public inbox for gentoo-dev@lists.gentoo.org
From: Alec Warner <antarus@gentoo.org>
To: Ulrich Mueller <ulm@gentoo.org>
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] rfc: allow -1 for ACCT_USER_ID and ACCT_GROUP_ID in ::gentoo
Date: Mon, 29 Nov 2021 16:55:45 -0800
Message-ID: <CAAr7Pr8-+LkU4GvCKUUr257Wd9n0R+KjZc2c7WSAD2nE+uwOwQ@mail.gmail.com>
In-Reply-To: <w6gmtlntg26.fsf@kph.uni-mainz.de>

On Mon, Nov 29, 2021 at 2:25 AM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> >>>>> On Mon, 29 Nov 2021, Alec Warner wrote:
>
> > - If Gentoo adds an acct-user/foo user, and that user already exists
> > on my system with the wrong UID: the eclass dies[0].
>
> I don't think that's correct. The eclass will just use the already
> existing UID then (except for the very few acct-user packages that
> define ACCT_USER_ENFORCE_ID).
>
> > - If Gentoo adds an acct-user/foo user, with uid=12345, and that uid
> > is assigned to a user on my system already, the eclass dies.
>
> Similar to above, the eclass will dynamically allocate another UID that
> is free.

Oh good, I misread it; you are right, my apologies.

>
> > - Some environments are very old, and so real users have unexpected
> > uids; this includes Gentoo itself.
> >    - Gentoo (the community) used to allocate UIDs to devs in the
> > 500-1000 range and we have 17 active developers with UIDs in that
> > range. So for example if we allocate one of these UIDs to an acct-*
> > package; that package will not be installable on woodpecker without
> > modification because those UIDs are already taken.
>
> See above.
>
> Also, why would one allocate UIDs in the 500..999 range (1000 is fine,
> actually)? Gentoo always had UID_MIN=1000 and SYS_UID_MAX=999.

A bunch of reasons.
 - In the case of gentoo.org specifically, I am guessing bugs and/or
ignorance (as we discussed on IRC). enewuser / useradd / the normal
utilities lack the permissions to add users (because they cannot write
to LDAP without credentials), and so currently we have a tool
(perl_ldap); from 2006 onward it looks for the highest uidNumber in
LDAP and adds 1 to it. I don't have the source code for earlier
versions, but code comments implied the uids were entered by people,
not machines. People are really bad at consistently allocating UIDs
and are bad at following standards :)
 - In my previous work, the uid automation would routinely have bugs
(we did not have good unit or functional testing), and often the uid
range requirements were either not implemented (oops) or were buggy
(also oops). We often fixed weird bugs by hand (if we noticed that
e.g. an account had some weird problem and it was someone's first day,
redoing their account is cheap). But if the bug was in the past, it
was often too expensive to fix anything, so our user accounts had many
exciting quirks of names, odd assignments, etc.

This is why I say that conceptually the 'identity provider' is
external to Gentoo (because we all have our weird site-specific
quirks). As you note above though, most acct-* packages will not break
and will just assign some other uid / gid; so only the FORCE_ID
packages matter and there are only 3 of those... so I mostly concede on
that basis, provided we avoid adding more FORCE'd packages.

-A

>
> Ulrich

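The UID resolution rules discussed above (existing user keeps its UID, a taken UID falls back to dynamic allocation, only ACCT_USER_ENFORCE_ID packages fail) can be turned into a pre-merge check for a host with legacy UIDs in the system range. The script below is an added example written for this page; it is not code from acct-user.eclass, and the system-UID range, the "highest free UID first" allocation order, the passwd excerpt and the package list are all constructed assumptions, not values taken from the thread or from Gentoo.

```python
"""Simulate the UID-resolution behaviour the thread describes for acct-user
packages and pre-check a host for collisions.  Constructed example; not code
from acct-user.eclass."""

from dataclasses import dataclass

# Assumed system-account range.  Gentoo's real dynamic range may differ.
SYS_UID_MIN = 101
SYS_UID_MAX = 999

# Constructed passwd excerpt (not a real host): a developer with an
# old-style UID (612) sitting inside the system range, as discussed above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
portage:x:250:250:portage:/var/tmp/portage:/bin/false
alice:x:612:612:dev with legacy uid:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
"""


class UidCollision(Exception):
    """Raised when the fixed UID is enforced and cannot be honoured."""


def parse_passwd(text):
    """Return {username: uid} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[2])
    return users


def allocate_uid(used):
    """Pick a free UID in the system range (assumption: highest free first)."""
    for uid in range(SYS_UID_MAX, SYS_UID_MIN - 1, -1):
        if uid not in used:
            return uid
    raise UidCollision("no free UID in system range")


def resolve_uid(name, requested, enforce, users):
    """Decide which UID an acct-user package ends up with on this host.

    requested == -1 means "no fixed UID, allocate dynamically".
    enforce mirrors ACCT_USER_ENFORCE_ID.  Returns (uid, reason).
    """
    used = set(users.values())
    if name in users:
        existing = users[name]
        if enforce and requested != -1 and existing != requested:
            raise UidCollision(f"{name} exists with uid {existing}, need {requested}")
        return existing, "existing user kept"
    if requested != -1 and requested not in used:
        return requested, "requested uid free"
    if enforce and requested != -1:
        raise UidCollision(f"uid {requested} already taken, cannot enforce for {name}")
    return allocate_uid(used), "allocated dynamically"


@dataclass(frozen=True)
class AcctUser:
    name: str
    uid: int          # -1 = no fixed UID
    enforce: bool = False


def preflight(packages, passwd_text):
    """Return (final {name: uid}, [packages that would die on this host])."""
    users = parse_passwd(passwd_text)
    outcome, blocked = {}, []
    for pkg in packages:
        try:
            uid, _ = resolve_uid(pkg.name, pkg.uid, pkg.enforce, users)
        except UidCollision:
            blocked.append(pkg.name)
            continue
        users[pkg.name] = uid   # later packages must see this allocation
        outcome[pkg.name] = uid
    return outcome, blocked


if __name__ == "__main__":
    # Constructed package list: one enforced, one fixed-but-taken, one -1.
    pkgs = [AcctUser("foo", 612, enforce=True), AcctUser("bar", 612), AcctUser("baz", -1)]
    final, dead = preflight(pkgs, SAMPLE_PASSWD)
    print("allocations:", final)
    print("would need manual modification:", dead)
```

Only the enforced package is reported as blocked; the others receive a dynamically chosen UID, which is the behaviour Ulrich describes. Running the same check against a real /etc/passwd (and the acct-user ebuilds actually present in the tree) is the practical test of whether a site's legacy UIDs matter.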

Thread overview:
2021-11-28 22:31 [gentoo-dev] rfc: allow -1 for ACCT_USER_ID and ACCT_GROUP_ID in ::gentoo William Hubbs
2021-11-28 23:26 ` Michael Orlitzky
2021-11-28 23:39   ` Sam James
2021-11-29  0:06     ` Michael Orlitzky
2021-11-29  5:05       ` Sam James
2021-11-29 13:25         ` Michael Orlitzky
2021-11-29  4:07 ` Michał Górny
2021-11-29  6:58   ` Alec Warner
2021-11-29 10:24     ` Ulrich Mueller
2021-11-30  0:49       ` James Cloos
2021-11-30 11:59         ` Ulrich Mueller
2021-11-30 21:08           ` James Cloos
2021-12-01  1:32           ` William Hubbs
2021-12-01  1:42             ` Michael Orlitzky
2021-12-01  6:16             ` Jaco Kroon
2021-12-01  6:45               ` Alec Warner
2021-12-01  7:51                 ` Jaco Kroon
2021-12-01 12:22                 ` Michael Orlitzky
2021-12-01 16:52             ` A Schenck
2021-11-30  0:55       ` Alec Warner [this message]