David Halik wrote:
> Hi, I just had a couple of questions about nfsnobody.
> We run a very large NFS infrastructure based off of a NetApp, and we've
> been discussing whether or not it is necessary to have 64 bit nfsnobody
> as 4294967294. I understand the reasoning behind this (2^32 - 2 gives you
> a max UID), but we're having issues since we run multiple architectures.
> The UID doesn't play nice across Solaris, Redhat, 32 vs 64bit, etc.
> Are there any obvious security risks or problems with using nfsnobody as
> 65534 (2^16 - 2) on 64bit, or even just assigning it a random value, 300
> for example? I can't see any particular reason for having such a high
> number other than to keep it above any possible real UID space.
Anyone who relies on identical UIDs (or user names) across systems is
off his head, even staying with Linux.
For example, install a new default Tikanga, the first user account will
be 500. Do it with Debian, it will be 1000.
User names can be important, but don't rely on system accounts matching.
UIDs are important for security within one system, but not externally.
Where one has shared filesystems where UIDs are visible across systems,
then it's the system administrator's (I'm looking at you, David)
responsibility to arrange the mapping.
I recall when 99 was the common UID for nobody, and it was used by
Apache and then some others and then too many and they got split out,
and then -1 was introduced and then -2.
The numbers are unimportant, what matters is your rules about who
reads/writes what.
Sadly, I'm badly out of touch with how to implement such rules.
> Also, the NetApp automatically generates quota tables based off of the
> highest UID, so obviously this is a *major* problem if suddenly we have
> billions of users as far as the NetApp is concerned. Ultimately, we'd
> like to just assign it a low value in the range with our other system
> account, but we are not sure of the potential risks with NFS etc.
> Any comments would be appreciated.
> Thanks!
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list