Re: Fixing the "nobody" user?

Heya! I'd like to start a discussion regarding the "nobody" user on Fedora, and propose that we change its definition sooner or later. I am not proposing a feature according to the feature process for this yet, but my hope is that these discussions will lead to one eventually. Most distributions (in particular Debian/Ubuntu-based ones) map the user "nobody" to UID 65534. I think we should change Fedora to do the same. Background: On Linux two UIDs are special: that's UID 0 for root, which is the privileged user we all know. And then there's UID 65534 (i.e. (uint16_t) -2), which is less well known. The Linux kernel calls it the "overflow" UID. It has four purposes: 1. The kernel maps UIDs > 65535 to it when when some subsystem/API/fs only supports 16bit UIDs, but a 32bit UID is passed to it. 2. it's used by the kernel's user namespacing as a the internal UID that external UIDs are mapped to that don't have any local mapping. 3. It's used by NFS for all user IDs that cannot be mapped locally if UID mapping is enabled. 4. One upon a time some system daemons chose to run as the "nobody" user, instead of a proper system user of their own. But this is universally frowned upon, and isn't done on any current systems afaics. In fact, to my knowledge Fedora even prohibits this explicitly in its policy (?). The uses 1-3 are relevant today, use 4 is clearly obsolete afaics. Uses 1-3 can be subsumed pretty nicely as "the UID something that cannot be mapped properly is mapped to".

On Fedora, we currently have a "nobody" user that is defined to UID 99. It's defined unconditionally like this. To my knowledge there's no actual use of this user at all in Fedora however.

The UID 65514 carries no name by default on Fedora, but as soon as you install the NFS utils it gets mapped to the "nfsnobody" user name, misleadingly indicating that it would be used only by NFS even though it's a much more general concept. I figure the NFS guys adopted the name "nfsnobody" for this, simply because "nobody" was already taken by UID 99 on Fedora, unlike on other distributions.

In the context of user namespacing the UID 65534 appears a lot more often as owner of various files. For example, if you turn on user namespacing in typical container managers you'll notice that a ton of files in /proc will then be owned by this user. Very confusingly, in a container that includes the NFS utils all those files actually show up as "nfsnobody"-owned now, even though there's no relation to NFS at all for them. I'd like to propose that we clean this up, and just make Fedora work like all other distributions. After all the reason of having this special UID in the first place is to sidestep mapping problems between different UID "realms". Hence I think it would be wise to at least make the name of this very special UID somewhat more stable and well-defined between distributions. I think this is of particular relevance as Debian/Ubuntu-based container images tend to be substantially more popular than Fedora-based ones, and hence I think we should try to unify at least the names and semantics of the two special UIDs all distros have, to minimize mapping problems and making user interaction in containers a bit more friendly. You might ask of course, why Fedora should change to adopt Debian's/Ubuntu's definition, instead of conversely making them adopt Fedora's definition? Well, that's simple: Debian's definition makes a lot more sense than Fedora's. And nothing we ship actually makes use of FEdora's definition afaics, and we currently carry a workaround called "nfsnobody" in some cases to avoid having to fix this properly. Another option would be to define an entirely new user name for 65534, for example "void" or so. But quite frankly, that sounds like a pointless bikeshedding excercise, and creates even more confusion, balkanization and political hassles if you'd try to convince other distros to adopt the same scheme too. Hence, let's go for "nobody == 65534" on Fedora too! And let's unify the various dsitributions a tiny bit more, on this specific aspect. How could a transition look like? I figure new installs should get "nobody" defined to 65534. Old installs should keep the old definitions in place instead. The NFS packages should be updated to not create the "nfsnobody" user if there's already another user mapped to 65534 (maybe it already does that?).