User id allocation and fedora-usermgmt

David Lutterkort dlutter at redhat.com
Thu Mar 2 01:17:19 UTC 2006


On Wed, 2006-03-01 at 07:25 +0100, Enrico Scholz wrote:
> dlutter at redhat.com (David Lutterkort) writes:
> 
> >         UID     For use by/managed by
> >         0-199   Fedora Core, FC steering committee
> >         200-299 reserved for future allocation
> >         300-399 Fedora Extras, FeSCo
> >         400-499 reserved for future allocation
> 
> not possible; according to FHS, these ranges are available for free use
> and must not be assigned statically. 

Actually, that's a very loose paraphrasing of what the LSB (not FHS)
says[1]:

        The system User IDs from 0 to 99 should be statically allocated
        by the system, and shall not be created by applications.

        The system User IDs from 100 to 499 should be reserved for
        dynamic allocation by system administrators and post install
        scripts using useradd.

This is pretty vague, as far as standards go, and clearly, having only
100 user id's for statically allocated users is not practical (FC itself
already uses more than 100 system users).

It seems that a sensible policy for Fedora could serve as the basis for
a clarification of the LSB in this respect.

> They might be already in use in
> existing systems, and a static assignment in future FE packages WILL
> create conflicts.

Absolutely; though I don't see how fedora-usermgmt addresses that issue.
This seems like an argument for always allocating uid's dynamically for
FE system accounts, and changing the packaging guidelines so that
packages will not remove users (which fixes the security risk from
reused uid's). It would also erase the one big benefit of statically
allocated uid's: easy correspondence of users across machines in a
network for things like NFS filesystems.

> The fact is, that you will not find a free range for new static uid. The
> only possible range for static uids is 0-99 which is reserved for Core
> already.

I think this is mainly because there has never been a clear guideline on
what to do.

> > For Fedora Extras, user id's would be tracked as they are right now
> > at http://fedoraproject.org/wiki/Packaging/UserRegistry (with all
> > uid/gid's bumped up by 300) and new uid's/gid's would be allocated
> > during package review from the FE range 300-399.

It seems that that page
http://fedoraproject.org/wiki/Packaging/UserCreation is only a
recommendation, not a requirement for package review. Could you change
the page to clearly state that it's not a packaging requirement? I
think it's pretty confusing as it is right now.

> I am in doubt that we will stay below 100 users...

Absolutely. But for the time being, it's enough; once we approach the
100 uid's we would have to either allocate more uid's or think of
something else.

[1]
http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/uidrange.html
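
The two concerns raised in this thread, a static assignment colliding with a uid already in use on an existing system and a removed account's uid being reused, can both be checked mechanically. The following is an added example, not part of the original post or of fedora-usermgmt; the account names, registry entries and file-owner list are constructed, and 300-399 is the range proposed in the post.

```python
# Ranges taken from the post: the LSB dynamic range and the proposed FE range.
LSB_DYNAMIC = range(100, 500)   # "dynamic allocation by ... useradd"
FE_PROPOSED = range(300, 400)   # proposed static range for Fedora Extras

# Constructed sample data (not from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
localsvc:x:301:301:site-local daemon:/var/lib/localsvc:/sbin/nologin
"""
SAMPLE_REGISTRY = {"exampled": 301, "otherd": 302}  # hypothetical static assignments
SAMPLE_FILE_OWNERS = [0, 38, 301, 117, 117, 1000]   # owner uids, as from stat() over a tree


def parse_passwd(text):
    """Return {uid: name} from passwd(5)-format text, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdecimal():
            continue
        # Keep the first name seen for a uid, as a uid lookup would.
        users.setdefault(int(fields[2]), fields[0])
    return users


def static_conflicts(users, registry, uid_range=FE_PROPOSED):
    """Map registry name -> reason for each assignment that is outside
    uid_range or whose uid already belongs to a differently named account."""
    problems = {}
    for name, uid in registry.items():
        if uid not in uid_range:
            problems[name] = f"uid {uid} outside {uid_range.start}-{uid_range.stop - 1}"
        elif users.get(uid, name) != name:
            problems[name] = f"uid {uid} already used by {users[uid]}"
    return problems


def orphaned_uids(users, file_owner_uids, uid_range=LSB_DYNAMIC):
    """Uids that still own files but have no passwd entry. A later dynamic
    allocation may hand such a uid to a new account, which inherits the files."""
    return sorted(u for u in set(file_owner_uids)
                  if u in uid_range and u not in users)


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print(static_conflicts(users, SAMPLE_REGISTRY))
    print(orphaned_uids(users, SAMPLE_FILE_OWNERS))
```
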



