[Fedora-packaging] Static UIDs and GIDs

"Jóhann B. Guðmundsson" johannbg at gmail.com
Thu Apr 11 20:01:41 UTC 2013


On 04/11/2013 07:39 PM, "Jóhann B. Guðmundsson" wrote:
> On 04/11/2013 07:35 PM, Rex Dieter wrote:
>> On 04/11/2013 02:30 PM, "Jóhann B. Guðmundsson" wrote:
>>> What purpose and how useful will /etc/services be with this change?
>>
>> I fail to see its relevance to UIDs/GIDs? Am I missing something?
>
> No I am apparently my wits
>
> my head was deep into other stuff when I replied

With my head half way out of my ass, the problem we are trying to solve 
is that if I have multiple servers, UID and GID numbers might not 
be consistent across servers.

If I have more than one server in my environment, UID and GID numbers 
can quickly become inconsistent between servers and servers running 
other *nix, which means that the "apache" user might have a UID of 80 
on Server1, a UID of 82 on Server2, and a UID of 83 on Server3. One of 
the biggest reasons to standardize UID and GID numbers consistently 
across all servers is so that I can move to a central 
authentication system, such as LDAP. Central authentication systems, 
like LDAP, generally require that LDAP enabled users and groups have 
consistent UIDs and GIDs across all servers that are LDAP connected.

However, even if you are not looking to utilize central authentication 
such as LDAP, you can still run into problems with having inconsistent 
UID and GID numbers. For example, suppose you have a SAN LUN mapped to 
ServerA. This LUN might have thousands of files stored on it. Each file 
stored on the LUN has the file owner and group stored as UID and GID 
numbers. So if you take this LUN and unmap it from ServerA and map it to 
ServerB, you will have issues if the UID and GID numbers are not 
consistent between ServerA and ServerB. In this scenario, you could have 
a couple of problems. If apache was UID 80 on ServerA, and samba is UID 
80 on ServerB, after moving the LUN samba owns all of apache's files. If 
there is no UID 80 on ServerB, then the file does not have an owner on 
ServerB, and you simply see "404" as the owner when you run a ls -al 
command. You might also have such issues with inconsistent UID/GID 
numbers across servers when you are exporting NFS shares between servers.

This proposal does not actually solve that, does it?

Hence why should we not simply just have static uid/gid and try to unify 
them between *nix and fix the underlying problem *first* instead of 
adding system users already to the existing problem with general users to 
the mix at packaging level?
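
The mismatch described in the message above can be checked before a volume or NFS export moves between hosts. This is an added example, not part of the original post: it compares two passwd(5) files and reports which accounts would see their files change owner. The passwd contents, the mysql account and the function names are constructed for illustration.

```python
# Added example: the passwd data below is constructed, not taken from real hosts.
SERVER_A = """\
root:x:0:0:root:/root:/bin/bash
apache:x:80:80:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
"""
SERVER_B = """\
root:x:0:0:root:/root:/bin/bash
samba:x:80:80:Samba:/var/lib/samba:/sbin/nologin
apache:x:82:82:Apache:/var/www:/sbin/nologin
"""

def parse_passwd(text):
    """Return {name: uid} from passwd(5) text, skipping blank, comment and malformed lines."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        accounts[fields[0]] = int(fields[2])
    return accounts

def compare_hosts(src, dst):
    """Classify what happens to files written on src once the volume is mounted on dst."""
    dst_by_uid = {}
    for name, uid in dst.items():
        dst_by_uid.setdefault(uid, []).append(name)
    report = {"drift": {}, "reassigned": {}, "orphaned": {}}
    for name, uid in sorted(src.items()):
        # Same account name, different number on the two hosts.
        if name in dst and dst[name] != uid:
            report["drift"][name] = (uid, dst[name])
        owners = dst_by_uid.get(uid)
        if owners is None:
            # No account on dst has this UID: files show a bare number as owner.
            report["orphaned"][name] = uid
        elif name not in owners:
            # The UID belongs to a different account on dst, which now owns the files.
            report["reassigned"][name] = (uid, sorted(owners))
    return report

if __name__ == "__main__":
    result = compare_hosts(parse_passwd(SERVER_A), parse_passwd(SERVER_B))
    for kind, items in result.items():
        for name, detail in items.items():
            print(f"{kind}: {name} -> {detail}")
```

The same comparison applies to /etc/group and GIDs by feeding group(5) data through a parser that reads the third field in the same way.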

