On Fr, 12.01.18 10:41, Steve Dickson (ste...@redhat.com) wrote:

> >>> It's not systemd that came up with reusing 65534 for user
> >>> namespacing. It's kernel people:
> >>>
> >>>         $ cat /proc/sys/kernel/overflowuid 
> >>>         65534
> >> How was that number chosen, and why can't it be changed?
> > 
> > It's conceptually the same thing: it's where UIDs are mapped that
> > cannot be mapped properly otherwise.
>
> Right... I'm assuming this overflow almost never happens
> from looking at the code.

Nope, it happens *all* the time. Just look into /proc in a container
with user namespacing. You'll see that the majority of files there are
owned by 65534, as these files for security reasons are owned by the
root user of the host (and not the root user of the container), and
that user tends not to be mapped to the container, so that the
container cannot make changes to /proc.

If userns is used it's very hard to not see the UID 65534 popping up
all the time.

> So the problem trying to be solved is when the overflow uid/gid
> are used (which is rarely), the owner of the file becomes
> nfsnobody, which does not make any sense because it is on a local filesystem.
> 
> If this is the case, may I suggest that since the overflow uid/gid is
> basically an arbitrary value and easily changeable... why not
> have some boot process echo '99' into /proc/sys/kernel/overflowuid,
> which would match nicely to a uid/gid of a user named 'nobody'?

Well, uh, because nobody does that. Also: why? It's conceptually the
same thing.

And sorry to bring this to you, but I figure the users of userns
(through all its incarnations in Docker, flatpak, bubblewrap, nspawn,
LXC, …) are much more numerous than those of NFS, and the mindshare
is probably with them.

You appear to suggest that changing the name of user 65534 would
create mapping problems for NFS that didn't exist before. But that's
bogus, as these mapping problems have always existed pretty badly, since
the name "nfsnobody" is a Fedoraism/Redhatism, and other distros tend
to use nobody:nogroup or nobody:nobody for that user, and hence you
have to deal with the differences in naming anyway already, in
all your code. I mean, NFS is not a Fedora/Red Hat-only thing, is it?
And it's definitely our intention to improve on this, and just give up
on this Fedoraism/Redhatism and move to something more generic.

Lennart

-- 
Lennart Poettering, Red Hat
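The two points argued above, that host UIDs with no entry in a user namespace's map surface as the kernel's overflow UID, and that the name attached to 65534 is whatever the local passwd database says, as an added, runnable illustration (my own example, not code from the thread or from systemd). It assumes the Linux interfaces /proc/sys/kernel/overflowuid and /proc/<pid>/uid_map; the uid_map format `<inside_start> <outside_start> <count>` is the kernel's, and all sample maps in the test are constructed.

```python
# Added example, not from the thread. Assumes the Linux interfaces
# /proc/sys/kernel/overflowuid and /proc/<pid>/uid_map and the local passwd db.
import os
import pwd

DEFAULT_OVERFLOW_UID = 65534  # kernel default, as quoted in the thread


def parse_uid_map(text):
    """Parse uid_map lines: '<inside_start> <outside_start> <count>'."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ranges.append(tuple(int(p) for p in parts))
    return ranges


def host_uid_to_container(host_uid, ranges, overflow_uid=DEFAULT_OVERFLOW_UID):
    """Map a host UID into the namespace; IDs with no mapping surface as overflow_uid."""
    for inside, outside, count in ranges:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return overflow_uid


def owner_label(uid, overflow_uid, lookup=lambda u: pwd.getpwuid(u).pw_name):
    """Name a UID the way this system's passwd db does ('nobody', 'nfsnobody', ...)."""
    try:
        name = lookup(uid)
    except KeyError:
        name = "<unnamed>"
    return f"{name} (overflow uid, real owner unmapped here)" if uid == overflow_uid else name


def count_overflow_owned(root, overflow_uid):
    """Count direct entries under root owned by the overflow UID (try /proc in a userns)."""
    hits = 0
    for entry in os.scandir(root):
        try:
            hits += entry.stat(follow_symlinks=False).st_uid == overflow_uid
        except OSError:  # /proc entries can disappear while we look
            pass
    return hits


if __name__ == "__main__":  # live check on a Linux host or inside a userns container
    overflow = int(open("/proc/sys/kernel/overflowuid").read())
    print(owner_label(overflow, overflow), "| /proc entries so owned:",
          count_overflow_owned("/proc", overflow))
```

Run inside a container with a typical `0 100000 65536` map and host root (UID 0) comes back as 65534, which is exactly why most of /proc there shows up owned by nobody/nfsnobody.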
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org