Fedora 16 Will Number UIDs From 1000 124
dotancohen writes "Sharing users between Fedora and Debian-based distros just got a little easier. Beginning with Fedora 16, the Red-Hat based distro will number its human user UIDs starting from 1000, as opposed to the old 500. Though this change is intended to facilitate interoperability with other distros, it risks breaking backward compatibility with older Fedora releases including the newly released Fedora 15."
Re: (Score:2)
The UID:s are a minor issue for any well-seasoned *NIX admin.
But an evolution would be to convert to GUID:s, however that would make things really awkward in some cases and really break compatibility.
Re: (Score:2)
a "well-seasoned *NIX admin" isn't the target market for the "desktop" distributions, anyway.
Re: (Score:2)
What "problem" are you expecting the "n00b" to have with the status quo exactly?
Never mind where the "user" accounts start. There should be standardized values for application ids and those should be part of the LSB.
Re: (Score:2)
Why should I care what UIDs my applications run as?
Re: (Score:2)
The same daemon might run on more than one machine and may need to be aware of more than just the local machine.
Generally, more determinism in a computer is a good thing.
Re: (Score:2)
Doesn't /etc/passwd do an acceptable job of this?
Re: (Score:2)
a "well-seasoned *NIX admin" isn't the target market for the "desktop" distributions, anyway.
When one has to administer them, yes.
This solves nothing for the noob, since the system is assigning UIDs and unless you have just one user on each system, there is no guarantee that the UIDs for the same user will be the same between machines, unless you do them by hand. If you do them by hand, you can make them be whatever you want and this doesn't help.
This is still going to be a problem for me, since my UID for the last 20 years has been below 500 and I've always had to set mine on the desktops and s
Re:This is progress in the Linux world? (Score:5, Funny)
Just be happy they didn't decide to go on multiples of pi.
Still no cure for time_t... (Score:1)
Wake me when we fix something really important.
Re:Still no cure for time_t... (Score:5, Informative)
time_t is fixed for 64-bit systems. And for the 32-bit systems, well, we still have until 2038 to fix that problem.
Re: (Score:2)
time_t is fixed for 64-bit systems. And for the 32-bit systems, well, we still have until 2038 to migrate to 64-bit platforms. Or maybe 128-bit platforms.
FTFY.
Re: (Score:2)
Sorry, even 256-bit is passé
http://en.wikipedia.org/wiki/Transmeta_Crusoe [wikipedia.org]
Re: (Score:2)
So either migrate to 64-bit (or a higher bit count) or perform a hack.
But I suspect that most systems will be 64-bit by then - if we still use computers.
8 bits are still around. (Score:2)
But I suspect that most systems will be 64-bit by then - if we still use computers.
Are most systems even PCs? Some embedded systems still use 8-bit microcontrollers for cost reasons over thirty years after the introduction of the MC68000 CPU, and I imagine that even thirty years into the future, there will still be countless embedded systems that use 32-bit ARM cores for cost reasons.
Re: (Score:2)
If you actually do some thinking you'll realize that's not completely true.
Most embedded systems are running 8 bit risc chips, but how many of them care about the current exact time, and how many of them run unix (which is the combo necessary for this to be unsurmountable).
32bit ARM chips are so low power and so cheap nowadays that I can easily imagine the crappiest embedded processor you can get in 10-15 years will be 4 core, have ~8mb of onboard program memory (as opposed to the 128kb I'm used to today),
Re: (Score:2)
Re: (Score:2)
My microwave doesn't give a crap what year it is.
Reminds me of a particular scare story run by a Norwegian tabloid (Verdens Gang) some time during the y2k-bug craze with the following reasoning:
* Computers are vulnerable
* Even your waffle iron may contain a chip for temperature regulation, this is surely a kind of computer, right?
