Fedora User Management (revisited)
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Tue Mar 6 20:14:40 UTC 2007
Axel Thimm <Axel.Thimm at ATrpms.net> writes:
>> Won't work. 'rpm' in RHEL is too old and misses features required by
>> fedora-usermgmt.
>
> what exactly does this tool solve?
I require it in the following cases:
* lots of servers share a bind-mounted directory with unix(7)-sockets
(e.g. sendmail-mta and milter servers); access restrictions are solved
best with filesystem permissions and this requires consistent uids in
each server
* the 'apache-dav' user which writes on an NFS share; NFS4 was promised
as a solution years ago but I never got it to run correctly
* consistent output in logfiles (e.g. iptables -j LOG --log-uid)
* there does not exist a reliable way to add system users manually;
nightly 'yum upgrade' can add new users silently and the repository can
not be queried as to which/whether users will be added
Then, I like it, when:
* machines with an identical setup have identical uid <-> user
mappings; e.g. two kickstart installations should create the same
output but do not have to depend on package order (which might be
different due to updated packages)
* I do not have to 'chown -R -h' partitions when I reinstall a system
Then, 'fedora-usermgmt' was designed in a way which would allow things
like adding the new user to an LDAP directory instead of into the local
/etc/passwd. But this is an exotic feature since system users should not
be kept in NIS/LDAP.
For FC4/5, some workarounds were added which solved problems with
incorrect nscd cache invalidation.
The FC6 version got some enhancements which removed error-prone
stuff (e.g. 'test "$1" = 0' checks, correct 'Requires(...):') from
the scriptlets which have to be written by the packagers. The same
enhancements make it possible to establish rules like 'do not
remove user during uninstallation'.
I admit that rpm should handle user creation completely without manual
scripts. But because this thread is about EPEL, this is not an option.
> Especially if this defaults to normal useradd -r behaviour (does it
> really default to this behaviour?),
yes, it does.
> which means that it is not really *required*.
Is Fedora or ATrpm really *required*?
Fact is, 'fedora-usermgmt' solves some of my problems and does not have
technical drawbacks.
> If it tries to solve the need for *fixed* system uid/gid then we need
> to find another solution than a floating uid/gid window.
I cannot imagine what solution this could be. The only available
window for fixed system uids (0-99) is nearly full. The rest was/is free
for everybody's use and probably every single uid between 100 and 65535
exists on some system.
We could have more luck in the upper 2^32 range, but I guess this breaks
interaction with other Unixes.
Enrico
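As an added example (not part of the mail and not fedora-usermgmt code), a POSIX shell check for the uid drift the mail describes: it compares /etc/passwd snapshots taken from several hosts and reports every account whose uid differs between them, which is exactly what breaks filesystem permissions on shared unix(7) sockets or NFS exports. The host names and account entries in the sample data are constructed.

```shell
#!/bin/sh
# Detect uid <-> name drift for the same account across hosts.
# Input: /etc/passwd snapshots, one file per host.

check_uid_drift() {
    # Output, one line per drifted account, sorted by name:
    # "<name> <uid>@<file> <uid>@<file> ..."
    awk -F: '
        FNR == 1 { host = FILENAME; sub(/.*\//, "", host); hosts[++nh] = host }
        /^#/ || NF < 3 { next }
        {
            uid[$1, host] = $3
            if (!($1 in first)) { first[$1] = $3 }
            else if (first[$1] != $3) { drift[$1] = 1 }
        }
        END {
            for (name in drift) {
                line = name
                for (i = 1; i <= nh; i++)
                    if ((name, hosts[i]) in uid)
                        line = line " " uid[name, hosts[i]] "@" hosts[i]
                print line
            }
        }' "$@" | sort
}

# Constructed sample data: two kickstart installs that received their
# packages in a different order, so the dynamically allocated system
# uids (useradd -r without a fixed -u) ended up swapped.
demo_uid_drift() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/web1.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
apache-dav:x:101:101:WebDAV:/var/www/dav:/sbin/nologin
milter:x:102:102:Milter:/var/run/milter:/sbin/nologin
EOF
    cat > "$tmp/web2.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
milter:x:101:101:Milter:/var/run/milter:/sbin/nologin
apache-dav:x:102:102:WebDAV:/var/www/dav:/sbin/nologin
EOF
    check_uid_drift "$tmp/web1.passwd" "$tmp/web2.passwd"
    rm -rf "$tmp"
}

demo_uid_drift
```

Accounts with the same uid everywhere (root, apache) are silent; only apache-dav and milter, whose uids are swapped between the two hosts, are reported.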