1 |
On 30/11/2016 01:13, William L. Thomson Jr. wrote: |
2 |
> On Wednesday, November 30, 2016 12:49:44 AM EST Alan McKinnon wrote: |
3 |
>> |
4 |
>> Why would you end up with duplicated UIDs and GIDs? The only real ways |
5 |
>> that can happen is |
6 |
>> - ebuild "edits" passwd and group directly using echo/sed and the like. |
7 |
>> - ebuild runs useradd|groupadd specifying the uid/gid as arguments |
8 |
> |
9 |
> I think you mean enewgroup and enewuser |
10 |
|
11 |
Or that. Don't fixate on the tool or it's name, the question is about |
12 |
your stateent of duplicate UIDs and GIDs. I responded with "how would |
13 |
that occur?" and gave 2 scenarios I could think off of the bat |
14 |
|
15 |
> |
16 |
>> Both of which are silly. Just use useradd/groupadd without uid/gid |
17 |
>> arguments. The utility will make sure the uid/gids are non-duplicate, |
18 |
>> and ensure they are <1000 or whatever for system accounts |
19 |
> |
20 |
> Randomly chosen GID and UID are a problem in the making. If you haven't |
21 |
> experienced such yet, give yourself time. Moving files between systems, you |
22 |
> have to chown/chgrp, etc it is NOT fun... |
23 |
|
24 |
chown/chgrp/chmod is not a chore. It is REQUIRED when moving files |
25 |
around from system to system. Aside from the possibility of uid/gid |
26 |
differing there is also umask in the mix which pretty much forces you to |
27 |
chmod anyway. If you need to do that you might as well chown/chgrp as |
28 |
well to be 100% sure. |
29 |
|
30 |
I routinely and often do all the above at work, moving files between |
31 |
FreeBSD, Ubuntu, Centos, Solaris and whatever container technology |
32 |
du-jour the devs decided was teh coolz awes0me today. And powershell on |
33 |
Unix plus posix/cygwin/bash on Windows. I have zero guarantees about any |
34 |
id consistency in that mess^Wreal-life-ISP-network, so what difference |
35 |
is Gentoo going to make? |
36 |
|
37 |
> |
38 |
> Or worse you mix stuff and give something improper permissions and really mess |
39 |
> up security... |
40 |
|
41 |
That's what chmod and eyeballs are for |
42 |
|
43 |
> |
44 |
>> How do you intend to MAKE devs follow it? More eternal bike-shedding? |
45 |
> |
46 |
> A nifty tool called repoman which could do a quick lookup. As could enewgroup/ |
47 |
> enewuser. They could hit the list/database. If something is trying to use |
48 |
> existing error, etc. Otherwise process to reserve it, etc. |
49 |
|
50 |
OK, so you could force code into repoman to do what you want. You still |
51 |
have to convince all other devs that it's a good idea |
52 |
> |
53 |
> |
54 |
>> Who cares what the uid/gid is? There's a range of about 950 to chose |
55 |
>> from. The way to ensure a filesystem object has the correct owner and |
56 |
>> group is by using chown/chgrp. |
57 |
> |
58 |
> See above, any administrator moving files between systems, restoring backups, |
59 |
> etc. |
60 |
|
61 |
See above about what I do on a real life network. Daily. For 15 years |
62 |
now and counting. |
63 |
|
64 |
> |
65 |
> Say you do a fresh install. What if all your UID/GID differ from your backup? |
66 |
> HUGE MESS!!!! |
67 |
|
68 |
So deal with it. That's what chmod is for. |
69 |
|
70 |
Or do you reinstall, restore backups and then NOT check all details |
71 |
thoroughly? |
72 |
|
73 |
> |
74 |
>> Except for a few cases out on left field (like nfs shares - a problem |
75 |
>> that nfs must fix) you don't really care what the uid/gid is, as long as |
76 |
>> it's not duplicated. The thing you care about is the NAME |
77 |
> |
78 |
> Not really just cases you haven't run into yet, which can be very common. |
79 |
|
80 |
Describe these cases please. I've got 15 years behind me at this and |
81 |
probably seen it all, but I'm just not seeing the problem you perceive |
82 |
|
83 |
> |
84 |
>>> This is not needless bureaucracy , this is necessary. |
85 |
>> |
86 |
>> This is a joke right? |
87 |
> |
88 |
> Not at all, others are clearly not aware of all the potential issues, having |
89 |
> not experienced them first hand, yet.... |
90 |
> |
91 |
