| 1 |
On Mon, Nov 29, 2021 at 2:25 AM Ulrich Mueller <ulm@g.o> wrote: |
| 2 |
> |
| 3 |
> >>>>> On Mon, 29 Nov 2021, Alec Warner wrote: |
| 4 |
> |
| 5 |
> > - If Gentoo adds an acct-user/foo user, and that user already exists |
| 6 |
> > on my system with the wrong UID: the eclass dies[0]. |
| 7 |
> |
| 8 |
> I don't think that's correct. The eclass will just use the already |
| 9 |
> existing UID then (except for the very few acct-user packages that |
| 10 |
> define ACCT_USER_ENFORCE_ID). |
| 11 |
> |
| 12 |
> > - If Gentoo adds an acct-user/foo user, with uid=12345, and that uid |
| 13 |
> > is assigned to a user on my system already, the eclass dies. |
| 14 |
> |
| 15 |
> Similar to above, the eclass will dynamically allocate another UID that |
| 16 |
> is free. |
| 17 |
|
| 18 |
Oh good I misread it, you are right; my apologies. |
| 19 |
|
| 20 |
> |
| 21 |
> > - Some environments are very old, and so real users have unexpected |
| 22 |
> > uids; this includes Gentoo itself. |
| 23 |
> > - Gentoo (the community) used to allocate UIDs to devs in the |
| 24 |
> > 500-1000 range and we have 17 active developers with UIDs in that |
| 25 |
> > range. So for example if we allocate one of these UIDs to an acct-* |
| 26 |
> > package; that package will not be installable on woodpecker without |
| 27 |
> > modification because those UIDs are already taken. |
| 28 |
> |
| 29 |
> See above. |
| 30 |
> |
| 31 |
> Also, why would one allocate UIDs in the 500..999 range (1000 is fine, |
| 32 |
> actually)? Gentoo always had UID_MIN=1000 and SYS_UID_MAX=999. |
| 33 |
|
| 34 |
A bunch of reasons. |
| 35 |
- In the case of gentoo.org specifically I am guessing bugs and / or |
| 36 |
ignorance (as we discussed on IRC.) enewuser / useradd / the normal |
| 37 |
utilities lack the permissions to add users (because they cannot write |
| 38 |
to LDAP without credentials) and so currently we have a tool |
| 39 |
(perl_ldap); from 2006 onward it looks for the highest uidNumber in |
| 40 |
LDAP and adds 1 to it. I don't have the source code for earlier |
| 41 |
versions, but code comments implied the uids were entered by people; |
| 42 |
not machines. People are really bad at consistently allocating UIDs |
| 43 |
and are bad at following standards :) |
| 44 |
- In my previous work, the uid automation would routinely have bugs |
| 45 |
(we did not have good unit or functional testing) and often the uid |
| 46 |
range requirements were either not implemented (oops) or were buggy |
| 47 |
(also oops.) We often fixed weird bugs by hand (if we noticed that |
| 48 |
e.g. an account had some weird problem and it was someone's first day; |
| 49 |
redoing their account is cheap.) But if the bug was in the past; it |
| 50 |
was often too expensive to fix anything; so our user accounts had many |
| 51 |
exciting quirks of names, odd assignments, etc. |
| 52 |
|
| 53 |
This is why I say that conceptually the 'identity provider' is |
| 54 |
external to Gentoo (because we all have our weird site-specific |
| 55 |
quirks.) As you note above though, most acct-* packages will not break |
| 56 |
and will just assign some other uid / gid; so only the FORCE_ID |
| 57 |
packages matter and there are only 3 of those...so I mostly concede on |
| 58 |
that basis provided we avoid adding more FORCE'd packages. |
| 59 |
|
| 60 |
-A |
| 61 |
|
| 62 |
> |
| 63 |
> Ulrich |
Archives