[PR #609] [MERGED] fix: add accountGidMin to avoid stealing an account's GID #610

Closed
opened 2026-05-07 00:21:46 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/ovh/the-bastion/pull/609
Author: @speed47
Created: 1/26/2026
Status: Merged
Merged: 1/28/2026
Merged by: @speed47

Base: master ← Head: gidshift


📝 Commits (1)

  • 8a73639 fix: add accountGidMin to avoid stealing an account's GID

📊 Changes

7 files changed (+114 additions, -42 deletions)

📝 bin/admin/check-consistency.pl (+6 -3)
📝 bin/admin/fix-group-gid.sh (+19 -13)
📝 bin/helper/osh-groupCreate (+12 -4)
📝 doc/sphinx/administration/configuration/bastion_conf.rst (+12 -0)
📝 etc/bastion/bastion.conf.dist (+5 -0)
📝 lib/perl/OVH/Bastion/allowkeeper.inc (+24 -0)
📝 lib/perl/OVH/Bastion/configuration.inc (+36 -22)

📄 Description

Between account system groups (bearing the same GID number as the UID they pertain to) and bastion groups, there might be collisions on bastions with a very high number of both accounts and groups.

This is only of importance if you're using fixed UIDs to create accounts, and can't let the system pick the UIDs itself (for example because these UIDs are referenced in some other system of your company).

This fix applies GID shifting to all the bastion groups to ensure they can never take a GID that would pertain to a later-to-be-created account with a fixed GID.

This shift amount is configurable in bastion.conf as accountGidMin, 500000 by default.

Use the updated bin/admin/fix-group-gid.sh script to shift any preexisting group GID that would be out of the new groupGidMin range.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
