Date: Sun, 12 Nov 2006 20:16:28 +0100
From: "Simon L. Nielsen"
To: Florent Thoumie
Cc: Dmitry Pryanishnikov, freebsd-ports@freebsd.org, Kris Kennaway
Subject: Re: UID/GID dynamic allocation in net/isc-dhcp3-server: why?
Message-ID: <20061112191628.GD1049@zaphod.nitro.dk>
In-Reply-To: <4556FB41.7080904@FreeBSD.org>
References: <20061111210303.A92042@atlantis.atlantis.dp.ua> <20061111203731.GL1006@zaphod.nitro.dk> <20061111204804.GA26170@xor.obsecurity.org> <20061111210504.GM1006@zaphod.nitro.dk> <20061111211143.GA26524@xor.obsecurity.org> <4556FB41.7080904@FreeBSD.org>
List-Id: Porting software to FreeBSD

On 2006.11.12 10:45:21 +0000, Florent Thoumie wrote:
> Kris Kennaway wrote:
> > On Sat, Nov 11, 2006 at 10:05:05PM +0100, Simon L. Nielsen wrote:
> >> On 2006.11.11 15:48:05 -0500, Kris Kennaway wrote:
> >>> On Sat, Nov 11, 2006 at 09:37:31PM +0100, Simon L. Nielsen wrote:
> >>>> On 2006.11.11 21:12:09 +0200, Dmitry Pryanishnikov wrote:
> >>>>
> >>>>> I don't like the current behaviour of the net/isc-dhcp3-server port
> >>>>> of creating 'dhcpd' user and group using dynamic allocation instead of
> >>>>> having a static one (as specified in /usr/ports/{U,G}IDs). I like the idea
> >>>>> of [ug]id ranges, and dynamic allocation doesn't keep within this idea
> >>>>> (ids of users and daemons get mixed). Is there a specific reason why there
> >>>>> is no static [ug]id for net/isc-dhcp3-server?
> >>>> Personally I have it precisely the other way around - I find the
> >>>> static allocations rather annoying since they are bound to collide
> >>>> with existing UID's at some point.
> >>>>
> >>>> IMO the optimal solution would be to have some magic which auto
> >>>> assigns ports/system UID/GID's from different ranges than normal
> >>>> users.
> >>> Just so :)
> >>>
> >>> UIDs below 1000 are (and have been for many years) allocated to the
> >>> "system" (ports/src), and are not supposed to be allocated by
> >>> administrators. This at least works out of the box with some of the
> >>> tools we have for allocating new users, so are you aware of any that
> >>> don't do this?
> >> I know that people are not supposed to use < 1000 for normal users
> >> and I haven't seen any FreeBSD tools which use low UID's for normal
> >> users by default. I don't use low UID's on new systems/sites, but
> >> sometimes you have "old" systems/sites where that is just not the
> >> case. I'm certainly not saying we should bend over backwards to
> >> support these legacy systems, I just want to point out that they do
> >> exist. I'm really not trying to start a big debate over static
> >> vs. dynamic UID/GID allocations, the original mail just made it sound
> >> to me like it was a universal truth that ports should use hardcoded
> >> UID/GID's and it was always a good thing.
> >>
> >> And the site where I have UID/GID's in the < 1000 range is called
> >> FreeBSD.org :-) (we use UID/GID's from 500 and up).
> >
> > I dunno what you are suggesting could be done on systems where the
> > administrators have chosen to ignore the conventions. Even supposing
> > the <1000 range was dynamically remapped to some other range on such
> > systems, what's to stop the rogue admin from allocating there too?

As I tried to say above, it's quite possible we shouldn't do anything to
support this, I just wanted to point out that there are issues with
statically assigning [GU]ID's.

> I have a bsd.port.mk patch in the works to create users/groups
> automatically from uids/gids registered in the related files. It
> wouldn't be too hard to include a UID_OFFSET/GID_OFFSET parameter so
> that the local admin can reserve uids/gids in say range 2000-3000
> instead of 0-1000 (which isn't really 0-1000 but I'm too lazy to check
> where system uids/gids stop :-)
>
> Would it be alright with you Simon?

That would be very neat! Of course it would require that the ports don't
hardcode the allocations from ports/[GU]ID. Packages are of course still
something which must be dealt with somehow (though it wouldn't be a
problem for me if UID_OFFSET/GID_OFFSET didn't work with packages since
I only use packages I build myself)...

-- 
Simon L. Nielsen
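The collision problem Simon describes (a site handing out ordinary accounts from UID 500 up, overlapping the static allocations in /usr/ports/UIDs) and the UID_OFFSET idea Florent floats can be checked with a small script. The following is an added example, not code from this thread or from the ports tree: it reads a UIDs-style file (name:*:uid:gid::0:0:gecos:home:shell) and a passwd-style file, reports every static allocation whose UID is already held by a differently named local account, and lets you shift the ports UIDs by an offset to see whether a reserved range such as 2000-3000 would avoid the overlap. Both input files are constructed samples written to temporary files, the daemon account "exampled" is made up, and the offset is a parameter of this script only, not an actual bsd.port.mk variable.

```shell
#!/bin/sh
# Added example (not from the thread or the ports tree): check the static
# allocations in a /usr/ports/UIDs-style file against a local passwd file for
# UID collisions, optionally shifting the ports UIDs by an offset. The offset
# stands in for the UID_OFFSET knob discussed in the thread; it is a parameter
# of this script only, not a real bsd.port.mk variable.
set -eu

# Constructed sample data standing in for /usr/ports/UIDs and /etc/passwd.
PORTS_UIDS=$(mktemp)
LOCAL_PASSWD=$(mktemp)
trap 'rm -f "$PORTS_UIDS" "$LOCAL_PASSWD"' EXIT

# /usr/ports/UIDs format: name:*:uid:gid::0:0:gecos:home:shell
cat >"$PORTS_UIDS" <<'EOF'
# constructed sample; "exampled" is a made-up daemon account
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
exampled:*:501:501::0:0:Example daemon:/nonexistent:/usr/sbin/nologin
EOF

# passwd format: name:password:uid:gid:gecos:home:shell
# A site that hands out ordinary user accounts from UID 500 up, as the
# thread describes for FreeBSD.org.
cat >"$LOCAL_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:500:500:Alice:/home/alice:/bin/sh
bob:*:501:501:Bob:/home/bob:/bin/sh
EOF

# ports_uids FILE [OFFSET]: print "name uid" for every entry in a UIDs-style
# file, with OFFSET (default 0) added to the uid.
ports_uids() {
    awk -F: -v off="${2:-0}" '!/^#/ && NF >= 3 { print $1, $3 + off }' "$1"
}

# uid_collisions UIDS PASSWD [OFFSET]: print "name uid taken_by" for each ports
# entry whose (shifted) uid is already used by a differently named local
# account. A port re-creating an account that already exists with the same
# name and uid is not a collision, so it is not reported.
uid_collisions() {
    awk -F: -v off="${3:-0}" '
        NR == FNR { if (!/^#/ && NF >= 3) taken[$3] = $1; next }
        !/^#/ && NF >= 3 {
            u = $3 + off
            if ((u in taken) && taken[u] != $1) print $1, u, taken[u]
        }
    ' "$2" "$1"
}

# count_collisions UIDS PASSWD [OFFSET]: number of collisions found.
count_collisions() {
    uid_collisions "$@" | wc -l | tr -d ' '
}

echo "collisions with the static allocations as they are:"
uid_collisions "$PORTS_UIDS" "$LOCAL_PASSWD"
echo "collisions with the ports UIDs shifted by 2000:"
uid_collisions "$PORTS_UIDS" "$LOCAL_PASSWD" 2000
```

On the sample data the unshifted check reports one collision (the made-up exampled at 501 against the local user bob), while www is not reported because the existing account has the same name and uid; with an offset of 2000 nothing collides. Note that the offset only moves the numeric range: it does nothing about the rogue-admin case Kris raises (an administrator allocating in whatever range the ports reserve), and nothing about prebuilt packages, which would still carry the unshifted numbers.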