On Mon, Nov 29, 2021 at 2:25 AM Ulrich Mueller <ulm@g.o> wrote:
>
> >>>>> On Mon, 29 Nov 2021, Alec Warner wrote:
>
> > - If Gentoo adds an acct-user/foo user, and that user already exists
> > on my system with the wrong UID: the eclass dies[0].
>
> I don't think that's correct. The eclass will just use the already
> existing UID then (except for the very few acct-user packages that
> define ACCT_USER_ENFORCE_ID).
>
> > - If Gentoo adds an acct-user/foo user, with uid=12345, and that uid
> > is assigned to a user on my system already, the eclass dies.
>
> Similar to above, the eclass will dynamically allocate another UID that
> is free.

Oh good, I misread it; you are right. My apologies.

>
> > - Some environments are very old, and so real users have unexpected
> > uids; this includes Gentoo itself.
> > - Gentoo (the community) used to allocate UIDs to devs in the
> > 500-1000 range and we have 17 active developers with UIDs in that
> > range. So for example if we allocate one of these UIDs to an acct-*
> > package; that package will not be installable on woodpecker without
> > modification because those UIDs are already taken.
>
> See above.
>
> Also, why would one allocate UIDs in the 500..999 range (1000 is fine,
> actually)? Gentoo always had UID_MIN=1000 and SYS_UID_MAX=999.

A bunch of reasons.
- In the case of gentoo.org specifically I am guessing bugs and / or
ignorance (as we discussed on IRC). enewuser / useradd / the normal
utilities lack the permissions to add users (because they cannot write
to LDAP without credentials) and so currently we have a tool
(perl_ldap); from 2006 onward it looks for the highest uidNumber in
LDAP and adds 1 to it. I don't have the source code for earlier
versions, but code comments implied the uids were entered by people,
not machines. People are really bad at consistently allocating UIDs
and are bad at following standards :)
- In my previous work, the uid automation would routinely have bugs
(we did not have good unit or functional testing) and often the uid
range requirements were either not implemented (oops) or were buggy
(also oops). We often fixed weird bugs by hand (if we noticed that
e.g. an account had some weird problem and it was someone's first day,
redoing their account is cheap). But if the bug was in the past, it
was often too expensive to fix anything, so our user accounts had many
exciting quirks of names, odd assignments, etc.

This is why I say that conceptually the 'identity provider' is
external to Gentoo (because we all have our weird site-specific
quirks). As you note above, though, most acct-* packages will not break
and will just assign some other uid / gid; so only the FORCE_ID
packages matter and there are only 3 of those... so I mostly concede on
that basis provided we avoid adding more FORCE'd packages.

-A

>
> Ulrich
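The three outcomes discussed in this exchange (an account that already exists keeps its UID, a free requested UID is taken as-is, a taken UID is replaced by a dynamically allocated free one) and the ACCT_USER_ENFORCE_ID case where the merge dies instead can be checked against a passwd table before a package is merged. The following is an added Python model of that behaviour, written for this page; it is not acct-user.eclass, perl_ldap, or any code from the thread. UID_MIN=1000 and SYS_UID_MAX=999 are the values Ulrich states for Gentoo; SYS_UID_MIN, the downward search order for the fallback allocation, the function names and the sample accounts are assumptions of this model.

```python
"""Constructed model of the acct-user UID behaviour discussed in the thread.

This is an added illustration, not acct-user.eclass or the perl_ldap tool:
it models the outcomes the thread describes (reuse an account's existing
UID, take the requested UID when it is free, otherwise allocate a free one)
and the ACCT_USER_ENFORCE_ID case where the request fails instead.
"""

# UID_MIN and SYS_UID_MAX are the values stated in the thread for Gentoo;
# SYS_UID_MIN is an assumption of this model.
UID_MIN = 1000
SYS_UID_MAX = 999
SYS_UID_MIN = 101


class UidConflict(Exception):
    """Requested UID cannot be honoured and the package enforces it."""


def parse_passwd(text):
    """Parse passwd(5)-style lines into {name: uid}; skips comments and blanks."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        users[fields[0]] = int(fields[2])
    return users


def resolve_uid(users, name, requested, enforce=False):
    """UID that account `name` ends up with on a system whose accounts are
    `users` ({name: uid}). `enforce` models ACCT_USER_ENFORCE_ID."""
    taken = set(users.values())
    if name in users:
        existing = users[name]
        if enforce and existing != requested:
            raise UidConflict(f"{name} exists with UID {existing}, not {requested}")
        return existing                  # reuse the existing account's UID
    if requested not in taken:
        return requested                 # requested UID is free: take it
    if enforce:
        raise UidConflict(f"UID {requested} is already assigned to another account")
    # Fall back to a free UID in the system range. Searching downward from
    # SYS_UID_MAX is this model's choice, not necessarily the eclass's order.
    for candidate in range(SYS_UID_MAX, SYS_UID_MIN - 1, -1):
        if candidate not in taken:
            return candidate
    raise RuntimeError("no free UID in the system range")


def accounts_in_range(users, lo, hi):
    """Names of accounts whose UID lies in [lo, hi], ordered by UID. Lists
    what already sits in the system range (the woodpecker situation from
    the thread) before a package with an enforced UID is merged."""
    return [name for name, uid in sorted(users.items(), key=lambda kv: kv[1])
            if lo <= uid <= hi]


# Constructed sample passwd data; the accounts and UIDs are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# a human account that was allocated inside the system range
olddev:x:742:100:Old Developer:/home/olddev:/bin/bash
# a service account that already exists under a UID the package did not request
foo:x:998:998:foo daemon:/var/lib/foo:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def demo(text=SAMPLE_PASSWD):
    """Run the cases from the thread against the sample data."""
    users = parse_passwd(text)
    outcomes = {
        "foo requested 742, exists as 998": resolve_uid(users, "foo", 742),
        "bar requested 600, free": resolve_uid(users, "bar", 600),
        "baz requested 742, taken": resolve_uid(users, "baz", 742),
        "accounts in 500..999": accounts_in_range(users, 500, SYS_UID_MAX),
    }
    for label, args in (("foo enforced 742", ("foo", 742)),
                        ("baz enforced 742", ("baz", 742))):
        try:
            outcomes[label] = resolve_uid(users, *args, enforce=True)
        except UidConflict as exc:
            outcomes[label] = f"dies: {exc}"
    return outcomes


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running the module prints one line per case; `accounts_in_range` is the check to run on a host before merging one of the few enforced-ID packages, since those are the only ones for which a collision is fatal rather than silently rerouted to another UID.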