Jyri Virkki wrote:
> 
> On Aug 9, 2008, at 3:16 PM, Glenn Brunette wrote:
>>
>> other OpenSolaris instances.  This was the concern that two OpenSolaris
>> systems with software deployed in different orders could end up with 2
>> accounts having the same UID.  This is bad and has caused a great deal
>> of problems in the past.
> 
> Two [different] accounts with the same numeric uid on a system would 
> certainly be a problem, but that wasn't the topic at hand.

I mean a case like 2 "web" accounts with different UIDs - each on a
different system.  A lot of administrative activities may involve
tar'ing up files from one system and extracting them on another.  While
there are a number of recommended practices for dealing with this,
invariably this happens as 'root' and the extracted files retain the UID
of the initial system so files that were owned by "web" for example are
now no longer so.

Perhaps this just points to the need for greater education (since there
are a number of workarounds for this), but it has happened in nearly
every customer I have reviewed (security assessment) over the last
decade.  As such, it is a use case that we should not ignore.

In one recent customer alone, a security assessment revealed over 500K
such files that had been transferred and whose assigned UID no longer
matched the original system.

>> I think that the Debian example was provided to illustrate that starting
>> with UIDs > 1000 for user accounts would be a way of being consistent
>> for reserved vs. non-reserved ranges in a heterogeneous way.
> 
> Indeed it was, but coincidentally it also brought an example where most 
> daemon uids are assigned first-come-first-served and it seems to work 
> just fine (as a long-time admin of multiple Debian boxes I've never 
> encountered any issues nor do any potential ones come to mind).

I have seen this, although admittedly on Solaris 10 and earlier, not on
OpenSolaris with IPS.  At a number of recent customers I found accounts
like "web", "ldap", etc. that had up to 3 or 4 different UIDs across
about 200 systems.  Again, this is partly an awareness and education
effort, but it is happening enough that we need to at least not dismiss
the issue in our deliberations.

g
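The UID drift described in this message, as an added POSIX shell example that is not part of the thread or of OpenSolaris: it compares two constructed passwd tables to find accounts assigned different UIDs on each host, then checks the numeric owners of files arriving in an archive extracted as root, reporting every file whose owner name on the destination no longer matches the name on the origin (all host names, accounts and paths are constructed sample data).

```sh
#!/bin/sh
# Constructed sample passwd tables for two hosts (not real systems).
# "web" and "ldap" were created in a different order on each host, so
# their numeric UIDs are swapped; "svc" exists only on host A.
HOST_A_PASSWD='root:x:0:0:root:/root:/bin/sh
web:x:101:101:web server:/var/web:/bin/false
ldap:x:102:102:ldap daemon:/var/ldap:/bin/false
svc:x:103:103:service:/var/svc:/bin/false'
HOST_B_PASSWD='root:x:0:0:root:/root:/bin/sh
ldap:x:101:101:ldap daemon:/var/ldap:/bin/false
web:x:102:102:web server:/var/web:/bin/false'
# Numeric owner UID and path of files in an archive made on host A
# (constructed; tar keeps the numeric UID when extracted as root).
ARCHIVE_OWNERS='101 /srv/www/index.html
102 /etc/ldap/slapd.conf
103 /opt/svc/run.sh
0 /etc/motd'

# uid_drift A B: one sorted line "name uidA uidB" per account whose UID
# differs between the two passwd tables ("-" when the account is absent).
uid_drift() {
    printf 'A\n%s\nB\n%s\n' "$1" "$2" | awk -F: '
        /^[AB]$/ { side = $0; next }
        side == "A" { a[$1] = $3; seen[$1] = 1 }
        side == "B" { b[$1] = $3; seen[$1] = 1 }
        END { for (n in seen) {
                ua = (n in a) ? a[n] : "-"; ub = (n in b) ? b[n] : "-"
                if (ua != ub) print n, ua, ub } }' | LC_ALL=C sort
}

# relabel_check ORIG DEST OWNERS: for each "uid path" record extracted on
# DEST with its numeric UID preserved, print "path uid orig_name dest_name"
# whenever the name the UID resolves to on DEST differs from ORIG ("-" = none).
relabel_check() {
    printf 'A\n%s\nB\n%s\nF\n%s\n' "$1" "$2" "$3" | awk '
        /^[ABF]$/ { side = $0; next }
        side == "A" { split($0, f, ":"); orig[f[3]] = f[1] }
        side == "B" { split($0, f, ":"); dest[f[3]] = f[1] }
        side == "F" { on = ($1 in orig) ? orig[$1] : "-"
                      dn = ($1 in dest) ? dest[$1] : "-"
                      if (on != dn) print $2, $1, on, dn }' | LC_ALL=C sort
}

uid_drift "$HOST_A_PASSWD" "$HOST_B_PASSWD"
relabel_check "$HOST_A_PASSWD" "$HOST_B_PASSWD" "$ARCHIVE_OWNERS"
```

On a live host the same checks apply to real `/etc/passwd` files and to `find / -nouser` or `tar -tvf` listings, which is how the 500K-file figure in a review would be enumerated.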
