GNU bug report logs - #45571
Support stable uids and gids for system accounts in a container

Previous Next

Package: guix;

Reported by: Jason Conroy <conjaroy <at> gmail.com>

Date: Thu, 31 Dec 2020 18:20:01 UTC

Severity: normal

Full log

Message #17 received at 45571 <at> debbugs.gnu.org (full text, mbox):

From: Danny Milosavljevic <dannym <at> scratchpost.org>
To: Jason Conroy <conjaroy <at> gmail.com>
Cc: 45571 <at> debbugs.gnu.org
Subject: Re: bug#45571: Support stable uids and gids for all accounts
Date: Fri, 1 Jan 2021 18:36:37 +0100

[Message part 1 (text/plain, inline)]
Hi Jason,

>Still, I wonder if this could introduce support challenges for packages that
>incorrectly assume UIDs are 16 bits wide, since they traditionally were that
>way in UNIX,

I don't think that these 16 bit problems are common at all since all the
getuid() syscalls I've ever seen, even in traditional UNIXes, have "int" as
return value--and nowadays that's at least 32 bits; and also because UNIX
configuration is usually in text files, which would read and store the stuff
using "%d".  That said, it's possible that it could happen in some seriously
strange configurations (I doubt it).

> and since other Linux distros still seem to prefer small UIDs in
> their packaging. By comparison, my earlier idea of declaring static UIDs/GIDs
> in the operating-system is decidedly less elegant, but it avoids this particular
> risk. 

If we did something like that, I would prefer for guix services to just specify
a fixed UID/GID for each of the entries in gnu/services/*.scm.  We can even
reuse existing system uids and gids that have been statically allocated
already by FreeBSD and Debian and be even uid/gid compatible to those.

For example, change Guix to do (similarly for all Guix services using user
accounts):

diff --git a/gnu/services/monitoring.scm b/gnu/services/monitoring.scm
index 5123a8c441..45d3f4ad17 100644
--- a/gnu/services/monitoring.scm
+++ b/gnu/services/monitoring.scm
@@ -71,6 +71,7 @@
 
 (define %darkstat-accounts
   (list (user-account
+         (uid 4711)
          (name "darkstat")
          (group "darkstat")
          (system? #t)
@@ -78,6 +79,7 @@
          (home-directory "/var/lib/darkstat")
          (shell (file-append shadow "/sbin/nologin")))
         (user-group
+         (id 4711)
          (name "darkstat")
          (system? #t))))

And other constants for other user names.

Or use hashes.  Whichever.  The point is that the ids are deterministic--not
necessarily that we need to use hashes.  The advantage of using a hash is that
we don't need a central registry and this problem will be out of our life once
and for all.

Anyway, as a workaround for your immediate problem, I suggest to preserve
/etc/passwd, /etc/group and /etc/shadow--present entries in those will be
preferred by Guix to even its own configuration.  (I'm not sure whether that's
currently easy to do with guix system container, however)

[Message part 2 (application/pgp-signature, inline)]
This bug report was last modified 4 years and 96 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.