* YOUR WAFFLE IRON WILL STOP WORKING AT JANUARY 1ST 2000!!!111
Funny and sad at the same time. I actually sent an email to the journalist where I politely pointed out how ridiculous this was. His reply was basically that he didn't
Re: (Score:2)
No, not all of them I think. We'll still have a need for smaller CPUs, and we'll still have a need for file systems with small overhead, and we'll still have archived files using older formats.
Re: (Score:1)
We'll be using primates! [wikipedia.org]
Re: (Score:2)
Depends if it's signed or unsigned 32-bit systems.
Re: (Score:2)
time_t is a signed int
Re: (Score:2)
True, but there are a LOT of systems out there that use "unsigned long" for "time_t", and some that use "unsigned long" without a typedef attached. They aren't Unix though.
Time is one of those complex issues that some people think is easy to solve. Ie, a solution that is great for file time stamps may be completely wrong for storing a patient's date of birth. Something that can handle patient ages may be inappropriate for archaeological or scientific use. You get something that's appropriate for archaeo
Re: (Score:2)
Do you really need a entire 64-bit OS to redefine time_t ?
I think its already defined as a long (on 32 bit systems).
Re: (Score:1)
2037? Why rush? It won't be a problem until 19 Jan 2038.
I'm sure we can wait at least until the 15th or the 16th to start working on a fix.
Re: (Score:2)
So it will be start being fixed around 2037...
Anything newer than an Atom N2xx or AMD since I dunno, Athlon 64? will run a 64 bit OS and so probably all future processors too. Even SoC systems probably have more than 4GB of RAM by then...
Am I the only one (Score:2)
I've been a Fedora user since core 5, but I'm on a single use box. Can't you just simply update all the UIDs to add # so they all start at 1000, or is this more complex than I think?
Re: (Score:2)
If you're talking about an upgrade, then no. Change the UIDs and all of the files that were owned by the previous UIDs are now orphans.
Nonetheless, this still seems utterly unimportant.
Re: (Score:2)
Heh.
Don't tell the guys who think Linux is Gnome about the magic keys.
They might take her out for a drive.
Re: (Score:2)
This should use -print0 and -0 on the find and xargs, otherwise it fails on silly paths with spaces or other weird crap in them.
Also, this only solves the issue of who owns the files, not issues related to stupid software with UIDs hard-coded in them...
Really, it's a big problem, but not because the issue is complex, but because people (developers) do stupid stuff and tracking down all the implications and sources of the problems can be difficult.
Re: (Score:1)
Better:
find / -uid 501 -exec chown 1001 {} \;
find / -gid 501 -exec chgrp 1001 {} \;
Or even better would be a short Perl script with a hash mapping old UIDs to new UIDs, and then you only touch each file once, regardless of the number of user accounts on the system.
Re: (Score:1)
Better?? That's actually the worse you can possibly do. It will execute "chmod" once for each entry reported by find. It will take *AGES* to complete. The alternative using xargs will accumulate arguments for chmod and reduce invocations dramatically.
Now, if in your commands above you replace \; by "+", that's a whole different story. In that case "find" alone behaves as "find | xargs" and whether or not that's "better" becomes an issue of personal preference.
Re: (Score:1)
Re: (Score:2)
That is not an issue. xargs will run the command multiple times if necessary.
Re: (Score:2)
Or even better.....
# sed 's/:1001:/:501:/' /etc/passwd >/etc/passwd.new /etc/passwd /etc/passwd.bak /etc/passwd.new /etc/passwd
# cp
# cp
One of benefits of linux is that you don't have live with the arbitrary stylistic decisions of the distro maintainers.
Re: (Score:2)
Yes, the -h option on chown and chgrp is needed to do this right. Also, you'll need to use -print0 on find, and -0 or --null on xargs, to avoid being corrupted by odd file names, including file names with newline characters in them (technically valid).
Re: (Score:2)
I've been through this. Haven't noticed any other replies in any threads that have had to go through this.
I've got tons of backups and drives and external drives and network filesystems... all with my users uids in the low 500's. I left them there... and IMO, that *should* just work.
