On Mon, 2016-07-18 at 14:39 +0200, Lennart Poettering wrote: > Heya! > > I'd like to start a discussion regarding the "nobody" user on Fedora, > and propose that we change its definition sooner or later. I am not > proposing a feature according to the feature process for this yet, > but > my hope is that these discussions will lead to one eventually. > > Most distributions (in particular Debian/Ubuntu-based ones) map the > user "nobody" to UID 65534. I think we should change Fedora to do the > same. Background: > > On Linux two UIDs are special: that's UID 0 for root, which is the > privileged user we all know. And then there's UID 65534 > (i.e. (uint16_t) -2), which is less well known. The Linux kernel > calls > it the "overflow" UID. It has four purposes: > > 1. The kernel maps UIDs > 65535 to it when when some subsystem/API/fs > only supports 16bit UIDs, but a 32bit UID is passed to it. > > 2. it's used by the kernel's user namespacing as a the internal UID > that external UIDs are mapped to that don't have any local > mapping. > > 3. It's used by NFS for all user IDs that cannot be mapped locally if > UID mapping is enabled. > > 4. One upon a time some system daemons chose to run as the "nobody" > user, instead of a proper system user of their own. But this is > universally frowned upon, and isn't done on any current systems > afaics. In fact, to my knowledge Fedora even prohibits this > explicitly in its policy (?). > > The uses 1-3 are relevant today, use 4 is clearly obsolete > afaics. Uses 1-3 can be subsumed pretty nicely as "the UID something > that cannot be mapped properly is mapped to". > > On Fedora, we currently have a "nobody" user that is defined to UID > 99. It's defined unconditionally like this. To my knowledge there's > no > actual use of this user at all in Fedora however. The UID 65514 > carries no name by default on Fedora, but as soon as you install the > NFS utils it gets mapped to the "nfsnobody" user name, misleadingly > indicating that it would be used only by NFS even though it's a much > more general concept. I figure the NFS guys adopted the name > "nfsnobody" for this, simply because "nobody" was already taken by > UID > 99 on Fedora, unlike on other distributions. > > In the context of user namespacing the UID 65534 appears a lot more > often as owner of various files. For example, if you turn on user > namespacing in typical container managers you'll notice that a ton of > files in /proc will then be owned by this user. Very confusingly, in > a > container that includes the NFS utils all those files actually show > up > as "nfsnobody"-owned now, even though there's no relation to NFS at > all > for them. > > I'd like to propose that we clean this up, and just make Fedora work > like all other distributions. After all the reason of having this > special UID in the first place is to sidestep mapping problems > between > different UID "realms". Hence I think it would be wise to at least > make the name of this very special UID somewhat more stable and > well-defined between distributions. > > I think this is of particular relevance as Debian/Ubuntu-based > container images tend to be substantially more popular than > Fedora-based ones, and hence I think we should try to unify at least > the names and semantics of the two special UIDs all distros have, to > minimize mapping problems and making user interaction in containers a > bit more friendly. > > You might ask of course, why Fedora should change to adopt > Debian's/Ubuntu's definition, instead of conversely making them adopt > Fedora's definition? Well, that's simple: Debian's definition makes a > lot more sense than Fedora's. And nothing we ship actually makes use > of FEdora's definition afaics, and we currently carry a workaround > called "nfsnobody" in some cases to avoid having to fix this > properly. > > Another option would be to define an entirely new user name for > 65534, > for example "void" or so. But quite frankly, that sounds like a > pointless bikeshedding excercise, and creates even more confusion, > balkanization and political hassles if you'd try to convince other > distros to adopt the same scheme too. > > Hence, let's go for "nobody == 65534" on Fedora too! And let's unify > the various dsitributions a tiny bit more, on this specific aspect. > > How could a transition look like? I figure new installs should get > "nobody" defined to 65534. Old installs should keep the old > definitions in place instead. The NFS packages should be updated to > not create the "nfsnobody" user if there's already another user > mapped > to 65534 (maybe it already does that?). Of course it's not pretty if > old and new systems use different definitions for this user, but I > think it's not too much of a real-life issue, as most code that > refers > to this group already does so by UID instead of name, simply because > the name is not stable across distributions. > > Opinions? +1, Simo. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
