too many predefined UID/GID values? [was: OpenLDAP for OpenSolaris]

[Glenn Brunette]

James Carlson wrote:
> Garrett D'Amore writes:
>> Reserved UIDs for this stuff is probably *not* the best solution.  Some 
>> kind of ephemeral IDs, or a separate numbering space that is guaranteed 
>> not to be used with non-local services would be best.   Since file 
>> ownerships aren't at stake,
> 
> File ownerships are at stake, at least in the case that was originally
> under discussion.  They were allocating yet another UID/GID
> combination, running the daemon with those values, and installing the
> database that way.
> 
> If file ownership really isn't at stake, then everyone can use a
> single UID (such as the existing "noaccess" user), and the problem
> goes away.

That is a non-starter for many of our customers who are looking for 
unique credentials for each of their services -- especially those
that may be running under the same OS instance/zone.  Not only does
this help with accountability (syslog and audit) but having unique
credentials will also help contain a compromise should one
(unprivileged) service be exploited.  If you were running apache and
mysql (for example) as the same UID, a flaw (w/arbitrary code execution)
in one could lead to the direct compromise of the other running service.
Taking away proc_session from each service could help with this however.

g