[oi-dev] uid/gid policy
Adam Števko
adam.stevko at gmail.com
Thu Nov 7 14:01:18 UTC 2013
Hi,
I added openvpn hid 62 (which I forgot about) and it is up-to-date now. You can assign UIDs/GIDs from this table, but please don’t forget to update it like I did.
I wanted to propose raising user IDs to start from 1000, but I was stopped by existing installs. So we are stuck with UIDs under 100, which is needed for backwards compatibility.
However, the available number of UIDs might seem to be low. Delivering an RBAC role for every service sounds like a solution, but in most cases it’s tricky.
For example, openvpn can drop its privileges itself. It needs to be started as root, so it can create/delete tun/tap interfaces. If I start it with the openvpn role in SMF, it complains that it can’t manipulate the tun/tap interface.
There is a solution to this, which is to specify privileges, but I’m pretty sure that is something most people won’t do, and it’s easier to deliver ordinary user accounts rather than roles.
IMHO, we should go the way of creating RBAC roles and specifying needed privileges. It adds some complexity, but on the other hand we are making use of technology illumos provides, which I see as a benefit.
Any other thoughts on this?
Cheers,
Adam
On Nov 7, 2013, at 2:23 PM, Alexander Pyhalov <alp at rsu.ru> wrote:
> On 11/07/2013 17:12, Adam Števko wrote:
>> Hi,
>>
>> something like this already exists. At least it was created on the first userland hackathon.
>>
>> http://wiki.openindiana.org/oi/UIDs+and+GIDs
>>
>> This should be the list. However, I think that not many are aware of it.
>>
>> Cheers,
>> Adam
>>
>
> Is this page up to date (or kind of)? What about assigning additional uids? For example, could I take the first unreserved (e.g., 91)? What will we do when we run out of 100 lower uids?
> --
> Best regards,
> Alexander Pyhalov,
> system administrator of Computer Center of Southern Federal University