On 05/15/2015 02:41 AM, Sage Weil wrote:
> On Thu, 14 May 2015, Robert LeBlanc wrote:
>> On Thu, May 14, 2015 at 10:08 AM, Sage Weil wrote:
>>> The above should have no impact on other distros where a fixed UID/GID
>>> is already set in the package.
>>
>> This sounds pretty reasonable to me! Perhaps there can be a 'default'
>> (but still opt-in) uid that is reserved and won't conflict going forward,
>> but may conflict with legacy environments? That at least minimizes
>> complexity/pain for fresh environments (which I suspect will
>> be the bulk of the install base)?
>>
>>
>> Since there is no guarantee, can we just default to the same UID/GID that
>> was received from Debian, or is there a known conflict in RH/Cent/SUSE/etc?
>
> The Fedora UID is 167.
> - fedora: 0-200 = fixed allocations
> - debian: 100-999 = dynamically allocated
> - suse: 100-499 = dynamically allocated system users
>
> The Debian UID is likely to be 64045.
> - fedora: undefined (1000-60000 = user accounts, nothing above that)
> - debian: 60000-64999 = reserved fixed uids, dynamically created
> - suse: undefined (1000-60000 = user accounts, nothing above that)
>
> I'm not sure which is less likely: colliding with a dynamically allocated
> system user (how many of those are there?)

Some random data: my openSUSE desktop system has about 35 dynamically
allocated system users. Looking at my mostly-clean SLE 11 and SLE 12
test systems, each seems to have about 10 dynamically allocated users,
although interestingly SLE 11 starts adding these from 100, and
increments, while SLE 12 seems to start at 499 and go backwards.

> or a regular user (64045 is a very large uid).

My earlier thought was "everyone should follow Debian because it's a
very large UID", but this is still risky because high ranges can
conflict with UID ranges chosen when using an LDAP, AD or other backend.
I can't state a specific conflict, just that there are sites whose
chosen user UID ranges overlap. This is actually a real issue; there
are sites that have all systems (i.e.: even their servers) running such
backends, because they need users, even the sysadmins, to log in as a
regular user using that backend (then `sudo` or whatever for admin work)
due to auditing/security policies.

Regards,

Tim
-- 
Tim Serong
Senior Clustering Engineer
SUSE
tserong@xxxxxxxx
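Added example, not part of the original thread: a pre-install check of the two candidate UIDs discussed above (167 and 64045) against existing accounts, plus a count of accounts in the 100-499 dynamic system range. The function names, the `PASSWD_DATA` override, the `ceph` account name and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample passwd data (not from a real system): two dynamically
# allocated system users and one directory-backed user sitting on 64045.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
messagebus:x:499:499:dbus:/var/run/dbus:/bin/false
polkitd:x:498:498:polkit:/var/lib/polkit:/bin/false
ldapuser:x:64045:5000:Directory user:/home/ldapuser:/bin/sh'

# uid_owner UID: print the account name holding UID, or nothing if it is free.
# On a live system this is a direct getent lookup by UID, which goes through
# NSS and so also sees LDAP/AD users even where enumeration is disabled.
uid_owner() {
    if [ -n "${PASSWD_DATA:-}" ]; then
        printf '%s\n' "$PASSWD_DATA" | awk -F: -v uid="$1" '$3 == uid { print $1 }'
    else
        getent passwd "$1" | cut -d: -f1
    fi
}

# check_uid UID NAME: return 0 if UID is free or already belongs to NAME,
# return 1 if a different account holds it.
check_uid() {
    owner=$(uid_owner "$1")
    if [ -z "$owner" ]; then
        echo "uid $1: free"; return 0
    elif [ "$owner" = "$2" ]; then
        echo "uid $1: already assigned to $2"; return 0
    fi
    echo "uid $1: CONFLICT, held by '$owner'"; return 1
}

# count_in_range LO HI: number of accounts with LO <= uid <= HI.
# Live mode relies on enumeration, so directory users may be undercounted.
count_in_range() {
    { if [ -n "${PASSWD_DATA:-}" ]; then printf '%s\n' "$PASSWD_DATA"; else getent passwd; fi; } |
        awk -F: -v lo="$1" -v hi="$2" '$3 >= lo && $3 <= hi { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; unset PASSWD_DATA to query the live system.
PASSWD_DATA=$SAMPLE_PASSWD
for uid in 167 64045; do check_uid "$uid" ceph || true; done
echo "accounts in 100-499: $(count_in_range 100 499)"
```

Run with `PASSWD_DATA` unset on each target host, including hosts that resolve users through a directory backend, before committing to a fixed UID.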