From: Tim Serong <tserong@suse.com>
To: Sage Weil <sweil@redhat.com>, Robert LeBlanc <robert@leblancnet.us>
Cc: Gaudenz Steinlin <gaudenz@debian.org>,
	Ken Dreyer <kdreyer@redhat.com>,
	ceph-devel <ceph-devel@vger.kernel.org>,
	cjwatson@debian.org, ceph-maintainers@ceph.com,
	Steven Timm <timm@fnal.gov>, Owen Synge <osynge@suse.com>
Subject: Re: [Ceph-maintainers] statically allocated uid/gid for ceph
Date: Fri, 15 May 2015 13:27:25 +1000
Message-ID: <5555679D.6050903@suse.com>
In-Reply-To: <alpine.DEB.2.00.1505140935020.10788@cobra.newdream.net>

On 05/15/2015 02:41 AM, Sage Weil wrote:
> On Thu, 14 May 2015, Robert LeBlanc wrote:
>> On Thu, May 14, 2015 at 10:08 AM, Sage Weil  wrote:
>>> The above should have no impact on other distros where a fixed UID/GID
>>> is already set in the package.
>>
>> This sounds pretty reasonable to me!  Perhaps there can be a 'default'
>> (but still opt-in) uid that is reserved and won't conflict going forward,
>> but may conflict with legacy environments?  That at least minimizes
>> complexity/pain for fresh environments (which I suspect will
>> be the bulk of the install base)?
>>
>>
>> Since there is no guarantee, can we just default to the same UID/GID that
>> was received from Debian, or is there a known conflict in RH/Cent/SUSE/etc?
> 
> The Fedora UID is 167.
>   - fedora: 0-200 = fixed allocations
>   - debian: 100-999 = dynamically allocated
>   - suse: 100-499 = dynamically allocated system users
> 
> The Debian UID is likely to be 64045.
>   - fedora: undefined (1000-60000 = user accounts, nothing above that)
>   - debian: 60000-64999 = reserved fixed uids, dynamically created
>   - suse: undefined (1000-60000 = user accounts, nothing above that)
> 
> I'm not sure which is less likely: colliding with a dynamically allocated 
> system user (how many of those are there?)

Some random data: my openSUSE desktop system has about 35 dynamically
allocated system users.  Looking at my mostly-clean SLE 11 and SLE 12
test systems, each seems to have about 10 dynamically allocated users,
although interestingly SLE 11 starts adding these from 100, and
increments, while SLE 12 seems to start at 499 and go backwards.

> or a regular user (64045 is a very large uid).

My earlier thought was "everyone should follow Debian because it's a
very large UID", but this is still risky because high ranges can
conflict with UID ranges chosen when using an LDAP, AD or other backend.
I can't state a specific conflict, just that there are sites whose
chosen user UID ranges overlap.  This is actually a real issue; there
are sites that have all systems (i.e.: even their servers) running such
backends, because they need users, even the sysadmins, to log in as a
regular user using that backend (then `sudo` or whatever for admin work)
due to auditing/security policies.

Regards,

Tim
-- 
Tim Serong
Senior Clustering Engineer
SUSE
tserong@suse.com
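
An added example, not part of the message above or of the Ceph packaging: it classifies the two candidate UIDs (167 and 64045) against the per-distro ranges quoted in the thread and reports whether another account already holds them, both in a passwd(5) listing and through NSS, which is where LDAP/AD users appear. The function names, the sample passwd lines and the account name `ceph` are assumptions made for illustration.

```python
import pwd

# UID ranges as quoted in the message above: (low, high, meaning) per distro.
RANGES = {
    "fedora": [(0, 200, "fixed allocations"), (1000, 60000, "user accounts")],
    "debian": [(100, 999, "dynamically allocated"),
               (60000, 64999, "reserved fixed uids, dynamically created")],
    "suse": [(100, 499, "dynamically allocated system users"),
             (1000, 60000, "user accounts")],
}

# Constructed passwd(5) sample, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
polkitd:x:499:499:polkit daemon:/var/lib/polkit:/sbin/nologin
chrony:x:167:498:chrony daemon:/var/lib/chrony:/sbin/nologin
jdoe:x:64045:100:directory user (constructed):/home/jdoe:/bin/bash
"""

def classify(uid):
    """Map each distro to the meaning of the range containing uid, or 'undefined'."""
    return {distro: next((m for lo, hi, m in ranges if lo <= uid <= hi), "undefined")
            for distro, ranges in RANGES.items()}

def parse_passwd(text):
    """Return {uid: name} from passwd(5) lines, skipping comments and malformed rows."""
    owners = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7 or not fields[2].isdigit():
            continue
        owners.setdefault(int(fields[2]), fields[0])  # first entry for a UID wins
    return owners

def collisions(candidates, passwd_text, service="ceph"):
    """Return {uid: owner} for candidate UIDs already held by another account."""
    owners = parse_passwd(passwd_text)
    return {u: owners[u] for u in sorted(candidates)
            if u in owners and owners[u] != service}

def live_owner(uid):
    """Resolve uid through NSS (files, LDAP, AD, ...); None if unallocated."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

if __name__ == "__main__":
    for uid in (167, 64045):
        print(uid, classify(uid), "local:", collisions([uid], SAMPLE_PASSWD),
              "nss:", live_owner(uid))
```

A package pre-install script would run the NSS lookup on the target host before creating the account, since a directory-backed user never shows up in the local passwd file.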
