[822] in athena10
The low UID/GID problem
daemon@ATHENA.MIT.EDU (Tim Abbott)
Sat Jan 10 17:29:10 2009
Date: Sat, 10 Jan 2009 17:28:12 -0500 (EST)
From: Tim Abbott <tabbott@MIT.EDU>
To: debathena@mit.edu, athena10@mit.edu
cc: ops@mit.edu
Message-ID: <alpine.DEB.2.00.0901101653110.21723@opus.mit.edu>

Along with the "mit" group problem that broder just sent mail about, there
is a broader but much easier problem with Athena users with low UIDs that
might conflict with the UID of a system user on a Debathena machine at
some point in the future (which would prevent them from logging in).

I think that this is a problem that we'll want to solve soon, rather than
waiting for users to complain that they can't log in.

/mit/tabbott/Public/users-who-lose contains a list of the 52 Athena
accounts with a uid below 200 (I'm ignoring accounts such as "Mr Kernel"
that probably cannot log in).

I think the right solution to this is to renumber these 52 people's
accounts and change Moira to no longer assign UIDs to new accounts below
200 (if it still does). It's a small enough list that we could feasibly
renumber their accounts, and it should protect us from UID conflicts with
system groups for a long time.

The other UID range that might have potential problems is 1000-1100, the
range where local UNIX users would be assigned. It would be good to
reserve these in Moira as well, so that when accounts in that range expire
they do not get replaced. But this range is less critical as it won't
affect cluster machines.

There are also groups that might conflict with system groups (see
/mit/tabbott/Public/groups-who-lose for all 24 of them below 200). These
groups simply will be useless on Debathena machines that have a system
group with the same number. Renumbering those of these other than "mit"
is probably easier than renumbering users, because they should not appear
in AFS (as all Athena users have gid 101), but it is also less critical
than the UID problem.

I've CCed ops on this thread, since they would likely be involved in any
renumberings.
-Tim Abbott
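
The audit described in the message, sketched as an added example (not part of the original mail, and not Moira or Debathena code): it flags directory accounts whose UID falls in a range reserved for local use, and marks those that already collide with a differently named local account. The account names and sample data are constructed, and treating 1000-1100 as inclusive is an assumption.

```python
from typing import NamedTuple, Optional

# Ranges named in the message; inclusive upper bound of 1100 is an assumption.
RESERVED = {"system": range(0, 200), "local-user": range(1000, 1101)}

class Finding(NamedTuple):
    name: str
    uid: int
    zone: Optional[str]         # reserved range the UID falls in, if any
    collides_with: Optional[str]  # local account already holding this UID

def parse_ids(text):
    """Parse passwd(5)/group(5)-style lines; field 3 is the numeric ID in both."""
    out = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 3:
            continue
        if not fields[2].isdigit():
            continue  # malformed or placeholder entry, skip it
        out.append((fields[0], int(fields[2])))
    return out

def audit(directory_text, local_text):
    """Return a Finding for every directory account at risk of an ID conflict."""
    local_by_id = {uid: name for name, uid in parse_ids(local_text)}
    findings = []
    for name, uid in parse_ids(directory_text):
        zone = next((z for z, r in RESERVED.items() if uid in r), None)
        owner = local_by_id.get(uid)
        clash = owner if owner is not None and owner != name else None
        if zone or clash:
            findings.append(Finding(name, uid, zone, clash))
    return findings

# Constructed sample data: directory accounts (all with gid 101) and a local passwd.
SAMPLE_DIRECTORY = """\
alice:*:150:101:Alice:/mit/alice:/bin/bash
bob:*:1042:101:Bob:/mit/bob:/bin/bash
carol:*:23456:101:Carol:/mit/carol:/bin/bash
dave:*:33:101:Dave:/mit/dave:/bin/bash
"""
SAMPLE_LOCAL = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
messagebus:x:104:109::/var/run/dbus:/bin/false
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_DIRECTORY, SAMPLE_LOCAL):
        print(f)
```

Because `parse_ids` only reads the name and the third field, the same function can be pointed at group(5)-format data to list groups below 200.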