[gentoo-dev] RFC: UID/GID rspamd

[gentoo-dev] RFC: UID/GID rspamd

[Petr Vaněk]

Hi,

I was recently asked to migrate rspamd UID/GID to the new GLEP-81 [1].
The FreeBSD uses 236/236 for rspamd [2], but we already set tox for
236/236. However, archlinux sets 199/199 for toxcore [3], which seems to
be equivalent of our net-libs/tox and it seems to be free currently.

Would it be possible to move tox to 199/199 and set rspamd to 236/236 to
be more compatible with other distributions, or should I chose some
other UID/GID?

Thanks,
Petr

[1] https://github.com/gentoo/gentoo/pull/13770#discussion_r352630383
[2] https://svnweb.freebsd.org/ports/head/UIDs?view=co
[3] https://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database

Re: [gentoo-dev] RFC: UID/GID rspamd

[Michael Orlitzky]

On 12/2/19 10:23 AM, Petr Vaněk wrote:
> 
> Would it be possible to move tox to 199/199 and set rspamd to 236/236 to
> be more compatible with other distributions, or should I chose some
> other UID/GID?
> 

Changing an existing UID/GID isn't possible. It's technically infeasible
-- not just that we left it out of the eclass or something -- so you'll
have to pick another one.

(This is the reason we require a mailing list review for the assignments.)

Re: [gentoo-dev] RFC: UID/GID rspamd

[Petr Vaněk]

On Mon, Dec 02, 2019 at 10:26:37AM -0500, Michael Orlitzky wrote:
> On 12/2/19 10:23 AM, Petr Vaněk wrote:
> > 
> > Would it be possible to move tox to 199/199 and set rspamd to 236/236 to
> > be more compatible with other distributions, or should I chose some
> > other UID/GID?
> > 
> 
> Changing an existing UID/GID isn't possible. It's technically infeasible
> -- not just that we left it out of the eclass or something -- so you'll
> have to pick another one.

Ok, I would like to reserve 237/237 for rspamd in that case, it is next
available.

Btw, I am just curios about the situation when there is a foo overlay
with acct-{user,group}/foo using UID/GID already set in main gentoo
overlay and later on we would like to move it to the main gentoo
overlay. It would be necessary to chose different UID/GID for
acct-{user,group}/foo.  So, my question is, would it be technically
feasible to do the migration for users of the foo overlay?  I can
imagine this scenario will occur once in the future and it is UID/GID
change.

Thanks,
Petr

Re: [gentoo-dev] RFC: UID/GID rspamd

[Michael Orlitzky]

On 12/3/19 5:41 AM, Petr Vaněk wrote:
> 
> Btw, I am just curios about the situation when there is a foo overlay
> with acct-{user,group}/foo using UID/GID already set in main gentoo
> overlay and later on we would like to move it to the main gentoo
> overlay. It would be necessary to chose different UID/GID for
> acct-{user,group}/foo.  So, my question is, would it be technically
> feasible to do the migration for users of the foo overlay?  I can
> imagine this scenario will occur once in the future and it is UID/GID
> change.
> 

The GLEP81 eclasses will reuse an existing account (with the "old" UID)
if the name matches. When migrating from an overlay, things should keep
working for the overlay users -- they just won't get the new UID.
Regular users of ::gentoo won't notice anything out of the ordinary.

What doesn't work is trying to fix the existing UID/GID to match the new
one. To do that, you'd need to know every file on the system that's
owned by the old UID, so that you can switch them to the new UID.
There's no good way to do that, and definitely no secure way to chown
them afterwards. So, we can't do it in the eclasses in the main tree.

But, if you're working on something in an overlay and if you know how
the software works and are comfortable finding/deleting all of its files
and wiping its entry out of /etc/passwd, then in that specific case, you
can even switch the UIDs. Just manually erase all traces of the user
from your system, and then emerge the ebuild from ::gentoo.