The biggest annoying problem I ran into - GDM wouldn't display those logins. They had the same group bindings, but it wouldn't show them. I dug around all over, and couldn't figure out where to change this "low uid" setting... a
Re:Am I the only one (Score:4, Informative)
I'm perfectly fine with them changing the default... but MAKE IT CONFIGURABLE! It'd just have to be one file in /etc, so one could easily jack with it for migrations. How difficult is that?!? Who knows, maybe it already exists and I just couldn't find it?
You mean like /etc/login.defs?
Re: (Score:2)
I've been thru this years ago with Suse. For a large shop it can be a bitch, best left to
when moving to a new server with the luxury of time. It was easily configurable
in SLES, and still is. In fact I still have some servers running the old uid ranges.
No actual use of uids above 500 by system accounts yet appears in most distros.
But for most systems, we just ran a script to chown the file system.
For a larger shop, I can see where this would be a problem.
The network file systems seem to be the biggest pro
Re:Am I the only one (Score:5, Informative)
If you're talking about an upgrade, then no. Change the UIDs and all of the files that were owned by the previous UIDs are now orphans.
Nonetheless, this still seems utterly unimportant.
Well, actually, that's not exactly true.
I've been thru this with other distros in the past, and in-place upgrades are never really a problem as you mention,
because the same users/groups are retained. Therefore no files become orphans.
New users just start higher when they are added. You can also make a simple setting to continue using 500 as the first user
if you want, you are not forced to start at 1000.
Moving data to a new server is where it gets messy, to say nothing about NFS coordination.
In our case, being a small size installations we opted to simply build a "find and chown" script to be run once, rather than
continuing with the legacy numbering.
Re: (Score:2)
Now I'm not sure about the details of this. Will this actively prevent me from, as root, explicitly creating a user with whatever UID I want?
I assume (but am not sure) that I can force a uid when necessary, and this is only how users are added when the UID isn't explicitly given. Large shops almost always specify the UID, either through custom tools or by pushing a password file around. This won't affect them much.
(Assuming I'm correct in my understanding, of course)
Re: (Score:2)
Your assumption is correct as far as I know.
Other Distros that have converted to a 1000 base in the past, and it was not a problem to create a user using the old numbers, and usually just a minor setting somewhere to continue using the 500 base if you wanted to.
(I believe this is stored in /etc/login.defs in opensuse, might be somewhere else in Fedora.).
That being said, I'm guessing about just how Fedora may implement this. I assume they will follow the industry.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Even THAT GUY trivializes the problem when you have a ton of users and or NFS shares that have to be
coordinated.
And god help you if things get out of hand and people start adding users to the new system before
you move all the old users over and you end up with a patchwork of numbers.
For Joe Random User's laptop, its just not a problem.
More trouble than that. (Score:2)
If you were to change a users UID, you would have to go through all the files in the system an update the UIDs as well. This is simple if all the drives are mounted at the time of the upgrade, and you want them all to be changed. However it becomes more of troublesome you have removable drives. Also, what if one of the mounted drives is a live backup; do you want to change the permissions on that or not. And you have to think about how you are going to handle restoring from a offsite backup with different U
Re: (Score:2)
Don't forget the possibility that you may already have UID's of 1000 on your systems. So simply doing the find commands that several people have recommended is asking for some asshurt.
Re: (Score:1)
Please tell me, when was the last time an upgrade changed the your normal user UIDs? Why would an upgrade do that?
Oh, and there are several ways to extract out the UID from the passwd file, reverse the list, then step through the list using each UID to do the "find exec" above.
Re: (Score:2)
Please tell me, when was the last time an upgrade changed the your normal user UIDs? Why would an upgrade do that?
He's talking about changing UIDs on existing users to move those below 500 up above 1000. An OS upgrade doesn't force that; changing the default UID numbering system does.
Oh, and there are several ways to extract out the UID from the passwd file, reverse the list, then step through the list using each UID to do the "find exec" above.
