
move human users out of UID range for system accounts
Closed, Declined · Public

Description

From the past before the use of the admin module and matching UIDs with Labs UIDs, we still have human shell users with UIDs in the range under 999, which is reserved for system users.

"UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups."

We should move these users to a new UID.

Options seem to be:

  • edit their UID in the admin module with a puppet change
  • run a find / .. -exec chmod .. to re-own all their files to the new UID, probably has to run on / on all servers to make sure (!?), or just /home ?

or

  • create new users, give people access to both
  • let them rsync old /home to new /home, copy what they want or do it for them
  • once new user is confirmed ready, delete old user for real with bash commands via salt

or

  • ignore this since it's too much effort to fix and while technically breaking a rule doesn't cause issues that are worth fixing it?

or ...

?
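The file re-ownership step of the first option above, written out as an added example (this is not code from the task or from the puppet admin module). It assumes GNU findutils and coreutils; OLD_UID and NEW_UID are placeholders supplied by the caller, and the directory the demo walks is constructed on the spot. Re-owning is a chown rather than a permission change, the run is a dry run unless explicitly applied, -xdev keeps a walk over / from descending into NFS or other mounts that should be handled per filesystem, and -h re-owns symlinks themselves instead of whatever they point at.

```shell
#!/bin/sh
# Added example, not part of the task: move every file owned by one numeric
# UID to another, listing first and changing only on request.
# Assumptions: GNU find (-uid, -xdev) and GNU chown (-h); UIDs are caller
# supplied placeholders; the demo directory below is constructed.

# list_files_owned_by_uid ROOT UID
# Print each path under ROOT owned by numeric UID. -xdev stays on the
# filesystem ROOT lives on, so a run over / does not wander into NFS or
# other mounted filesystems that need their own pass.
list_files_owned_by_uid() {
    root=$1
    uid=$2
    find "$root" -xdev -uid "$uid" -print
}

# count_files_owned_by_uid ROOT UID: number of matching paths
count_files_owned_by_uid() {
    list_files_owned_by_uid "$1" "$2" | wc -l | tr -d ' '
}

# reown_uid ROOT OLD_UID NEW_UID [apply]
# Dry run unless the fourth argument is "apply". chown -h changes the
# ownership of a symlink itself rather than following it, so links that
# point outside ROOT are left alone. Apply mode needs root.
reown_uid() {
    root=$1
    old=$2
    new=$3
    mode=${4:-dry-run}
    n=$(count_files_owned_by_uid "$root" "$old")
    if [ "$mode" = "apply" ]; then
        find "$root" -xdev -uid "$old" -exec chown -h "$new" {} +
        echo "re-owned $n paths under $root from uid $old to uid $new"
    else
        echo "dry run: $n paths under $root owned by uid $old would move to uid $new"
        list_files_owned_by_uid "$root" "$old"
    fi
}

# Demo on a constructed directory, using the current uid so it runs
# without root; 65534 is only a placeholder target and nothing is changed.
demo_dir=$(mktemp -d)
touch "$demo_dir/notes.txt"
mkdir "$demo_dir/project"
touch "$demo_dir/project/main.c"
reown_uid "$demo_dir" "$(id -u)" 65534
rm -rf "$demo_dir"
```

Run the dry run over /home first and compare the count per host before passing "apply"; the count is also the number to expect back from the apply run, which makes a partial failure (a mount that went away, a path that could not be chowned) visible.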

Event Timeline

Dzahn raised the priority of this task from to Needs Triage.
Dzahn updated the task description.
Dzahn added a project: acl*sre-team.
Dzahn subscribed.
Dzahn set Security to Other confidential issue. Oct 1 2015, 10:32 PM
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Oct 1 2015, 10:32 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: WMF-NDA.

UIDs in production are based on wikitech/ldap UID. These are sometimes under 999.

That is an issue indeed. I'd say it was technically wrong in wikitech that it started to use these, but we DO want to match the UIDs with labs. And also changing them in labs all of a sudden is a much bigger effort since it, probably, affects way more people.

Dzahn triaged this task as Medium priority. Oct 19 2015, 11:22 PM

Does this actually have to stay confidential?

I don't think so. You created it this way...

Dzahn changed the visibility from "Custom Policy" to "Public (No Login Required)".
Dzahn changed the edit policy from "Custom Policy" to "All Users".
Dzahn changed Security from Other confidential issue to None.

Do we know how many current users this impacts in labs? If the number is small, new user + email to move their stuff may not be awful.

Do we know how many current users this impacts in labs?

I found an answer to this straight with ldapsearch. The answer is 28.

[mwmaint1001:~] $ ldapsearch -x "uidNumber<=999" uid uidNumber
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: uidNumber<=999
# requesting: uid uidNumber
#

# brion, people, wikimedia.org
dn: uid=brion,ou=people,dc=wikimedia,dc=org
uid: brion
uidNumber: 500

# avar, people, wikimedia.org
dn: uid=avar,ou=people,dc=wikimedia,dc=org
uid: avar
uidNumber: 534

# tstarling, people, wikimedia.org
dn: uid=tstarling,ou=people,dc=wikimedia,dc=org
uid: tstarling
uidNumber: 501

# erik, people, wikimedia.org
dn: uid=erik,ou=people,dc=wikimedia,dc=org
uid: erik
uidNumber: 503

# midom, people, wikimedia.org
dn: uid=midom,ou=people,dc=wikimedia,dc=org
uid: midom
uidNumber: 527

# mark, people, wikimedia.org
dn: uid=mark,ou=people,dc=wikimedia,dc=org
uid: mark
uidNumber: 531

# rainman, people, wikimedia.org
dn: uid=rainman,ou=people,dc=wikimedia,dc=org
uid: rainman
uidNumber: 538

# daniel, people, wikimedia.org
dn: uid=daniel,ou=people,dc=wikimedia,dc=org
uid: daniel
uidNumber: 545

# aaron, people, wikimedia.org
dn: uid=aaron,ou=people,dc=wikimedia,dc=org
uid: aaron
uidNumber: 544

# laner, people, wikimedia.org
dn: uid=laner,ou=people,dc=wikimedia,dc=org
uid: laner
uidNumber: 553

# catrope, people, wikimedia.org
dn: uid=catrope,ou=people,dc=wikimedia,dc=org
uid: catrope
uidNumber: 546

# tparscal, people, wikimedia.org
dn: uid=tparscal,ou=people,dc=wikimedia,dc=org
uid: tparscal
uidNumber: 541

# ariel, people, wikimedia.org
dn: uid=ariel,ou=people,dc=wikimedia,dc=org
uid: ariel
uidNumber: 543

# fvassard, people, wikimedia.org
dn: uid=fvassard,ou=people,dc=wikimedia,dc=org
uid: fvassard
uidNumber: 542

# nimishg, people, wikimedia.org
dn: uid=nimishg,ou=people,dc=wikimedia,dc=org
uid: nimishg
uidNumber: 549

# pdhanda, people, wikimedia.org
dn: uid=pdhanda,ou=people,dc=wikimedia,dc=org
uid: pdhanda
uidNumber: 547

# hcatlin, people, wikimedia.org
dn: uid=hcatlin,ou=people,dc=wikimedia,dc=org
uid: hcatlin
uidNumber: 550

# awjrichards, people, wikimedia.org
dn: uid=awjrichards,ou=people,dc=wikimedia,dc=org
uid: awjrichards
uidNumber: 552

# ezachte, people, wikimedia.org
dn: uid=ezachte,ou=people,dc=wikimedia,dc=org
uid: ezachte
uidNumber: 523

# jeluf, people, wikimedia.org
dn: uid=jeluf,ou=people,dc=wikimedia,dc=org
uid: jeluf
uidNumber: 518

# py, people, wikimedia.org
dn: uid=py,ou=people,dc=wikimedia,dc=org
uid: py
uidNumber: 559

# sumanah, people, wikimedia.org
dn: uid=sumanah,ou=people,dc=wikimedia,dc=org
uid: sumanah
uidNumber: 578

# lcarr, people, wikimedia.org
dn: uid=lcarr,ou=people,dc=wikimedia,dc=org
uid: lcarr
uidNumber: 582

# sgeadmin, people, wikimedia.org
dn: uid=sgeadmin,ou=people,dc=wikimedia,dc=org
uid: sgeadmin
uidNumber: 600

# vagrant, people, wikimedia.org
dn: uid=vagrant,ou=people,dc=wikimedia,dc=org
uid: vagrant
uidNumber: 601

# mwdeploy, people, wikimedia.org
dn: uid=mwdeploy,ou=people,dc=wikimedia,dc=org
uid: mwdeploy
uidNumber: 603

# trebuchet, people, wikimedia.org
dn: uid=trebuchet,ou=people,dc=wikimedia,dc=org
uid: trebuchet
uidNumber: 604

# shinken, people, wikimedia.org
dn: uid=shinken,ou=people,dc=wikimedia,dc=org
uid: shinken
uidNumber: 606

# search result
search: 2
result: 0 Success

# numResponses: 29
# numEntries: 28
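The uidNumber<=999 filter returns everything below the boundary, and the result above mixes people with entries that look like service accounts (sgeadmin, vagrant, mwdeploy, trebuchet, shinken), which do not need a new UID. As an added example (not from the task or from WMF tooling), the script below parses an ldapsearch result in the LDIF layout printed above, reads the system/user boundary from UID_MIN in a login.defs-style file (Debian sets it to 1000), and cross-checks each low-UID entry against a host's passwd database to report whether it is a local account with an interactive shell, a local account without one, or not present on the host at all. The LDIF, passwd and login.defs it runs on are constructed for the demo; the names borrowed from the listing carry example.org DNs and the newhire entry is invented.

```shell
#!/bin/sh
# Added example, not part of the task: which low-UID LDAP entries are
# actual human logins on a given host. Assumptions: LDIF as ldapsearch
# prints it (blank line between entries, "attr: value" lines), a
# login.defs-style file with UID_MIN, a passwd file in the usual 7-field
# colon layout. All three inputs in the demo are constructed.

# uid_min LOGIN_DEFS: the first UID handed to regular users; falls back
# to 1000, the Debian default, if the file has no UID_MIN line.
uid_min() {
    awk '$1 == "UID_MIN" { print $2; found = 1 }
         END { if (!found) print 1000 }' "$1"
}

# ldif_low_uids LDIF MIN: print "uid uidNumber" for every entry whose
# uidNumber is below MIN. Attributes are collected per entry and emitted
# at the blank line that ends the entry, or at end of input.
ldif_low_uids() {
    awk -v min="$2" '
        function flush() {
            if (name != "" && num != "" && num + 0 < min + 0) print name, num
            name = ""; num = ""
        }
        /^uid: /       { name = $2 }
        /^uidNumber: / { num = $2 }
        /^$/           { flush() }
        END            { flush() }
    ' "$1"
}

# classify_low_uids LDIF PASSWD MIN
# Output one line per low-UID LDAP entry: "<uid> <uidNumber> <status>"
# with status human-login (local account, interactive shell), no-login
# (local account, shell is nologin/false) or absent-locally.
classify_low_uids() {
    ldif=$1
    passwd=$2
    min=$3
    ldif_low_uids "$ldif" "$min" | while read -r name num; do
        shell=$(awk -F: -v u="$name" '$1 == u { print $7 }' "$passwd")
        if [ -z "$shell" ]; then
            status=absent-locally
        else
            case "$shell" in
                */nologin|*/false) status=no-login ;;
                *) status=human-login ;;
            esac
        fi
        echo "$name $num $status"
    done
}

# Demo on constructed inputs (names echo the listing; DNs and the newhire
# entry are made up).
tmp=$(mktemp -d)
cat > "$tmp/result.ldif" <<'EOF'
# extended LDIF
#
# brion, people, example.org
dn: uid=brion,ou=people,dc=example,dc=org
uid: brion
uidNumber: 500

# mwdeploy, people, example.org
dn: uid=mwdeploy,ou=people,dc=example,dc=org
uid: mwdeploy
uidNumber: 603

# newhire, people, example.org
dn: uid=newhire,ou=people,dc=example,dc=org
uid: newhire
uidNumber: 2310

# search result
search: 2
result: 0 Success
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
brion:x:500:500:Brion:/home/brion:/bin/bash
mwdeploy:x:603:603:MediaWiki deploy:/srv/mwdeploy:/usr/sbin/nologin
EOF
cat > "$tmp/login.defs" <<'EOF'
UID_MIN 1000
UID_MAX 60000
EOF
classify_low_uids "$tmp/result.ldif" "$tmp/passwd" "$(uid_min "$tmp/login.defs")"
rm -rf "$tmp"
```

Only the human-login rows are the migration list; the no-login rows are the service accounts the filter picked up, and an absent-locally row means the LDAP entry is not provisioned on that host (or a different host needs checking). Run it per host class, since the admin module does not provision every user everywhere.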

LSobanski subscribed.

The list Daniel posted above is still more or less accurate and the originally stated question is still valid.

This one falls into "too much effort to fix and while technically breaking a rule doesn't cause issues that are worth fixing it"