Re: RFC: Fixing the "nobody" user?

On Mon, Jul 18, 2016 at 03:59:09PM +0200, Ondřej Vašík wrote:
> Lennart Poettering wrote on Mon 18. 07. 2016 at 14:39 +0200:
> > Heya!
> > 
> > I'd like to start a discussion regarding the "nobody" user on Fedora,
> > and propose that we change its definition sooner or later. I am not
> > proposing a feature according to the feature process for this yet, but
> > my hope is that these discussions will lead to one eventually.
> 
> Thanks for starting the discussion on Fedora devel - as there already
> was https://bugzilla.redhat.com/show_bug.cgi?id=1350526 - where it ended
> up closed NOTABUG - as the nfs-utils maintainer is concerned about such
> change ( https://bugzilla.redhat.com/show_bug.cgi?id=1350526#c3 ) - and
> most of the commenters (moved across several components) recommended "not a
> bug" resolution. 

That was me.  (I'm not the nfs-utils maintainer, though.)

I honestly didn't think about it much beyond: there might be some risk
to the change, so it needs some justification.

So, trying to think it through some more from an NFS point of view:

For authentication, RPC uses either numeric IDs or Kerberos names.

For referring to principals in file owners, groups, or ACLs, NFSv2/v3
uses numeric IDs; NFSv4 may use string names instead in some cases.

So in the NFSv4 case you could end up with a read-modify-write of an ACL
resulting in on-disk references to uid 99 turning into 65534's.

That can happen in the local case too if, say, you're using a
commandline utility that uses names, and you map 99 and 65534 both to
"nobody" and "nobody" back to 65534.

NFS users can already see that sort of behavior in mixed-distro
environments.

Anyway, I don't know.  It'd certainly be nice to see the current
situation cleaned up.  I don't feel like I understand what might break
on transition.

--b.

> 
> I agree with containers and user namespaces, overflow uid named
> "nfsnobody" confuses users. But is there really some good and
> non-disruptive solution? e.g. the overflow id can be changed to something
> different than (uint16_t) -2, but is it the right way?
> 
> > Most distributions (in particular Debian/Ubuntu-based ones) map the
> > user "nobody" to UID 65534. I think we should change Fedora to do the
> > same. Background:
> > 
> > On Linux two UIDs are special: that's UID 0 for root, which is the
> > privileged user we all know. And then there's UID 65534
> > (i.e. (uint16_t) -2), which is less well known. The Linux kernel calls
> > it the "overflow" UID. It has four purposes:
> > 
> > 1. The kernel maps UIDs > 65535 to it when some subsystem/API/fs
> >    only supports 16bit UIDs, but a 32bit UID is passed to it.
> > 
> > 2. It's used by the kernel's user namespacing as the internal UID
> >    that external UIDs are mapped to that don't have any local mapping.
> > 
> > 3. It's used by NFS for all user IDs that cannot be mapped locally if
> >    UID mapping is enabled.
> > 
> > 4. Once upon a time some system daemons chose to run as the "nobody"
> >    user, instead of a proper system user of their own. But this is
> >    universally frowned upon, and isn't done on any current systems
> >    afaics. In fact, to my knowledge Fedora even prohibits this
> >    explicitly in its policy (?).
> > 
> > The uses 1-3 are relevant today, use 4 is clearly obsolete
> > afaics. Uses 1-3 can be subsumed pretty nicely as "the UID something
> > that cannot be mapped properly is mapped to".
> > 
> > On Fedora, we currently have a "nobody" user that is defined to UID
> > 99. It's defined unconditionally like this. To my knowledge there's no
> > actual use of this user at all in Fedora however. The UID 65514
> > carries no name by default on Fedora, but as soon as you install the
> > NFS utils it gets mapped to the "nfsnobody" user name, misleadingly
> > indicating that it would be used only by NFS even though it's a much
> > more general concept. I figure the NFS guys adopted the name
> > "nfsnobody" for this, simply because "nobody" was already taken by UID
> > 99 on Fedora, unlike on other distributions.
> 
> It is really a historical reason. I don't think there was common
> agreement at the time when 99 for nobody was selected (at least several
> different approaches were in place these days).
> 
> > In the context of user namespacing the UID 65534 appears a lot more
> > often as owner of various files. For example, if you turn on user
> > namespacing in typical container managers you'll notice that a ton of
> > files in /proc will then be owned by this user. Very confusingly, in a
> > container that includes the NFS utils all those files actually show up
> > as "nfsnobody"-owned now, even though there's no relation to NFS at all
> > for them.
> > 
> > I'd like to propose that we clean this up, and just make Fedora work
> > like all other distributions. After all the reason of having this
> > special UID in the first place is to sidestep mapping problems between
> > different UID "realms". Hence I think it would be wise to at least
> > make the name of this very special UID somewhat more stable and
> > well-defined between distributions.
> > 
> > I think this is of particular relevance as Debian/Ubuntu-based
> > container images tend to be substantially more popular than
> > Fedora-based ones, and hence I think we should try to unify at least
> > the names and semantics of the two special UIDs all distros have, to
> > minimize mapping problems and making user interaction in containers a
> > bit more friendly.
> > 
> > You might ask of course, why Fedora should change to adopt
> > Debian's/Ubuntu's definition, instead of conversely making them adopt
> > Fedora's definition? Well, that's simple: Debian's definition makes a
> > lot more sense than Fedora's. And nothing we ship actually makes use
> > of Fedora's definition afaics, and we currently carry a workaround
> > called "nfsnobody" in some cases to avoid having to fix this properly.
> 
> It is not just Fedora, ArchLinux uses 99 nobody as well - as far as I
> know. And probably some other systems as well. Debian, Ubuntu and
> OpenSUSE use 65534 (although OpenSUSE seems to use 65534:65533 to add
> even more confusion)
> Citing Wiki:
> "Nobody: Historically, the user “nobody” was assigned UID -2 by several
> operating systems, although other values such as 2^15−1 = 32,767 are
> also in use, such as by OpenBSD ( http://gnats.netbsd.org/6594 ). For
> compatibility between 16-bit and 32-bit UIDs, many Linux distributions
> now set it to be 2^16−2 = 65,534; the Linux kernel defaults to returning
> this value when a 32-bit UID does not fit into the return value of the
> 16-bit system calls ( http://lwn.net/Articles/532593/ ). An alternative
> convention assigns the last UID of the range statically allocated for
> system use (0-99) to nobody: 99."
> 
> 
> 
> > Another option would be to define an entirely new user name for 65534,
> > for example "void" or so. But quite frankly, that sounds like a
> > pointless bikeshedding exercise, and creates even more confusion,
> > balkanization and political hassles if you'd try to convince other
> > distros to adopt the same scheme too.
> > 
> > Hence, let's go for "nobody == 65534" on Fedora too! And let's unify
> > the various distributions a tiny bit more, on this specific aspect.
> 
> And potentially break some scripts that rely either on "nfsnobody" or on
> id. This is something where we don't have control over it.
> 
> > What could a transition look like? I figure new installs should get
> > "nobody" defined to 65534. Old installs should keep the old
> > definitions in place instead. The NFS packages should be updated to
> > not create the "nfsnobody" user if there's already another user mapped
> > to 65534 (maybe it already does that?). Of course it's not pretty if
> > old and new systems use different definitions for this user, but I
> > think it's not too much of a real-life issue, as most code that refers
> > to this group already does so by UID instead of name, simply because
> > the name is not stable across distributions.
> > 
> > Opinions?
> 
> I agree having uid -2 named "nfsnobody" is just confusing with user
> namespaces and containers - and we should find some way to solve it.
> I don't agree that changing 99 "nobody" to 65534 "nobody" in
> default /etc/passwd and not using "nfsnobody" in default new nfs-utils
> installations is the right way to solve the issue. It might be less
> confusing for some users and more in sync with Debian (and less with
> e.g. ArchLinux), but has the potential to break something and imho
> brings only very low benefit.
> 
> Regards,
>        Ondrej
> > 
> > Lennart
> > 
> 
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
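
The name round trip described in the reply above (uid 99 and 65534 both named "nobody", with "nobody" resolving back to 65534), modelled as an added example that is not part of the original message. The passwd contents are constructed, and the first-match-wins lookup is an assumption of the model.

```python
# Constructed sample passwd data (not taken from any real system).
# ALIASED: two UIDs share the name "nobody"; the name resolves to the first entry.
ALIASED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Overflow user:/:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

# FEDORA_STYLE: the layout discussed in the thread, distinct names per UID.
FEDORA_STYLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS user:/var/lib/nfs:/sbin/nologin
"""


def build_maps(passwd_text):
    """Return (uid_to_name, name_to_uid). Assumption: the first matching
    entry wins in both directions, as in a sequential scan of the file."""
    uid_to_name, name_to_uid = {}, {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 3 or not fields[2].isdigit():
            continue  # skip comments and malformed entries
        name, uid = fields[0], int(fields[2])
        uid_to_name.setdefault(uid, name)
        name_to_uid.setdefault(name, uid)
    return uid_to_name, name_to_uid


def lossy_uids(uid_to_name, name_to_uid):
    """UIDs that do not survive uid -> name -> uid, mapped to what they become."""
    return {uid: name_to_uid[name]
            for uid, name in uid_to_name.items()
            if name_to_uid[name] != uid}


def rewrite_acl(acl, uid_to_name, name_to_uid):
    """Model a read-modify-write through names: each entry is read as a name
    and written back as whatever UID that name resolves to."""
    rewritten = []
    for uid, perms in acl:
        name = uid_to_name.get(uid)
        # A UID with no name is shown numerically, so it round-trips unchanged.
        new_uid = name_to_uid[name] if name is not None else uid
        rewritten.append((new_uid, perms))
    return rewritten
```

Running `lossy_uids` over the maps built from a host's real passwd data before a transition lists the on-disk owners that a name-based tool would silently rewrite.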