The low UID/GID problem

daemon@ATHENA.MIT.EDU (Tim Abbott)
Sat Jan 10 17:29:10 2009

Date: Sat, 10 Jan 2009 17:28:12 -0500 (EST)
From: Tim Abbott <tabbott@MIT.EDU>
To: debathena@mit.edu, athena10@mit.edu
cc: ops@mit.edu
Message-ID: <alpine.DEB.2.00.0901101653110.21723@opus.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

Along with the "mit" group problem that broder just sent mail about, there 
is a broader but much easier problem with Athena users with low UIDs that 
might conflict with the UID of a system user on a Debathena machine at 
some point in the future (which would prevent them from logging in).

I think that this is a problem that we'll want to solve soon, rather than 
waiting for users to complain that they can't log in.

/mit/tabbott/Public/users-who-lose contains a list of the 52 Athena 
accounts with a uid below 200 (I'm ignoring accounts such as "Mr Kernel" 
that probably cannot log in).

I think the right solution to this is to renumber these 52 people's 
accounts and change Moira to no longer assign UIDs to new accounts below 
200 (if it still does).  It's a small enough list that we could feasibly 
renumber their accounts, and it should protect us from UID conflicts with 
system groups for a long time.

The other UID range that might have potential problems is 1000-1100, the 
range where local UNIX users would be assigned.  It would be good to 
reserve these in Moira as well, so that when accounts in that range expire 
they do not get replaced.  But this range is less critical as it won't 
affect cluster machines.

There are also groups that might conflict with system groups (see 
/mit/tabbott/Public/groups-who-lose for all 24 of them below 200).  These 
groups simply will be useless on Debathena machines that have a system 
group with the same number.  Renumbering those of these other than "mit" 
is probably easier than renumbering users, because they should not appear 
in AFS (as all Athena users have gid 101), but it is also less critical 
than the UID problem.

I've CCed ops on this thread, since they would likely be involved in any 

 	-Tim Abbott
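
The check described in the message above, as an added example that is not part of the original mail and is not Moira or Debathena code: it flags directory accounts whose UID collides with a local system user, falls below 200, or sits in the 1000-1100 local-user range. It assumes both account lists are available in passwd(5) format; the function names and all sample accounts are constructed for illustration.

```python
LOW_UID_LIMIT = 200               # UIDs below this may belong to system users
LOCAL_USER_RANGE = (1000, 1100)   # range where local UNIX users are assigned

# Constructed sample data in passwd(5) format; not real accounts.
DIRECTORY_PASSWD = """\
alice:*:33:101:Alice Example:/mit/alice:/bin/bash
bob:*:150:101:Bob Example:/mit/bob:/bin/bash
carol:*:1001:101:Carol Example:/mit/carol:/bin/bash
erin:*:1050:101:Erin Example:/mit/erin:/bin/bash
dave:*:24680:101:Dave Example:/mit/dave:/bin/bash
"""
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
localadmin:x:1001:1001:Local Admin:/home/localadmin:/bin/bash
"""

def parse_passwd(text):
    """Return [(login, uid)] for each well-formed passwd(5) line."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments, NIS "+" lines and non-numeric UIDs.
        if len(fields) < 7 or fields[0].startswith(("#", "+")) or not fields[2].isdigit():
            continue
        entries.append((fields[0], int(fields[2])))
    return entries

def audit(directory_text, local_text):
    """Return [(login, uid, status, local_owner)] for accounts at risk."""
    local_by_uid = {uid: login for login, uid in parse_passwd(local_text)}
    findings = []
    for login, uid in sorted(parse_passwd(directory_text), key=lambda e: e[1]):
        owner = local_by_uid.get(uid)
        if owner is not None and owner != login:
            # A different local account already owns this UID on the host.
            findings.append((login, uid, "collision", owner))
        elif uid < LOW_UID_LIMIT:
            findings.append((login, uid, "reserved-low", None))
        elif LOCAL_USER_RANGE[0] <= uid <= LOCAL_USER_RANGE[1]:
            findings.append((login, uid, "reserved-local", None))
    return findings

if __name__ == "__main__":
    for login, uid, status, owner in audit(DIRECTORY_PASSWD, LOCAL_PASSWD):
        print(f"{login:8} uid={uid:<6} {status:15} {owner or ''}")
```

Accounts reported as "reserved-low" or "reserved-local" have no conflict on this host yet but sit in a range a future system or local user could take.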

