[arch-dev-public] Fixing groupadd
Allan McRae
allan at archlinux.org
Sat Feb 27 20:24:41 EST 2010
On 27/02/10 08:30, Aaron Griffin wrote:
> On Thu, Feb 25, 2010 at 7:08 PM, Allan McRae<allan at archlinux.org> wrote:
>> On 23/02/10 15:06, Allan McRae wrote:
>>>
>>> On 23/02/10 04:49, Roman Kyrylych wrote:
>>>>
>>>> On Mon, Feb 22, 2010 at 17:19, Allan McRae<allan at archlinux.org> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> At the moment, groupadd always creates system groups with GID=99.
>>>>> (http://bugs.archlinux.org/task/16092).
>>>>>
>>>>> We can fix this by adding something quite standard like:
>>>>> SYS_UID_MIN = 100
>>>>> SYS_GID_MIN = 100
>>>>> SYS_UID_MAX = 999
>>>>> SYS_GID_MAX = 999
>>>>> in /etc/login.defs
>>>>>
>>>>> But this will lead to possible issues with packages using fixed GID >=
>>>>> 100.
>>>>> e.g. I could create a bunch of system groups and then install a package that
>>>>> has predetermined that an already used group ID is for it.
>>>>>
>>>>> There are two possible solutions:
>>>>> 1) Set SYS_{U,G}ID_MIN to (e.g.) 500 and have all packages use
>>>>> numbers below
>>>>> 500.
>>>>> 2) Have the packages create a group without a specified ID. Anything
>>>>> requiring a fixed group ID at compile time (e.g. mailman) must use a
>>>>> number
>>>>> < 100.
>>>>>
>>>>> I am in favour of #2 (slightly) as it seems the better solution, but #1
>>>>> would only require shadow to be fixed and no rebuilds for other packages
>>>>> (the number of rebuilds for #2 would be very small). Opinions?
>>>>
>>>> I prefer #2 too, but there is a problem: the space of GID < 100 is
>>>> crowded,
>>>> and some packages (e.g. gdm) switched to not using fixed GIDs due to
>>>> this.
>>>> UIDs up to 1000 are reserved for system purposes,
>>>> would be nice to increase the number of reserved GIDs too.
>>>
>>> This reserves GID < 1000 for system use, but only GID < 100 are "fixed".
>>> The rest are assigned dynamically. Do we really need more fixed GIDs?
>>> Most packages requiring a new group can have group ID generated on
>>> install. Anyone know what other distros do here?
>>
>> Any other opinions on this?
>>
>> The packages that create groups > 100 that would require rebuilds for option
>> #1 are:
>
> I like the idea of increasing the *ID_MIN (option #1), but don't other
> distros use 1000 for system groups?
So looking into this further, other distros do not set any of the SYS_*
variables and rely on it calculating the defaults. Debian and Gentoo
use GID_MIN = 100 so must also have the issue with adding system groups
as described in FS#16092. Fedora sets GID_MIN at 500.
I am going for a compromise:
SYS_UID_MIN 500
SYS_UID_MAX 999
UID_MIN 1000
UID_MAX 60000
SYS_GID_MIN 500
SYS_GID_MAX 999
GID_MIN 1000
GID_MAX 60000
That means people can use groupadd --system and get a group id in the
500-999 range and we can specify group ids up to 499 in packaging. As
we have no package using the 500-999 group id range, no rebuilds will
need to be done.
Once all packages creating groups with GID > 100 are adjusted to create
their group using groupadd --system rather than a predetermined group
number, we may want to revisit the lower limit for the SYS values.
Allan
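As an added example that is not part of the thread or of shadow itself: a small POSIX sh check that reads the SYS_GID range from login.defs text and reports which existing groups sit inside the range that groupadd --system draws from (exactly the collision the thread is avoiding), plus the lowest GID still free there. The login.defs and /etc/group contents below are constructed samples, and the "lowest free" search is only illustrative of a free-slot scan, not shadow's own allocation order.

```sh
#!/bin/sh
# Constructed login.defs excerpt mirroring the values proposed in the thread.
LOGIN_DEFS_SAMPLE='SYS_GID_MIN 500
SYS_GID_MAX 999
GID_MIN 1000
GID_MAX 60000'

# Constructed /etc/group excerpt: low fixed GIDs as packaging expects,
# plus one group ("foo") hard-coded inside the new system range.
GROUP_SAMPLE='root:x:0:
mail:x:12:
mailman:x:80:
users:x:100:
foo:x:520:'

# login_def KEY DEFSTEXT -> prints the value of KEY (first match wins).
login_def() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# fixed_gids_in_sys_range GROUPTEXT DEFSTEXT
# Prints name:gid for every group whose GID lies in [SYS_GID_MIN, SYS_GID_MAX].
# Any such group is one that a later "groupadd --system" could collide with.
fixed_gids_in_sys_range() {
    lo=$(login_def SYS_GID_MIN "$2")
    hi=$(login_def SYS_GID_MAX "$2")
    printf '%s\n' "$1" | awk -F: -v lo="$lo" -v hi="$hi" \
        '$3 >= lo && $3 <= hi { print $1 ":" $3 }'
}

# next_free_sys_gid GROUPTEXT DEFSTEXT
# Lowest GID in the system range not present in the group file
# (illustrative scan; shadow's real search order is not claimed here).
next_free_sys_gid() {
    lo=$(login_def SYS_GID_MIN "$2")
    hi=$(login_def SYS_GID_MAX "$2")
    printf '%s\n' "$1" | awk -F: -v lo="$lo" -v hi="$hi" '
        { used[$3] = 1 }
        END { for (g = lo; g <= hi; g++) if (!(g in used)) { print g; exit } }'
}

# Stand-alone demonstration on the constructed samples.
echo "groups inside SYS_GID range: $(fixed_gids_in_sys_range "$GROUP_SAMPLE" "$LOGIN_DEFS_SAMPLE")"
echo "lowest free system GID:      $(next_free_sys_gid "$GROUP_SAMPLE" "$LOGIN_DEFS_SAMPLE")"
```

On a real host, feed it `$(cat /etc/login.defs)` and `$(cat /etc/group)` instead of the samples to see whether any package-created group already occupies the dynamic range.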