On Wed, 2011-05-25 at 10:55 +0200, Peter Vrabec wrote: > Hi, > > On Tuesday, May 24, 2011 05:25:44 PM Toshio Kuratomi wrote: > > On Tue, May 24, 2011 at 1:59 AM, Peter Vrabec <pvrabec@xxxxxxxxxx> wrote: > > > Hi all, > > > > > > I'd like to inform you that I have changed UID_MIN & GID_MIN from 500 to > > > 1000 in upgraded shadow-utils. > > > > > > Where? > > > /etc/login.defs. > > > shadow-utils-4.1.4.3-1.fc16 > > > > > > I suppose UID/GID_MIN=1000 is more common(other distros, upstream). We > > > are not in situation that 500 IDs for system accounts ought to be enough > > > for anybody. Actually, it was not 500.It was 299 because range 0-200 is > > > for reserved IDs. There are 799 non reserved IDs for system accounts > > > available after this change. > > > > This change should be made as a Feature for F16 and needs some > > thought/coordination put behind it. There's several issues that I > > see: > > > > * AFAIK, we actually have not run into the 500 uid limit yet (although > > it is a bit low to be comfortable) > > * AFAIK, we've only allocated the range 0-100 for reserved IDs. > > * The 0-100 reserved IDs are actually the pain point that we need to > > deal with, not the dynamic system ids in the 101-499 range. > We use 0-200 for reserved IDs since > http://lists.fedoraproject.org/pipermail/devel/2009-April/028740.html Actually since July 2009 - there are no free uid/gid's left bellow 100. And yes, I'm giving static assignments only for system accounts which potentially can handle/own sensitive information or do communicate with other systems - so I rejected some requests for static ID's reservation. > > > * We don't know how many, if any IDs this actually gets us for the > > dynamic range because any site that has already filled the 500-1000 > > UID range won't gain any extra dynamic system account through this > > change. > > * This could potentially break sites that are currently using the > > 500-1000 UID range and rely on the order of allocation of UIDs for > > their users on new machines matching with the UIDs on old machines. > > (For instance, NFS UIDs on filesystems matching between a box > > installed with RHEL5 and a box that gets newly installed with F16). > > > > -Toshio > > I'm not against wider announcement. I'm just not sure what is the right way - > F16 Feature/Release Notes/ .... ? We can also annouce the 200 limit for > reserved IDs. ;) Probably makes sense :) ... even some ID sanity validator/checker might be good idea for this "feature". Ondrej Vasik -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
