From: Gregory Woodbury
Date: Fri, 27 Jan 2017 14:45:35 -0500
Subject: Re: [gentoo-dev] Requirements for UID/GID management
To: gentoo-dev@lists.gentoo.org

On Fri, Jan 27, 2017 at 1:52 PM, Rich Freeman <rich0@gentoo.org> wrote:

> On Fri, Jan 27, 2017 at 12:54 PM, Michael Orlitzky <mjo@gentoo.org> wrote:
> >
> > You don't really have to care what UID/GID is assigned, because each
> > user/group will only be created once and referenced by name (as $PN). By
> > default, we could pick the first available UID in most packages.
>
> I might be not following correctly, but due to how filesystems/etc
> work it is probably desirable to have consistent UID/GIDs as much as
> reasonably possible. Things like NFS, chroots, containers, and so on
> can be a bit simpler if these are consistent, because they involve one
> system having visibility into a filesystem hosted on another, and
> usually in these cases the UID/GID is what is kept constant, not the
> name. (IMO UID/GID namespace is one of those areas where
> Linux/POSIX/etc has some weaknesses.)
>
> This doesn't really seem like a problem though. Just have a table
> somewhere (wiki?) to track who is using what UID/GID and encode those
> defaults into the ebuild that creates those users.

There should be a division of the system managed UID space:
1) constant/consistent UID/GID for major things (portage, etc.)
2) variable space for per package groups/users that generally don't care
   about consistency

A quick look at /etc/passwd shows that many of the system UIDs are
under 250 (portage) and a few scattered above 400. GIDs are similar,
though some are "fixed" and some are assigned going down from 999.

Some eclasses may need to be scrutinized for what behavior they are using.

-- 
G.Wolfe Woodbury
redwolfe@gmail.com


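The consistency concern raised in the quoted text (NFS, chroots and containers carry the numeric UID, not the name) can be checked by comparing the passwd files of the two systems that share a filesystem. This is an added example, not part of the original message; the two passwd files and all function names are constructed for illustration.

```python
"""Compare account name -> UID mappings across two hosts' passwd files."""

# Constructed sample data: /etc/passwd from an NFS server and from a client.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
portage:x:250:250:portage:/var/tmp/portage:/bin/false
postgres:x:70:70:PostgreSQL:/var/lib/postgresql:/bin/sh
nginx:x:999:999:nginx:/var/lib/nginx:/sbin/nologin
"""
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
portage:x:250:250:portage:/var/tmp/portage:/bin/false
postgres:x:998:70:PostgreSQL:/var/lib/postgresql:/bin/sh
redis:x:999:999:redis:/var/lib/redis:/sbin/nologin
"""

def parse_passwd(text):
    """Return {name: uid} from passwd(5) text, skipping blank, comment and malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users

def compare_hosts(a, b):
    """Return (names whose UID differs, UIDs that belong to different names)."""
    name_mismatch = {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}
    by_uid_a = {uid: name for name, uid in a.items()}
    by_uid_b = {uid: name for name, uid in b.items()}
    uid_collision = {u: (by_uid_a[u], by_uid_b[u])
                     for u in by_uid_a.keys() & by_uid_b.keys()
                     if by_uid_a[u] != by_uid_b[u]}
    return name_mismatch, uid_collision

if __name__ == "__main__":
    server, client = parse_passwd(SERVER_PASSWD), parse_passwd(CLIENT_PASSWD)
    names, uids = compare_hosts(server, client)
    for name, (s, c) in sorted(names.items()):
        print(f"{name}: uid {s} on server, uid {c} on client")
    for uid, (s, c) in sorted(uids.items()):
        print(f"uid {uid}: '{s}' on server, '{c}' on client (shared files change owner)")
```

A UID collision is the case that matters most on a shared filesystem: files written by one service on the server appear owned by an unrelated account on the client.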