From: Leo Prikler
To: Danny Milosavljevic
Subject: bug#45571: Fwd: Re: bug#45571: Support stable uids and gids for all accounts
Date: Sat, 02 Jan 2021 04:10:06 +0100
Message-ID: <0d5ecae08ad352669fab46858eeefff7f6446998.camel@student.tugraz.at>
In-Reply-To: <20210102024054.158bb3ba@scratchpost.org>
List-Id: Bug reports for GNU Guix
Cc: 45571@debbugs.gnu.org

Hi Danny,

On Saturday, 02.01.2021 at 02:40 +0100, Danny Milosavljevic wrote:
> Hi Leo,
>
> On Sat, 02 Jan 2021 00:16:45 +0100
> Leo Prikler wrote:
>
> > > And it indeed is possible to add (uid 4711) in the literal and it
> > > will work just fine.
> > I'm aware you're joking, or at least I hope you are,
>
> What? It's perfectly reasonable for a distribution to have stable
> system user ids.
>
> That's what Debian supports, too:
>
> https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
>
> > 0-99:
> > Globally allocated by the Debian project, the same on every Debian
> > system. These ids will appear in the passwd and group files of all
> > Debian systems, new ids in this range being added automatically as
> > the base-passwd package is updated.
> > Packages which need a single statically allocated uid or gid should
> > use one of these; their maintainers should ask the base-passwd
> > maintainer for ids.
> > [...]
>
> > 60000-64999:
> > Globally allocated by the Debian project, but only created on
> > demand. The ids are allocated centrally and statically, but the
> > actual accounts are only created on users’ systems on demand.
> > [...]
You do know that services such as gdm, pulseaudio, avahi, sshd, mpd,
and others fall into neither region, do you?

> And so does FreeBSD, see
> https://www.freebsd.org/doc/en/books/porters-handbook/users-and-groups.html
> and https://github.com/freebsd/freebsd-ports/blob/master/UIDs for the
> actual registry.
If I had a guixbuilder for every account in that list that I didn't
need, I'd have a lot of guixbuilders. Probably more than I could
allocate into a contiguous block under FreeBSD.

> For that matter, IANA does this for ports and many other things. And
> so on.
>
> Stable defaults are *good*.
So is leaving room for other configurations. Some of the bindings we
now consider "default" were only made because other ports were already
claimed. Not to mention overlaps, such as port 465.

> Right now, the Guix service user user-account record specifies 99% of
> the /etc/passwd entry. I indeed propose to make it 100% for system
> users for Guix system services.
What's the remaining 1%?

> > but I shouldn't have to point out why hardcoding ids into those
> > literals is a bad idea.
>
> You have to point that out to us--especially since Guix service user
> accounts of the account-service-type extension can only be
> instantiated once anyway.
Unlike in other systems, where you'd expect people to manually fiddle
around with such files and tragically fail, in Guix your OS config.scm
should reflect the actual state of the system (modulo secrets that
can't be expressed currently). If you claim UID 92 for GDM like FreeBSD
does, but people live on installations that have the old default of 983
(or any other, depending on the number of guixbuilders you have),
that's going to cause problems. Perhaps not the same problems that led
to the creation of its activation-service, but still.

That's not to say that claiming such IDs is *always* bad, just that
it's bad to do so without leaving room for configuration.
I should likely have worded that better, but at the same time there was
context from which one could have inferred that I meant hardcoding IDs
into unchanging constants.

From the solutions we do have so far, I believe that making user
accounts an explicit part of service configuration (in what shape may
still be up for debate), with reasonable defaults including numeric
UIDs and GIDs (at least) for essential services such as GDM sounds like
the best option.

WDYT?

Regards,
Leo
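
The UID drift described in the message above (gdm at 983 on existing installations versus a newly claimed 92), as an added example that is not part of the original e-mail or of Guix: a check of a passwd snapshot against a proposed fixed allocation. The passwd excerpt, the `legacy-svc` account and the function names are constructed; the collision check goes beyond the case in the text.

```python
# Added example; the passwd excerpt and account names are constructed.
SAMPLE_PASSWD = """\
root:x:0:0:System administrator:/root:/bin/sh
guixbuilder01:x:999:998:Guix build user 01:/var/empty:/sbin/nologin
guixbuilder02:x:998:998:Guix build user 02:/var/empty:/sbin/nologin
gdm:x:983:978:GNOME Display Manager user:/var/lib/gdm:/sbin/nologin
legacy-svc:x:92:92:Constructed account:/var/empty:/sbin/nologin
"""

# Proposed fixed allocation (92 for gdm is the FreeBSD value cited in the message).
PROPOSED = {"gdm": 92}


def parse_passwd(text):
    """Map account name -> numeric UID, skipping blank and comment lines."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts[fields[0]] = int(fields[2])
    return accounts


def check_allocation(current, proposed):
    """Return (kind, name, detail) findings for a proposed static UID table."""
    by_uid = {uid: name for name, uid in current.items()}
    findings = []
    for name, new_uid in sorted(proposed.items()):
        old_uid = current.get(name)
        if old_uid is not None and old_uid != new_uid:
            # Files already on disk are still owned by the old numeric UID.
            findings.append(("drift", name, f"{old_uid} -> {new_uid}"))
        holder = by_uid.get(new_uid)
        if holder is not None and holder != name:
            # The new UID would make this account the owner of another's files.
            findings.append(("collision", name, f"{new_uid} held by {holder}"))
    return findings


if __name__ == "__main__":
    for finding in check_allocation(parse_passwd(SAMPLE_PASSWD), PROPOSED):
        print(*finding)
```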