remove fedora-usermgmt?

Thorsten Leemhuis fedora at leemhuis.info
Sat Mar 10 15:31:56 UTC 2007


Axel Thimm wrote:
> On Sat, Mar 10, 2007 at 11:25:09AM +0100, Thorsten Leemhuis wrote:
>> Axel Thimm wrote:

Just a note here: I don't want to advocate for fedora-usrmgmt, I just
want to understand where the problems with it are.

Further: I agree that having a bigger fixed uid space for packages would
be the best solution, but we haven't one ATM afaics.

>>>> Can somebody *please* show me two detailed examples where using
>>>> fedora-usermgmt in a package does something bad/odd on people's
>>>> systems in the default install (e.g. in case the admin didn't set it
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> up)? tia!
     ^^
>>> Please, there are two infinite threads with examples and arguments in
>>> them.
> [...]
> Off the top of my head, there are more in the thread, feel free to
> set up a wiki page:
> 
> a) package A and B assume the user foo is at base+42. System installs
>    A, admin configures fedora-usrmgmt, system installs B => desynced
>    uid assertion

As I said, I wanted examples where the admin did *not* set it up (the
default). Then fedora-usrmgmt works just like a normal useradd, doesn't it?

Further: If packages A and B both assume base+42 then we did something
wrong, didn't we? And if the admin configures fedora-usrmgmt so that it
uses a uid-space where some uids already are used then he did something
wrong, didn't he?

> b) same as above, only that now the admin wasn't "sloppy", but
>    anaconda installed A.

Can't follow, sorry.

> c) Admin buys fedora-usrmgmt "feature" set and *relies* on keeping foo
>    the same across all his systems, forgets to configure system 23 after
>    the bare bone installation, uids get mixed, possibly exposing
>    sensitive information under another uid.

It's not fedora-usrmgmt's fault if the admin forgets something. He with
fedora-usrmgmt at least has a chance to use the same uid on all his
systems afaics, which he would not have without it. Or am I missing
something?

> d) Packager buys fedora-usrmgmt "feature" and relies on the
>    fixed/semi-fixed approach, but is not aware that on almost 100% of
>    user deployment no one has configured fedora-usrmgmt and therefore
>    fedora-usrmgmt is just plain old useradd. So he tests with
>    different assertions and the package fails on the typical user
>    deployment.

I asked for examples where it does harm on users' systems.

Further: if it is just plain old useradd then nobody is hurt, are they?

> The method is fragile to say the least, and requires iron discipline
> from the admin with no room for errors. [...]

I'd say you are shooting over the top here.

> User management is delicate and fedora-usermgmt is not the way to go.

It solved a problem afaics, that we have no better solution for in RHEL5.

Does it do any harm if not or correctly configured? Don't know, I'm
still looking for two examples that show me where it does.

CU
thl



