On Sun, Dec 13, 2015 at 02:23:29PM -0800, Alec Warner wrote:
> 1) Why do you need deterministic uid / gid's?
> 2) If you do need deterministic uid / gid's, I would recommend storing them
> all in the same place.
They are ALL for system users and groups.

TL;DR: if you're sharing data/config for system users/groups between
multiple systems based on UID/GID (not username), you need consistent
generation.

Data on NFSv[23], with a shared apache/nginx user was one of the
original examples. I agree since then, that the data should NOT be owned
by apache/nginx anymore (NFSv4 also solves the problem).

A much newer example: let's consider the system group 'plugdev'. It's
one that is created dynamically at the moment.

If I want to put my user in that group LDAP-wide, and have an LDAP
environment, I need to make sure the plugdev GID is the same on all
systems (actually it also varies slightly depending on which LDAP group
membership model you're using for NSS data).

> For example, you typically want a deterministic UID for a user. To
> accomplish this, you add that user to LDAP, give them a UID in LDAP, and
> then either add LDAP to nssswitch or use something like nsscache to sync
> the ldap UID's into the local system.
> 
> 3) If you need deterministic GID's I would recommend storing them all in
> LDAP and syncing the group memberships locally.
So you want to define the group twice? Both in LDAP and locally?

> I never understood why people would think the distro should handle unique
> gid / uids. Plus you usually end up running:
> 
> 1) More than one distro.
> 2) More than one 'flavor' of a single distro where for whatever reason, uid
> and gid decisions differed (they renumbered, etc.)
Here's the work LSB did on it, with further references to what more
distros do:
https://github.com/LinuxStandardBase/lsb/blob/master/documents/wip/userNaming.txt

Here's the Debian central database for it:
https://anonscm.debian.org/cgit/users/cjwatson/base-passwd.git/tree/README


> So if you want a consistent GID for a group, store the group name and gid
> in ldap and sync it; do not rely on your distro to do it. IMHO doing so is
> a design error.
Which is incompatible with NFSv3.

> > [1] $ egrep '(enewgroup|enewuser)' * -R | awk -F '/' '{print $1 "/" $2}' |
> > grep -v eclass | sort -u | wc -l
> > 443
> > So there are not so many gids/uids needed
There are definitely entries like these, so be very careful in your counting.
enewgroup $PN
enewuser ${PN} -1 -1 /var/lib/${PN} ${PN}

Based on counting unique tuples of
($CAT/$PN, $ARGS), I count 410+ each of enewgroup and enewuser calls.

$ git grep -e 'enewuser ' -e 'enewgroup ' | \
  sed -r -e 's,/[^/]+:[[:space:]]*,/: ,g' -e 's,#.*,,g' | \
  grep -e ': enew' |sort |uniq

Also watch out for packages that create MULTIPLE users/groups for privilege
separation (qmail is notorious for this).

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee
E-Mail     : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
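The counting method from the mail above, as an added example that is not part of the original thread: the same normalisation the `git grep | sed | grep | sort | uniq` pipeline performs, run over constructed grep output (the category/package names and ebuild paths are made up), next to a naive count that throws the package path away and so collapses every `enewuser ${PN}` into one entry.

```shell
# Constructed stand-in for `git grep -e 'enewuser ' -e 'enewgroup '` output at
# the root of an ebuild tree. Packages and paths are invented for this example.
SAMPLE_GREP_OUTPUT='app-misc/foo/foo-1.0.ebuild:  enewgroup foo
app-misc/foo/foo-1.1.ebuild:  enewgroup foo
app-misc/foo/foo-1.1.ebuild:  enewuser foo -1 -1 /var/lib/foo foo
net-mail/bar/bar-2.0.ebuild:  enewgroup ${PN}
net-mail/bar/bar-2.0.ebuild:  enewuser ${PN} -1 -1 /var/lib/${PN} ${PN}
net-mail/baz/baz-3.0.ebuild:  enewgroup ${PN}  # same text as bar, other package
net-mail/baz/baz-3.0.ebuild:  enewuser ${PN} -1 -1 /var/lib/${PN} ${PN}
www-servers/qux/qux-1.0.ebuild:  enewgroup qux
www-servers/qux/qux-1.0.ebuild:  enewuser qux-web -1 -1 /var/www qux
www-servers/qux/qux-1.0.ebuild:  enewuser qux-log -1 -1 /var/log/qux qux'

# Normalise each hit to "category/package/: enew... args", the shape the sed
# in the mail produces: drop the ebuild filename, drop trailing comments and
# whitespace, keep only enew* calls, then collapse duplicates (e.g. several
# versions of one package). Category/package survives, so two packages that
# both write `enewuser ${PN}` remain distinct tuples.
normalise_enew() {
    printf '%s\n' "$SAMPLE_GREP_OUTPUT" |
        sed -E -e 's,/[^/]+:[[:space:]]*,/: ,' -e 's,#.*,,' -e 's,[[:space:]]+$,,' |
        grep -e ': enew' | sort | uniq
}

# Unique (category/package, args) tuples for one helper: enewuser or enewgroup.
count_enew() {
    normalise_enew | grep -c ": $1 "
}

# The naive count: unique argument strings only, package path thrown away.
# `${PN}` makes bar and baz look identical, so this undercounts.
count_enew_naive() {
    printf '%s\n' "$SAMPLE_GREP_OUTPUT" |
        sed -E -e 's,^[^:]*:[[:space:]]*,,' -e 's,#.*,,' -e 's,[[:space:]]+$,,' |
        grep -e "^$1 " | sort -u | wc -l | tr -d ' '
}
```

Packages that create several users for privilege separation (qux above) show up as one tuple per call under both methods; only the `${PN}` pattern separates the two counts.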
