WOW... Why do you guys keep picking on NFS?? :-)

On 01/10/2018 05:46 AM, Jan Kurik wrote:
> = System Wide Change: Rename "nobody" user =
> https://fedoraproject.org/wiki/Changes/RenameNobodyUser
>
> Change owner(s):
> * Zbigniew Jędrzejewski-Szmek <zbyszek AT in DOT waw DOT pl>
> * Lennart Poettering <lpoetter AT redhat DOT com>
>
> Use "nobody:nobody" as the names for the kernel overflow UID:GID pair,
> and retire the old "nfsnobody" name and the old "nobody:nogroup" pair
> with 99:99 numbers
>
>
> == Detailed Description ==
> Status quo: Fedora statically defines "nobody:nobody" pair with
> uid:gid of 99:99 in setup.rpm, and "nfsnobody:nfsnobody" pair with
> uid:gid of 65534:65534 in nfs-utils.rpm.
>
> This is problematic in a few different ways:
> * 65534:65534 is used by the kernel as the overflow identifier, when
> some UID cannot be represented in the current namespace. This applies
> to both NFS, but probably more commonly nowadays to UIDs outside of
> the current user namespace (e.g. when a file or process owned by a
> user from outside of a container). Calling this "nfsnobody" is
> misleading.

Misleading to whom??? -2 has been used since the 80's. There has to be
a uid/gid to map unknown uid/gid to.

> * the name for the overflow user is only defined when nfs-utils.rpm is
> installed. In particular in containers people want to minimize the
> number of packages installed, so nfs-utils is likely not to be
> installed.

So if nfs-utils is not installed... the id/gid will not be created.

> * the static nobody:nobody user/group pair was used for various
> services which weren't "worthy" of creating a dedicated user. This
> is a severely misguided concept, because all processes of the nobody
> user can ptrace and otherwise interact with each other. Separate users
> for each service should be used instead, either normal allocated users
> or systemd's DynamicUser's.
> * other distributions use either nobody:nobody or nobody:nogroup for
> the overflow uid:gid pair, and the different naming in Fedora is
> confusing and can lead to incorrect use.

But the uid/gid are still -2.

>
> We propose to:
> * stop using nfsnobody for the overflow uid/gid names
> * stop using nobody for the static user 99 and group 99
> * use the nobody:nobody pair of names for 65534:65534

What are you going to replace it with?? When a server gives a client a
uid/gid that it does know about, the client has to have a uid/gid to map
it to. Somebody has to own the files.

>
> On existing systems, to make upgrades easier:
> * if nfsnobody was defined, keep it in /etc/passwd *after* the new
> line for nobody:nobody, so that both the old name and the new name map
> to the same numbers
> * if nobody user or group with number 99 was defined, keep it in
> /etc/passwd and /etc/group, but rename to _nobody

WHY??? What problem is this solving??

>
> The new mapping for nobody:nobody would be implemented in two redundant ways:
> * as a static allocation in /etc/passwd and /etc/group managed by setup.rpm
> * dynamically provided by the nss-systemd module (by compiling systemd
> with -Dnobody-user=nobody -Dnobody-group=nobody).

Again... I have to ask why? What problem is this solving?

>
>
>
> == Scope ==
> * Proposal owners:
> - recompile systemd with the right options to get expected answer from
> nss-systemd
> - propose patches for setup.rpm to add the new mapping and do the
> steps listed in Detailed Description on update
> - propose patches for nfs-utils to remove the nfsnobody mapping and do
> the steps listed in Detailed Description on update
>
> * Other developers:
> watch for regressions

Watch out??? Expect! When you start messing around with uid/gid in the
NFS world... you're going to break things... most likely legacy worlds...

This is a very bad idea... IMHO...

steved.
>
> * Release engineering:
> #7258: https://pagure.io/releng/issue/7258
>
> * List of deliverables:
> N/A
>
> * Policies and guidelines:
> nothing
> (https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups
> already says "Note that system services packaged for Fedora MUST NOT
> run as the nobody user" so no changes are required there.)
>
> * Trademark approval:
> N/A (not needed for this Change)
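As an added example (not code from the proposal, from systemd, or from anyone in this thread), the upgrade rule quoted above, keeping a legacy nfsnobody line *after* the new nobody:nobody line so both names still resolve to 65534, can be audited on passwd data. The sample passwd lines are constructed, and the lookup semantics assumed are those of getpwuid(3)/getpwnam(3): name->uid works for every alias, uid->name returns the first entry in file order.

```python
# Constructed example, not the proposal's code: audit passwd(5) data for the overflow-UID
# layout described in the thread. Assumes getpwuid(3) semantics: first entry in file order wins.
from typing import List, NamedTuple, Optional

KERNEL_OVERFLOW_UID = 65534  # kernel default; live value in /proc/sys/kernel/overflowuid

# Constructed sample data: status quo vs. the proposed layout (nfsnobody kept after nobody).
PASSWD_STATUS_QUO = """nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
"""
PASSWD_PROPOSED = """nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
_nobody:x:99:99:Nobody:/:/sbin/nologin
"""

class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int

def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd lines, preserving file order."""
    entries = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, *_rest = line.split(":")
            entries.append(PasswdEntry(name, int(uid), int(gid)))
    return entries

def names_for_uid(entries: List[PasswdEntry], uid: int) -> List[str]:
    """All names sharing a uid, in file order; index 0 is what uid->name lookups return."""
    return [e.name for e in entries if e.uid == uid]

def uid_of(entries: List[PasswdEntry], name: str) -> Optional[int]:
    """Name->uid lookup; every alias resolves regardless of position."""
    return next((e.uid for e in entries if e.name == name), None)

def audit_overflow_mapping(entries: List[PasswdEntry]) -> List[str]:
    """Return findings; an empty list means the layout matches the proposal."""
    findings = []
    overflow = names_for_uid(entries, KERNEL_OVERFLOW_UID)
    if not overflow:
        findings.append(f"no entry for overflow uid {KERNEL_OVERFLOW_UID}")
    elif overflow[0] != "nobody":
        findings.append(f"uid {KERNEL_OVERFLOW_UID} resolves to {overflow[0]!r}, not 'nobody'")
    nfs_uid = uid_of(entries, "nfsnobody")
    if nfs_uid is not None and nfs_uid != KERNEL_OVERFLOW_UID:
        findings.append("nfsnobody present but does not alias the overflow uid")
    if uid_of(entries, "nobody") == 99:
        findings.append("static nobody still has uid 99 (proposal renames it _nobody)")
    return findings
```

Running the audit on the status-quo sample reports two findings (65534 resolves to nfsnobody, and nobody is still uid 99); on the proposed layout it reports none, while both nobody and nfsnobody still resolve to 65534.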