reserved UIDs & GIDs

This is most likely not the desired state yet; it only records the current situation on fenari. It should be edited to reflect the desired situation, which is for these IDs to be identical on all servers.

You can and should now reserve UIDs in the puppet admin module and create the accounts with systemd-sysusers, like in this example.

UID     GID     user name
33      33      www-data
48      48      apache
107     112     puppet
110     115     nagios
111     116     mwdeploy
444     444     gerrit2
445     445     rancid
498     498     phd (phabricator)
499     499     trebuchet
903     903     jenkins (defined in admin module!)
904     904     zuul (defined in admin module!)
10002   10002   l10nupdate
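The point of reserving these IDs is that a UID or GID must mean the same account on every server, otherwise file ownership on shared or deployed trees silently points at the wrong user. The following script is an added example, not part of this page or of the puppet admin module: it compares a host's passwd and group data against the table above and reports every mismatch. It assumes that the group holding a reserved GID has the same name as the user, which the page does not state for every row.

```shell
# Added example, not from the page: check a host's passwd/group data against the
# reserved UID/GID table. Assumes the group with the reserved GID shares the user's name.
# Reserved ids copied from the page table: "uid gid name"
RESERVED='33 33 www-data
48 48 apache
107 112 puppet
110 115 nagios
111 116 mwdeploy
444 444 gerrit2
445 445 rancid
498 498 phd
499 499 trebuchet
903 903 jenkins
904 904 zuul
10002 10002 l10nupdate'
# check_one KIND CONTENT NAME ID: CONTENT is passwd- or group-format text (name:x:id:...)
# Prints a line per conflict and returns 1 if any; an absent name is not a conflict.
check_one() {
    have=$(printf '%s\n' "$2" | awk -F: -v n="$3" '$1==n{print $3}')   # id the name has now
    owner=$(printf '%s\n' "$2" | awk -F: -v i="$4" '$3==i{print $1}')  # name holding the id now
    bad=0
    if [ -n "$have" ] && [ "$have" != "$4" ]; then
        echo "$1 $3 has id $have, reserved $4"; bad=1
    fi
    if [ -n "$owner" ] && [ "$owner" != "$3" ]; then
        echo "$1 id $4 held by $owner, reserved for $3"; bad=1
    fi
    return $bad
}
# check_reserved PASSWD_CONTENT GROUP_CONTENT: returns 0 only when the host matches the table.
# The heredoc keeps the loop in the current shell so rc survives (a pipe would not).
check_reserved() {
    rc=0
    while read -r uid gid name; do
        [ -n "$name" ] || continue
        check_one user "$1" "$name" "$uid" || rc=1
        check_one group "$2" "$name" "$gid" || rc=1
    done <<EOF
$RESERVED
EOF
    return $rc
}
# Constructed sample host: www-data is right, mwdeploy has a stray uid, uid 444 went to "backup".
SAMPLE_PASSWD='www-data:x:33:33::/var/www:/usr/sbin/nologin
mwdeploy:x:999:116::/nonexistent:/usr/sbin/nologin
backup:x:444:34::/var/backups:/usr/sbin/nologin'
SAMPLE_GROUP='www-data:x:33:
mwdeploy:x:116:
gerrit2:x:444:'
# On a live host run: check_reserved "$(cat /etc/passwd)" "$(cat /etc/group)"
check_reserved "$SAMPLE_PASSWD" "$SAMPLE_GROUP" || echo "host differs from the reserved table"
```

For the constructed sample the script reports the mwdeploy uid and the taken uid 444, and nothing for names that simply do not exist on the host.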

permission/security hierarchy

The security hierarchy looks as follows, as described by TimStarling:

  • root > wikidev > mwdeploy > www-data
    • root can own wikidev but wikidev can't own root
    • wikidev can own mwdeploy but mwdeploy can't own wikidev
    • scripts owned by mwdeploy can only be run by www-data
    • everything has to su to www-data before running maintenance scripts

See also: task T79786