Static system level uid/gid's reservations in Fedora/RHEL - how to handle situation?

Colin Walters walters at verbum.org
Wed Apr 29 14:36:34 UTC 2009


2009/4/28 Ondřej Vašík <ovasik at redhat.com>:
> Hello,
> at the moment static system level uid/gids are handled by the setup package
> and the /usr/share/doc/setup-*/uidgid file. There is a threshold for system
> uid/gids - it's uid/gid 100. Another way to reserve "static" uid/gids
> is http://fedoraproject.org/wiki/PackageUserRegistry ...
> usable only for Fedora and only semi-static (as the base id could be easily
> changed).
> As we are running out of free uid/gids in the uidgid reservation file
> (no free gids in fact at the moment), it has to be solved somehow...
> there are quite often requests for uidgid reservations as it increases
> security in many cases...

> What's the best way to handle that situation? One possibility is to
> increase the threshold of system level ids (to 200? 300?), another is
> to check current reservations and clean long-term unused reservations (I
> doubt there are many such cases, so it's only a temporary solution). Another
> could be sharing groups (as static uids are still available), but
> that's not always a good solution.

One long term solution is to replace (or rather back up) the uid/gid
integer system with uuids.  This also helps with other problems like
Windows interop.

Here's a blog post about a change Solaris made in this respect:
http://blogs.sun.com/nico/entry/dealing_with_windows_sids_in
Mailing list thread in NFSv4 context:
http://www.nfsv4.org/nfsv4-wg-archive-dec-96-jan-03/1440.html

I'm sure there's other stuff out there.

Another thing to consider would be relying on SELinux domains for new
daemons, just give them e.g. the "daemon" uid.
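Added here as an illustration of the audit the thread implies (not code from the thread or from the setup package): a script that parses a uidgid-style reservation table, lists the uids and gids still free below the 100 threshold, and flags local accounts whose id collides with a reservation held by a different name. The column layout (NAME UID GID HOME SHELL PACKAGES, '-' for none) and both input fragments are assumptions constructed for the example.

```python
"""Audit static uid/gid reservations below the system-id threshold.

Constructed input: a small excerpt in the assumed layout of setup's uidgid
file (whitespace-separated NAME UID GID HOME SHELL PACKAGES, '-' for none)
and a constructed /etc/passwd fragment. None of it is real data.
"""

THRESHOLD = 100  # the thread states system ids are those below 100

UIDGID_TABLE = """\
NAME    UID  GID  HOME             SHELL          PACKAGES
root    0    0    /root            /bin/bash      setup
bin     1    1    /bin             /sbin/nologin  setup
daemon  2    2    /sbin            /sbin/nologin  setup
mail    8    12   /var/spool/mail  /sbin/nologin  setup
ntp     38   38   /etc/ntp         /sbin/nologin  ntp
"""

# Constructed: 'localsvc' was created with a dynamic id that happens to be 38.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
localsvc:x:38:38:Local service:/var/lib/localsvc:/sbin/nologin
"""

def parse_uidgid(text):
    """Return {name: (uid_or_None, gid_or_None)} from a uidgid-style table."""
    res = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if line.startswith('#') or len(fields) < 3:
            continue
        uid = int(fields[1]) if fields[1] != '-' else None
        gid = int(fields[2]) if fields[2] != '-' else None
        res[fields[0]] = (uid, gid)
    return res

def free_ids(reservations, threshold=THRESHOLD):
    """Unreserved uids and gids in 1..threshold-1, as two sorted lists."""
    uids = {u for u, _ in reservations.values() if u is not None}
    gids = {g for _, g in reservations.values() if g is not None}
    pool = set(range(1, threshold))
    return sorted(pool - uids), sorted(pool - gids)

def collisions(reservations, passwd):
    """Local accounts whose uid is reserved in the table for another name."""
    by_uid = {u: n for n, (u, _) in reservations.items() if u is not None}
    bad = []
    for line in passwd.splitlines():
        name, _, uid = line.split(':')[:3]
        owner = by_uid.get(int(uid))
        if owner is not None and owner != name:
            bad.append((name, int(uid), owner))
    return bad
```

On a real system the same check would read /usr/share/doc/setup-*/uidgid and /etc/passwd instead of the embedded fragments.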
