On Sat, 15 Apr 2017 23:16:18 -0600
"Theo de Raadt" <dera...@openbsd.org> wrote:

> > Responding to multiple messages:
> > 
> > On Fri, 20 Jan 2017 08:43:46 +0100
> > "minek van" <minek...@mail.com> wrote:  
> > > I can see that the default users and when creating new ones have
> > > their UID/GUID incremented by 1. 
> > > 
> > > Could it bring more security if the UIDs/GUIDs would be random?  
> > 
> > On Mon, 23 Jan 2017 11:51:29 -0500
> > andrew fabbro <and...@fabbro.org> wrote:  
> > > The OP was just talking about changing from "last +1" to
> > > arc4random. Synchronizing UID/GID across servers (if you're not
> > > using a directory of some sort) is the same headache regardless
> > > of how you pick them.
> > > 
> > > If the OP meant every server has different, unique randomized
> > > UID/GIDs then that's a separate craziness.  
> > 
> > I can see this randomisation making systems management a bit more
> > difficult as a non-random GUID/UID setup can be used to do things
> > like:
> > 
> > GID 0 = wheel
> > GID 1-999 = privsep users, daemons, system
> > GID 1000-32765 = ordinary logins
> > GID 32766 = nogroup
> > GID 32767 = nobody
> > 
> > Because the separation is clear and not so random, you can also set
> > up GIDs/UIDs (1000-32765) permanently across a site where they need
> > to be static, in the case of logged-in users. Very necessary for
> > backups.
> > 
> > However, the users 1-999 may change depending on what order you
> > install packages in.
> > 
> > OpenBSD still randomizes PIDs, but I don't see the point these days:
> > https://security.stackexchange.com/questions/88692/do-randomized-pids-bring-more-security/89961
> >   
> 
> 
> Sorry you lost me.
> 
> I can't tell if you are supporting a useless idea, or declaring that a
> useless idea is not worth supporting.
> 

The latter. In this case I don't think UIDs/GIDs benefit from being
random for the above reasons.
