Classification: UNCLASSIFIED Caveats: NONE
https://lists.fedoraproject.org/pipermail/devel/2011-May/151663.html
Will UID_MIN and GID_MIN default to 1000 in RHEL7 as well? I have not had (and do not have, sadly) time to check out the RHEL7 beta, but a quick search of several of the documentation pages didn't mention this. I would imagine so, given things like:
https://bugzilla.redhat.com/show_bug.cgi?id=907312
If so, should we expect the STIG for RHEL7 to reflect this, counting everything 1000 and below as a "system" account/group for relevant rules? Just trying to get a head start on potentially necessary UID/GID changes.
Thanks,
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
Classification: UNCLASSIFIED Caveats: NONE
On my RHEL7-beta box, these defaults are 1000, which is a change from my RHEL6 production machine.
Andrew
On Wed, Jan 8, 2014 at 8:51 AM, Shaw, Ray V CTR USARMY ARL (US) < ray.v.shaw.ctr@mail.mil> wrote:
Classification: UNCLASSIFIED Caveats: NONE
https://lists.fedoraproject.org/pipermail/devel/2011-May/151663.html
Will UID_MIN and GID_MIN default to 1000 in RHEL7 as well? I have not had (and do not have, sadly) time to check out the RHEL7 beta, but a quick search of several of the documentation pages didn't mention this. I would imagine so, given things like:
https://bugzilla.redhat.com/show_bug.cgi?id=907312
If so, should we expect the STIG for RHEL7 to reflect this, counting everything 1000 and below as a "system" account/group for relevant rules? Just trying to get a head start on potentially necessary UID/GID changes.
Thanks,
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
Classification: UNCLASSIFIED Caveats: NONE
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On Wednesday, January 08, 2014 03:51:58 PM Shaw, Ray V CTR USARMY ARL wrote:
Classification: UNCLASSIFIED Caveats: NONE
https://lists.fedoraproject.org/pipermail/devel/2011-May/151663.html
Will UID_MIN and GID_MIN default to 1000 in RHEL7 as well?
Yes.
I have not had (and do not have, sadly) time to check out the RHEL7 beta, but a quick search of several of the documentation pages didn't mention this. I would imagine so, given things like:
https://bugzilla.redhat.com/show_bug.cgi?id=907312
If so, should we expect the STIG for RHEL7 to reflect this, counting everything 1000 and below as a "system" account/group for relevant rules? Just trying to get a head start on potentially necessary UID/GID changes.
It should be adjusted to this new boundary if its not already fixed.
-Steve
On 1/8/14, 1:28 PM, Steve Grubb wrote:
On Wednesday, January 08, 2014 03:51:58 PM Shaw, Ray V CTR USARMY ARL wrote:
Classification: UNCLASSIFIED Caveats: NONE
https://lists.fedoraproject.org/pipermail/devel/2011-May/151663.html
Will UID_MIN and GID_MIN default to 1000 in RHEL7 as well?
Yes.
I have not had (and do not have, sadly) time to check out the RHEL7 beta, but a quick search of several of the documentation pages didn't mention this. I would imagine so, given things like:
https://bugzilla.redhat.com/show_bug.cgi?id=907312
If so, should we expect the STIG for RHEL7 to reflect this, counting everything 1000 and below as a "system" account/group for relevant rules? Just trying to get a head start on potentially necessary UID/GID changes.
It should be adjusted to this new boundary if its not already fixed.
It's on the list. A number of things will need to be updated (audit rules, account creation guidance, etc).
On 1/8/14, 10:51 AM, Shaw, Ray V CTR USARMY ARL (US) wrote:
Classification: UNCLASSIFIED Caveats: NONE
https://lists.fedoraproject.org/pipermail/devel/2011-May/151663.html
Will UID_MIN and GID_MIN default to 1000 in RHEL7 as well? I have not had (and do not have, sadly) time to check out the RHEL7 beta, but a quick search of several of the documentation pages didn't mention this. I would imagine so, given things like:
https://bugzilla.redhat.com/show_bug.cgi?id=907312
If so, should we expect the STIG for RHEL7 to reflect this, counting everything 1000 and below as a "system" account/group for relevant rules? Just trying to get a head start on potentially necessary UID/GID changes.
Great question. Yes, they'll default to 1000 and the RHEL7 STIG will reflect. Feel free to send in a patch if you're so inclined :)
Admittedly things will get interesting in legacy environments which support both RHEL6 and RHEL7. As RHEL7 progresses we'll make note of this... perhaps issue some kind of "RHEL6 to RHEL7 migration issues" FAQ.
I know I'm jumping in here late but is there a suggested correct procedure for migrating users to the 1000+ range without causing mass chaos across your systems?
Just trying to see if I'm missing something obvious or it's just a case of doing it the old fashioned way.
Thanks,
Trevor
On Wed, Jan 22, 2014 at 10:16 PM, Shawn Wells shawn@redhat.com wrote:
On 1/8/14, 10:51 AM, Shaw, Ray V CTR USARMY ARL (US) wrote:
Classification: UNCLASSIFIED Caveats: NONE
https://lists.fedoraproject.org/pipermail/devel/2011-May/151663.html
Will UID_MIN and GID_MIN default to 1000 in RHEL7 as well? I have not had (and do not have, sadly) time to check out the RHEL7 beta, but a quick search of several of the documentation pages didn't mention this. I would imagine so, given things like:
https://bugzilla.redhat.com/show_bug.cgi?id=907312
If so, should we expect the STIG for RHEL7 to reflect this, counting everything 1000 and below as a "system" account/group for relevant rules? Just trying to get a head start on potentially necessary UID/GID changes.
Great question. Yes, they'll default to 1000 and the RHEL7 STIG will reflect. Feel free to send in a patch if you're so inclined :)
Admittedly things will get interesting in legacy environments which support both RHEL6 and RHEL7. As RHEL7 progresses we'll make note of this... perhaps issue some kind of "RHEL6 to RHEL7 migration issues" FAQ.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 2/7/14, 7:54 PM, Trevor Vaughan wrote:
I know I'm jumping in here late but is there a suggested correct procedure for migrating users to the 1000+ range without causing mass chaos across your systems?
Just trying to see if I'm missing something obvious or it's just a case of doing it the old fashioned way.
RHEL7 GA is a long ways away, much of the docs are still being built out. Outside of SCAP content, I'm far out of the loop on the broader documentation being built; I sent out an internal note and will report back.
If possible, I'd *highly* recommend you send a note to your TAM requesting such documentation be created.
scap-security-guide@lists.fedorahosted.org
-
Andrew Gilmore -
Shaw, Ray V CTR USARMY RDECOM ARL (US) -
Shawn Wells -
Steve Grubb -
Trevor Vaughan