Bug 491899 - please assign a uid and gid for 'nslcd'
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: setup
Version: rawhide
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Ondrej Vasik
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-03-24 11:28 EDT by Nalin Dahyabhai
Modified: 2009-03-25 09:46 EDT
Fixed In Version: setup-2.8.2-2.fc11
Doc Type: Bug Fix
Last Closed: 2009-03-25 09:46:12 EDT
Description Nalin Dahyabhai 2009-03-24 11:28:28 EDT
The nss-ldapd package (package review at bug #491767) includes a daemon which can be run as an unprivileged user, and I'd like to reserve a uid and a gid for that user and its primary group.  In my testing, there's no requirement that they be the same value, so I hope we can scare up a pair (uid 64, gid 31, would probably work).
Comment 1 Ondrej Vasik 2009-03-24 12:04:54 EDT
This pair is not available: uid 64 is already reserved by user condor, and gid 31 is already reserved by group console. What do you think about sharing a gid with some existing group - e.g. group 55 (ldap) and share it with open-ldap? The reserved uid could be separate - there are plenty of free uids left (e.g. 63). I checked the available gids and the only free one is 16 (uidgid pair in fact available, 16/16
Comment 2 Nalin Dahyabhai 2009-03-24 12:13:07 EDT
That's probably okay -- nothing the daemon accesses needs to be group-readable or -writable, it just needs to be part of _some_ group.  My only concern would be for other packages which use the group for access control.  For example slapd's configuration file is group-readable, and its contents would be readable from inside of nslcd should it be compromised somehow.  But hey, it's better than nothing.
Comment 3 Ondrej Vasik 2009-03-24 12:39:23 EDT
Will ask openldap maintainer tomorrow if such group sharing is suitable for him (I guess those packages are quite close to share group). If so, will assign uid 63 for "nslcd" user and you will add nss-ldap package to reservation of gid 55 "ldap" group.
Comment 4 Ondrej Vasik 2009-03-25 09:46:12 EDT
Ok, consulted with open-ldap guys, they are generally ok with that group sharing.

Added following reservation record to uidgid file (as I have seen you have chosen uid 65 in spec):
username  uid  gid   home  shell          package
nslcd     65   (55)  /     /sbin/nologin  nslcd

Note: group 55 should be created as ldap to prevent troubles for open-ldap.

Built as setup-2.8.2-2.fc11, closing RAWHIDE.
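
Added example, not part of the original bug thread: a Python sketch of the check implied by Comment 2, listing the files an account can read or write only because it is a member of a shared group such as gid 55 (ldap). The function names, the constructed sample tree and its file names and modes are assumptions; ACLs and directory traversal permissions are ignored.

```python
import os
import stat
import tempfile


def group_only_access(root, uid, gid):
    """Map each regular file under root to the access ('r', 'w', 'rw') that
    an account (uid, gid) holds only because of its group membership."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            # POSIX applies one class only: owner first, then group, then other.
            if st.st_uid == uid or st.st_gid != gid:
                continue
            gained = ""
            if st.st_mode & stat.S_IRGRP and not st.st_mode & stat.S_IROTH:
                gained += "r"
            if st.st_mode & stat.S_IWGRP and not st.st_mode & stat.S_IWOTH:
                gained += "w"
            if gained:
                findings[path] = gained
    return findings


def demo():
    """Run the check on a constructed tree (hypothetical names and modes)."""
    sample = {"slapd.conf": 0o640, "ldap.conf": 0o644, "private.key": 0o600}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in sample.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        st = os.lstat(os.path.join(root, "slapd.conf"))
        # Stand-in for the service account: same group as the files,
        # but a uid different from their owner.
        found = group_only_access(root, st.st_uid + 1, st.st_gid)
        return {os.path.basename(p): a for p, a in found.items()}


if __name__ == "__main__":
    print(demo())
```

On a real system the call would take the reserved uid and the shared gid and a root such as /etc; world-readable files are skipped because group membership adds nothing there.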