So you start by changing UID 500 to UID 1000, and then you get to your 500'th existing user who happens to have UID 1000. You happily find all the files belonging to UID 1000 and change them to 1500. Including the files that originally belonged to UID 500 that you changed to 1000 just a few minutes ago...
It doesn't even take having 500
Re: (Score:1)
I suspect you missed the purpose of reversing the list.
Re: (Score:1)
First off, there will be no existing users if the system is a new install. Second, if the system is already installed, then it is an OS upgrade. Third, even if it is an upgrade with UIDs over 1000, there is no problem because the UID system takes the lowest AVAILABLE UID over the limit.
On a new system, the UIDs will start at 1000.
Re: (Score:1)
Why the hell would you change a user's UID?
Re: (Score:3)
Why the hell would you change a user's UID?
My suspicion is we're about to have a script unleashed upon us that whines when it sees files owned by UID inside a certain range anywhere but inside /home and /tmp, or a magic partition finder that finds /home by looking for uids in a certain range, or every file inside a certain UID range gets wiped out of /tmp with a different timeout than UIDs outside that range, or only files within a certain UID will be backed up (because its dumb to waste backup time and storage on /bin/ls, especially if it got haxor
Re: (Score:2)
Re: (Score:1)
use kdm and have that user not pictured.
Re: (Score:1)
why the hell would you change anything? This UID=500 is yet another in the long line of redcrap stupidities (and I'm RHCE4), but you *CAN* create users with UID of 500 if you want to.
And if you're upgrading, I doubt if they would erase /etc/passwd unless that's SOP for redcrap upgrades. it's been so long since I have to suffer through redcrap.
A script could do for mounted filesystems, but (Score:2)
Re: (Score:2)
An important element is, as often, totally ignored in the summary :
We are not in situation that 500 IDs for system accounts ought to be enough for anybody.
Actually, it was not 500. It was 299 because range 0-200 is for reserved IDs.
There are 799 non reserved IDs for system accounts available after this
change.
Re: (Score:2)
Actually a .deb is an 'ar' archive which contains a text file and two compressed 'tar' files.
Re: (Score:2)
Actually an .rpm is a binary with metadata headers and a 'cpio' archive which contains the files.
And RHEL (Score:2)
Re: (Score:1)
At this rate, Fedoras 14 - 22 will be rolled into RHEL7.
RHEL6 is based on the word done in Fedoras 7 - 12/13.
RHEL5 was based on work up to FC6.
Compatibility (Score:2)
Re: (Score:2)
Re: (Score:2)
Not to mention the security implications of this. Tripwire, and I'm sure a number of other policy auditing systems, expect user accounts to start at 500, and do system wide permissions checking, and user_id -> service based auditing on this. Including running processes etc. This won't be too much of a pain to fix, but it will have to be fixed none the less. Oh well, C'est la vie.
Re: (Score:1)
It is absolutely trivial to fix. You pick the first free UID over when grabbing a UID for a new service. There is no reason to hardcode a UID, ever.
Re: (Score:2)
It is absolutely trivial to fix. You pick the first free UID over when grabbing a UID for a new service. There is no reason to hardcode a UID, ever.
That's fine when you're using an existing system, but if you install a new OS, and suddenly discover that /etc/passwd already has entries in the 500's, you'll have some extra work chown'ing/chgrp'ing a bunch of user files on /home, /usr/people, etc. Not a huge issue, but it's something you have to keep in mind for Fedora16 now.
Re: (Score:2)
I agree, just takes time that's all. And I guess I've seen 500 as a fundamental constant in the universe, so when it get's changed I'm not really sure yet, what the ramifications could be.
Re: (Score:2)
How about all the UIDs and GIDs on back up tapes?
Any one who says this is all just trivial doesn't work with big enough systems. And when the auditors ask for the whole process to be documented?
This may need to be done. But if it does I am not sure we should stop at 1000. I wouldn't want to go through this again in 5 years.
