2009/4/28 Ondřej Vašík <ovasik(a)redhat.com>:
Hello,
at the moment static system level uid/gid's are handled by the setup package
and the /usr/share/doc/setup-*/uidgid file. There is a threshold of system
uid/gid's - it's uid/gid 100. Another way to reserve "static" uid/gid
reservation is
http://fedoraproject.org/wiki/PackageUserRegistry ...
usable only for Fedora and only semi-static (as base id could be easily
changed).
As we are running out of the free uid/gid's in uidgid reservation file
(no free gid's in fact at the moment), it has to be solved somehow...
there are quite often requests for uidgid reservations as it increases
security in many cases...
What's the best way to handle that situation? One possibility is to
increase the threshold of system level id's (to 200? 300?), another is
to check current reservation and clean long-term unused reservations (I
doubt there are many such cases, so it's only a temporary solution). Another
could be sharing groups (as static uid's are still available), but
that's not always a good solution.
One long term solution is to replace (or rather back up) the uid/gid
integer system with uuids. This also helps with other problems like
Windows interop.
Here's a blog post about a change Solaris made in this respect:
http://blogs.sun.com/nico/entry/dealing_with_windows_sids_in
Mailing list thread in NFSv4 context:
http://www.nfsv4.org/nfsv4-wg-archive-dec-96-jan-03/1440.html
I'm sure there's other stuff out there.
Another thing to consider would be relying on SELinux domains for new
daemons, just give them e.g. the "daemon" uid.