Re: RFC: Fixing the "nobody" user?

Lennart Poettering wrote on Mon, 18 Jul 2016 at 14:39 +0200:
> Heya!
> 
> I'd like to start a discussion regarding the "nobody" user on Fedora,
> and propose that we change its definition sooner or later. I am not
> proposing a feature according to the feature process for this yet, but
> my hope is that these discussions will lead to one eventually.

Thanks for starting the discussion on Fedora devel - as there already
was https://bugzilla.redhat.com/show_bug.cgi?id=1350526 - where it ended
up closed NOTABUG - as the nfs-utils maintainer is concerned about such
a change ( https://bugzilla.redhat.com/show_bug.cgi?id=1350526#c3 ) - and
most of the commenters (moved across several components) recommended a
"not a bug" resolution.

I agree that with containers and user namespaces, an overflow uid named
"nfsnobody" confuses users. But is there really some good and
non-disruptive solution? E.g. the overflow id can be changed to something
different than (uint16_t) -2, but is it the right way?

> Most distributions (in particular Debian/Ubuntu-based ones) map the
> user "nobody" to UID 65534. I think we should change Fedora to do the
> same. Background:
> 
> On Linux two UIDs are special: that's UID 0 for root, which is the
> privileged user we all know. And then there's UID 65534
> (i.e. (uint16_t) -2), which is less well known. The Linux kernel calls
> it the "overflow" UID. It has four purposes:
> 
> 1. The kernel maps UIDs > 65535 to it when some subsystem/API/fs
>    only supports 16bit UIDs, but a 32bit UID is passed to it.
> 
> 2. It's used by the kernel's user namespacing as the internal UID
>    that external UIDs are mapped to that don't have any local mapping.
> 
> 3. It's used by NFS for all user IDs that cannot be mapped locally if
>    UID mapping is enabled.
> 
> 4. Once upon a time some system daemons chose to run as the "nobody"
>    user, instead of a proper system user of their own. But this is
>    universally frowned upon, and isn't done on any current systems
>    afaics. In fact, to my knowledge Fedora even prohibits this
>    explicitly in its policy (?).
> 
> The uses 1-3 are relevant today, use 4 is clearly obsolete
> afaics. Uses 1-3 can be subsumed pretty nicely as "the UID something
> that cannot be mapped properly is mapped to".
> 
> On Fedora, we currently have a "nobody" user that is defined to UID
> 99. It's defined unconditionally like this. To my knowledge there's no
> actual use of this user at all in Fedora however. The UID 65514
> carries no name by default on Fedora, but as soon as you install the
> NFS utils it gets mapped to the "nfsnobody" user name, misleadingly
> indicating that it would be used only by NFS even though it's a much
> more general concept. I figure the NFS guys adopted the name
> "nfsnobody" for this, simply because "nobody" was already taken by UID
> 99 on Fedora, unlike on other distributions.

It is really a historical reason. I don't think there was common
agreement at the time when 99 for nobody was selected (at least several
different approaches were in place these days).

> In the context of user namespacing the UID 65534 appears a lot more
> often as owner of various files. For example, if you turn on user
> namespacing in typical container managers you'll notice that a ton of
> files in /proc will then be owned by this user. Very confusingly, in a
> container that includes the NFS utils all those files actually show up
> as "nfsnobody"-owned now, even though there's no relation to NFS at all
> for them.
> 
> I'd like to propose that we clean this up, and just make Fedora work
> like all other distributions. After all the reason of having this
> special UID in the first place is to sidestep mapping problems between
> different UID "realms". Hence I think it would be wise to at least
> make the name of this very special UID somewhat more stable and
> well-defined between distributions.
> 
> I think this is of particular relevance as Debian/Ubuntu-based
> container images tend to be substantially more popular than
> Fedora-based ones, and hence I think we should try to unify at least
> the names and semantics of the two special UIDs all distros have, to
> minimize mapping problems and making user interaction in containers a
> bit more friendly.
> 
> You might ask of course, why Fedora should change to adopt
> Debian's/Ubuntu's definition, instead of conversely making them adopt
> Fedora's definition? Well, that's simple: Debian's definition makes a
> lot more sense than Fedora's. And nothing we ship actually makes use
> of Fedora's definition afaics, and we currently carry a workaround
> called "nfsnobody" in some cases to avoid having to fix this properly.

It is not just Fedora, ArchLinux uses 99 nobody as well - as far as I
know. And probably some other systems as well. Debian, Ubuntu and
OpenSUSE use 65534 (although OpenSUSE seems to use 65534:65533 to add
even more confusion).
Citing Wiki:
"Nobody: Historically, the user “nobody” was assigned UID -2 by several
operating systems, although other values such as 2^15−1 = 32,767 are
also in use, such as by OpenBSD ( http://gnats.netbsd.org/6594 ). For
compatibility between 16-bit and 32-bit UIDs, many Linux distributions
now set it to be 2^16−2 = 65,534; the Linux kernel defaults to returning
this value when a 32-bit UID does not fit into the return value of the
16-bit system calls ( http://lwn.net/Articles/532593/ ). An alternative
convention assigns the last UID of the range statically allocated for
system use (0-99) to nobody: 99."



> Another option would be to define an entirely new user name for 65534,
> for example "void" or so. But quite frankly, that sounds like a
> pointless bikeshedding exercise, and creates even more confusion,
> balkanization and political hassles if you'd try to convince other
> distros to adopt the same scheme too.
> 
> Hence, let's go for "nobody == 65534" on Fedora too! And let's unify
> the various distributions a tiny bit more, on this specific aspect.

And potentially break some scripts that rely either on "nfsnobody" or on
id. This is something we don't have control over.

> What could a transition look like? I figure new installs should get
> "nobody" defined to 65534. Old installs should keep the old
> definitions in place instead. The NFS packages should be updated to
> not create the "nfsnobody" user if there's already another user mapped
> to 65534 (maybe it already does that?). Of course it's not pretty if
> old and new systems use different definitions for this user, but I
> think it's not too much of a real-life issue, as most code that refers
> to this group already does so by UID instead of name, simply because
> the name is not stable across distributions.
> 
> Opinions?

I agree that having uid -2 named "nfsnobody" is just confusing with user
namespaces and containers - and we should find some way to solve it.
I don't agree that changing 99 "nobody" to 65534 "nobody" in the
default /etc/passwd and not using "nfsnobody" in default new nfs-utils
installations is the right way to solve the issue. It might be less
confusing for some users and more in sync with Debian (and less with
e.g. ArchLinux), but it has the potential to break something and imho
brings only very low benefit.

Regards,
       Ondrej
> 
> Lennart
> 

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
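
Added example, not part of the original message or of any project's code: a model of the container case discussed in the thread, where a host UID with no entry in the user namespace's uid_map is seen as the overflow UID 65534 and then named by whatever the container's /etc/passwd assigns to it. The passwd contents and the uid_map range `0 100000 65536` are constructed sample data, and the function names are hypothetical.

```python
OVERFLOW_UID = 65534  # (uint16_t) -2; kernel default of /proc/sys/kernel/overflowuid

# Constructed sample data (assumed layouts, not taken from a real system).
FEDORA_CONTAINER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
"""
DEBIAN_CONTAINER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
# /proc/<pid>/uid_map format: "<first UID inside> <first UID outside> <count>"
UID_MAP = "0 100000 65536\n"


def names_by_uid(passwd_text):
    """Parse passwd-format text into {uid: first account name with that UID}."""
    names = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            names.setdefault(int(fields[2]), fields[0])
    return names


def uid_inside_namespace(host_uid, uid_map_text, overflow=OVERFLOW_UID):
    """Translate a host UID into the namespace; unmapped UIDs become the overflow UID."""
    for line in uid_map_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        inside, outside, count = (int(p) for p in parts)
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return overflow


def displayed_owner(host_uid, uid_map_text, passwd_text):
    """Owner name a tool such as ls would print inside the container."""
    uid = uid_inside_namespace(host_uid, uid_map_text)
    return names_by_uid(passwd_text).get(uid, str(uid))


if __name__ == "__main__":
    for label, passwd in (("fedora", FEDORA_CONTAINER_PASSWD),
                          ("debian", DEBIAN_CONTAINER_PASSWD)):
        # Host UID 0 has no mapping in UID_MAP; host UID 100000 is container root.
        print(label, displayed_owner(0, UID_MAP, passwd),
              displayed_owner(100000, UID_MAP, passwd))
```
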