Re: (Score:2)
Re: (Score:2)
NO, there's absolutely a way to deal with this, things are just going to have be changed is all. And that takes time and attention to detail. It's all part of the job, but it's one more thing none the less. SELinux is finally settled down, and now we've got systemd, and base UID changes, as we'll as virtualization and significantly heavier use of kernel cgroups. I'm just saying it's one more thing on the list to deal with in an already complicated and busy few years. The amount of effort required to go fr
Re: (Score:2)
Re: (Score:2)
Missed opportunity (Score:2)
They should have started UID's at 9001 to make RedHat MEME compliant.
Re: (Score:2)
Re: (Score:2)
Yet how will this interoperate with the Japanese version of RedHat MEME when that starts at UID 8000?
Well, actually, this will be fully compatible to the Japanese version; The docs state that compliant implementations start the UIDs at over 8000, which 9001 clearly is.
I am not a UID! (Score:1)
I am a free man!
Re: (Score:1)
You are unique and special, just like everyone else...
Good for Samba/Windows interoperability (Score:1)
Re: (Score:2)
LDAP and Kerberos (Score:2)
Since it only takes about 30 minutes to set up network wide single signon with LDAP and kerberos, even (especially?) at home, I'm not seeing this as having much impact. I use afs so I don't much care about the NFS/UID nightmare either.
I was recently thinking about this, and the last time I added a user to my LDAP and kerberos at home was when my daughter was born (figured she'd need it a couple years later, and in fact now she does). To add another user at home, not only would I have to look up again how
Re: (Score:2)
Since it only takes about 30 minutes to set up network wide single signon with LDAP and kerberos, even (especially?) at home, I'm not seeing this as having much impact. I use afs so I don't much care about the NFS/UID nightmare either.
The problem is, where do you put the database? I don't have any low-power machines reliable enough for the job. I suspect most people have even less :p
Re:LDAP and Kerberos (Score:5, Funny)
Since it only takes about 30 minutes to set up network wide single signon with LDAP and kerberos
Ah yes, I remember this particular book: "Setting up LDAP in 30 minutes". You'd expect it to be a technical manual, but it's actually a novella about a sysadmin who set up LDAP in 15 minutes. Driven by his passion for a single sign on solution and pressed for time he did a quick setup, and things were great. That is until he was supposed to link those userids back to e-mail accounts for the e-mail server, which coincidentally didn't support his particular LDAP layout.
"It's okay," he spoke, "I've still got 15 minutes to spare. In that time I'm sure I can read the manpages for sendmail, qmail and postfix and still have time to stroke my manly beard.".
And thus he read the manpages, setup his particular mailserver of choice properly, and stroked his manly beard. Now that every user could connect with SSH to the servers they needed to be on, mail was being delivered, and the manly beard was stroked his manager approached him.
"Hey, I was trying to access www.testyourmanagementskills.com, but I get this weird error saying Access Denied. I think the Internets are broken, I've never been denied access to the Internets before. Could you come have a look?"
"Sure thing, I'll be with you in a sec.", the sysadmin answered still enjoying the rough sensation of stroking his manly beard.
Sure enough, the squid proxy server was not configured yet to authenticate through the LDAP server and was now broken. "I'll be right back," the sysadmin told his manager, "I have to fix the internets". And sure enough, once the sysadmin had dug through the manpages of his clustered setup of squid proxy servers a few hours later everything was up and running smoothly except for those few glitches, but the url for testyourmanagementskills.com passed through the proxy logs so the most important part was taken care of.
"Time to stroke my manly beard again", the sysadmin thought, but before he had the chance to grab for his manly attribute he was quickly interrupted by the secretary who was trying to update the intranet. "I think the intranets are broken too," she complained in a nagging voice, "I was trying to upload pictures of kittens to improve the mood now that half of the IT stuff isn't working, but if the intranets are down I can't do that. FIX MY KITTENS!". Sure enough, the apache server running the intranet site hadn't loaded mod_ldap, hadn't set up in any other way than ye olde htpasswd password files, and sure enough some of the applications on the intranet site needed to be reprogrammed as well to handle the new and improved magnificent single sign on. Luckily for him the mod_ldap page explained pretty well what needed to be changed, so after a quick lunchbreak the apache server was up and running again (except for a few nasty PHP errors, but the kittens were back on the intranets, so who cares?)
