| 1 |
On Sun, Dec 13, 2015 at 10:39 PM, Robin H. Johnson <robbat2@g.o> |
| 2 |
wrote: |
| 3 |
|
| 4 |
> On Sun, Dec 13, 2015 at 02:23:29PM -0800, Alec Warner wrote: |
| 5 |
> > 1) Why do you need deterministic uid / gid's? |
| 6 |
> > 2) If you do need deterministic uid / gid's, I would recommend storing |
| 7 |
> them |
| 8 |
> > all in the same place. |
| 9 |
> They are ALL for system users and groups. |
| 10 |
> |
| 11 |
|
| 12 |
What does that mean though? What is a System user or a System group? |
| 13 |
Why should you not store them in the user / group directory? |
| 14 |
|
| 15 |
|
| 16 |
> |
| 17 |
> TL;DR: if you're sharing data/config for system users/groups between |
| 18 |
> multiple systems based on UID/GID (not username), you need consistent |
| 19 |
> generation. |
| 20 |
> |
| 21 |
|
| 22 |
> Data on NFSv[23], with a shared apache/nginx user was one of the |
| 23 |
> original examples. I agree since then, that the data should NOT be owned |
| 24 |
> by apache/nginx anymore (NFSv4 also solves the problem). |
| 25 |
> |
| 26 |
|
| 27 |
This is certainly one workaround (you generate a shard user / role user |
| 28 |
that is the same uid / gid on every machine and you make that own the data |
| 29 |
/ run the service.) But you might as well just add apache to LDAP and call |
| 30 |
it a day? |
| 31 |
|
| 32 |
|
| 33 |
> |
| 34 |
> A much newer example, is let's consider the system group 'plugdev'. It's |
| 35 |
> one that is created dynamically at the moment. |
| 36 |
> |
| 37 |
> If I want to put my user in that group LDAP-wide, and have an LDAP |
| 38 |
> environment, I need to make sure the plugdev GID is the same on all |
| 39 |
> systems (actually it also varies slightly depending which LDAP group |
| 40 |
> membership model you're using for NSS data). |
| 41 |
> |
| 42 |
> > For example, you typically want a deterministic UID for a user. To |
| 43 |
> > accomplish this, you add that user to LDAP, give them a UID in LDAP, and |
| 44 |
> > then either add LDAP to nssswitch or use something like nsscache to sync |
| 45 |
> > the ldap UID's into the local system. |
| 46 |
> > |
| 47 |
> > 3) If you need deterministic GID's I would recommend storing them all in |
| 48 |
> > LDAP and syncing the group memberships locally. |
| 49 |
> So you want to define the group twice? Both in LDAP and locally? |
| 50 |
> |
| 51 |
|
| 52 |
Sorry, when I said sync I meant nsscache or similar. I understand why that |
| 53 |
would be confusing ;) |
| 54 |
|
| 55 |
|
| 56 |
> |
| 57 |
> > I never understood why people would think the distro should handle unique |
| 58 |
> > gid / uids. Plus you usually end up running: |
| 59 |
> > |
| 60 |
> > 1) More than one distro. |
| 61 |
> > 2) More than one 'flavor' of a single distro where for whatever reason, |
| 62 |
> uid |
| 63 |
> > and gid decisions differed (they renumbered, etc.) |
| 64 |
> Here's the work LSB did on it, with further references to what more |
| 65 |
> distros do: |
| 66 |
> |
| 67 |
> https://github.com/LinuxStandardBase/lsb/blob/master/documents/wip/userNaming.txt |
| 68 |
> |
| 69 |
> Here's the debian central database for it: |
| 70 |
> https://anonscm.debian.org/cgit/users/cjwatson/base-passwd.git/tree/README |
| 71 |
> |
| 72 |
> |
| 73 |
I'm not opposed to this effort, simply that getting everyone to conform is |
| 74 |
tricky and in complex environments you will inevitably end up in situations |
| 75 |
outside of the scope of the effort. I prefer practicality ;) |
| 76 |
|
| 77 |
|
| 78 |
> > So if you want a consistent GID for a group, store the group name and gid |
| 79 |
> > in ldap and sync it; do not rely on your distro to do it. IMHO doing so |
| 80 |
> is |
| 81 |
> > a design error. |
| 82 |
> Which is incompatible with NFSv3. |
| 83 |
> |
| 84 |
|
| 85 |
How so? (to be clear, most of my experience is with sec=krb5 nfsv3, and I |
| 86 |
haven't had to futz with it in a number of years.) |
| 87 |
But IIRC nfsv3 sends the uid / gid numbers in the protocol; you can't send |
| 88 |
names. Which is why you need consistent uid / gids. But I do not quite |
| 89 |
grasp how using LDAP to achieve this breaks nfsv3. |
| 90 |
|
| 91 |
|
| 92 |
> |
| 93 |
> > > [1] $ egrep '(enewgroup|enewuser)' * -R | awk -F '/' '{print $1 "/" |
| 94 |
> $2}' | |
| 95 |
> > > grep -v eclass | sort -u | wc -l |
| 96 |
> > > 443 |
| 97 |
> > > So there not so much gid uids needed |
| 98 |
> There are definitely entries like these, so be very careful in your |
| 99 |
> counting. |
| 100 |
> enewgroup $PN |
| 101 |
> enewuser ${PN} -1 -1 /var/lib/${PN} ${PN} |
| 102 |
> |
| 103 |
> Based on counting unique tuples of |
| 104 |
> ($CAT/$PN, $ARGS, I count 410+ of each enewgroup and enewuser calls. |
| 105 |
> |
| 106 |
> $ git grep -e 'enewuser ' -e 'enewgroup ' | \ |
| 107 |
> sed -r -e 's,/[^/]+:[[:space:]]*,/: ,g' -e 's,#.*,,g' | \ |
| 108 |
> grep -e ': enew' |sort |uniq |
| 109 |
> |
| 110 |
> Also watch out for packages that create MULTIPLE users/groups for privilege |
| 111 |
> separation (qmail is notorious for this). |
| 112 |
> |
| 113 |
> -- |
| 114 |
> Robin Hugh Johnson |
| 115 |
> Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee |
| 116 |
> E-Mail : robbat2@g.o |
| 117 |
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 118 |
> |
| 119 |
> |
Archives