Date:      Sun, 12 Nov 2006 10:45:21 +0000
From:      Florent Thoumie <flz@FreeBSD.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>, freebsd-ports@freebsd.org, "Simon L. Nielsen" <simon@FreeBSD.org>
Subject:   Re: UID/GID dynamic allocation in net/isc-dhcp3-server: why?
Message-ID:  <4556FB41.7080904@FreeBSD.org>
In-Reply-To: <20061111211143.GA26524@xor.obsecurity.org>
References:  <20061111210303.A92042@atlantis.atlantis.dp.ua>	<20061111203731.GL1006@zaphod.nitro.dk>	<20061111204804.GA26170@xor.obsecurity.org>	<20061111210504.GM1006@zaphod.nitro.dk> <20061111211143.GA26524@xor.obsecurity.org>

Kris Kennaway wrote:
> On Sat, Nov 11, 2006 at 10:05:05PM +0100, Simon L. Nielsen wrote:
>> On 2006.11.11 15:48:05 -0500, Kris Kennaway wrote:
>>> On Sat, Nov 11, 2006 at 09:37:31PM +0100, Simon L. Nielsen wrote:
>>>> On 2006.11.11 21:12:09 +0200, Dmitry Pryanishnikov wrote:
>>>>
>>>>>  I don't like the current behaviour of the net/isc-dhcp3-server port
>>>>> of creating 'dhcpd' user and group using dynamic allocation instead of
>>>>> having a static one (as specified in /usr/ports/{U,G}IDs). I like the idea
>>>>> of [ug]id ranges, and dynamic allocation doesn't keep within this idea
>>>>> (ids of users and daemons get mixed). Is there a specific reason why there
>>>>> is no static [ug]id for net/isc-dhcp3-server?
>>>> Personally I have it precisely the other way around - I find the
>>>> static allocations rather annoying since they are bound to collide
>>>> with existing UID's at some point.
>>>>
>>>> IMO the optimal solution would be to have some magic which auto
>>>> assigns ports/system UID/GID's from different ranges than normal
>>>> users.
>>> Just so :)
>>>
>>> UIDs below 1000 are (and have been for many years) allocated to the
>>> "system" (ports/src), and are not supposed to be allocated by
>>> administrators.  This at least works out of the box with some of the
>>> tools we have for allocating new users, so are you aware of any that
>>> don't do this?
>> I know that people are not supposed to use < 1000 for normal users
>> and I haven't seen any FreeBSD tools which use low UID's for normal
>> users by default.  I don't use low UID's on new systems/sites, but
>> sometimes you have "old" systems/sites where that is just not the
>> case.  I'm certainly not saying we should bend over backwards to
>> support these legacy systems, I just want to point out that they do
>> exist.  I'm really not trying to start a big debate over static
>> vs. dynamic UID/GID allocations, the original mail just made it sound
>> to me like it was a universal truth that ports should use hardcoded
>> UID/GID's and it was always a good thing.
>>
>> And the site where I have UID/GID's in the < 1000 range is called
>> FreeBSD.org :-) (we use UID/GID's from 500 and up).
>
> I dunno what you are suggesting could be done on systems where the
> administrators have chosen to ignore the conventions.  Even supposing
> the <1000 range was dynamically remapped to some other range on such
> systems, what's to stop the rogue admin from allocating there too?

I have a bsd.port.mk patch in the works to create users/groups
automatically from uids/gids registered in the related files. It
wouldn't be too hard to include a UID_OFFSET/GID_OFFSET parameter so
that the local admin can reserve uids/gids in say range 2000-3000
instead of 0-1000 (which isn't really 0-1000 but I'm too lazy to check
where system uids/gids stop :-)

Would it be alright with you Simon?

-- 
Florent Thoumie
flz@FreeBSD.org
FreeBSD Committer