UID_MIN & GID_MIN changed

Simo Sorce simo at redhat.com
Thu May 26 12:56:51 UTC 2011


On Wed, 2011-05-25 at 19:04 -0500, Dennis Gilmore wrote:
> On Wednesday, May 25, 2011 03:14:43 PM Simo Sorce wrote:
> > On Wed, 2011-05-25 at 20:04 +0000, "Jóhann B. Guðmundsson" wrote:
> > > On 05/25/2011 06:14 PM, Toshio Kuratomi wrote:
> > > > Coordination would be nice if we can decide on how we can sanely make
> > > > changes to this.
> > > 
> > > I would think first is to reach consciousness on what the
> > 
> > Do you mean consensus? We are pretty conscious of the uid/gid problem
> > space I believe :)
> > 
> > > reserved/system IDs are supposed to be; once that has been done we can
> > > start looking at what is the best approach to implement and/or fix
> > > things that might break because of it.
> > 
> > Changing the reserved id space should break "only" new allocations on
> > systems that may have used the newly allocated IDs already.
> > The only way to fix that is to have the admin manually intervene after
> > the error is brought to his attention.
> > 
> > Of course a softer way to deal with this is to not change the defaults
> > on upgrade if checks reveal IDs in the affected space. The problem is
> > that it may not be easy to determine this, esp. when centralized IDs are
> > also available via NIS/LDAP.
> 
> new installs in places with legacy systems can and likely will be affected
> with the result in cases being that users can not log into systems any longer.

This is a worst case scenario and will not be that common. In those
cases admins will need to take corrective action, that may be annoying
in a very few cases, but not a tragedy. If you are using LDAP after all,
it is very unlikely you will go around creating new local user accounts
(and if you do you already have to make sure they do not conflict).

System users now have more space but they are not going to immediately
overflow about the uid 500 area, for most installations they will still
keep being well below 500. And if your LDAP server has IDs below 500
you are already in a world of pain. If it has IDs between 500 and 1000
you are also in pain whenever you use Debian-based systems in your setup
too, and so you must already pay attention to what is going on in those
setups.

For these reasons I think excessive worries of doomsday scenarios are
unfounded.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
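
The pre-upgrade check discussed in the thread (keep the old defaults if IDs already exist in the affected space), as an added example that is not part of the original message or of any Fedora package. It assumes the affected range is 500 up to but not including 1000, taken from the figures in the message; the function names and sample records are constructed for illustration.

```python
"""Added example: find accounts and groups in the ID range a UID_MIN/GID_MIN change reserves."""
import subprocess

OLD_MIN, NEW_MIN = 500, 1000  # assumed old/new minimums, from the ranges named in the thread

# Constructed sample data in passwd(5) / group(5) format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:500::/home/bob:/bin/bash
# comment line
broken-line-without-fields
carol:x:1000:1000::/home/carol:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\nstaff:x:500:alice,bob\nusers:x:1000:\n"


def ids_in_range(text, low=OLD_MIN, high=NEW_MIN):
    """Return sorted (id, name) pairs whose numeric ID lies in [low, high).

    Works for passwd and group records alike: field 3 is the UID or GID.
    """
    hits = set()
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 3 or not fields[2].isdecimal():
            continue  # skip comments, blanks and malformed records
        if low <= int(fields[2]) < high:
            hits.add((int(fields[2]), fields[0]))
    return sorted(hits)


def recommended_min(passwd_text, group_text):
    """Keep the old minimum if any account or group already sits in the affected range."""
    conflicts = ids_in_range(passwd_text) or ids_in_range(group_text)
    return OLD_MIN if conflicts else NEW_MIN


def getent(database):
    """Dump a database through NSS, so NIS/LDAP entries appear where enumeration is enabled."""
    return subprocess.run(["getent", database], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for db in ("passwd", "group"):
        for ident, name in ids_in_range(getent(db)):
            print(f"{db}: {name} uses ID {ident} in [{OLD_MIN}, {NEW_MIN})")
```

An empty result from `getent` output is only conclusive for local files; a directory that does not allow enumeration has to be queried on the server side.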


