[arch-dev-public] policykit install problem

Aaron Griffin aaronmgriffin at gmail.com
Sun Oct 5 18:45:05 EDT 2008 

On Sun, Oct 5, 2008 at 5:06 PM, Jan de Groot <jan at jgc.homeip.net> wrote:
> On Sun, 2008-10-05 at 16:31 -0500, Aaron Griffin wrote:
>> On Sun, Oct 5, 2008 at 7:35 AM, Roman Kyrylych <roman.kyrylych at gmail.com> wrote:
>> > 2008/9/27 Dan McGee <dpmcgee at gmail.com>:
>> >> Guys, we have some big problems with groups.
>> >>
>> >> ( 9/31) installing policykit                        [---------------------] 100%
>> >> groupadd: GID 102 is not unique
>> >> useradd: unknown group policykit
>> >> chgrp: invalid group: `policykit'
>> >> chown: invalid user: `policykit'
>> >> chown: invalid user: `policykit:policykit'
>> >> chown: invalid user: `policykit'
>> >> chgrp: invalid group: `policykit'
>> >> chgrp: invalid group: `policykit'
>> >> chgrp: invalid group: `policykit'
>> >> chgrp: invalid group: `policykit'
>> >> chgrp: invalid group: `policykit'
>> >>
>> >> Taking a peek at /etc/groups I saw this:
>> >>
>> >> kvm:x:101:
>> >> tex:x:102:
>> >>
>> >> We really shouldn't be creating groups above 100, should we? Even more
>> >> of a problem is explicitly specifying 102 in the policykit install
>> >> script. These are reserved for user use. Your input is definitely
>> >> welcome on this.
>> >
>> > http://bugs.archlinux.org/task/11589
>> >
>> > We have user UIDs starting from 1000, but GIDs only from 100.
>> > The most correct would be to have user-created GIDs start from 1000 too,
>> > but then users that already have created 1xx groups should recreate
>> > them and re-chgrp all files/dirs :-/
>>
>> Mind filing a FR for that? I believe it would require changes in
>> shadow... but we need to be careful to warn all users to modify their
>> custom groups. It will be a headache, but I agree we should do it
>
> Ehm, why do we get ourselves in trouble like this?
> We have an amount of static uid/gid combinations. UIDs below 1000 have
> been reserved for system things for a long while, GIDs below 100 have
> been reserved for system things also.
> We've been using static UID/GIDs in packages for now. This has always
> brought up weird issues with people that have other users using these
> UID/GID combinations.
> When I take a look at the Debian boxes I maintain, I see these groups:
> crontab:x:101:
> ssh:x:102:
> ntp:x:103:
> ssl-cert:x:104:
> postfix:x:105:
> postdrop:x:106:
>
> When I look on a different debian box, I see these numbers are in a
> different order, or different users assigned to these GIDs. I think it's
> better to change packages like policykit instead to add groups and
> change ownership and permission in post_install and post_upgrade.

Are you suggesting we actually forget about reserved GIDs and UIDs
altogether and do it all dynamically?

That doesn't sound like too bad of an idea. Opinions?

More information about the arch-dev-public mailing list