On Sat, 15 Apr 2017 23:16:18 -0600 "Theo de Raadt" <dera...@openbsd.org> wrote:
> > Responding to multiple messages:
> >
> > On Fri, 20 Jan 2017 08:43:46 +0100
> > "minek van" <minek...@mail.com> wrote:
> > > I can see that the default users and when creating new ones have
> > > their UID/GUID incremented by 1.
> > >
> > > Could it bring more security if the UIDs/GUIDs would be random?
> >
> > On Mon, 23 Jan 2017 11:51:29 -0500
> > andrew fabbro <and...@fabbro.org> wrote:
> > > The OP was just talking about changing from "last +1" to
> > > arc4random. Synchronizing UID/GID across servers (if you're not
> > > using a directory of some sort) is the same headache regardless
> > > of how you pick them.
> > >
> > > If the OP meant every server has different, unique randomized
> > > UID/GIDs then that's a separate craziness.
> >
> > I can see this randomisation making systems management a bit more
> > difficult as a non-random GUID/UID setup can be used to do things
> > like:
> >
> > GID 0 = wheel
> > GID 1-999 = privsep users, daemons, system
> > GID 1000-32765 = ordinary logins
> > GID 32766 = nogroup
> > GID 32767 = nobody
> >
> > Because the separation is clear and not so random, you can also set
> > up GIDs/UIDs (1000-32765) permanently across a site where they need
> > to be static, in the case of logged-in users. Very necessary for
> > backups.
> >
> > However, the users 1-999 may change depending on what order you
> > install packages in.
> >
> > OpenBSD still randomizes PIDs, but I don't see the point these days:
> > https://security.stackexchange.com/questions/88692/do-randomized-pids-bring-more-security/89961
>
> Sorry you lost me.
>
> I can't tell if you are supporting a useless idea, or declaring that a
> useless idea is not worth supporting.

The latter. In this case I don't think UIDs/GIDs benefit from being random for the above reasons.