Re: ports adding users

2006-10-14 Thread Jonathan McKeown
On Friday 13 October 2006 21:54, Lowell Gilbert wrote:

> The convention is, indeed, that users get UIDs from 1000 up.  This
> doesn't seem to be explicitly described anywhere I can find at the
> moment, but it is implemented in adduser(8) -- and the porter's
> handbook requires hard-coded UIDs and GIDs to be under 1000 (but
> strongly recommends using pw(8) unless there is an important reason
> not to do so).

Yes. The reality of using pw(8) at port installation time, though, is that the 
port-created user will get a uid above 1000 - in fact a uid higher than the 
highest one currently in use, so I can't even just leave a gap in uid 
numbering for port-created users. This caught me out.

> A lot of your problem, though, is that you're trying to combine the
> UID (and GID) space of different machines, that have collisions.  The
> fact that some of those were created by ports isn't really important;
> the problem is that the UID maps were created independently and now
> need to be combined.

No, this isn't the main problem, which is that without some serious 
forethought (and an awareness of the issue), installing a port can screw up 
my user management by (quite correctly, as you point out above) using one of 
``my'' uids rather than a block set aside for ports which want a uid but 
don't need to reserve a specific one.

More to the point, it can do this at some point in the future, when I decide 
to install a new port on one server and then have to remember to mark that 
uid as used throughout my network.

> I'm not sure there's a perfect solution, other than planning ahead.

Agreed. I think my planning ahead is going to take the form I proposed 
originally, of adding an /etc/pw.conf (so that ports using pw(8) will use 
that configuration) forcing allocation within a given uid/gid range, and 
ensure that I only use numbers outside that range for real users.

I mentioned this on the list because I was Astonished (in the POLA sense) to 
find that my human users and ports-created (effectively system) users were 
not separated in any way by default, indeed were jumbled together in the 
sequence of uids/gids. I always like to create a permanent record of things 
that trip me up!

Jonathan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ports adding users

2006-10-13 Thread Lowell Gilbert
Jonathan McKeown [EMAIL PROTECTED] writes:

> This is, I guess, a philosophical question.
>
> Twice in the last couple of weeks I have been bitten by ports adding users or
> groups. In setting up my laptop, I created my user account in sysinstall
> without creating my group. My ~ was created with the GID corresponding to my
> UID, but in building KDE, comms/gnokii used pw groupadd and was allocated
> `my' GID, resulting in my ~ being group-owned by gnokii.
>
> More seriously, we are moving our user accounts into LDAP and I now have a
> problem on a server where I installed net/isc-dhcp3-server before configuring
> pam_ldap and nss_ldap. As a result the dhcpd user (in /etc/passwd) and one of
> my user accounts (in LDAP) have the same UID and GID. Disentangling these is
> going to be... interesting.
>
> After some digging about, I see I can effectively reserve a block of
> UIDs/GIDs by starting my UID numbering at (1001 + x), and creating
> /etc/pw.conf with
>
> reuseuids yes
> reusegids yes
>
> to use the UIDs/GIDs between 1000 and (1000 + x) (otherwise pw just allocates
> a UID/GID higher than any in use, which puts it right back in my reserved
> range). Perhaps I should also set the maxuid/maxgid options too, just in
> case?
>
> That's one option.
>
> Another is to expect dozens of busy port maintainers to cover for me by
> reserving UIDs/GIDs instead of creating random users.
>
> Another is to arrange somehow that the ports infrastructure provide a pw.conf
> which can be used when pw is called by ports, that limits the range of
> UIDs/GIDs that a port can be allocated so that it doesn't overlap with the
> range generally used for user accounts.

The convention is, indeed, that users get UIDs from 1000 up.  This
doesn't seem to be explicitly described anywhere I can find at the
moment, but it is implemented in adduser(8) -- and the porter's
handbook requires hard-coded UIDs and GIDs to be under 1000 (but
strongly recommends using pw(8) unless there is an important reason
not to do so).

A lot of your problem, though, is that you're trying to combine the
UID (and GID) space of different machines, that have collisions.  The
fact that some of those were created by ports isn't really important;
the problem is that the UID maps were created independently and now
need to be combined.  Even if the ports and user spaces had been kept
separate, there would have been conflicts between ports installed on
different machines adding different uids on each, and unless you were
planning ahead, with users being created likewise.

I'm not sure there's a perfect solution, other than planning ahead.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/