Zbigniew Jędrzejewski-Szmek píše v Ne 15. 01. 2017 v 00:13 +0000: > https://git.fedorahosted.org/cgit/setup.git/tree/uidgid has a list > of "soft static" uids and gids. > > Currently FPC has a process for allocating new numbers on this list, > but here's a number of static uid/gid allocations from old times, > which are not necessary. Dropping them will allow those numbers to be > used in the dynamic pool, reducing the risk of exhaustion of system > uids or gids. Dynamic pool uses static id area only in the worst case when uid/gids 200-999 are already allocated. >From the users listed down only "games" user is created by default - so unless the package that creates the uid/gid is installed, their ids can theoretically be used for dynamic ids creation. If they are on the system, you will not get anything by removal of static allocation - as they will occupy some dynamic id anyway. > (A "soft static" allocation is only needed for two reasons [1]: > - the user is used in the initramfs AND files or processes are carried > over into the real system, > - the UID is used on shared between systems. Third reason is sometimes mentioned - to prevent leak of "sensitive data" to other "dynamically allocated" when old system user is removed (and files owned by that users not deleted). But this is more hypothetical case. > All other packages should use "dynamic" allocation, i.e. create > the user/group in %pre and get any free number.) > > I thought I'd file a ticket against setup, but since there's a large > number of items on this list, I decided to ask here first. > Any objection to dropping (from the static list) any of the following? > > == No need for static allocation, afaict > games, man, slocate, squid, named, postgres, mysql, nscd, > rpcuser, rpc, rpm, ntp, mailman, gdm, utempter, apache, smmsp, > tomcat, frontpage, nut, beagleindex, avahi, tcpdmp, privoxy, radvd, > imap, majordomo, polkituser, screen, clamav, saned, mock, ricci, luci I agree for some of these I don't see any need for static id allocation - and they have static id allocated only for historical reasons. (typo s/tcpdmp/tcpdump btw.). I don't see imap in the uidgid file. > > == The following are completely unused? > console, wnn, haldaemon, vcsa, realtime, nocpulse, desktop, jonas, > pvm, xfs >From 45 ids listed above, 40 were reserved before I got maintenance of the setup package (2008). Only 4 (saned, mock, ricci, luci) were added by me and 1 is not in uidgid file at all. Reason for mock is explained in https://bugzilla.redhat.com/show_bug.cgi?id=928063#c0 . For ricci/luci, I expect reason for the static id is they belong to High Availability/Cluster... However, they were dropped meanwhile. Saned probably doesn't need static id, though. However, even if I drop these static allocation, I don't think we can reuse them for any other static allocations anytime soon - as this could mean dynamic allocation for the new potentially statically allocated account - if the system was maintained via upgrades from older Fedoras/RHELs/CentOS. IMHO, drop of these allocation doesn't bring much gain (except cleaner uidgid file) and brings some potential risks that can show in future. Regards, Ondrej > [1] The guidelines (https://fedoraproject.org/wiki/Packaging:UsersAndGroups) > don't mention the first reason, only the second one. Oh well, changing that > is probably not worth the effort. > > Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
