ignore UIDs created as a result of CTF mishap #239
Conversation
During the CTF, a user was created with UID 13371337 for a challenge, which resulted in new users being created with UIDs > 13370000. Ignore all such users when calculating the next UID to generate (the current users in that UID range will keep their UIDs).
If we can migrate these users to lower UIDs, maybe that would be more robust in the longer run... |
|
ocf had a ctf? as in capture the flag? |
To be entirely honest this PR is just to stop new accounts from continuing to be registered with high UIDs, and the only way I really see to fix the problem is to either make the UID selection logic more robust (which will take a while), carve out and document a block of UIDs for future "system" accounts, or both.
As far as I can tell yes; we already have many UIDs >16bits, so there shouldn't:tm: be any problems here
I'm not sure how that's relevant here since this just prevents the UID selection logic from picking these UIDs (unless you're referring to the high UIDs themselves, which is a valid concern)
I definitely agree, however that carries some risk while merging this ASAP would at least decrease the number of users we'd need to migrate (though we'd probably need to also go carve out another block in a lower range to migrate to) |
|
Personally, I would make a permanent change to ignore all UIDs above perhaps 2 million, so this particular problem can't happen again. But if that's not immediately desired, I would LGTM this change. In either case, I would advocate for trying to migrate the created accounts down to lower numbers if possible, after we've stopped the bleeding. |
During the CTF, a user was created with UID 13371337 for a challenge, which resulted in new users being created with UIDs > 13370000. Ignore all such users when calculating the next UID to generate (the current users in that UID range will keep their UIDs).