WOW... Why do you guys keep picking on NFS?? :-)
On 01/10/2018 05:46 AM, Jan Kurik wrote:
= System Wide Change: Rename "nobody" user =
https://fedoraproject.org/wiki/Changes/RenameNobodyUser
Change owner(s):
*Zbigniew Jędrzejewski-Szmek <zbyszek AT in DOT waw DOT pl>
* Lennart Poettering <lpoetter AT redhat DOT com>
Use "nobody:nobody" as the names for the kernel overflow UID:GID pair,
and retire the old "nfsnobody" name and the old "nobody:nogroup"
pair
with 99:99 numbers
== Detailed Description ==
Status quo: Fedora statically defines "nobody:nobody" pair with
uid:gid of 99:99 in setup.rpm, and "nfsnobody:nfsnobody" pair with
uid:gid of 65534:65534 in nfs-utils.rpm.
This is problematic in a few different ways:
* 65534:65534 is used by the kernel as the overflow identifier, when
some UID cannot be represented in the current namespace. This applies
to both NFS, but probably more commonly nowadays to UIDs outside of
the current user namespace (e.g. when a file or process owned by a
user from outside of a container). Calling this "nfsnobody" is
misleading.
Misleading to Whom??? -2 has been used since the 80's
There has to be an uid/gid to map unknown uid/gid to.
* the name for the overflow user is only defined when nfs-utils.rpm
is
installed. In particular in containers people want to minimize the
number of packages installed, so nfs-utils is likely not to be
installed.
So if the nfs-utils is not installed... the id/gid will not be created
* the static nobody:nobody user/group pair was used for various
services for which weren't "worthy" of creating a dedicated user. This
is a severely misguided concept, because all processes of the nobody
user can ptrace and otherwise interact with each other. Separate users
for each service should be used instead, either normal allocated users
or systemd's DynamicUser's.
* other distributions use either nobody:nobody or nobody:nogroup for
the overflow uid:gid pair, and the different naming in Fedora is
confusing and can lead to incorrect use.
But the uid/gid are still -2.
We propose to:
* stop using nfsnobody for the overflow uid/gid names
* stop using nobody for the static user 99 and group 99
* use the nobody:nobody pair of names for 65534:65534
What are you going to replace
it with?? When a server
gives a client a uid/gid that it does know about
the client has to uid/gid to map it to. Somebody has
to own the files.
On existing systems, to make upgrades easier:
* if nfsnobody was defined, keep it in /etc/passwd *after* the new
line for nobody:nobody, so that both the old name and the new name map
to the same numbers
* if nobody user or group with number 99 was defined, keep it in
/etc/passwd and /etc/group, but rename to _nobody
WHY??? What problem is this
solving??
The new mapping for nobody:nobody would be implemented in two redundant ways:
* as a static allocation in /etc/passwd and /etc/group managed by setup.rpm
* dynamically provided by the nss-systemd module (by compiling systemd
with -Dnobody-user=nobody -Dnobody-group=nobody).
Again... I have to ask why? What
problem is this solving.
== Scope ==
* Proposal owners:
- recompile systemd with the right options to get expected answer from
nss-systemd
- propose patches for setup.rpm to add the new mapping and do the
steps listed in Detailed Description on update
- propose patches for nfs-utils to remove the nfsnobody mapping and do
the steps listed in Detailed Description on update
* Other developers:
watch for regressions
Watch out??? Expect! When start messing around with uid/gid
in
the NFS world... your going to break things... most likely
legacy worlds...
This is a very bad idea... IMHO...
steved.
>
> * Release engineering:
> #7258:
https://pagure.io/releng/issue/7258
>
> * List of deliverables:
> N/A
>
> * Policies and guidelines:
> nothing
> (
https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups
> already says "Note that system services packaged for Fedora MUST NOT
> run as the nobody user" so no changes are required there.)
>
> * Trademark approval:
> N/A (not needed for this Change)
>