UID/GID dynamic allocation in net/isc-dhcp3-server: why?

Simon L. Nielsen simon at FreeBSD.org
Sun Nov 12 11:17:13 PST 2006


On 2006.11.12 10:45:21 +0000, Florent Thoumie wrote:
> Kris Kennaway wrote:
> > On Sat, Nov 11, 2006 at 10:05:05PM +0100, Simon L. Nielsen wrote:
> >> On 2006.11.11 15:48:05 -0500, Kris Kennaway wrote:
> >>> On Sat, Nov 11, 2006 at 09:37:31PM +0100, Simon L. Nielsen wrote:
> >>>> On 2006.11.11 21:12:09 +0200, Dmitry Pryanishnikov wrote:
> >>>>
> >>>>>  I don't like the current behaviour of the net/isc-dhcp3-server port
> >>>>> of creating 'dhcpd' user and group using dynamic allocation instead of
> >>>>> having static one (as specified in /usr/ports/{U,G}IDs). I like the idea
> >>>>> of [ug]id ranges, and dynamic allocation doesn't keep within this idea
> >>>>> (ids of users and daemons get mixed). Is there a specific reason why there
> >>>>> is no static [ug]id for net/isc-dhcp3-server?
> >>>> Personally I have it precisely the other way around - I find the
> >>>> static allocations rather annoying since they are bound to collide
> >>>> with existing UID's at some point.
> >>>>
> >>>> IMO the optimal solution would be to have some magic which auto
> >>>> assigns ports/system UID/GID's from different ranges than normal
> >>>> users.
> >>> Just so :)
> >>>
> >>> UIDs below 1000 are (and have been for many years) allocated to the
> >>> "system" (ports/src), and are not supposed to be allocated by
> >>> administrators.  This at least works out of the box with some of the
> >>> tools we have for allocating new users, so are you aware of any that
> >>> don't do this?
> >> I know that people are not supposed to use < 1000 for normal users
> >> and I haven't seen any FreeBSD tools which use low UID's for normal
> >> users by default.  I don't use low UID's on new systems/sites, but
> >> sometimes you have "old" systems/sites where that is just not the
> >> case.  I'm certainly not saying we should bend over backwards to
> >> support these legacy systems, I just want to point out that they do
> >> exist.  I'm really not trying to start a big debate over static
> >> vs. dynamic UID/GID allocations, the original mail just made it sound
> >> to me like it was a universal truth that ports should use hardcoded
> >> UID/GID's and it was always a good thing.
> >>
> >> And the site where I have UID/GID's in the < 1000 range is called
> >> FreeBSD.org :-) (we use UID/GID's from 500 and up).
> > 
> > I dunno what you are suggesting could be done on systems where the
> > administrators have chosen to ignore the conventions.  Even supposing
> > the <1000 range was dynamically remapped to some other range on such
> > systems, what's to stop the rogue admin from allocating there too?

As I tried to say above, it's quite possible we shouldn't do anything to
support this, I just wanted to point out that there are issues with
statically assigning [GU]ID's.

> I have a bsd.port.mk patch in the works to create users/groups
> automatically from uids/gids registered in the related files. It
> wouldn't be too hard to include a UID_OFFSET/GID_OFFSET parameter so
> that the local admin can reserve uids/gids in say range 2000-3000
> instead of 0-1000 (which isn't really 0-1000 but I'm too lazy to check
> where system uids/gids stop :-)
> 
> Would it be alright with you Simon?

That would be very neat!  Of course it would require that the ports
don't hardcode the allocations from ports/[GU]ID.  Packages are of
course still something which must be dealt with somehow (though it
wouldn't be a problem for me if UID_OFFSET/GID_OFFSET didn't work with
packages since I only use packages I build myself)...

-- 
Simon L. Nielsen
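
The collision concern raised in this thread can be checked before installing a port that uses a static UID. The script below is an added example, not part of the original message and not FreeBSD project code: it compares a passwd-style registry (name:pw:uid:...) against the local account list and reports UIDs already held by a different name. The optional offset models the UID_OFFSET idea proposed above as "registered uid plus offset", which is an assumption; the function name and all sample entries are constructed.

```shell
#!/bin/sh
# find_uid_collisions REGISTRY PASSWD [OFFSET]
# Prints "registry_name uid local_name" for every registry entry whose
# (offset-shifted) UID already belongs to a differently named local account.
# OFFSET is a hypothetical parameter modelled on the UID_OFFSET proposal.
find_uid_collisions() {
    awk -F: -v off="${3:-0}" '
        /^#/ || NF < 3 { next }                        # skip comments and short lines
        FILENAME == ARGV[1] { owner[$3] = $1; next }   # local accounts: uid -> name
        {
            uid = $3 + off                             # registry uid after the offset
            if ((uid in owner) && owner[uid] != $1)
                printf "%s %d %s\n", $1, uid, owner[uid]
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from any real system or from ports/UIDs).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/UIDs" <<'EOF'
# constructed registry entries
dhcpd:*:600:600::0:0:DHCP daemon:/nonexistent:/usr/sbin/nologin
exampled:*:500:500::0:0:Example daemon:/nonexistent:/usr/sbin/nologin
EOF

cat > "$tmp/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:500:500:Alice:/home/alice:/bin/sh
bob:*:2600:2600:Bob:/home/bob:/bin/sh
EOF

echo "static allocation:"
find_uid_collisions "$tmp/UIDs" "$tmp/passwd"

echo "with offset 2000:"
find_uid_collisions "$tmp/UIDs" "$tmp/passwd" 2000
```

An entry whose name and UID already match a local account is not reported, so a port that was installed earlier does not show up as a collision with itself.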