"You know, " spoke the accountant, "I've got to hand it to you. You managed to fix a lot of stuff today that broke all of a sudden, but I still can't access the accounting excel sheets. I need to update the invoices and I just can't seem to do that.". Sure enough, the samba server hosting the accounting files wasn't configured for LDAP either. The sysadmin quickly went to work, and grabbed the samba documentation, and that is where the real problem began. You see, gentle reader, the documentation for samba isn't just a 3 page document saying "put this here, this here, and that there, and then /etc/init.d/smb restart" but a hefty document gently introducing you into the world of "domain controllers" and "shares" and the various quircks and oddities, such things as WINS servers and all that fun jazz. Oh, the original setup was never anything complicated, but a good LDAP setup for samba (or rather a good samba setup for LDAP) requires a bit of planning and care especially if you have a lot of users.
After reading through the various manuals and the small hand
Re: (Score:3)
Although long-winded, the post has a point. Anyone who has ever tried to set up any sort of non-basic authentication on a unix box doing anything other than really basic desktop shit will have run into similar problems. Getting the OS to log you in using LDAP is the easy part. Getting all the related services to use LDAP (and doing a full audit before hand without missing anything to ensure that everything can be configured for LDAP) is not.
Maybe its simpler if you're starting out from scratch and hav
Re: (Score:1)
AFS volume based backup *shudder*.
AFS is great as long as you don't need performance.
However, there is some interesting developments in AFS+OSD, but this is also mostly for those who painted themselves into a corner.
Personally I'd much rather "suffer" and use something like GlusterFS (which suffers in small file I/O), but not big files.
Only AFS and NFS does CacheFS.
!news (Score:2)
How is this news at all?
Fedora and RedHat have had the ability to explicitly set UIDs and GIDs for years.
I've been explicitly starting UIDs at 1000 doing that since like 1998. Its not a big fucking deal, tripwire or otherwise.
And any distro that has a problem with non-system UIDs starting at 500 should be aborted as being hopelessly broken.
minor change really (Score:2)
Noobs and year of linux desktop (Score:2)
This is an almost-good idea, but could be better (Score:1)
You tore me away from Oprah's final show for this? Not for long...
Oh yeah? (Score:2)
MY distro goes to ELEVEN hundred. :-)
UIDs *used to be* 0-255, or even 0-127, PIDs 30K (Score:2)
such progress...
uid's used to be encoded in 8bits, 0-255 and some software would break with 128-255 being wrongly converted into a negative integer...
now we start at 1000... I guess it took a while to access the impact of PIDs going beyond 30000...
Compromise (Score:2)
Hmm, now I'm left wondering what UID scheme Fuduntu [fuduntu.org] uses.
Wonderful decision (Score:1)
Re: (Score:2)
if you're trying to order them and do something like if(uid>=magic) you need a trip to unix re-education camp.
Yep. It's trying to implement number magic instead of having user groups like local_users, remote_users, daemons etc. to determine what to show where. Welcome to poor design 101, I remember trying to add a ftp server to my box, reusing user and file system permissions is fine but every user I added also appeared on my login screen. They should be in an ftp_users group, nowhere else. But instead we'll use a UID that we can't easily change and can't belong to multiple groups, sigh...
Re: (Score:2)
uids on Debian derived systems start with 1000. If you build a system based on either RedHat or Debian standards right now, the uid numbers are going to be in a completely different range. This makes it even more annoying than usual to do things like create shared volumes where the file permissions are right, when mounted by two different servers running different distributions.
It's also a hassle on dual-boot systems, or ones where you converted from one distribution to the other, too. For example, last