On Sun, Dec 13, 2015 at 02:23:29PM -0800, Alec Warner wrote:
> 1) Why do you need deterministic uid / gid's?
> 2) If you do need deterministic uid / gid's, I would recommend storing them
> all in the same place.
They are ALL for system users and groups.

TL;DR: if you're sharing data/config for system users/groups between
multiple systems based on UID/GID (not username), you need consistent
generation.

Data on NFSv[23], with a shared apache/nginx user, was one of the
original examples. I agree since then that the data should NOT be owned
by apache/nginx anymore (NFSv4 also solves the problem).

A much newer example: let's consider the system group 'plugdev'. It's
one that is created dynamically at the moment.

If I want to put my user in that group LDAP-wide, and have an LDAP
environment, I need to make sure the plugdev GID is the same on all
systems (actually it also varies slightly depending on which LDAP group
membership model you're using for NSS data).

> For example, you typically want a deterministic UID for a user. To
> accomplish this, you add that user to LDAP, give them a UID in LDAP, and
> then either add LDAP to nsswitch or use something like nsscache to sync
> the ldap UID's into the local system.
>
> 3) If you need deterministic GID's I would recommend storing them all in
> LDAP and syncing the group memberships locally.
So you want to define the group twice? Both in LDAP and locally?

> I never understood why people would think the distro should handle unique
> gid / uids. Plus you usually end up running:
>
> 1) More than one distro.
> 2) More than one 'flavor' of a single distro where for whatever reason, uid
> and gid decisions differed (they renumbered, etc.)
Here's the work LSB did on it, with further references to what more
distros do:
https://github.com/LinuxStandardBase/lsb/blob/master/documents/wip/userNaming.txt

Here's the Debian central database for it:
https://anonscm.debian.org/cgit/users/cjwatson/base-passwd.git/tree/README


> So if you want a consistent GID for a group, store the group name and gid
> in ldap and sync it; do not rely on your distro to do it. IMHO doing so is
> a design error.
Which is incompatible with NFSv3.

> > [1] $ egrep '(enewgroup|enewuser)' * -R | awk -F '/' '{print $1 "/" $2}' |
> > grep -v eclass | sort -u | wc -l
> > 443
> > So there are not so many gids/uids needed
There are definitely entries like these, so be very careful in your counting.
enewgroup $PN
enewuser ${PN} -1 -1 /var/lib/${PN} ${PN}

Based on counting unique tuples of
($CAT/$PN, $ARGS), I count 410+ each of enewgroup and enewuser calls.
61 |
|
62 |
$ git grep -e 'enewuser ' -e 'enewgroup ' | \ |
63 |
sed -r -e 's,/[^/]+:[[:space:]]*,/: ,g' -e 's,#.*,,g' | \ |
64 |
grep -e ': enew' |sort |uniq |
65 |
|
66 |
Also watch out for packages that create MULTIPLE users/groups for privilege |
67 |
separation (qmail is notorious for this). |
68 |
|
69 |
-- |
70 |
Robin Hugh Johnson |
71 |
Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee |
72 |
E-Mail : robbat2@g.o |
73 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
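The NFSv3 point in the message above (the server only sees numeric ids, so a group that is created dynamically can land on a different GID per host, and one GID can name different groups on different hosts) is easy to audit once you have /etc/group or /etc/passwd snapshots from each machine. The following checker is an added example and is not code from the thread or from Gentoo; the host names and the /etc/group excerpts are constructed sample data, and the "plugdev" drift they show is hypothetical.

```python
#!/usr/bin/env python3
"""Cross-host UID/GID drift check (added example, not from the original thread).

Given passwd/group style snapshots from several hosts, report:
  * names that map to different numeric ids across hosts, and
  * numeric ids that map to different names across hosts.
The second case is the dangerous one for NFSv3 or any id-based sharing:
a file owned by GID 101 on one host is accessible to whichever group
happens to hold GID 101 on another.
"""
from collections import defaultdict

# Constructed sample data: hypothetical /etc/group excerpts from three hosts.
# "plugdev" was created dynamically and landed on a different GID each time,
# and on web3 it collides with the GID that nginx holds on web1/web2.
SAMPLE_SNAPSHOTS = {
    "web1": "root:x:0:\nplugdev:x:46:alice\nnginx:x:101:\nqmaild:x:102:\n",
    "web2": "root:x:0:\nnginx:x:101:\nplugdev:x:1001:alice\n",
    "web3": "root:x:0:\nplugdev:x:101:alice\nnginx:x:102:\n",
}


def parse_db(text):
    """Parse passwd/group style 'name:x:id:...' lines into {name: id}.

    Blank lines, comments and malformed lines are skipped; the numeric id
    is always the third colon-separated field in both /etc/passwd and
    /etc/group.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        entries[fields[0]] = int(fields[2])
    return entries


def find_drift(snapshots):
    """Return (name_conflicts, id_conflicts) for a {host: db_text} mapping.

    name_conflicts: {name: {host: id}} for names whose id differs across hosts.
    id_conflicts:   {id: {host: name}} for ids whose name differs across hosts.
    """
    by_name = defaultdict(dict)
    by_id = defaultdict(dict)
    for host, text in snapshots.items():
        for name, num in parse_db(text).items():
            by_name[name][host] = num
            by_id[num][host] = name
    name_conflicts = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    id_conflicts = {i: h for i, h in by_id.items() if len(set(h.values())) > 1}
    return name_conflicts, id_conflicts


def main():
    names, ids = find_drift(SAMPLE_SNAPSHOTS)
    for name, hosts in sorted(names.items()):
        print(f"name {name!r} has different ids per host: {hosts}")
    for num, hosts in sorted(ids.items()):
        print(f"id {num} names different entries per host: {hosts}")


if __name__ == "__main__":
    main()
```

Feed it the real files (for example, `getent group` output collected from each host) in place of the constructed snapshots; the id-to-name conflicts are the ones to fix before exporting anything over NFSv3, since those are the cases where a numeric owner on the server silently grants access to a different group on the client.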