Fedora User Management (revisited)

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Sat Mar 10 11:45:36 UTC 2007


Axel Thimm <Axel.Thimm at ATrpms.net> writes:

>> >> When a package/daemon writes files and/or reads files which are protected
>> >> by file permissions, it is a good candidate for fixed uids.
>> >
>> > Don't userdel the user.
>> 
>> ??? When I install a package on machine A and machine B, I do not use
>> 'userdel' overall.
>
> "a package/daemon writes files and/or reads files which are protected
> by file permissions" does not do so by default from machine A to
> machine B, right?

Perhaps not "by default"; but this package might be used in a setup
which shares network resources between A and B.


>> > Check out httpd, a prominent package which can have sensitive data
>> > underneath its user.
>> 
>> 'httpd' has the comfort to have a really fixed uid < 100...
>
> Even if not, it would not relocate the uid because it simply does not
> delete the user when uninstalling.

I do not see why you want to delete the user resp. why you are speaking
about this. The problem happens when 'httpd' has uid 100 on A, uid 101 on B
and both are using a common, NFS-shared /srv/www.

Or, when /srv/www is on the local machine, contains a huge amount of
data, and the system must be reinstalled for some reason.


'fedora-usermgmt' solves this problem by allowing the administrator to
use a fixed window for daemon uids. With this setup, 'httpd' will have
the same uid on machine A and B, and after the reinstallation.



Enrico