| 1 |
On Sun, Dec 13, 2015 at 02:23:29PM -0800, Alec Warner wrote: |
| 2 |
> 1) Why do you need deterministic uid / gid's? |
| 3 |
> 2) If you do need deterministic uid / gid's, I would recommend storing them |
| 4 |
> all in the same place. |
| 5 |
They are ALL for system users and groups. |
| 6 |
|
| 7 |
TL;DR: if you're sharing data/config for system users/groups between |
| 8 |
multiple systems based on UID/GID (not username), you need consistent |
| 9 |
generation. |
| 10 |
|
| 11 |
Data on NFSv[23], with a shared apache/nginx user was one of the |
| 12 |
original examples. I agree since then, that the data should NOT be owned |
| 13 |
by apache/nginx anymore (NFSv4 also solves the problem). |
| 14 |
|
| 15 |
A much newer example, is let's consider the system group 'plugdev'. It's |
| 16 |
one that is created dynamically at the moment. |
| 17 |
|
| 18 |
If I want to put my user in that group LDAP-wide, and have an LDAP |
| 19 |
environment, I need to make sure the plugdev GID is the same on all |
| 20 |
systems (actually it also varies slightly depending which LDAP group |
| 21 |
membership model you're using for NSS data). |
| 22 |
|
| 23 |
> For example, you typically want a deterministic UID for a user. To |
| 24 |
> accomplish this, you add that user to LDAP, give them a UID in LDAP, and |
| 25 |
> then either add LDAP to nssswitch or use something like nsscache to sync |
| 26 |
> the ldap UID's into the local system. |
| 27 |
> |
| 28 |
> 3) If you need deterministic GID's I would recommend storing them all in |
| 29 |
> LDAP and syncing the group memberships locally. |
| 30 |
So you want to define the group twice? Both in LDAP and locally? |
| 31 |
|
| 32 |
> I never understood why people would think the distro should handle unique |
| 33 |
> gid / uids. Plus you usually end up running: |
| 34 |
> |
| 35 |
> 1) More than one distro. |
| 36 |
> 2) More than one 'flavor' of a single distro where for whatever reason, uid |
| 37 |
> and gid decisions differed (they renumbered, etc.) |
| 38 |
Here's the work LSB did on it, with further references to what more |
| 39 |
distros do: |
| 40 |
https://github.com/LinuxStandardBase/lsb/blob/master/documents/wip/userNaming.txt |
| 41 |
|
| 42 |
Here's the debian central database for it: |
| 43 |
https://anonscm.debian.org/cgit/users/cjwatson/base-passwd.git/tree/README |
| 44 |
|
| 45 |
|
| 46 |
> So if you want a consistent GID for a group, store the group name and gid |
| 47 |
> in ldap and sync it; do not rely on your distro to do it. IMHO doing so is |
| 48 |
> a design error. |
| 49 |
Which is incompatible with NFSv3. |
| 50 |
|
| 51 |
> > [1] $ egrep '(enewgroup|enewuser)' * -R | awk -F '/' '{print $1 "/" $2}' | |
| 52 |
> > grep -v eclass | sort -u | wc -l |
| 53 |
> > 443 |
| 54 |
> > So there not so much gid uids needed |
| 55 |
There are definitely entries like these, so be very careful in your counting. |
| 56 |
enewgroup $PN |
| 57 |
enewuser ${PN} -1 -1 /var/lib/${PN} ${PN} |
| 58 |
|
| 59 |
Based on counting unique tuples of |
| 60 |
($CAT/$PN, $ARGS, I count 410+ of each enewgroup and enewuser calls. |
| 61 |
|
| 62 |
$ git grep -e 'enewuser ' -e 'enewgroup ' | \ |
| 63 |
sed -r -e 's,/[^/]+:[[:space:]]*,/: ,g' -e 's,#.*,,g' | \ |
| 64 |
grep -e ': enew' |sort |uniq |
| 65 |
|
| 66 |
Also watch out for packages that create MULTIPLE users/groups for privilege |
| 67 |
separation (qmail is notorious for this). |
| 68 |
|
| 69 |
-- |
| 70 |
Robin Hugh Johnson |
| 71 |
Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee |
| 72 |
E-Mail : robbat2@g.o |
| 73 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives