On 27/02/10 08:30, Aaron Griffin wrote:
On Thu, Feb 25, 2010 at 7:08 PM, Allan McRae<[email protected]> wrote:
On 23/02/10 15:06, Allan McRae wrote:
On 23/02/10 04:49, Roman Kyrylych wrote:
On Mon, Feb 22, 2010 at 17:19, Allan McRae<[email protected]> wrote:
Hi,
At the moment, groupadd always creates system groups with GID=99.
(http://bugs.archlinux.org/task/16092).
We can fix this by adding something quite standard like:
SYS_UID_MIN = 100
SYS_GID_MIN = 100
SYS_UID_MAX = 999
SYS_GID_MAX = 999
in /etc/login.defs
But this will lead to possible issues with packages using fixed GID >= 100.
e.g. I could create a bunch of system groups and then install a package which
has predetermined that an already used group ID is for it.
There are two possible solutions:
1) Set SYS_{U,G}ID_MIN to (e.g.) 500 and have all packages use numbers below
500.
2) Have the packages create a group without a specified ID. Anything
requiring a fixed group ID at compile time (e.g. mailman) must use a number
< 100.
I am in favour of #2 (slightly) as it seems the better solution, but #1
would only require shadow to be fixed and no rebuilds for other packages
(the number of rebuilds for #2 would be very small). Opinions?
I prefer #2 too, but there is a problem: the space of GID < 100 is crowded,
and some packages (e.g. gdm) switched to not using fixed GIDs due to this.
UIDs up to 1000 are reserved for system purposes,
would be nice to increase the number of reserved GIDs too.
This reserves GID < 1000 for system use, but only GID < 100 are "fixed".
The rest are assigned dynamically. Do we really need more fixed GIDs?
Most packages requiring a new group can have group ID generated on
install. Anyone know what other distros do here?
Any other opinions on this?
The packages that create groups > 100 that would require a rebuild for option
#1 are:
I like the idea of increasing the *ID_MIN (option #1), but don't other
distros use 1000 for system groups?
So looking into this further, other distros do not set any of the SYS_*
variables and rely on it calculating the defaults. Debian and Gentoo
use GID_MIN = 100 so must also have the issue with adding system groups
as described in FS#16092. Fedora sets GID_MIN at 500.
I am going for a compromise:
SYS_UID_MIN 500
SYS_UID_MAX 999
UID_MIN 1000
UID_MAX 60000
SYS_GID_MIN 500
SYS_GID_MAX 999
GID_MIN 1000
GID_MAX 60000
That means people can use groupadd --system and get a group id in the
500-999 range and we can specify group ids up to 499 in packaging. As
we have no package using the 500-999 group id range, no rebuilds will
need to be done.
Once all packages creating groups with GID > 100 are adjusted to create
their group using groupadd --system rather than a predetermined group
number, we may want to revisit the lower limit for the SYS values.
Allan
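The policy Allan settles on above can be checked mechanically: parse the login.defs values, simulate how groupadd --system would pick a GID from the 500-999 range, and flag any packaging that hard-codes a GID at or above SYS_GID_MIN. This is an added example, not code from the thread or from shadow; the login.defs fragment, the group file and the package GID table are constructed, and the top-down allocation order is an assumption about shadow's behaviour.

```python
# Added example: audit a login.defs/group-file pair against the
# "fixed GIDs < SYS_GID_MIN, dynamic system GIDs in SYS range" rule.

# Constructed login.defs fragment using the values proposed in the thread.
LOGIN_DEFS = """
SYS_UID_MIN 500
SYS_UID_MAX 999
UID_MIN     1000
UID_MAX     60000
SYS_GID_MIN 500     # dynamic system groups live here ...
SYS_GID_MAX 999     # ... up to here
GID_MIN     1000
GID_MAX     60000
"""

# Constructed /etc/group contents (name:password:gid:members).
GROUP_FILE = """root:x:0:
nobody:x:99:
http:x:33:
sysdaemon:x:999:
users:x:1000:
"""

def parse_login_defs(text):
    """Return {KEY: int} for the integer settings in a login.defs text."""
    defs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blanks
        if line:
            key, _, value = line.partition(" ")
            defs[key] = int(value.strip())
    return defs

def group_gids(text):
    """Return {groupname: gid} from /etc/group-style lines."""
    fields = (ln.split(":") for ln in text.splitlines() if ln.strip())
    return {f[0]: int(f[2]) for f in fields if len(f) >= 3}

def allocate_system_gid(used, defs):
    """GID that `groupadd --system` would hand out. Assumption: shadow
    walks SYS_GID_MAX down to SYS_GID_MIN and takes the first free one;
    None means the system range is exhausted."""
    for gid in range(defs["SYS_GID_MAX"], defs["SYS_GID_MIN"] - 1, -1):
        if gid not in used:
            return gid
    return None

def packages_violating_policy(fixed_gids, defs):
    """Packages whose hard-coded GID is not below SYS_GID_MIN, i.e. can
    collide with a group later created by groupadd --system."""
    return sorted(p for p, g in fixed_gids.items() if g >= defs["SYS_GID_MIN"])
```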