Bug 491899

Summary: please assign a uid and gid for 'nslcd'
Product: [Fedora] Fedora
Reporter: Nalin Dahyabhai <nalin>
Component: setup
Assignee: Ondrej Vasik <ovasik>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: ovasik, pknirsch
Hardware: All   
OS: Linux   
Fixed In Version: setup-2.8.2-2.fc11
Doc Type: Bug Fix
Last Closed: 2009-03-25 13:46:12 UTC

Description Nalin Dahyabhai 2009-03-24 15:28:28 UTC
The nss-ldapd package (package review at bug #491767) includes a daemon which can be run as an unprivileged user, and I'd like to reserve a uid and a gid for that user and its primary group.  In my testing, there's no requirement that they be the same value, so I hope we can scare up a pair (uid 64, gid 31, would probably work).

Comment 1 Ondrej Vasik 2009-03-24 16:04:54 UTC
This pair is not available: uid 64 is already reserved by user condor, gid 31 is already reserved by group console. What do you think about sharing a gid with some existing group - e.g. group 55 (ldap) - and sharing it with open-ldap? The reserved uid could be separate - there are plenty of free uids left (e.g. 63). I checked the available gids and the only free one is 16 (a uidgid pair is in fact available, 16/16

Comment 2 Nalin Dahyabhai 2009-03-24 16:13:07 UTC
That's probably okay -- nothing the daemon accesses needs to be group-readable or -writable, it just needs to be part of _some_ group.  My only concern would be for other packages which use the group for access control.  For example slapd's configuration file is group-readable, and its contents would be readable from inside of nslcd should it be compromised somehow.  But hey, it's better than nothing.
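
The exposure described in comment 2 (a compromised nslcd reading files that are group-readable for the shared ldap group) can be measured on a host before the group is shared. This is an added example, not part of the original thread or of any package mentioned; the function name `group_exposed_files` and the default root `/etc` are assumptions.

```python
import os
import stat


def group_exposed_files(root, gid, exclude_uid=None):
    """Return sorted (path, access) pairs under root usable via the group bits of gid.

    access is "r", "w" or "rw". Entries owned by exclude_uid are skipped,
    because that account already reaches them through the owner bits.
    Parent-directory search permission is not checked, so the result is
    an upper bound on what a member of the group can actually open.
    """
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or cannot be examined
            if stat.S_ISLNK(st.st_mode) or st.st_gid != gid:
                continue
            if exclude_uid is not None and st.st_uid == exclude_uid:
                continue
            access = ("r" if st.st_mode & stat.S_IRGRP else "") + \
                     ("w" if st.st_mode & stat.S_IWGRP else "")
            if access:
                exposed.append((path, access))
    return sorted(exposed)


if __name__ == "__main__":
    import grp
    import sys
    group = sys.argv[1] if len(sys.argv) > 1 else "ldap"
    root = sys.argv[2] if len(sys.argv) > 2 else "/etc"
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        sys.exit(f"group {group!r} does not exist on this host")
    for path, access in group_exposed_files(root, gid):
        print(f"{access:2} {path}")
```

Every path it prints is something the new daemon account would gain access to purely through the shared gid, which is the list to review with the other package's maintainer.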

Comment 3 Ondrej Vasik 2009-03-24 16:39:23 UTC
Will ask the openldap maintainer tomorrow if such group sharing is suitable for him (I guess those packages are quite close to share a group). If so, I will assign uid 63 for the "nslcd" user and you will add the nss-ldap package to the reservation of the gid 55 "ldap" group.

Comment 4 Ondrej Vasik 2009-03-25 13:46:12 UTC
Ok, consulted with open-ldap guys, they are generally ok with that group sharing.

Added the following reservation record to the uidgid file (as I have seen you have chosen uid 65 in the spec):
username  uid  gid   home  shell          package
nslcd     65   (55)  /     /sbin/nologin  nslcd

Note: group 55 should be created as ldap to prevent troubles for open-ldap.

Built as setup-2.8.2-2.fc11, closing RAWHIDE.