2011/5/25 "Jóhann B. Guðmundsson" <johannbg@xxxxxxxxx>:
> On 05/25/2011 12:30 AM, Dennis Gilmore wrote:
>> On Tuesday, May 24, 2011 10:25:44 AM Toshio Kuratomi wrote:
>>> On Tue, May 24, 2011 at 1:59 AM, Peter Vrabec <pvrabec@xxxxxxxxxx> wrote:
>>>> Hi all,
>>>>
>>>> I'd like to inform you that I have changed UID_MIN & GID_MIN from 500 to
>>>> 1000 in upgraded shadow-utils.
>>>>
>>>> Where?
>>>> /etc/login.defs.
>>>> shadow-utils-4.1.4.3-1.fc16
>>>>
>>>> I suppose UID/GID_MIN=1000 is more common (other distros, upstream). We
>>>> are not in situation that 500 IDs for system accounts ought to be enough
>>>> for anybody. Actually, it was not 500. It was 299 because range 0-200 is
>>>> for reserved IDs. There are 799 non reserved IDs for system accounts
>>>> available after this change.
>>> This change should be made as a Feature for F16 and needs some
>>> thought/coordination put behind it. There's several issues that I
>>> see:
>>>
>>> * AFAIK, we actually have not run into the 500 uid limit yet (although
>>> it is a bit low to be comfortable)
>>> * AFAIK, we've only allocated the range 0-100 for reserved IDs.
>>> * The 0-100 reserved IDs are actually the pain point that we need to
>>> deal with, not the dynamic system ids in the 101-499 range.
>>> * We don't know how many, if any IDs this actually gets us for the
>>> dynamic range because any site that has already filled the 500-1000
>>> UID range won't gain any extra dynamic system account through this
>>> change.
>>> * This could potentially break sites that are currently using the
>>> 500-1000 UID range and rely on the order of allocation of UIDs for
>>> their users on new machines matching with the UIDs on old machines.
>>> (For instance, NFS UIDs on filesystems matching between a box
>>> installed with RHEL5 and a box that gets newly installed with F16).
>>>
>>> -Toshio
>> I'm with Toshio here, there are potential pitfalls with many legacy systems.
>> there is also great potential that system ids from newer systems will clash
>> with legacy ids in ldap and nis setups, we really should make it a feature as
>> it really deserves to be widely announced. not quietly on the list here where
>> it will likely get forgotten until users are bitten when they start deploying
>> f16 boxes.
>>
>> Dennis
>
> Agreed
>
> Is there a distro wide/*nix wide agreement on what and which range
> reserved/system IDs are supposed to be?
>
> If there is not a general consciousness regarding reserved/system IDs
> and what they are supposed to be there will always be the risk of
> colliding with ids on other distribution and *nix platforms.
>

There is a standard but not a consensus:
http://refspecs.linux-foundation.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/uidrange.html

One problem is that the LSB is very strict in its ranges there but: 1)
not every distro follows it and 2) the static range is definitely too
small.

> I recommend this be made a feature and the feature owners contact at
> least all major distributions and potentially other *nix platforms and
> distro/*nix wide consciousness be made and when this change is made that
> change would reflect the consciousness that was reached.
>

Coordination would be nice if we can decide on how we can sanely make
changes to this.

-Toshio
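
The two risks raised in this thread (existing users in the 500-999 range, and the same UID meaning different accounts on old and new hosts, e.g. over NFS) can be audited before rollout. The following is an added example, not part of the original messages or of shadow-utils; the function names and all sample file contents are constructed for illustration.

```python
# Added example: constructed inputs, hypothetical function names.
OLD_UID_MIN = 500  # UID_MIN before the change discussed in the thread

LOGIN_DEFS = """\
# constructed /etc/login.defs excerpt from a host with the new defaults
UID_MIN   1000
GID_MIN   1000
"""
LEGACY_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:998:998::/home/bob:/bin/bash
carol:x:1000:1000::/home/carol:/bin/bash
"""
NEW_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
exampled:x:998:998:constructed system account:/:/sbin/nologin
carol:x:1000:1000::/home/carol:/bin/bash
"""

def read_setting(login_defs, key, default):
    """Return the integer value of `key` in login.defs text, else `default`."""
    for line in login_defs.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(words) >= 2 and words[0] == key:
            return int(words[1])
    return default

def parse_passwd(text):
    """Map uid -> account name, skipping malformed passwd(5) lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            accounts[int(fields[2])] = fields[0]
    return accounts

def users_in_new_system_range(passwd, old_min, new_min):
    """Accounts that were regular users under old_min but sit below new_min."""
    return sorted((uid, name) for uid, name in parse_passwd(passwd).items()
                  if old_min <= uid < new_min)

def cross_host_conflicts(passwd_a, passwd_b):
    """UIDs that map to different account names on the two hosts."""
    a, b = parse_passwd(passwd_a), parse_passwd(passwd_b)
    return sorted((uid, a[uid], b[uid]) for uid in a.keys() & b.keys()
                  if a[uid] != b[uid])

if __name__ == "__main__":
    new_min = read_setting(LOGIN_DEFS, "UID_MIN", OLD_UID_MIN)
    print(users_in_new_system_range(LEGACY_PASSWD, OLD_UID_MIN, new_min))
    print(cross_host_conflicts(LEGACY_PASSWD, NEW_PASSWD))
```

On real hosts the same functions can be fed the contents of `/etc/login.defs` and `/etc/passwd` (or a `getent passwd` dump, which also covers LDAP and NIS accounts).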