Bug 5369 - System users conflict with LDAP ones
Summary: System users conflict with LDAP ones
Status: NEW
Alias: None
Product: Infrastructure
Classification: Unclassified
Component: Others (show other bugs)
Version: unspecified
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Sysadmin Team
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-04-12 14:30 CEST by Pascal Terjan
Modified: 2012-10-21 20:37 CEST (History)
2 users (show)

See Also:
Source RPM:
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pascal Terjan 2012-04-12 14:30:52 CEST 
Some local users created in puppet for various roles (bcd, mirror) have an uid in the same range than LDAP users

On rabbit if was the case for two of them:

mirror:x:5044:5008:System user use to run mirror scripts:/home/mirror:/bin/bash
bcd:x:5045:5009:User for creating ISOs:/home/bcd:/bin/bash

5044 and 5045 are in use by saispo and jmartin

Surprisingly other are fine:
releasekey:x:517:502:System user to sign Mageia Releases:/var/lib/releasekey:/bin/bash
draklive:x:518:503:User for creating live ISOs:/home/draklive:/bin/bash
youri:x:519:519:Youri Check:/var/lib/youri:/bin/bash

Maybe this is already fixed and was only for older users?

Or should we hardcode some uid in puppet config? It does not seem possible to force a range (http://projects.puppetlabs.com/issues/5726)

Users on valstar look fine:

mirror:x:501:501:System user use to run mirror scripts:/home/mirror:/bin/bash
schedbot:x:516:516:System user used to schedule builds:/var/lib/schedbot:/bin/bash
iurt:x:517:517:System user used to run build bots:/home/iurt:/bin/bash
signbot:x:518:518:System user used to sign packages:/var/lib/signbot:/bin/bash
softwarekey:x:519:519:System user to sign Mageia Software:/var/lib/softwarekey:/bin/bash
maintdb:x:520:520:Maintainers database:/var/lib/maintdb:/bin/bash
binrepo:x:521:521:Binary files repository:/var/lib/binrepo:/bin/bash
mgasoft:x:522:522:System user to publish software:/var/lib/mgasoft:/bin/bash
Comment 1 Buchan Milne 2012-10-21 20:27:02 CEST 
Maybe we should set UID_MAX=5000 and GID_MAX=5000 in /etc/login.defs ?

I don't know if useradd etc. will find the intended gap from 500 to 5000 though.

I note valstar has:
[root@valstar ~]# grep ^.ID_MAX /etc/login.defs 
UID_MAX                  2000
GID_MAX                  2000

Rabbit also has this, but /etc/login.defs was changed recently:

[root@rabbit ~]# grep ^.ID_MAX /etc/login.defs 
UID_MAX                  2000
GID_MAX                  2000
[root@rabbit ~]# ll /etc/login.defs

Can we close this? Or do we need to cleanup existing conflicts?
[root@rabbit ~]# awk -F: '{if ($3 > 5000) print $1,$3}' /etc/passwd
nobody 65534
mirror 5146
draklive 5147
releasekey 5148

CC: (none) => bgmilne

Comment 2 Buchan Milne 2012-10-21 20:37:13 CEST 
BTW., on rabbit it is working correctly at present:
[root@rabbit ~]# useradd bug5369test
[root@rabbit ~]# getent passwd bug5369test
bug5369test:x:517:517::/home/bug5369test:/bin/bash

I don't want to correct the existing incorrect users, as I don't know where they may have files, and don't want to wait for a find to finish now.
Note You need to log in before you can comment on or make changes to this bug.