2009/4/28 Ondřej Vašík <ovasik@xxxxxxxxxx>:
> Hello,
> at the moment static system level uid/gid's are handled by setup package
> and /usr/share/doc/setup-*/uidgid file. There is threshold of system
> uid/gid's - it's uid/gid 100. Another way to reserve "static" uid/gid
> reservation is http://fedoraproject.org/wiki/PackageUserRegistry ...
> usable only for Fedora and only semi-static (as base id could be easily
> changed).
> As we are running out of the free uid/gid's in uidgid reservation file
> (no free gid's in fact at the moment), it has to be solved somehow...
> there are quite often requests for uidgid reservations as it increases
> security in many cases...
> What's the best way to handle that situation? One possibility is to
> increase the threshold of system level id's (to 200? 300?), another is
> to check current reservation and clean long-term unused reservations (I
> doubt there are many such cases, so it's only temporary solution). Other
> could be sharing groups (as static uid's are still available), but
> that's not always good solution.

One long term solution is to replace (or rather back up) the uid/gid
integer system with uuids. This also helps with other problems like
Windows interop.

Here's a blog post about a change Solaris made in this respect:
http://blogs.sun.com/nico/entry/dealing_with_windows_sids_in

Mailing list thread in NFSv4 context:
http://www.nfsv4.org/nfsv4-wg-archive-dec-96-jan-03/1440.html

I'm sure there's other stuff out there.

Another thing to consider would be relying on SELinux domains for new
daemons, just give them e.g. the "daemon" uid.