UID_MIN & GID_MIN changed

Toshio Kuratomi a.badger at gmail.com
Wed May 25 18:14:44 UTC 2011


2011/5/25 "Jóhann B. Guðmundsson" <johannbg at gmail.com>:
> On 05/25/2011 12:30 AM, Dennis Gilmore wrote:
>> On Tuesday, May 24, 2011 10:25:44 AM Toshio Kuratomi wrote:
>>> On Tue, May 24, 2011 at 1:59 AM, Peter Vrabec<pvrabec at redhat.com>  wrote:
>>>> Hi all,
>>>>
>>>> I'd like to inform you that I have changed UID_MIN & GID_MIN from 500 to
>>>> 1000 in upgraded shadow-utils.
>>>>
>>>> Where?
>>>> /etc/login.defs.
>>>> shadow-utils-4.1.4.3-1.fc16
>>>>
>>>> I suppose UID/GID_MIN=1000 is more common (other distros, upstream). We
>>>> are not in a situation where 500 IDs for system accounts ought to be enough
>>>> for anybody. Actually, it was not 500. It was 299 because range 0-200 is
>>>> for reserved IDs. There are 799 non reserved IDs for system accounts
>>>> available after this change.
>>> This change should be made as a Feature for F16 and needs some
>>> thought/coordination put behind it.  There's several issues that I
>>> see:
>>>
>>> * AFAIK, we actually have not run into the 500 uid limit yet (although
>>> it is a bit low to be comfortable)
>>> * AFAIK, we've only allocated the range 0-100 for reserved IDs.
>>> * The 0-100 reserved IDs are actually the pain point that we need to
>>> deal with, not the dynamic system ids in the 101-499 range.
>>> * We don't know how many, if any, IDs this actually gets us for the
>>> dynamic range because any site that has already filled the 500-1000
>>> UID range won't gain any extra dynamic system account through this
>>> change.
>>> * This could potentially break sites that are currently using the
>>> 500-1000 UID range and rely on the order of allocation of UIDs for
>>> their users on new machines matching with the UIDs on old machines.
>>> (For instance, NFS UIDs on filesystems matching between a box
>>> installed with RHEL5 and a box that gets newly installed with F16).
>>>
>>> -Toshio
>> I'm with Toshio here. There are potential pitfalls with many legacy systems.
>> There is also great potential that system IDs from newer systems will clash
>> with legacy IDs in LDAP and NIS setups. We really should make it a feature, as
>> it really deserves to be widely announced, not quietly on the list here where
>> it will likely get forgotten until users are bitten when they start deploying
>> F16 boxes.
>>
>> Dennis
>
> Agreed
>
> Is there a distro wide/*nix wide agreement on what and which range
> reserved/system IDs are supposed to be?
>
> If there is not a general consensus regarding reserved/system IDs
> and what they are supposed to be, there will always be the risk of
> colliding with IDs on other distributions and *nix platforms.
>
There is a standard but not a consensus:

http://refspecs.linux-foundation.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/uidrange.html

One problem is that the LSB is very strict in its ranges there, but: 1)
not every distro follows it and 2) the static range is definitely too
small.

> I recommend this be made a feature and the feature owners contact at
> least all major distributions and potentially other *nix platforms, so that a
> distro/*nix wide consensus is reached, and when this change is made that
> change would reflect the consensus that was reached.
>
Coordination would be nice if we can decide on how we can sanely make
changes to this.

-Toshio
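The checks this thread asks for, before an F16 box is deployed next to RHEL5/F15 machines sharing NFS, NIS or LDAP, as an added example that is not code from the thread or from shadow-utils: which already-allocated user accounts fall into the range that becomes the dynamic system range, and what a plain useradd and a useradd -r would hand out next under the old and the new /etc/login.defs. The login.defs and passwd contents are constructed samples; the allocation model is an assumption about shadow-utils behaviour (ordinary users get the lowest free ID from UID_MIN upward, system accounts the highest free ID in SYS_UID_MIN..SYS_UID_MAX, defaulting to 101..UID_MIN-1).

```python
"""Audit an existing /etc/passwd against a raised UID_MIN/GID_MIN.

Added example, not from the thread or from shadow-utils. It answers the
questions the thread raises before an F16 box is deployed next to older
machines: which already-allocated user accounts fall into the range that
becomes the dynamic system range, and which IDs useradd would hand out next
under the old and the new /etc/login.defs. All sample data is constructed.
"""

# Constructed /etc/login.defs fragments: old defaults (500) and the values
# from shadow-utils-4.1.4.3-1.fc16 as described in the thread (1000).
LOGIN_DEFS_OLD = """\
# Min/max values for automatic uid selection in useradd
UID_MIN   500
UID_MAX 60000
GID_MIN   500
GID_MAX 60000
"""

LOGIN_DEFS_NEW = """\
UID_MIN  1000
UID_MAX 60000
GID_MIN  1000
GID_MAX 60000
"""

# Constructed passwd(5) content for a box installed under the old policy,
# where the first local users received UIDs 500 and 501.
PASSWD_OLD_BOX = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
polkitd:x:499:498:User for polkitd:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
carol:x:1000:1000:Carol:/home/carol:/bin/bash
"""

# Constructed passwd(5) content for a freshly installed box with no local users yet.
PASSWD_FRESH_BOX = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
"""


def parse_login_defs(text):
    """Return {KEY: value} from login.defs syntax: KEY<whitespace>VALUE, '#' comments."""
    defs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs


def parse_passwd(text):
    """Return [(name, uid, gid)] from passwd(5) lines; a malformed line is an
    error, not something an audit should silently skip."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries


def _bounds(defs, which):
    """(min, max) of the ordinary user range for 'UID' or 'GID', with the
    shadow-utils defaults when login.defs omits them."""
    return int(defs.get(which + "_MIN", 1000)), int(defs.get(which + "_MAX", 60000))


def accounts_in_gap(passwd_text, old_defs_text, new_defs_text, which="UID"):
    """Accounts whose ID was an ordinary user ID under the old policy but lies
    in the dynamic system range under the new one, i.e. in [old_MIN, new_MIN)."""
    old_lo, _ = _bounds(parse_login_defs(old_defs_text), which)
    new_lo, _ = _bounds(parse_login_defs(new_defs_text), which)
    idx = 1 if which == "UID" else 2
    return [(e[0], e[idx]) for e in parse_passwd(passwd_text) if old_lo <= e[idx] < new_lo]


def next_user_uid(passwd_text, defs_text):
    """UID a plain 'useradd' would pick: the lowest free UID in UID_MIN..UID_MAX."""
    lo, hi = _bounds(parse_login_defs(defs_text), "UID")
    used = {uid for _, uid, _ in parse_passwd(passwd_text)}
    return next((uid for uid in range(lo, hi + 1) if uid not in used), None)


def next_system_uid(passwd_text, defs_text):
    """UID a 'useradd -r' would pick. Assumption: the shadow-utils convention of
    searching SYS_UID_MIN..SYS_UID_MAX (defaults 101..UID_MIN-1) downward for
    the highest free ID; None when the range is exhausted."""
    defs = parse_login_defs(defs_text)
    lo = int(defs.get("SYS_UID_MIN", 101))
    hi = int(defs.get("SYS_UID_MAX", _bounds(defs, "UID")[0] - 1))
    used = {uid for _, uid, _ in parse_passwd(passwd_text)}
    return next((uid for uid in range(hi, lo - 1, -1) if uid not in used), None)


if __name__ == "__main__":
    # Users whose UID counts as a system UID on boxes with the new policy.
    print("in gap:", accounts_in_gap(PASSWD_OLD_BOX, LOGIN_DEFS_OLD, LOGIN_DEFS_NEW))
    # The same first user gets 500 on an old box and 1000 on a new one: NFS
    # ownership no longer matches between the two.
    print("first user, old/new:", next_user_uid(PASSWD_FRESH_BOX, LOGIN_DEFS_OLD),
          next_user_uid(PASSWD_FRESH_BOX, LOGIN_DEFS_NEW))
    # Under the new policy system IDs come from 999 downward, the range older
    # boxes drew ordinary users from.
    print("next useradd -r under new policy:", next_system_uid(PASSWD_OLD_BOX, LOGIN_DEFS_NEW))
```

On a real host, replace the constructed strings with the contents of /etc/login.defs and /etc/passwd (and the group file for the GID variant); any non-empty result from accounts_in_gap is a user whose ID a new box may hand to a service account.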

