Diffstat
-rw-r--r-- | docs/UIDS-GIDS.md | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/docs/UIDS-GIDS.md b/docs/UIDS-GIDS.md index db4cac4..d52a5b8 100644 --- a/docs/UIDS-GIDS.md +++ b/docs/UIDS-GIDS.md @@ -21,7 +21,7 @@ validity for GIDs too. In theory, the range of the C type `uid_t` is 32bit wide on Linux, i.e. 0…4294967295. However, four UIDs are special on Linux: -1. 0 → The `root` super-user +1. 0 → The `root` super-user. 2. 65534 → The `nobody` UID, also called the "overflow" UID or similar. It's where various subsystems map unmappable users to, for example file systems 
@@ -57,20 +57,20 @@ Distributions generally split the available UID range in two: 2. 1000…65533 and 65536…4294967294 → Everything else, i.e. regular (human) users. -Note that most distributions allow changing the boundary between system and -regular users, even during runtime as user configuration. Moreover, some older -systems placed the boundary at 499/500, or even 99/100. In `systemd`, the -boundary is configurable only during compilation time, as this should be a -decision for distribution builders, not for users. Moreover, we strongly -discourage downstreams to change the boundary from the upstream default of -999/1000. +Some older systems placed the boundary at 499/500, or even 99/100, +and some distributions allow the boundary between system and regular users to be changed +via local configuration. +In `systemd`, the boundary is configurable during compilation time +and is also queried from `/etc/login.defs` at runtime, +if the `-Dcompat-mutable-uid-boundaries=true` compile-time setting is used. +We strongly discourage downstreams from changing the boundary from the upstream default of 999/1000. Also note that programs such as `adduser` tend to allocate from a subset of the -available regular user range only, usually 1000..60000. And it's also usually -user-configurable, too. +available regular user range only, usually 1000..60000. +This range can also be configured using `/etc/login.defs`. Note that systemd requires that system users and groups are resolvable without -networking available — a requirement that is not made for regular users. This +network — a requirement that is not made for regular users. This means regular users may be stored in remote LDAP or NIS databases, but system users may not (except when there's a consistent local cache kept, that is available during earliest boot, including in the initrd). 
@@ -155,15 +155,15 @@ The most important boundaries of the local system may be queried with `pkg-config`: ``` -$ pkg-config --variable=systemuidmax systemd +$ pkg-config --variable=system_uid_max systemd 999 -$ pkg-config --variable=dynamicuidmin systemd +$ pkg-config --variable=dynamic_uid_min systemd 61184 -$ pkg-config --variable=dynamicuidmax systemd +$ pkg-config --variable=dynamic_uid_max systemd 65519 -$ pkg-config --variable=containeruidbasemin systemd +$ pkg-config --variable=container_uid_base_min systemd 524288 -$ pkg-config --variable=containeruidbasemax systemd +$ pkg-config --variable=container_uid_base_max systemd 1878982656 ``` |
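Review bot: in the `@@ -57,20` hunk the new sentence about `/etc/login.defs` leaves the relationship between the two mechanisms ambiguous: as written, a reader cannot tell whether the compile-time boundary is always in effect and the runtime lookup is an addition that only applies when built with `-Dcompat-mutable-uid-boundaries=true`, or whether the compile-time configurability itself is conditional on that option. Suggest splitting it, e.g. "In `systemd`, the boundary is set at compilation time. If built with `-Dcompat-mutable-uid-boundaries=true`, it is additionally read from `/etc/login.defs` at runtime." The paragraph should also say which `/etc/login.defs` keys are consulted and what happens when the file is missing or a value is unparseable (presumably the compiled-in default is used); this matters because, as the following paragraph states, the system/regular split decides which users must be resolvable without network in early boot, so a runtime-mutable boundary with an unstated fallback is a boot-path concern. Minor style points: `1000..60000` still uses two dots where the rest of the document uses `…`, and "without network" reads better as "without networking" or "without network access".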
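Review bot: in the `@@ -155,15` hunk, renaming the `pkg-config` variables from `systemuidmax`, `dynamicuidmin`, `dynamicuidmax`, `containeruidbasemin` and `containeruidbasemax` to the underscored forms is a user-visible interface change for any downstream build script that queries the systemd pkg-config file, but this hunk only updates the documentation. The commit should state whether the old variable names are kept as aliases in the `.pc` file or removed, and if removed, the change belongs in the release notes so consumers do not silently start receiving empty values. The printed values (999, 61184, 65519, 524288, 1878982656) are unchanged, which is consistent with a pure rename.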