Re: RFC: Fixing the "nobody" user?


On Mon, Jul 18, 2016 at 8:39 AM, Lennart Poettering
<mzerqung@xxxxxxxxxxx> wrote:

> On Fedora, we currently have a "nobody" user that is defined to UID
> 99. It's defined unconditionally like this. To my knowledge there's no
> actual use of this user at all in Fedora however. The UID 65514
> carries no name by default on Fedora, but as soon as you install the
> NFS utils it gets mapped to the "nfsnobody" user name, misleadingly
> indicating that it would be used only by NFS even though it's a much
> more general concept. I figure the NFS guys adopted the name
> "nfsnobody" for this, simply because "nobody" was already taken by UID
> 99 on Fedora, unlike on other distributions.

At first glance it makes some sense. 2^32-2 doesn't force it into
64-bit space, it's tested on other operating systems, I'm concerned
that overlapping "nobody" with the working "nfsnobody" is going to
break tools. I'm also concerned that it will change behavior for "tar",
"rsync", "star", and other programs that can be configured to store
and extract usernames *or* uids, or a mix of both.

> In the context of user namespacing the UID 65534 appears a lot more
> often as owner of various files. For example, if you turn on user
> namespacing in typical container managers you'll notice that a ton of
> files in /proc will then be owned by this user. Very confusingly, in a
> container that includes the NFS utils all those files actually show up
> as "nfsnobody"-owned now, even though there's no relation to NFS at all
> for them.

And this is where the shift in behavior would get confusing.

> What could a transition look like? I figure new installs should get
> "nobody" defined to 65534. Old installs should keep the old
> definitions in place instead. The NFS packages should be updated to
> not create the "nfsnobody" user if there's already another user mapped
> to 65534 (maybe it already does that?). Of course it's not pretty if
> old and new systems use different definitions for this user, but I
> think it's not too much of a real-life issue, as most code that refers
> to this group already does so by UID instead of name, simply because
> the name is not stable across distributions.

Like I said, I'm thinking of "rsync", "tar", and "star". Also,
people.... do some interesting scripting to detect things like failed
NFS configurations. I'm not saying that's a blocker, but shifting it
to overlap with the current "nfsnobody" is likely to break some
people's tools in the field, especially if they run the latest Fedora
alongside RHEL, CentOS, or previous Fedora releases.

> Opinions?
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
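Added example, not part of the thread or of any Fedora tooling: a sketch of the name-versus-UID concern raised above for tools such as tar and rsync, which map ownership by name unless told to use numeric IDs (`tar --numeric-owner`, `rsync --numeric-ids`). The two passwd excerpts are constructed to mirror the layouts described in the thread, and the helper names are hypothetical.

```python
# Added illustration; passwd excerpts are constructed, helper names are hypothetical.
OLD_LAYOUT = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
"""
NEW_LAYOUT = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
"""

def parse_passwd(text):
    """Return (name -> uid, uid -> [names]) for passwd(5)-format text."""
    by_name, by_uid = {}, {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip blanks, comments and malformed entries
        name, uid = fields[0], int(fields[2])
        if name not in by_name:  # first entry wins, as with getpwnam()
            by_name[name] = uid
        by_uid.setdefault(uid, []).append(name)
    return by_name, by_uid

def name_drift(src_text, dst_text):
    """Accounts whose files change numeric owner when restored by name.

    Models a name-preferring restore: use the destination's UID for the
    stored name if that name exists there, otherwise keep the stored UID.
    """
    src_names, _ = parse_passwd(src_text)
    dst_names, _ = parse_passwd(dst_text)
    return [(n, u, dst_names[n]) for n, u in sorted(src_names.items())
            if n in dst_names and dst_names[n] != u]

def label_for(uid, text):
    """Name(s) that tools like ls show for a UID under the given layout."""
    return parse_passwd(text)[1].get(uid, [])

if __name__ == "__main__":
    for src, dst, tag in ((OLD_LAYOUT, NEW_LAYOUT, "old -> new"),
                          (NEW_LAYOUT, OLD_LAYOUT, "new -> old")):
        for name, before, after in name_drift(src, dst):
            print(f"{tag}: files owned by {name!r} move from UID {before} to {after}")
    print("UID 65534 shows as", label_for(65534, OLD_LAYOUT),
          "vs", label_for(65534, NEW_LAYOUT))
```

Running the same comparison against real `getent passwd` output from each host shows which archives or sync jobs need numeric-ID mode before hosts with different layouts exchange files.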