> Work with enough systems, move files around, share lots of stuff, restore |
92 |
> backups, you will start to see a major need. |
93 |
|
94 |
See above. I submit this problem does not really exist, that the real |
95 |
solution is chmod/chown/chgrp/attention and eyeballs. Which you pretty |
96 |
much have to do anyway for other reasons than lack of consistency around |
97 |
UID/GID. Like umask, SGID on directories |
98 |
|
99 |
[ snip ] |
100 |
|
101 |
>> I have packaged a few things in Gentoo (privately only) |
102 |
> |
103 |
> Try doing it for the public, which will end up with thousands of installs. |
104 |
|
105 |
I'm still not seeing it. You can have a million installs from an ebuild |
106 |
available to the public, and the vast majority are completely isolated |
107 |
from each other. |
108 |
|
109 |
> |
110 |
>> , and written |
111 |
>> more shell installers, puppet manifests, ansible playbooks and user |
112 |
>> account deployers than I care to recall; I've never run into this |
113 |
>> problem that I couldn't solve trivially - usually by just knowing the |
114 |
>> username|groupname and looking up the corresponding uid/gid. Really, |
115 |
>> it's just data mapping and we have tools to do the lookup real fast. |
116 |
> |
117 |
> Clearly you haven't come across it yet, and likely because experience has |
118 |
> differed. But I have given you a few examples of how this could happen to |
119 |
> anyone and why there would be a need. |
120 |
> |
121 |
> Say it is a failed mail server, and you need to take the queue/spool to |
122 |
> another. Same with print, or other jobs... You need them to have the same UID/ |
123 |
> GID, or you end up wasting MORE time syncing them to the system they go onto. |
124 |
> Much easier to ensure all are the same. |
125 |
|
126 |
Let's look at real life. |
127 |
|
128 |
I have exim mail servers on FreeBSD, Ubuntu and Centos. Now that's a |
129 |
typical real-life scenario, and they are different deliberately. |
130 |
Shuttling the mail spool from one machine to another is a fairly lengthy |
131 |
scp/rsync operation followed by a very fast chmod & chown and daemon |
132 |
start. The saving is maybe 2 seconds in something that takes many minutes. |
133 |
|
134 |
How about my name servers? They are also a mix and the hosted domains |
135 |
are in cvs. The bind user does not have a shell and root doesn't get to |
136 |
cvs update. |
137 |
|
138 |
Now these are typical ordinary everyday sysadmin actions, and trying to |
139 |
register standard UIDs on Gentoo does nothing to shave seconds off the |
140 |
full process. So why bother? It would be optimizing for the less common |
141 |
case. |
142 |
|
143 |
I could also describe the enormous collection of jar files the devs want |
144 |
dropped into new tomcat installs from any of several source code repos. |
145 |
|
146 |
> This goes for many other things. Lots of data gets owned by system accounts. |
147 |
> Moving that data from system to system, with different UID/GIDs is a |
148 |
> nightmare... |
149 |
|
150 |
I'm starting to think that you need more experience with real-world |
151 |
deployments with things other than Gentoo in them. Your position only |
152 |
affects Gentoo and does nothing to assist with the same circumstance on |
153 |
everything that is not Gentoo - the common case. |
154 |
|
155 |
The real problem here is not inconsistency, because that is something |
156 |
you will never fix. The problem is the design of Unix itself and what |
157 |
goes into inodes - a 16 bit number that maps to a name for the benefit |
158 |
of humans. Syncing files between machines was never really envisaged - |
159 |
humans worked with named and the IDs were whatever passwd said they |
160 |
were. So as long as you picked a UID and stuck with it, all was good. |
161 |
So you have a system where the UID can be any 16 bit number you want it |
162 |
to be, and THAT is the real problem - people DID make it anything they |
163 |
wanted it to be. That genie is long since out of the bottle and isn't |
164 |
going back in. |
165 |
|
166 |
|
167 |
-- |
168 |
Alan McKinnon |
169 |
alan.mckinnon@×××××.com |