs shares - a problem |
| 75 |
>> that nfs must fix) you don't really care what the uid/gid is, as long as |
| 76 |
>> it's not duplicated. The thing you care about is the NAME |
| 77 |
> |
| 78 |
> Not really just cases you haven't run into yet, which can be very common. |
| 79 |
|
| 80 |
Describe these cases please. I've got 15 years behind me at this and |
| 81 |
probably seen it all, but I'm just not seeing the problem you perceive |
| 82 |
|
| 83 |
> |
| 84 |
>>> This is not needless bureaucracy , this is necessary. |
| 85 |
>> |
| 86 |
>> This is a joke right? |
| 87 |
> |
| 88 |
> Not at all, others are clearly not aware of all the potential issues, having |
| 89 |
> not experienced them first hand, yet.... |
| 90 |
> |
| 91 |
> Work with enough systems, move files around, share lots of stuff, restore |
| 92 |
> backups, you will start to see a major need. |
| 93 |
|
| 94 |
See above. I submit this problem does not really exist, that the real |
| 95 |
solution is chmod/chown/chgrp/attention and eyeballs. Which you pretty |
| 96 |
much have to do anyway for other reasons than lack of consistency around |
| 97 |
UID/GID. Like umask, SGID on directories |
| 98 |
|
| 99 |
[ snip ] |
| 100 |
|
| 101 |
>> I have packaged a few things in Gentoo (privately only) |
| 102 |
> |
| 103 |
> Try doing it for the public, which will end up with thousands of installs. |
| 104 |
|
| 105 |
I'm still not seeing it. You can have a million installs from an ebuild |
| 106 |
available to the public, and the vast majority are completely isolated |
| 107 |
from each other. |
| 108 |
|
| 109 |
> |
| 110 |
>> , and written |
| 111 |
>> more shell installers, puppet manifests, ansible playbooks and user |
| 112 |
>> account deployers than I care to recall; I've never run into this |
| 113 |
>> problem that I couldn't solve trivially - usually by just knowing the |
| 114 |
>> username|groupname and looking up the corresponding uid/gid. Really, |
| 115 |
>> it's just data mapping and we have tools to do the lookup real fast. |
| 116 |
> |
| 117 |
> Clearly you haven't come across it yet, and likely because experience has |
| 118 |
> differed. But I have given you a few examples of how this could happen to |
| 119 |
> anyone and why there would be a need. |
| 120 |
> |
| 121 |
> Say it is a failed mail server, and you need to take the queue/spool to |
| 122 |
> another. Same with print, or other jobs... You need them to have the same UID/ |
| 123 |
> GID, or you end up wasting MORE time syncing them to the system they go onto. |
| 124 |
> Much easier to ensure all are the same. |
| 125 |
|
| 126 |
Let's look at real life. |
| 127 |
|
| 128 |
I have exim mail servers on FreeBSD, Ubuntu and Centos. Now that's a |
| 129 |
typical real-life scenario, and they are different deliberately. |
| 130 |
Shuttling the mail spool from one machine to another is a fairly lengthy |
| 131 |
scp/rsync operation followed by a very fast chmod & chown and daemon |
| 132 |
start. The saving is maybe 2 seconds in something that takes many minutes. |
| 133 |
|
| 134 |
How about my name servers? They are also a mix and the hosted domains |
| 135 |
are in cvs. The bind user does not have a shell and root doesn't get to |
| 136 |
cvs update. |
| 137 |
|
| 138 |
Now these are typical ordinary everyday sysadmin actions, and trying to |
| 139 |
register standard UIDs on Gentoo does nothing to shave seconds off the |
| 140 |
full process. So why bother? It would be optimizing for the less common |
| 141 |
case. |
| 142 |
|
| 143 |
I could also describe the enormous collection of jar files the devs want |
| 144 |
dropped into new tomcat installs from any of several source code repos. |
| 145 |
|
| 146 |
> This goes for many other things. Lots of data gets owned by system accounts. |
| 147 |
> Moving that data from system to system, with different UID/GIDs is a |
| 148 |
> nightmare... |
| 149 |
|
| 150 |
I'm starting to think that you need more experience with real-world |
| 151 |
deployments with things other than Gentoo in them. Your position only |
| 152 |
affects Gentoo and does nothing to assist with the same circumstance on |
| 153 |
everything that is not Gentoo - the common case. |
| 154 |
|
| 155 |
The real problem here is not inconsistency, because that is something |
| 156 |
you will never fix. The problem is the design of Unix itself and what |
| 157 |
goes into inodes - a 16 bit number that maps to a name for the benefit |
| 158 |
of humans. Syncing files between machines was never really envisaged - |
| 159 |
humans worked with named and the IDs were whatever passwd said they |
| 160 |
were. So as long as you picked a UID and stuck with it, all was good. |
| 161 |
So you have a system where the UID can be any 16 bit number you want it |
| 162 |
to be, and THAT is the real problem - people DID make it anything they |
| 163 |
wanted it to be. That genie is long since out of the bottle and isn't |
| 164 |
going back in. |
| 165 |
|
| 166 |
|
| 167 |
-- |
| 168 |
Alan McKinnon |
| 169 |
alan.mckinnon@×××××.com |
Archives