On Fri, 22 Sep 2023 13:57:09 +0200 Guido Berhoerster <[email protected]> wrote:
> In addition to systemd, polkitd now also uses a UID above 499, on a main
> server with MATE desktop I have the following UIDs above 499:
>
> 995 polkitd
> 997 systemd-timesync
> 998 systemd-network
Regarding systemd, systemd-sysusers is the third mechanism by which system users can be created. So these users are created by systemd-sysusers either during installation by a postinst script (like e.g. polkitd) or during boot via the systemd-sysusers.service.

The UID/GID range in systemd-sysusers is determined either per file, that is on a system level by each package, or by the compiled-in default, which is 0-999; there is no run-time configuration for system administrators and the documentation strongly discourages changing that. The actual allocation algorithm does not seem to be documented, (but in best systemd tradition) it seems to be the opposite of what other tools are doing, allocating from highest to lowest, which causes the problems for us.

There is actually an escape hatch: systemd can be compiled with -Dcompat-mutable-uid-boundaries=true, which makes it obey /etc/login.defs at runtime. Again the docs state that this is a compatibility feature which should only be used for upgrading systems. So it is not clear how much this can be relied on in the future.

So our options are to:

- try to convince the rest of Debian to limit the system UID/GID range to 0-499
- convince every package maintainer to explicitly specify a range 0-499 in their systemd-sysusers config file
- try to get the systemd package maintainers to build the package with -Dcompat-mutable-uid-boundaries=true
- change the DebianEdu scheme, giving LDAP users a UID/GID range of 2000-60000 or similar

Suggestions?

References:

- https://systemd.io/UIDS-GIDS/
- https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html
- https://www.freedesktop.org/software/systemd/man/sysusers.d.html

--
Guido Berhoerster
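The effect of an explicit range line in a sysusers.d fragment (the second option above), as an added example that is not part of this thread or of systemd itself: a small Python model that parses `u` and `r` lines and hands out UIDs from the top of the pool, which is the behaviour the mail reports observing (taken here as an assumption, since the real allocator is undocumented), run over constructed passwd entries with the UIDs quoted in the thread.

```python
# Added example (not systemd's own code): a model of sysusers.d allocation
# as the mail describes it, to show what an "r" line changes. Top-down
# allocation is assumed from the mail's report; sample data is constructed.

DEFAULT_POOL = (0, 999)  # compiled-in default range mentioned in the mail

# Constructed /etc/passwd excerpt with the UIDs quoted in the thread.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
polkitd:x:995:995::/:/usr/sbin/nologin
systemd-timesync:x:997:997::/:/usr/sbin/nologin
systemd-network:x:998:998::/:/usr/sbin/nologin
"""

def used_uids(passwd_text):
    """UIDs already present in passwd-format text."""
    uids = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids.add(int(fields[2]))
    return uids

def parse_sysusers(fragment):
    """Return (names needing a dynamic UID, pool) from 'u' and 'r' lines."""
    users, pool = [], DEFAULT_POOL
    for line in fragment.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        ident = parts[2] if len(parts) > 2 else "-"
        if parts[0] == "r":  # e.g. "r - 100-499" restricts the pool
            low, high = ident.split("-")
            pool = (int(low), int(high))
        elif parts[0] == "u" and ident == "-":  # no fixed UID requested
            users.append(parts[1])
    return users, pool

def allocate(fragment, passwd_text=SAMPLE_PASSWD):
    """Assign UIDs from the top of the pool, skipping IDs already taken."""
    users, (low, high) = parse_sysusers(fragment)
    taken = used_uids(passwd_text)
    result, candidate = {}, high
    for name in users:
        while candidate >= low and candidate in taken:
            candidate -= 1
        if candidate < low:
            raise RuntimeError(f"pool {low}-{high} exhausted before {name}")
        result[name] = candidate
        taken.add(candidate)
    return result
```

With the default pool the two new users land at 999 and 996, right in the band DebianEdu hands to LDAP users; with `r - 100-499` in the same fragment they land at 499 and 498.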

