Static User/Group Mappings
/start rant
Switching my servers from Annvix to Mandriva is absolutely maddening. The biggest problem is dynamic uid/gid mappings. Do you know how frustrating it is to have apache uid 77 on one machine and uid 92 on another? Or svn is gid 75 on one and gid 76 on another? It’s driving me absolutely bonkers.
Why on earth we switched, years ago, from static uid/gid mapping to dynamic mapping is beyond me. It’s the most utterly retarded thing possible. Consistency between different installs is not a bad thing, people! Sure, the original argument was “it keeps the passwd file smaller” but… news flash! It’s *easy* to specify the uid or gid in the spec file and it’s trivial to keep a publicly-accessible list of the map so people don’t grab inappropriate uid or gid numbers. I mean, seriously… I implemented that in Annvix over 4 years ago! It was one of the first things I did.
Of course, mention this and developers/maintainers poo-poo the idea (no, that’s not theoretical… after I did it in Annvix I proposed it again and… gasp… it was poo-poo’d… like usual).
Gaaaahhh! If I had a brick wall handy I’d be smashing my head in it at the moment.
/end rant
Buchan
There are other problems you don’t mention.
Propose a real alternative, and maybe it will be discussed. But, having a single package own every uid and gid is not scalable.
Apr 08, 2008 @ 04:22:38
proyvind
Third time’s a charm, propose it again and implement it in addition!
I do agree on this being sane (if done right..).
Apr 08, 2008 @ 10:43:15
Misc
Well, for me the main objection I used to have was to not keep a static list somewhere that should be updated to keep things unique, and updated with all possible and reserved names, because this doesn’t scale, imho.
Now, maybe we could find some arrangement, as we are using a piece of script to assign uid, this could be done, this just needs someone to patch it, and have a list and a dynamic range.
I propose to have something like a list of known daemons in range 50-250, and use > 300 for dynamic uid, as long as someone manages the original list, this should be ok, I guess (i.e., as long as the daemons you use are in the list :p ).
I suppose the main issue is that it doesn’t bother enough people to be done, like often, people are not against your ideas, it is just they are not bothered enough for this.
I cannot truly say that I have ever been annoyed by this on my own servers, and they all run Mandriva.
(and while we are on it, maybe we could follow Apple and use _sshd instead of sshd, etc, so someone called “nicolas trevor pilidian” could use ntp as username without trouble)
Apr 08, 2008 @ 16:21:43
yoho
Good point. I agree it’s a PITA when you have mismatched uid/gid between two hosts. But then, it starts to be difficult if you need to switch from one distro to another one, so it’s the same problem. An IANA list of GID/UID/SERVICES would be great, but go and convince them!
Apr 11, 2008 @ 10:22:33
vdanen
Buchan: of course there are other problems… this wasn’t meant to go into every single issue. Of course, you don’t have to be an ass.. having one package own every uid and gid… where did you get that from? I never said that. Of course having a single package (like setup) owning and installing of this doesn’t scale.
I implemented this in Annvix years ago. And it has worked 100% without any problems with just minor modifications to the rpm-helper scripts that add users, so everything is still set up in the rpm package, just using a pre-defined uid.
http://annvix.org/Documentation/Dev/Building/UID_GID_Map
That’s the “map” for Annvix. You can easily determine what is where, and the uid/gid range is well established.
For instance, with openssh, you would use:
%pre server
%_pre_useradd sshd /var/empty /bin/true 71
Essentially there is one extra argument to %_pre_useradd, the uid/gid to use (71 in this example).
http://www.yingternet.com/viewvc/releases/3.1-CURRENT/openssh/SPECS/openssh.spec?revision=8441&root=packages&view=markup
I don’t see why this wouldn’t be scalable, and I also don’t see this being that difficult to implement. People just have to stop coming up with lame excuses as to why things can’t be done better.
Apr 20, 2008 @ 15:08:25
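Added example, not code from the post, the comments, or the Annvix/Mandriva packages: a small audit that checks passwd(5) data collected from several hosts against a static uid map and the 50-250 static range proposed in the comments. The hostnames, the map contents and the sample passwd lines are constructed; only sshd=71 and the apache 77-vs-92 mismatch come from the page.

```python
# Constructed sample data: hostnames and most entries are made up; sshd uid 71
# and the apache 77-vs-92 mismatch are the numbers mentioned on this page.
STATIC_MAP = {"sshd": 71, "apache": 77}   # assumed map, not the Annvix list
STATIC_RANGE = range(50, 251)             # 50-250 range proposed in the comments

HOSTS = {
    "web1": "root:x:0:0:root:/root:/bin/bash\n"
            "sshd:x:71:71::/var/empty:/bin/true\n"
            "apache:x:77:77::/var/www:/bin/sh\n",
    "web2": "root:x:0:0:root:/root:/bin/bash\n"
            "sshd:x:71:71::/var/empty:/bin/true\n"
            "svn:x:77:75::/var/svn:/bin/sh\n"
            "apache:x:92:92::/var/www:/bin/sh\n",
}


def parse_passwd(text):
    """Return {account: uid} from passwd(5) text, skipping malformed lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank lines, comments, NIS "+" entries
        accounts[fields[0]] = int(fields[2])
    return accounts


def audit(hosts, static_map, static_range):
    """Return sorted (host, account, problem) tuples for every deviation."""
    by_uid = {uid: name for name, uid in static_map.items()}
    findings = []
    for host, text in hosts.items():
        for name, uid in parse_passwd(text).items():
            if name in static_map and uid != static_map[name]:
                findings.append((host, name, f"uid {uid}, map says {static_map[name]}"))
            elif name not in static_map and uid in by_uid:
                # Files written by the mapped service elsewhere would belong to
                # this account here (NFS, rsync --numeric-ids, restored backups).
                findings.append((host, name, f"holds uid {uid} reserved for {by_uid[uid]}"))
            elif name not in static_map and uid in static_range:
                findings.append((host, name, f"unmapped account at uid {uid} in static range"))
    return sorted(findings)


if __name__ == "__main__":
    for host, name, problem in audit(HOSTS, STATIC_MAP, STATIC_RANGE):
        print(f"{host}: {name}: {problem}")
```

The second kind of finding is the one that matters most for file ownership: a different account sitting on a uid that the map reserves for a service.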