
Re: Static system level uid/gid's reservations in Fedora/RHEL - how to handle situation?



2009/4/28 Ondřej Vašík <ovasik redhat com>:
> Hello,
> At the moment static system-level uid/gids are handled by the setup package
> and the /usr/share/doc/setup-*/uidgid file. There is a threshold for system
> uid/gids - it's uid/gid 100. Another way to reserve "static" uid/gids
> is http://fedoraproject.org/wiki/PackageUserRegistry ...
> usable only for Fedora and only semi-static (as the base id could easily be
> changed).
> As we are running out of free uid/gids in the uidgid reservation file
> (no free gids in fact at the moment), it has to be solved somehow...
> there are quite often requests for uidgid reservations as it increases
> security in many cases...

> What's the best way to handle that situation? One possibility is to
> increase the threshold of system-level ids (to 200? 300?), another is
> to check current reservations and clean up long-term unused ones (I
> doubt there are many such cases, so it's only a temporary solution). Another
> could be sharing groups (as static uids are still available), but
> that's not always a good solution.

One long term solution is to replace (or rather back up) the uid/gid
integer system with uuids.  This also helps with other problems like
Windows interop.

Here's a blog post about a change Solaris made in this respect:
http://blogs.sun.com/nico/entry/dealing_with_windows_sids_in
Mailing list thread in NFSv4 context:
http://www.nfsv4.org/nfsv4-wg-archive-dec-96-jan-03/1440.html

I'm sure there's other stuff out there.

Another thing to consider would be relying on SELinux domains for new
daemons, just giving them e.g. the "daemon" uid.
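As an added illustration (not code from this thread or from the setup package), here is a small audit of a uidgid-style reservation table: it reports the free uids and gids that remain below the system threshold of 100 mentioned above and flags any id claimed by two different names. The column layout (NAME UID GID HOME SHELL PACKAGES, with "-" for an unreserved id) and the sample rows are assumptions constructed for the example.

```python
SYSTEM_ID_THRESHOLD = 100  # ids below this are system level, as the thread states

# Constructed sample rows in an assumed uidgid column layout
# (NAME UID GID HOME SHELL PACKAGES, "-" for an id that is not reserved).
# This is example data, not a copy of the real reservation file.
SAMPLE_UIDGID = """\
NAME\t\tUID\tGID\tHOME\t\tSHELL\tPACKAGES
root\t\t0\t0\t/root\t\t/bin/bash\tsetup
bin\t\t1\t1\t/bin\t\t/sbin/nologin\tsetup
daemon\t\t2\t2\t/sbin\t\t/sbin/nologin\tsetup
adm\t\t3\t4\t/var/adm\t/sbin/nologin\tsetup
tty\t\t-\t5\t-\t\t-\t\tsetup
lp\t\t4\t7\t/var/spool/lpd\t/sbin/nologin\tsetup
clash\t\t4\t8\t/nonexistent\t/sbin/nologin\tclash-pkg
"""


def parse_uidgid(text):
    """Return (uids, gids, conflicts): id -> owner name, plus ids claimed twice."""
    uids, gids, conflicts = {}, {}, []
    for line in text.splitlines():
        fields = line.split()
        # skip blank lines, the header row and comment lines
        if not fields or fields[0] == "NAME" or fields[0].startswith("#"):
            continue
        name, uid, gid = fields[0], fields[1], fields[2]
        for value, table, kind in ((uid, uids, "uid"), (gid, gids, "gid")):
            if value == "-":
                continue
            value = int(value)
            if value in table and table[value] != name:
                # first claimant keeps the id; record the collision for review
                conflicts.append((kind, value, table[value], name))
            else:
                table[value] = name
    return uids, gids, conflicts


def free_ids(reserved, threshold=SYSTEM_ID_THRESHOLD):
    """Reservable ids in [1, threshold) that no entry claims (0 is root)."""
    return sorted(set(range(1, threshold)) - set(reserved))


def audit(text, threshold=SYSTEM_ID_THRESHOLD):
    """Summarise remaining capacity below the threshold and any id conflicts."""
    uids, gids, conflicts = parse_uidgid(text)
    return {
        "free_uids": free_ids(uids, threshold),
        "free_gids": free_ids(gids, threshold),
        "conflicts": conflicts,
    }
```

Run against a real reservation table, the length of "free_gids" is the number that the thread says has reached zero.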

