Re: Policy for 32-bit uids/gids?

To: debian-policy@lists.debian.org
Subject: Re: Policy for 32-bit uids/gids?
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 3 Jul 2003 09:58:12 +0100
Message-id: <[🔎] 20030703085812.GA28604@riva.ucam.org>
Mail-followup-to: debian-policy@lists.debian.org
In-reply-to: <[🔎] 20030702181509.GR12925@tennyson.netexpress.net>
References: <[🔎] 20030702181509.GR12925@tennyson.netexpress.net>

On Wed, Jul 02, 2003 at 01:15:09PM -0500, Steve Langasek wrote:
> [Re-sent due to inability to properly address email.]
> 
> Section 10.2 of policy currently describes uid and gid classes covering
> the range of 0-65535.  This appears to no longer be comprehensive: on a
> current system running a 2.4.18 kernel and libc6 2.3.1-17, I'm able to
> assign 32-bit userids to accounts and reference these accounts in file
> ownerships, su to them, etc.  Should Debian Policy be expanded to
> address this greatly increased range of available ids?

This, together with your specific Samba proposal, sounds like a good
idea, provided that the failures experienced by people with older
kernels will be graceful and reasonably self-explanatory. Is anyone in a
position to test this?

> When I say "reasonable" here, I do mean "able to accomodate the ACL
> needs of a moderate-sized corporate WAN":  the 60000-64999 range
> /might/ be sufficient, if Debian were willing to allocate the whole
> thing to Samba. ;)

You can't have all of it anyway. :)

Reserved uids:
    uid   | name      | description
    ------+-----------+---------------
    63434 | netplan   | netplan
    64000 | ftn       | fidogate
    64001 | mysql     | mysql-server
    64005 | tac-plus  | tac-plus user
    64010 | alias     | qmail alias
    64011 | qmaild    | qmail daemon
    64012 | qmails    | qmail send
    64013 | qmailr    | qmail remove
    64015 | qmailq    | qmail queue
    64016 | qmaill    | qmail log
    64017 | qmailp    | qmail pw
    64020 | asterisk  | asterisk

Reserved gids:
    gid   | name      | description
    ------+-----------+---------------
    63434 | netplan   | netplan
    64000 | ftn       | fidogate
    64001 | mysql     | mysql-server
    64005 | tac-plus  | tac-plus group
    64010 | qmail     | qmail
    64020 | asterisk  | asterisk

(from /usr/share/doc/base-passwd/README)

> However, with the recent availability of 32-bit uids, this seems
> unnecessary.  I would suggest allocating a 16-bit range out of the
> remaining (2^32-2^16) uids for Samba's use, and the same for gids;

Provisionally, seems sensible. Should base-passwd be the registry for
any similar high allocations in the future, or policy?

I'm slightly concerned by how we're going to map onto other systems'
uses of 32-bit uids here, since there will already be some. 0-99 and
60000-64999 were reasonably obvious back in the day, but I don't have a
feel for how big systems are allocating uids now. I would be inclined to
start allocating from near the top, although perhaps not right at the
top to avoid 2^32-1. Perhaps we should reserve something like 2^32-2^24
to 2^32-2^16 (255 chunks) so that we have space for anything else that
may turn out to need similar large block allocations.

I would like to see an initiative to agree this between multiple
distributions via the LSB or similar with input from people running
large systems, otherwise there'll probably be a horrible mess down the
line.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

Reply to:

Follow-Ups:
- Re: Policy for 32-bit uids/gids?
  - From: Steve Langasek <vorlon@netexpress.net>
- Re: Policy for 32-bit uids/gids?
  - From: Joey Hess <joeyh@debian.org>

References:
- Policy for 32-bit uids/gids?
  - From: Steve Langasek <vorlon@netexpress.net>

Prev by Date: aren't software authors misestimated?
Next by Date: Re: aren't software authors misestimated?
Previous by thread: Re: Policy for 32-bit uids/gids?
Next by thread: Re: Policy for 32-bit uids/gids?
Index(es):
- Date
- Thread