
Bug#329701: Local (non-NIS) users and groups



Mark Brown <broonie@sirena.org.uk> writes:

I submit that this is not a problem in practice since I'd bet no one
using NIS has created more than 400 local groups that must not be
exported.

And it's not like this would be changed on a running system, right?
It would just be the default value in /var/yp/Makefile for new package
installations for new NIS master servers.

> > No one needs to wait for debian-policy before changing their
> > packages.  The way to change the Debian policy is to change the
> > workings of the relevant packages (in this case just "nis") and
> > then report this fact to debian-policy as an agreed-upon policy by
> > the maintainers in question.
> 
> Unfortunately, this affects any package which creates a group since
> that's the range those groups come from.  If things were changed such
> that the 100-999 range were split into a 100-499 local range and a
> 500-999 exported range

You mean changed in the Debian Policy, I take it.

> that would be addressed and I'd have no problem with making the
> change you request.

That's not how changes happen in Debian Policy, as I understand it.
Instead, package maintainers change their packages' behavior and then
present their working changes to debian-policy as a fait accompli.
Policy reflects package behavior, not the reverse.  So the policy
change you are asking for can only come after you change the package.

And I'm not actually seeing a conflict with policy in this case, since
policy does not mention NIS exporting at all.

If you want to touch ground you (as the actual maintainer you might
get more responses than I got) could ask debian-policy if anyone would
OBJECT to the change.  (From what I can see, absolutely no one on
-policy cares about this, since I have asked about this on two
occasions now and both times gotten no reply whatsoever.)

The only thing I can foresee delaying this change is if you really
want to be CERTAIN that no one does "adduser --system --group" 400
times and suddenly gets into the exported GID range (not that I see
anyone actually doing that, but...).  If you want to avoid even that
remote possibility, this change should be coordinated with a change in
the "adduser" package to lower LAST_SYSTEM_UID in /etc/adduser.conf.
Is this what you want?  Would you be willing to make the change if the
maintainers for "adduser" were, too?

(Note that "adduser --system" by itself does not add more group IDs;
it places system users in the "nogroup" group by default.  The
additional "--group" option is needed to consume group IDs, and this
would have to be done more than 400 times to actually overflow.)

/Teddy
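
An added example, not part of the original message: a pre-change audit for the 100-499 local / 500-999 exported split discussed above. It lists the existing groups that would land in the exported range, counts the room left in the local range, and checks whether the adduser.conf limits still reach into the exported range. The sample group and adduser.conf contents are constructed, and LAST_SYSTEM_GID is the group counterpart in adduser.conf of the LAST_SYSTEM_UID setting named in the message.

```python
import re

# Split proposed in the thread: GIDs 100-499 stay local, 500-999 are exported.
LOCAL_FIRST, EXPORT_FIRST, EXPORT_LAST = 100, 500, 999

SAMPLE_GROUP = """\
root:x:0:
ssl-cert:x:101:
postfix:x:115:
projects:x:612:alice,bob
staff-web:x:500:
+:::
users:x:1000:
"""  # constructed /etc/group contents
SAMPLE_CONF = "FIRST_SYSTEM_UID=100\nLAST_SYSTEM_UID=999\n"  # constructed

def parse_groups(group_text):
    """Yield (name, gid) from /etc/group-format text, skipping junk lines."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        # Format is name:passwd:gid:members; NIS compat entries start with + or -.
        if len(fields) < 3 or fields[0][:1] in ("+", "-", "#", ""):
            continue
        if fields[2].isdigit():
            yield fields[0], int(fields[2])

def adduser_limits(conf_text):
    """Return the uncommented LAST_SYSTEM_UID / LAST_SYSTEM_GID settings."""
    found = re.findall(r"^\s*(LAST_SYSTEM_[UG]ID)\s*=\s*(\d+)", conf_text, re.M)
    return {key: int(val) for key, val in found}

def audit(group_text, conf_text):
    """Report what the split would export and how close the local range is to full."""
    groups = list(parse_groups(group_text))
    local = [g for g in groups if LOCAL_FIRST <= g[1] < EXPORT_FIRST]
    exported = sorted((g for g in groups if EXPORT_FIRST <= g[1] <= EXPORT_LAST),
                      key=lambda g: g[1])
    limits = adduser_limits(conf_text)
    return {
        "exported": exported,  # groups NIS would start publishing
        "headroom": (EXPORT_FIRST - LOCAL_FIRST) - len(local),  # free local GIDs
        "adduser_can_overflow": any(v >= EXPORT_FIRST for v in limits.values()),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_GROUP, SAMPLE_CONF))
```

On a real NIS master, pass the contents of /etc/group and /etc/adduser.conf instead of the sample strings.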


