Re: strawman proposal: homed directories for users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Di, 08.10.24 12:46, Stephen Gallagher (sgallagh@xxxxxxxxxx) wrote:

> I suspect you're talking past one another here; in practice, IPA has a
> random set of ID ranges that (IIRC) essentially owns the ID space of
> 10,000 - 2,010,000. (It's possible for the installer to set an
> arbitrary range outside that, but it's a custom choice). So you could
> probably reserve the IDs above 20,010,000 for homed in that situation.

Uh, that seems like a problematic choice for IPA. First of all within
that range is the UID 65534, i.e. the linux nobody/overflow/unmapped
UID. You should not delegate this UID for any users. Moreover, 65535
(the -1 value in 16bit) is special, as it indicates "don't change" in
various legacy APIs, old file systems and so on. Newer apis generally
use 4294967295 for that (i.e. -1 in 32bit), but for compat 65535
should be avoided to.

If you so will, the uids 0, 65534, 65535, 4294967295 all have some
special meaning to Linux, and should not be used for regular
users. Hence it's highly problematic if IPA just delegates 65534 or
65535 to its regular users, as you appear to suggest.

But there's more: container managers typically do not delegate more than 64K
UIDs to containers (that's what nspawn does, and as I understand, other
container managers map even less space by default). Yes, you can
delegate more if you do extra work, but it's not what happens by
default. This means, UIDs < 2^16 are more "valuable" than those >=
2^16. In particular for stuff that shall "just work" inside of
containers it's kinda relevant to stick to ranges <
2^16. (systemd-homed's local UID allocations qualify as that)

With your definitions above you basically take most of that range for
IPA as private property, and I think that's just not OK, it's leaves
no space for anyone else in the 16bit range really (under the
assumption that 1000…60000 are for classic /etc/passwd users, which is
what Fedora's login.defs dictates).

(BTW: talking about login.defs: if IPA wants to take possession from
UID range 10000 on, you are conflicting with Fedora's login.defs
definition which assigns the range 1000…60000 to regular users,
i.e. /etc/passwd)

Hence, what I'd like to ask IPA to do do is first of all stay away
from the 65534 + 65535 UIDs, that's just a major bug if you ask
me. I'd then like IPA to say away from the regular user range declared
in login.defs, i.e. UIDs < 60K. But also: leave some room in the 16bit
range, outside of the regular user range for other users.

My suggestion: change IPA to allocate from the range 65536…524287
range or so. Or alternatively from 1879048192…2147483647, which would
mean it wouldn't conflict with anything else anymore.

I understand that existing IPA deployments ignore all this, and that's
bad but hard to change. But at the very least, maybe for future
installations suggest better ranges.

We documented all our UID assignments and their reasons here:

https://systemd.io/UIDS-GIDS/

It would be very wise if IPA maintained a similar document with its
assignments, and similar considerations regarding the special UID
ranges and everything. Double assignments like the login.defs or
overflow UID stuff really should be avoided, and good documentation
helps for that.

I'd also be happy to update the UID/GID table on aforementioned
systemd documentation and delegate some range explicitly to IPA (or
IPA-like usecases) there, but for that I'd need some committment that
at least future IPA installations would honour it.

Lennart

--
Lennart Poettering, Berlin
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux