* [PATCH 1/4] uuidgen: fail if uuidd isn't running
@ 2011-06-16 13:59 Ludwig Nussel
From: Ludwig Nussel @ 2011-06-16 13:59 UTC (permalink / raw)
To: util-linux; +Cc: Ludwig Nussel
Time-based UUIDs are not safe if uuidd is not running.
Add option --force to generate a uuid in this case nevertheless.
---
misc-utils/uuidgen.c | 51 ++++++++++++++++++++++++++++++++++---------------
1 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/misc-utils/uuidgen.c b/misc-utils/uuidgen.c
index 3cf6ec9..b83b124 100644
--- a/misc-utils/uuidgen.c
+++ b/misc-utils/uuidgen.c
@@ -10,34 +10,43 @@
*/
#include <stdio.h>
-#ifdef HAVE_STDLIB_H
#include <stdlib.h>
-#endif
-#ifdef HAVE_GETOPT_H
#include <getopt.h>
-#else
-extern int getopt(int argc, char * const argv[], const char *optstring);
-extern char *optarg;
-extern int optind;
-#endif
#include "uuid.h"
#include "nls.h"
+#include "c.h"
#define DO_TYPE_TIME 1
#define DO_TYPE_RANDOM 2
-static void usage(const char *progname)
+static const struct option long_options[] = {
+ { "time", 0, NULL, 't' },
+ { "random", 0, NULL, 'r' },
+ { "force", 0, NULL, 128 },
+ { "help", 0, NULL, 'h' },
+ { 0, 0, 0, 0 }
+};
+
+static void usage(int ex)
{
- fprintf(stderr, _("Usage: %s [-r] [-t]\n"), progname);
- exit(1);
+ printf(_("Usage: %s [options]\n"
+ " -r, --random Generate a random-based UUID\n"
+ " -t, --time Generate a time-based UUID\n"
+ " --force print uuid even if it's potentially weak\n"
+ " -h, --help Display this text\n"),
+ program_invocation_short_name);
+ exit(ex);
}
+
+
int
main (int argc, char *argv[])
{
int c;
int do_type = 0;
+ int force = 0;
char str[37];
uuid_t uu;
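Review bot: usage() writes with printf() to stdout regardless of the exit status it is given, so the `usage(1)` call from the `default:` branch of the option loop (next hunk) prints the help text to stdout on an invalid option, where a script capturing uuidgen's output would read it as the result. Choosing the stream from the status keeps stdout clean on error: `FILE *out = ex ? stderr : stdout;` followed by `fprintf(out, _("Usage: %s [options]\n" ...), program_invocation_short_name);`. main() starts in this hunk and continues past its end.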
@@ -45,21 +54,31 @@ main (int argc, char *argv[])
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
- while ((c = getopt (argc, argv, "tr")) != EOF)
+ while ((c = getopt_long(argc, argv, "rth", long_options, NULL)) != EOF ) {
switch (c) {
- case 't':
- do_type = DO_TYPE_TIME;
+ case 'h':
+ usage(0);
break;
case 'r':
do_type = DO_TYPE_RANDOM;
break;
+ case 't':
+ do_type = DO_TYPE_TIME;
+ break;
+ case 128:
+ force = 1;
+ break;
default:
- usage(argv[0]);
+ usage(1);
}
+ }
switch (do_type) {
case DO_TYPE_TIME:
- uuid_generate_time(uu);
+ if (uuid_generate_time_safe(uu) && !force) {
+ fprintf(stderr, _("uuidd not running or not operational.\n"));
+ exit(1);
+ }
break;
case DO_TYPE_RANDOM:
uuid_generate_random(uu);
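Review bot: The loop condition `!= EOF` at the top of the option loop compares getopt_long()'s result against a stdio constant; its documented end-of-options return is -1, so `!= -1` states the contract directly even if EOF happens to be -1 on the libcs this builds on. The `break` after `usage(0)` is unreachable because usage() calls exit(); marking usage() `__attribute__((noreturn))` or dropping the break would make that explicit. The message printed when uuid_generate_time_safe() returns non-zero names only uuidd, while the uuid_generate(3) text touched by patch 4/4 lists the clock state file as the other synchronization mechanism, so mentioning it would point an admin without uuidd at the second remedy. main() continues outside the hunk.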
--
1.7.3.4
* [PATCH 2/4] uuid: implement uuid_generate_random_safe
From: Ludwig Nussel @ 2011-06-16 13:59 UTC (permalink / raw)
To: util-linux; +Cc: Ludwig Nussel
uuid_generate_random_safe() cannot really fail but it may use a weak
random number generator as fallback.
---
libuuid/src/gen_uuid.c | 32 +++++++++++++++++++++++++++++---
libuuid/src/uuid.h | 4 +++-
libuuid/src/uuid.sym | 2 ++
misc-utils/uuidgen.c | 10 ++++++++--
4 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/libuuid/src/gen_uuid.c b/libuuid/src/gen_uuid.c
index f4c8997..0c81a5c 100644
--- a/libuuid/src/gen_uuid.c
+++ b/libuuid/src/gen_uuid.c
@@ -693,6 +693,18 @@ void uuid_generate_random(uuid_t out)
__uuid_generate_random(out, &num);
}
+int uuid_generate_random_safe(uuid_t out)
+{
+ int num = 1;
+ /* No real reason to use the daemon for random uuid's -- yet */
+
+ if (get_random_fd() < 0)
+ return -1;
+
+ __uuid_generate_random(out, &num);
+ return 0;
+}
+
/*
* This is the generic front-end to uuid_generate_random and
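Review bot: uuid_generate_random_safe() returns -1 before writing anything to `out` when get_random_fd() fails, which contradicts the commit message ("cannot really fail but it may use a weak random number generator as fallback") and leaves `out` untouched; with `--force` the DO_TYPE_RANDOM branch in the misc-utils/uuidgen.c hunk of this patch then unparses an uninitialized `uu`. Generating first and reporting the quality afterwards matches the stated contract: `int rc = get_random_fd() < 0 ? -1 : 0;` `__uuid_generate_random(out, &num);` `return rc;`. That contract also deserves a comment on the function, e.g. `/* Always fills out; returns -1 when no /dev/[u]random descriptor was available and the fallback generator was used. */`. Whether __uuid_generate_random() really falls back without a descriptor is outside this hunk; the surrounding comment about /dev/urandom suggests it does.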
@@ -700,10 +712,24 @@ void uuid_generate_random(uuid_t out)
* /dev/urandom is available, since otherwise we won't have
* high-quality randomness.
*/
-void uuid_generate(uuid_t out)
+static int _uuid_generate(uuid_t out)
{
if (get_random_fd() >= 0)
- uuid_generate_random(out);
+ {
+ int num = 1;
+ __uuid_generate_random(out, &num);
+ return 0;
+ }
else
- uuid_generate_time(out);
+ return uuid_generate_time_generic(out);
+}
+
+void uuid_generate(uuid_t out)
+{
+ (void)_uuid_generate(out);
+}
+
+int uuid_generate_safe(uuid_t out)
+{
+ return _uuid_generate(out);
}
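Review bot: The `if` branch of _uuid_generate() re-implements the success path of uuid_generate_random_safe() from the previous hunk (`int num = 1; __uuid_generate_random(out, &num); return 0;`); `return uuid_generate_random_safe(out);` there leaves one place that defines a random UUID and its return code. uuid_generate_safe() is a new exported entry point with no comment stating what its non-zero return denotes: the comment above the front-end describes which generator is chosen, not the result, so a line such as `/* Returns 0 when /dev/[u]random was available, otherwise whatever uuid_generate_time_generic() reports for the time-based fallback. */` would document it. The `else` after a block that returns can also go.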
diff --git a/libuuid/src/uuid.h b/libuuid/src/uuid.h
index 874d65a..2771255 100644
--- a/libuuid/src/uuid.h
+++ b/libuuid/src/uuid.h
@@ -79,7 +79,9 @@ void uuid_copy(uuid_t dst, const uuid_t src);
void uuid_generate(uuid_t out);
void uuid_generate_random(uuid_t out);
void uuid_generate_time(uuid_t out);
-int uuid_generate_time_safe(uuid_t out);
+int uuid_generate_time_safe(uuid_t out) __attribute__((warn_unused_result));
+int uuid_generate_random_safe(uuid_t out) __attribute__((warn_unused_result));
+int uuid_generate_safe(uuid_t out) __attribute__((warn_unused_result));
/* isnull.c */
int uuid_is_null(const uuid_t uu);
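Review bot: `__attribute__((warn_unused_result))` appears bare on three prototypes of the installed public header, which any compiler may include; gen_uuid.c itself carries an `#ifdef _WIN32` section (visible in patch 3/4), so a non-GNU compiler rejecting these declarations is a realistic build break, and the project's c.h cannot be pulled into a public header to solve it. A header-local macro that expands to the attribute only under `__GNUC__` keeps the warning where it is available and leaves the header portable elsewhere.
```c
#if defined(__GNUC__)
# define UUID_WARN_UNUSED_RESULT __attribute__((warn_unused_result))
#else
# define UUID_WARN_UNUSED_RESULT
#endif

int uuid_generate_time_safe(uuid_t out) UUID_WARN_UNUSED_RESULT;
int uuid_generate_random_safe(uuid_t out) UUID_WARN_UNUSED_RESULT;
int uuid_generate_safe(uuid_t out) UUID_WARN_UNUSED_RESULT;
```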
diff --git a/libuuid/src/uuid.sym b/libuuid/src/uuid.sym
index 2cad51b..aec79e7 100644
--- a/libuuid/src/uuid.sym
+++ b/libuuid/src/uuid.sym
@@ -30,6 +30,8 @@ global:
UUID_2.20 {
global:
uuid_generate_time_safe;
+ uuid_generate_random_safe;
+ uuid_generate_safe;
} UUID_1.0;
diff --git a/misc-utils/uuidgen.c b/misc-utils/uuidgen.c
index b83b124..e81e065 100644
--- a/misc-utils/uuidgen.c
+++ b/misc-utils/uuidgen.c
@@ -81,10 +81,16 @@ main (int argc, char *argv[])
}
break;
case DO_TYPE_RANDOM:
- uuid_generate_random(uu);
+ if (uuid_generate_random_safe(uu) && !force) {
+ fprintf(stderr, _("/dev/[u]random unavailable.\n"));
+ exit(1);
+ }
break;
default:
- uuid_generate(uu);
+ if (uuid_generate_safe(uu) && !force) {
+ fprintf(stderr, _("/dev/[u]random unavailable and uuidd not running.\n"));
+ exit(1);
+ }
break;
}
--
1.7.3.4
* [PATCH 3/4] uuid: use new functions by default
From: Ludwig Nussel @ 2011-06-16 13:59 UTC (permalink / raw)
To: util-linux; +Cc: Ludwig Nussel
---
libuuid/src/gen_uuid.c | 2 ++
libuuid/src/uuid.h | 12 +++++++++---
misc-utils/uuidgen.c | 6 +++---
3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/libuuid/src/gen_uuid.c b/libuuid/src/gen_uuid.c
index 0c81a5c..e6f8b74 100644
--- a/libuuid/src/gen_uuid.c
+++ b/libuuid/src/gen_uuid.c
@@ -38,6 +38,8 @@
*/
#define _SVID_SOURCE
+#define LIBUUID_UNSAFE_LEGACY_PROTOTYPES
+
#ifdef _WIN32
#define _WIN32_WINNT 0x0500
#include <windows.h>
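Review bot: The new `#define LIBUUID_UNSAFE_LEGACY_PROTOTYPES` has no comment, and its effect is only visible in uuid.h (next hunk), where it selects the void-returning prototypes over the static inline wrappers; a reader of gen_uuid.c cannot tell why a translation unit would opt into "unsafe legacy" declarations. A one-line comment such as `/* This file defines the legacy uuid_generate*() symbols, so it needs their real prototypes rather than the inline wrappers uuid.h installs otherwise. */` would explain it. The define also relies on preceding the uuid.h include, which is outside this hunk.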
diff --git a/libuuid/src/uuid.h b/libuuid/src/uuid.h
index 2771255..fec4f8c 100644
--- a/libuuid/src/uuid.h
+++ b/libuuid/src/uuid.h
@@ -76,12 +76,18 @@ int uuid_compare(const uuid_t uu1, const uuid_t uu2);
void uuid_copy(uuid_t dst, const uuid_t src);
/* gen_uuid.c */
-void uuid_generate(uuid_t out);
-void uuid_generate_random(uuid_t out);
-void uuid_generate_time(uuid_t out);
int uuid_generate_time_safe(uuid_t out) __attribute__((warn_unused_result));
int uuid_generate_random_safe(uuid_t out) __attribute__((warn_unused_result));
int uuid_generate_safe(uuid_t out) __attribute__((warn_unused_result));
+#ifdef LIBUUID_UNSAFE_LEGACY_PROTOTYPES
+void uuid_generate(uuid_t out) __attribute__((deprecated));
+void uuid_generate_random(uuid_t out) __attribute__((deprecated));
+void uuid_generate_time(uuid_t out) __attribute__((deprecated));
+#else
+static inline int uuid_generate_time(uuid_t out) { return uuid_generate_time_safe(out); }
+static inline int uuid_generate_random(uuid_t out) { return uuid_generate_random_safe(out); }
+static inline int uuid_generate(uuid_t out) { return uuid_generate_safe(out); }
+#endif
/* isnull.c */
int uuid_is_null(const uuid_t uu);
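Review bot: The `#ifdef LIBUUID_UNSAFE_LEGACY_PROTOTYPES` block is undocumented, yet it changes the return type of uuid_generate(), uuid_generate_random() and uuid_generate_time() from void to int for every consumer of the header. If the approach is kept, a comment above the `#ifdef` should state that the macro is defined by the library's own sources (and by any consumer that needs the void-returning ABI), and that the default branch silently redirects callers to the *_safe variants. The three inline wrappers carry no `warn_unused_result`, so a caller that ignores the new int result gets no warning, unlike the *_safe prototypes just above them; the `#else` branch could apply the attribute the same way.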
diff --git a/misc-utils/uuidgen.c b/misc-utils/uuidgen.c
index e81e065..094f953 100644
--- a/misc-utils/uuidgen.c
+++ b/misc-utils/uuidgen.c
@@ -75,19 +75,19 @@ main (int argc, char *argv[])
switch (do_type) {
case DO_TYPE_TIME:
- if (uuid_generate_time_safe(uu) && !force) {
+ if (uuid_generate_time(uu) && !force) {
fprintf(stderr, _("uuidd not running or not operational.\n"));
exit(1);
}
break;
case DO_TYPE_RANDOM:
- if (uuid_generate_random_safe(uu) && !force) {
+ if (uuid_generate_random(uu) && !force) {
fprintf(stderr, _("/dev/[u]random unavailable.\n"));
exit(1);
}
break;
default:
- if (uuid_generate_safe(uu) && !force) {
+ if (uuid_generate(uu) && !force) {
fprintf(stderr, _("/dev/[u]random unavailable and uuidd not running.\n"));
exit(1);
}
--
1.7.3.4
* [PATCH 4/4] update manpage
From: Ludwig Nussel @ 2011-06-16 13:59 UTC (permalink / raw)
To: util-linux; +Cc: Ludwig Nussel
---
libuuid/man/Makefile.am | 2 +-
libuuid/man/uuid_generate.3 | 28 ++++++++++------------------
misc-utils/uuidgen.1 | 11 ++++++++---
3 files changed, 19 insertions(+), 22 deletions(-)
diff --git a/libuuid/man/Makefile.am b/libuuid/man/Makefile.am
index 8e9ed6d..3880952 100644
--- a/libuuid/man/Makefile.am
+++ b/libuuid/man/Makefile.am
@@ -3,7 +3,7 @@ include $(top_srcdir)/config/include-Makefile.am
dist_man_MANS = uuid.3 uuid_clear.3 uuid_compare.3 uuid_copy.3 uuid_generate.3 \
uuid_is_null.3 uuid_parse.3 uuid_time.3 uuid_unparse.3
-UUID_GENERATE_LINKS = uuid_generate_random.3 uuid_generate_time.3 uuid_generate_time_safe.3
+UUID_GENERATE_LINKS = uuid_generate_random.3 uuid_generate_time.3
man_MANS = $(UUID_GENERATE_LINKS)
CLEANFILES = $(man_MANS)
diff --git a/libuuid/man/uuid_generate.3 b/libuuid/man/uuid_generate.3
index 8185056..2b799ee 100644
--- a/libuuid/man/uuid_generate.3
+++ b/libuuid/man/uuid_generate.3
@@ -31,16 +31,15 @@
.\" Created Wed Mar 10 17:42:12 1999, Andreas Dilger
.TH UUID_GENERATE 3 "May 2009" "util-linux" "Libuuid API"
.SH NAME
-uuid_generate, uuid_generate_random, uuid_generate_time,
-uuid_generate_time_safe \- create a new unique UUID value
+uuid_generate, uuid_generate_random, uuid_generate_time
+\- create a new unique UUID value
.SH SYNOPSIS
.nf
.B #include <uuid/uuid.h>
.sp
-.BI "void uuid_generate(uuid_t " out );
-.BI "void uuid_generate_random(uuid_t " out );
-.BI "void uuid_generate_time(uuid_t " out );
-.BI "int uuid_generate_time_safe(uuid_t " out );
+.BI "int uuid_generate(uuid_t " out );
+.BI "int uuid_generate_random(uuid_t " out );
+.BI "int uuid_generate_time(uuid_t " out );
.fi
.SH DESCRIPTION
The
@@ -82,16 +81,7 @@ to this file) and/or the
daemon, if it is running already or can be be spawned by the process (if
installed and the process has enough permissions to run it). If neither of
these two synchronization mechanisms can be used, it is theoretically possible
-that two concurrently running processes obtain the same UUID(s). To tell
-whether the UUID has been generated in a safe manner, use
-.BR uuid_generate_time_safe .
-.sp
-The
-.B uuid_generate_time_safe
-is similar to
-.BR uuid_generate_time ,
-except that it returns a value which denotes whether any of the synchronization
-mechanisms (see above) has been used.
+that two concurrently running processes obtain the same UUID(s).
.sp
The UUID is 16 bytes (128 bits) long, which gives approximately 3.4x10^38
unique values (there are approximately 10^80 elementary particles in
@@ -101,12 +91,14 @@ The new UUID can reasonably be considered unique among all UUIDs created
on the local system, and among UUIDs created on other systems in the past
and in the future.
.SH RETURN VALUE
+The functions return zero if the UUID has been generated in a safe manner and -1
+if the UUID is potentially weak.
The newly created UUID is returned in the memory location pointed to by
.IR out .
-.B uuid_generate_time_safe
-returns zero if the UUID has been generated in a safe manner, -1 otherwise.
.SH "CONFORMING TO"
OSF DCE 1.1
+.sp
+In the original implementation the functions did not have a return value.
.SH AUTHOR
Theodore Y. Ts'o
.SH AVAILABILITY
diff --git a/misc-utils/uuidgen.1 b/misc-utils/uuidgen.1
index 453a7f5..efb6d9b 100644
--- a/misc-utils/uuidgen.1
+++ b/misc-utils/uuidgen.1
@@ -37,15 +37,20 @@ or
options.
.SH OPTIONS
.TP
-.B \-r
+.B \-r, \-\-random
Generate a random-based UUID. This method creates a UUID consisting mostly
of random bits. It requires that the operating system have a high
quality random number generator, such as
.IR /dev/random .
.TP
-.B \-t
+.B \-t, \-\-time
Generate a time-based UUID. This method creates a UUID based on the system
-clock plus the system's ethernet hardware address, if present.
+clock plus the system's ethernet hardware address, if present. uuidd must be
+running to make sure no duplicate uuids are generated.
+.TP
+.B \-\-force
+Force generating a UUID even if it's potentially weak, ie
+/dev/[u]random not available or uuidd not running.
.SH "CONFORMING TO"
OSF DCE 1.1
.SH AUTHOR
--
1.7.3.4
* Re: [PATCH 1/4] uuidgen: fail if uuidd isn't running
From: Karel Zak @ 2011-06-16 15:38 UTC (permalink / raw)
To: Ludwig Nussel; +Cc: util-linux
On Thu, Jun 16, 2011 at 03:59:36PM +0200, Ludwig Nussel wrote:
> -static void usage(const char *progname)
> +static const struct option long_options[] = {
> + { "time", 0, NULL, 't' },
> + { "random", 0, NULL, 'r' },
> + { "force", 0, NULL, 128 },
^^^^
Why not 'f' (as short option)?
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
* Re: [PATCH 2/4] uuid: implement uuid_generate_random_safe
From: Karel Zak @ 2011-06-16 15:54 UTC (permalink / raw)
To: Ludwig Nussel; +Cc: util-linux
On Thu, Jun 16, 2011 at 03:59:37PM +0200, Ludwig Nussel wrote:
> uuid_generate_random_safe() cannot really fail but it may use a weak
> random number generator as fallback.
> ---
> libuuid/src/gen_uuid.c | 32 +++++++++++++++++++++++++++++---
> libuuid/src/uuid.h | 4 +++-
> libuuid/src/uuid.sym | 2 ++
> misc-utils/uuidgen.c | 10 ++++++++--
> 4 files changed, 42 insertions(+), 6 deletions(-)
>
> diff --git a/libuuid/src/gen_uuid.c b/libuuid/src/gen_uuid.c
> index f4c8997..0c81a5c 100644
> --- a/libuuid/src/gen_uuid.c
> +++ b/libuuid/src/gen_uuid.c
> @@ -693,6 +693,18 @@ void uuid_generate_random(uuid_t out)
> __uuid_generate_random(out, &num);
> }
>
> +int uuid_generate_random_safe(uuid_t out)
> +{
> + int num = 1;
> + /* No real reason to use the daemon for random uuid's -- yet */
> +
> + if (get_random_fd() < 0)
> + return -1;
> +
> + __uuid_generate_random(out, &num);
> + return 0;
> +}
> +
It would be nice to use the same concept for the *_random functions as
we already use for the *_time functions. It means to rename
__uuid_generate_random() to uuid_generate_random_generic().
> /*
> * This is the generic front-end to uuid_generate_random and
> @@ -700,10 +712,24 @@ void uuid_generate_random(uuid_t out)
> * /dev/urandom is available, since otherwise we won't have
> * high-quality randomness.
> */
> -void uuid_generate(uuid_t out)
> +static int _uuid_generate(uuid_t out)
rename to: static int uuid_generate_generic()
> +void uuid_generate(uuid_t out)
> +{
> + (void)_uuid_generate(out);
Don't use "(void)" in the code :-) It's unnecessary.
> +int uuid_generate_time_safe(uuid_t out) __attribute__((warn_unused_result));
> +int uuid_generate_random_safe(uuid_t out) __attribute__((warn_unused_result));
> +int uuid_generate_safe(uuid_t out) __attribute__((warn_unused_result));
Good idea, but is warn_unused_result supported in old gcc versions?
See include/c.h where we have __GNUC_PREREQ stuff.
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
* Re: [PATCH 1/4] uuidgen: fail if uuidd isn't running
From: Ted Ts'o @ 2011-06-17 2:07 UTC (permalink / raw)
To: Ludwig Nussel; +Cc: util-linux
On Thu, Jun 16, 2011 at 03:59:36PM +0200, Ludwig Nussel wrote:
> time bases uuids are not safe if uuidd is not running.
> Add option --force to generate a uuid in this case nevertheless.
I really wouldn't worry about time-based uuid if you're grabbing them
from uuidgen. Yes, if you're generating thousands of uuid's in
parallel via the C interface, it's possible that you potentially force
a collision. But via the command-line interface of uuidgen?
There are plenty of other things to worry about.
- Ted
* Re: [PATCH 2/4] uuid: implement uuid_generate_random_safe
From: Ted Ts'o @ 2011-06-17 2:15 UTC (permalink / raw)
To: Ludwig Nussel; +Cc: util-linux
On Thu, Jun 16, 2011 at 03:59:37PM +0200, Ludwig Nussel wrote:
> +int uuid_generate_random_safe(uuid_t out)
> +{
> + int num = 1;
> + /* No real reason to use the daemon for random uuid's -- yet */
Note that amongst some distributions, there is a very strong
resistance against using the uuidd daemon. Partially because it's
"yet another daemon", partially because any long-running daemon has to
get extra review/auditing because for potential security problems,
etc.
Also please note that there's only *one* user of the uuid library, the
proprietary SAP R/3 system, that generates enough uuids, and with a
high enough frequency, where "safety" has ever been an issue. Most of
the time, people simply aren't generating uuid's at the rate of
thousands a second. So I'm really not convinced it's a good idea to
assume that the uuidd daemon will *always* be installed, let alone be
running, and the wholesale deprecation of the existing interfaces
(which are compatible with interfaces used by a number of other
operating systems, BTW), just because there is this idea that the
existing interfaces are "unsafe". Really, they're not.
- Ted
* Re: [PATCH 2/4] uuid: implement uuid_generate_random_safe
From: Ludwig Nussel @ 2011-06-17 7:37 UTC (permalink / raw)
To: util-linux, Ted Ts'o
Ted Ts'o wrote:
> On Thu, Jun 16, 2011 at 03:59:37PM +0200, Ludwig Nussel wrote:
> > +int uuid_generate_random_safe(uuid_t out)
> > +{
> > + int num = 1;
> > + /* No real reason to use the daemon for random uuid's -- yet */
>
> Note that amongst some distributions, there is a very strong
> resistance against using the uuidd daemon. Partially because it's
> "yet another daemon", partially because any long-running daemon has to
> get extra review/auditing because for potential security problems,
> etc.
Yes, that concerns us too. However I'd rather have uuidd running all
the time, started in a clean environment rather than making it
getuid/setgid. A third option would be to make uuidd startable via
inetd.
> Also please note that there's only *one* user of the uuid library, the
> proprietary SAP R/3 system, that generates enough uuids, and with a
> high enough frequency, where "safety" has ever been an issue. Most of
> the time, people simply aren't generating uuid's at the rate of
> thousands a second.
I can't judge. We got quite some pressure to set the setuid bit on
uuidd by default because 'several customers' demand it. Making the
interface more explicitly require uuidd would defeat arguments that
an application and the admin can't even notice there's a problem.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
* Re: [PATCH 3/4] uuid: use new functions by default
From: Karel Zak @ 2011-06-20 10:35 UTC (permalink / raw)
To: Ludwig Nussel; +Cc: util-linux
On Thu, Jun 16, 2011 at 03:59:38PM +0200, Ludwig Nussel wrote:
> -void uuid_generate(uuid_t out);
> -void uuid_generate_random(uuid_t out);
> -void uuid_generate_time(uuid_t out);
> int uuid_generate_time_safe(uuid_t out) __attribute__((warn_unused_result));
> int uuid_generate_random_safe(uuid_t out) __attribute__((warn_unused_result));
> int uuid_generate_safe(uuid_t out) __attribute__((warn_unused_result));
> +#ifdef LIBUUID_UNSAFE_LEGACY_PROTOTYPES
> +void uuid_generate(uuid_t out) __attribute__((deprecated));
> +void uuid_generate_random(uuid_t out) __attribute__((deprecated));
> +void uuid_generate_time(uuid_t out) __attribute__((deprecated));
> +#else
> +static inline int uuid_generate_time(uuid_t out) { return uuid_generate_time_safe(out); }
> +static inline int uuid_generate_random(uuid_t out) { return uuid_generate_random_safe(out); }
> +static inline int uuid_generate(uuid_t out) { return uuid_generate_safe(out); }
> +#endif
Oh, <censored> ... :-)
Please, move this change to your (SAP) applications. I really don't
want to mess up the library API for a reason which is completely
irrelevant for 99% of all users.
I don't think that overwrite any exported symbols with in-line
functions is a good way how maintain any API.
I don't see a problem to support the *_safe functions for you, but
don't force us to use it.
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
* Re: [PATCH 1/4] uuidgen: fail if uuidd isn't running
From: Karel Zak @ 2011-06-20 10:45 UTC (permalink / raw)
To: Ted Ts'o; +Cc: Ludwig Nussel, util-linux
On Thu, Jun 16, 2011 at 10:07:56PM -0400, Ted Ts'o wrote:
> On Thu, Jun 16, 2011 at 03:59:36PM +0200, Ludwig Nussel wrote:
> > time bases uuids are not safe if uuidd is not running.
> > Add option --force to generate a uuid in this case nevertheless.
>
> I really wouldn't worry about time-based uuid if you're grabbing them
> from uuidgen. Yes, if you're generating thousands of uuid's in
> parallel via the C interface, it's possible that you potentially force
> a collision. But via the command-line interface of uuidgen?
I agree with Ted.
Let's go one step back (sorry Ludwig). It would be really better to
add --safe rather than --force. We can use the --safe option to test
the new *_safe functions or for really paranoid environments, but we
should not force people use the new functionality.
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
* Re: [PATCH 2/4] uuid: implement uuid_generate_random_safe
From: Theodore Tso @ 2011-06-20 11:45 UTC (permalink / raw)
To: Ludwig Nussel; +Cc: util-linux
On Jun 17, 2011, at 3:37 AM, Ludwig Nussel wrote:
>>
>> Also please note that there's only *one* user of the uuid library, the
>> proprietary SAP R/3 system, that generates enough uuids, and with a
>> high enough frequency, where "safety" has ever been an issue. Most of
>> the time, people simply aren't generating uuid's at the rate of
>> thousands a second.
>
> I can't judge. We got quite some pressure to set the setuid bit on
> uuidd by default because 'several customers' demand it. Making the
> interface more explicitly require uuidd would defeat arguments that
> an application and the admin can't even notice there's a problem.
Look, a time-based UUID is composed of a ethernet MAC address
(for uniqueness in space, assuming NIC's are assigned unique
MAC addresses), a 100ns granularity timestamp (for uniqueness
in time), and a 13-bit counter.
We are using gettimeofday(), which has microsecond granularity,
so if you have multiple calls to generate UUID's within the same
microsecond, called from different CPU's, now the only thing
protecting you is the 13-bit counter, which is initialized to a
random value w/o uuidd. To make matters worse, the proprietary
SAP system abuses UUID's by folding, spindling, and mutilating
UUID's so the timestamp appears in the most significant bits,
so that its btree lookups (it's using the UUID's as a object id) in
the database can be as efficient as possible. Which is why they
can't use /dev/random generated UUID's --- well, that and this
is being used in their database initialization program, where
they are generating literally millions of uuid's, and /dev/random
or some kind of scheme where you throttle time-based UUID
generation would slow down the SAP R/3 database load
process unacceptably. (I worked with your predecessor at
SuSE/Novell, and wrote uuidd specifically because to help
out SAP, mainly because (a) I was at IBM at the time, and figured
customers of IBM hardware would care, and (b) I have one
or two friends who work at SAP, and wanted to help them out.
But I never intended for uuidd to become mandatory, and I
got complaints from some distro's about adding yet another
daemon.)
This is why I'm pretty confident *no* *one* other than SAP is
going to be running into this problem, because I don't know of
anyone else which is generating UUID's at this insane rate ---
and would be quite, quite surprised if they were.
These days, we have a higher resolution clock interface, so at
least in theory we could use clock_gettime(), which would give
us a nanosecond interface. This would give us another factor
of 10 improvement on the granularity of time-based UUID's.
This might be worth doing, if someone really cared. If they do,
though, I'd request that it be autoconf'ed, so that this library
remains portable to non-Linux environments --- there are folks
who are using this library to build GNOME and other OSS
packages on *BSD's and Solaris systems, for example ---
although I suspect many of them are still using the uuid library
from e2fsprogs.
-- Ted
* Re: [PATCH 1/4] uuidgen: fail if uuidd isn't running
From: Ludwig Nussel @ 2011-06-20 12:18 UTC (permalink / raw)
To: util-linux; +Cc: Karel Zak, Ted Ts'o
Karel Zak wrote:
> On Thu, Jun 16, 2011 at 10:07:56PM -0400, Ted Ts'o wrote:
> > On Thu, Jun 16, 2011 at 03:59:36PM +0200, Ludwig Nussel wrote:
> > > time bases uuids are not safe if uuidd is not running.
> > > Add option --force to generate a uuid in this case nevertheless.
> >
> > I really wouldn't worry about time-based uuid if you're grabbing them
> > from uuidgen. Yes, if you're generating thousands of uuid's in
> > parallel via the C interface, it's possible that you potentially force
> > a collision. But via the command-line interface of uuidgen?
>=20
> I agree with Ted.=20
>=20
> Let's go one step back (sorry Ludwig). It would be really better to
> add --safe rather than --force. We can use the --safe option to test
> the new *_safe functions or for really paranoid environments, but we
> should not force people use the new functionality.
Actually never mind, forget about the patches. I'm perfectly fine
with a 'no'. This discussion now finally documents in public the
background and reasons why things are the way they are. Thanks a lot
for your patience and Ted for the detailed explanation!
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)