#1107 Soft-static allocation of gids for "tcb password shadowing scheme"
Closed: accepted 2 years ago by james. Opened 2 years ago by besser82.

Please add soft-static allocations for groups used by the tcb password shadowing scheme: auth, chkpwd, shadow.

I am planning to propose a system-wide change for Fedora 36 to replace the existing pam_unix module with the less complex - by means of configuration and code-base - pam_tcb module.

These groups are needed for some files being installed by the tcb package and the module to work properly. For this reason the groups need to be present on freshly installed systems (e.g. kickstart) so all needed components can be installed as early in the rpm transaction as possible.

I know there are other ways to assure that, but for the sake of debugging and keeping installations on different systems as homogeneous as can be, a soft-static allocation should be considered.

There are no preferences to be used from other distributions nor any explicit gids needed, so I choose the proposed gids to be allocated for chkpwd and shadow by next free, and the gid for auth by a free gid, whose digits have a special meaning to me.

Proposed gids to be allocated for use:

group gid
shadow 101
chkpwd 121
auth 197

PR to setup package: https://pagure.io/setup/pull-request/29


EDIT: Update gids with values < 500.


I'd prefer it if these numbers were below 100. Currently setup is... set up to ensure that there are no dynamic allocations below 100. This will somewhat disrupt how soft-static and dynamic sysuser allocations will work at later stages.

Agreed. At the very least below 500.

Looking at the uidgid file in setup, there are no free gids <= 100.

@ngompa and @cyberpear do you agree with the following proposal?

group gid
shadow 101
chkpwd 121
auth 197

Metadata Update from @tibbs:
- Issue tagged with: meeting

2 years ago

I'm fine with that :thumbsup:

This got approved last week.

Metadata Update from @james:
- Issue close_status updated to: accepted
- Issue status updated to: Closed (was: Open)

2 years ago
