On Mon, Jul 18, 2016 at 8:39 AM, Lennart Poettering <mzerqung(a)0pointer.de> wrote:

> On Fedora, we currently have a "nobody" user that is defined to UID
> 99. It's defined unconditionally like this. To my knowledge there's no
> actual use of this user at all in Fedora however. The UID 65514
> carries no name by default on Fedora, but as soon as you install the
> NFS utils it gets mapped to the "nfsnobody" user name, misleadingly
> indicating that it would be used only by NFS even though it's a much
> more general concept. I figure the NFS guys adopted the name
> "nfsnobody" for this, simply because "nobody" was already taken by UID
> 99 on Fedora, unlike on other distributions.

At first glance it makes some sense. 2^32-2 doesn't force it into
64-bit space, it's tested on other operating systems, I'm concerned
that overlapping "nobody" with the working "nfsnobody" is going to
break tools. I'm also concerned that it will change behavior for "tar",
"rsync", "star", and other programs that can be configured to store
and extract usernames *or* uids, or a mix of both.

> In the context of user namespacing the UID 65534 appears a lot more
> often as owner of various files. For example, if you turn on user
> namespacing in typical container managers you'll notice that a ton of
> files in /proc will then be owned by this user. Very confusingly, in a
> container that includes the NFS utils all those files actually show up
> as "nfsnobody"-owned now, even though there's no relation to NFS at all
> for them.

And this is where the shift in behavior would get confusing.

> How could a transition look like? I figure new installs should get
> "nobody" defined to 65534. Old installs should keep the old
> definitions in place instead. The NFS packages should be updated to
> not create the "nfsnobody" user if there's already another user mapped
> to 65534 (maybe it already does that?). Of course it's not pretty if
> old and new systems use different definitions for this user, but I
> think it's not too much of a real-life issue, as most code that refers
> to this group already does so by UID instead of name, simply because
> the name is not stable across distributions.

Like I said, I'm thinking of "rsync", "tar", and "star". Also,
people.... do some interesting scripting to detect things like failed
NFS configurations. I'm not saying that's a blocker, but shifting it
to overlap with the current "nfsnobody" is likely to break some
people's tools in the field, especially if they run the latest Fedora
alongside RHEL, CentOS, or previous Fedora releases.

> Opinions?
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
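The "tar"/"rsync" concern raised in the reply above, as an added illustration that is not code from the thread or from any of the tools it names: a small model of how an archive entry's stored owner name and numeric UID resolve on a host whose "nobody" mapping differs from the one the archive was made on. The resolution rule is a simplified version of GNU tar's default when extracting as root (use the stored name if the local passwd knows it, else the stored UID; `--numeric-owner` skips the name), and the passwd tables are constructed to mirror the old and proposed Fedora layouts, not read from a real system.

```python
"""Model name-vs-UID ownership resolution across a "nobody" remapping.

Assumptions (not from the thread): the passwd tables below are constructed;
the resolution rule is a simplified model of GNU tar's default behaviour
when extracting as root.
"""

# Constructed name -> UID tables mirroring the thread's two layouts.
OLD_FEDORA = {"root": 0, "nobody": 99, "nfsnobody": 65534}
NEW_SCHEME = {"root": 0, "nobody": 65534}  # "nobody" moved to 2^16-2
# If nfs-utils still adds its user, two names share 65534; getpwuid-style
# lookup returns the first matching entry.
NEW_WITH_NFS = {"root": 0, "nobody": 65534, "nfsnobody": 65534}

def uid_to_name(passwd, uid):
    """Name the archiving host would store for uid (first match), or None."""
    for name, n in passwd.items():
        if n == uid:
            return name
    return None

def resolve_owner(passwd, stored_name, stored_uid, numeric_owner=False):
    """UID an extract chowns to on a host with this passwd table."""
    if not numeric_owner and stored_name in passwd:
        return passwd[stored_name]   # name wins when the host knows it
    return stored_uid                # otherwise fall back to the number

def ownership_drift(src_passwd, dst_passwd, uids):
    """Per source UID: (stored name, name-based UID, numeric UID, drift?).

    drift is True when a name-based extract on the destination host lands
    on a different UID than a numeric (--numeric-owner style) extract."""
    report = {}
    for uid in uids:
        name = uid_to_name(src_passwd, uid)
        by_name = resolve_owner(dst_passwd, name, uid)
        by_number = resolve_owner(dst_passwd, name, uid, numeric_owner=True)
        report[uid] = (name, by_name, by_number, by_name != by_number)
    return report

if __name__ == "__main__":
    cases = [("old -> new", OLD_FEDORA, NEW_SCHEME),
             ("new -> old", NEW_SCHEME, OLD_FEDORA)]
    for label, src, dst in cases:
        print(label)
        for uid, (name, n, num, drift) in ownership_drift(src, dst, [0, 99, 65534]).items():
            flag = "DRIFT" if drift else "ok"
            print(f"  uid {uid:>5} stored as {name!r}: by-name -> {n}, numeric -> {num} [{flag}]")
```

Running it shows the two cases the reply worries about: an archive made on an old system with files owned by "nobody" (99) extracts as 65534 on a new system, and one made on a new system with "nobody" (65534) extracts as 99 on an old one, unless the tool is told to ignore names.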