1 |
On Sun, Dec 13, 2015 at 10:39 PM, Robin H. Johnson <robbat2@g.o> |
2 |
wrote: |
3 |
|
4 |
> On Sun, Dec 13, 2015 at 02:23:29PM -0800, Alec Warner wrote: |
5 |
> > 1) Why do you need deterministic uid / gid's? |
6 |
> > 2) If you do need deterministic uid / gid's, I would recommend storing |
7 |
> them |
8 |
> > all in the same place. |
9 |
> They are ALL for system users and groups. |
10 |
> |
11 |
|
12 |
What does that mean though? What is a System user or a System group? |
13 |
Why should you not store them in the user / group directory? |
14 |
|
15 |
|
16 |
> |
17 |
> TL;DR: if you're sharing data/config for system users/groups between |
18 |
> multiple systems based on UID/GID (not username), you need consistent |
19 |
> generation. |
20 |
> |
21 |
|
22 |
> Data on NFSv[23], with a shared apache/nginx user was one of the |
23 |
> original examples. I agree since then, that the data should NOT be owned |
24 |
> by apache/nginx anymore (NFSv4 also solves the problem). |
25 |
> |
26 |
|
27 |
This is certainly one workaround (you generate a shard user / role user |
28 |
that is the same uid / gid on every machine and you make that own the data |
29 |
/ run the service.) But you might as well just add apache to LDAP and call |
30 |
it a day? |
31 |
|
32 |
|
33 |
> |
34 |
> A much newer example, is let's consider the system group 'plugdev'. It's |
35 |
> one that is created dynamically at the moment. |
36 |
> |
37 |
> If I want to put my user in that group LDAP-wide, and have an LDAP |
38 |
> environment, I need to make sure the plugdev GID is the same on all |
39 |
> systems (actually it also varies slightly depending which LDAP group |
40 |
> membership model you're using for NSS data). |
41 |
> |
42 |
> > For example, you typically want a deterministic UID for a user. To |
43 |
> > accomplish this, you add that user to LDAP, give them a UID in LDAP, and |
44 |
> > then either add LDAP to nssswitch or use something like nsscache to sync |
45 |
> > the ldap UID's into the local system. |
46 |
> > |
47 |
> > 3) If you need deterministic GID's I would recommend storing them all in |
48 |
> > LDAP and syncing the group memberships locally. |
49 |
> So you want to define the group twice? Both in LDAP and locally? |
50 |
> |
51 |
|
52 |
Sorry, when I said sync I meant nsscache or similar. I understand why that |
53 |
would be confusing ;) |
54 |
|
55 |
|
56 |
> |
57 |
> > I never understood why people would think the distro should handle unique |
58 |
> > gid / uids. Plus you usually end up running: |
59 |
> > |
60 |
> > 1) More than one distro. |
61 |
> > 2) More than one 'flavor' of a single distro where for whatever reason, |
62 |
> uid |
63 |
> > and gid decisions differed (they renumbered, etc.) |
64 |
> Here's the work LSB did on it, with further references to what more |
65 |
> distros do: |
66 |
> |
67 |
> https://github.com/LinuxStandardBase/lsb/blob/master/documents/wip/userNaming.txt |
68 |
> |
69 |
> Here's the debian central database for it: |
70 |
> https://anonscm.debian.org/cgit/users/cjwatson/base-passwd.git/tree/README |
71 |
> |
72 |
> |
73 |
I'm not opposed to this effort, simply that getting everyone to conform is |
74 |
tricky and in complex environments you will inevitably end up in situations |
75 |
outside of the scope of the effort. I prefer practicality ;) |
76 |
|
77 |
|
78 |
> > So if you want a consistent GID for a group, store the group name and gid |
79 |
> > in ldap and sync it; do not rely on your distro to do it. IMHO doing so |
80 |
> is |
81 |
> > a design error. |
82 |
> Which is incompatible with NFSv3. |
83 |
> |
84 |
|
85 |
How so? (to be clear, most of my experience is with sec=krb5 nfsv3, and I |
86 |
haven't had to futz with it in a number of years.) |
87 |
But IIRC nfsv3 sends the uid / gid numbers in the protocol; you can't send |
88 |
names. Which is why you need consistent uid / gids. But I do not quite |
89 |
grasp how using LDAP to achieve this breaks nfsv3. |
90 |
|
91 |
|
92 |
> |
93 |
> > > [1] $ egrep '(enewgroup|enewuser)' * -R | awk -F '/' '{print $1 "/" |
94 |
> $2}' | |
95 |
> > > grep -v eclass | sort -u | wc -l |
96 |
> > > 443 |
97 |
> > > So there not so much gid uids needed |
98 |
> There are definitely entries like these, so be very careful in your |
99 |
> counting. |
100 |
> enewgroup $PN |
101 |
> enewuser ${PN} -1 -1 /var/lib/${PN} ${PN} |
102 |
> |
103 |
> Based on counting unique tuples of |
104 |
> ($CAT/$PN, $ARGS, I count 410+ of each enewgroup and enewuser calls. |
105 |
> |
106 |
> $ git grep -e 'enewuser ' -e 'enewgroup ' | \ |
107 |
> sed -r -e 's,/[^/]+:[[:space:]]*,/: ,g' -e 's,#.*,,g' | \ |
108 |
> grep -e ': enew' |sort |uniq |
109 |
> |
110 |
> Also watch out for packages that create MULTIPLE users/groups for privilege |
111 |
> separation (qmail is notorious for this). |
112 |
> |
113 |
> -- |
114 |
> Robin Hugh Johnson |
115 |
> Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee |
116 |
> E-Mail : robbat2@g.o |
117 |
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
118 |
> |
119 |
> |