Bug#905817: UID range of DynamicUser overlaps with existing definitions in debian-policy

Sean Whitton spwhitton at spwhitton.name
Sat Sep 15 16:47:19 BST 2018


[copying in debian-policy]

Hello,

On Fri 10 Aug 2018 at 08:23AM +0200, Michael Biebl wrote:

> Currently, DynamicUser gets a uid from within the following range:
> 61184 - 65519. Those values can be configured during build time via
> -Ddynamic-uid-min= and -Ddynamic-uid-max.
>
> The debian policy has a section about uids and gids:
> https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
>
> The overlapping ranges are:
> 60000-64999:
>  Globally allocated by the Debian project, but only created on demand.
>  The ids are allocated centrally and statically, but the actual accounts
>  are only created on users’ systems on demand.
>
>  These ids are for packages which are obscure or which require many
>  statically-allocated ids. These packages should check for and create the
>  accounts in /etc/passwd or /etc/group (using adduser if it has this
>  facility) if necessary. Packages which are likely to require further
>  allocations should have a “hole” left after them in the allocation, to
>  give them room to grow.
>
> 65000-65533:
>  Reserved.
>
> We don't meet the requirement of the 60000-64999 range, which says that
> the ids need to be allocated statically (DynamicUser generated ids are
> ephemeral).
> The 65000-65533 range doesn't go into more detail about what purpose it
> is reserved for.

I don't know why it's reserved either, but ISTM this is rather too small
a range for systemd's DynamicUser.  Would you agree?

> There is also:
> 65536-4294967293:
>  Dynamically allocated user accounts. By default adduser will not
>  allocate UIDs and GIDs in this range, to ease compatibility with legacy
>  systems where uid_t is still 16 bits.
>
> I'm not sure if it would be more suitable to pick the DynamicUser ids
> from this range.

This strikes me as suitable.  We could either just change systemd's
configuration, or allocate a section of that range to systemd.

We probably don't need the legacy systems compatibility anymore.  So
maybe at some point adduser will start creating users in this range.  So
maybe we should carve out a section of that range for systemd, for
future proofing?

-- 
Sean Whitton
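As an added illustration of the overlap being discussed (this is not code from the mail, from Debian Policy or from the systemd project), the script below encodes the three policy UID classes quoted above together with systemd's default DynamicUser bounds (61184-65519), reports which policy class each part of the DynamicUser range falls into, and scans passwd-style lines for static accounts that already sit inside that range. The passwd lines are constructed sample data; the policy class labels are my own shorthand for the quoted sections.

```python
"""Check a DynamicUser UID range against the Debian Policy UID classes quoted in the mail."""

# UID classes from the Debian Policy section quoted above (inclusive bounds).
# The labels are shorthand chosen here, not policy wording.
POLICY_CLASSES = {
    "static, created on demand": (60000, 64999),
    "reserved": (65000, 65533),
    "dynamically allocated": (65536, 4294967293),
}

# systemd build-time defaults quoted in the mail (-Ddynamic-uid-min / -Ddynamic-uid-max).
DYNAMIC_UID_MIN = 61184
DYNAMIC_UID_MAX = 65519


def overlap(a, b):
    """Return the overlapping (lo, hi) of two inclusive ranges, or None if disjoint."""
    lo = max(a[0], b[0])
    hi = min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def policy_overlaps(uid_min, uid_max, classes=POLICY_CLASSES):
    """Map each policy class name to the part of [uid_min, uid_max] that falls inside it."""
    result = {}
    for name, rng in classes.items():
        ov = overlap((uid_min, uid_max), rng)
        if ov is not None:
            result[name] = ov
    return result


def fits_entirely(uid_min, uid_max, rng):
    """True when the whole [uid_min, uid_max] range lies inside one policy class."""
    return rng[0] <= uid_min and uid_max <= rng[1]


def passwd_collisions(passwd_text, uid_min, uid_max):
    """Return (name, uid) for passwd entries whose uid lies in the dynamic range.

    A static account inside the range shrinks the pool available to
    DynamicUser and is exactly the kind of clash the policy ranges exist
    to prevent, so it is worth flagging before choosing a range."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        if uid_min <= uid <= uid_max:
            hits.append((fields[0], uid))
    return hits


# Constructed sample passwd lines (not taken from any real system).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
obscure-svc:x:61500:61500::/var/lib/obscure-svc:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for name, (lo, hi) in policy_overlaps(DYNAMIC_UID_MIN, DYNAMIC_UID_MAX).items():
        print(f"DynamicUser range overlaps the '{name}' class at {lo}-{hi}")
    for name, uid in passwd_collisions(SAMPLE_PASSWD, DYNAMIC_UID_MIN, DYNAMIC_UID_MAX):
        print(f"static account {name} (uid {uid}) already sits inside the DynamicUser range")
```

Run against the defaults it reports the two overlaps the mail describes (61184-64999 in the statically allocated class and 65000-65519 in the reserved class); calling `fits_entirely` with a candidate sub-range of the 65536+ class is a quick way to confirm that a carve-out for systemd would stay within a single policy class.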