Fedora User Management (revisited)

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Tue Mar 6 20:14:40 UTC 2007


Axel Thimm <Axel.Thimm at ATrpms.net> writes:

>> Won't work. 'rpm' in RHEL is too old and misses features required by
>> fedora-usermgmt.
>
> what exactly does this tool solve?

I require it in the following cases:

* a lot of servers share a bind-mounted directory with unix(7) sockets
  (e.g. sendmail-mta and milter servers); access restrictions are solved
  best with filesystem permissions, and this requires consistent uids on
  each server

* the 'apache-dav' user which writes on an NFS share; NFS4 was promised
  as a solution years ago but I never got it to run correctly

* consistent output in logfiles (e.g. iptables -j LOG --log-uid)

* there is no reliable way to add system users manually; a nightly
  'yum upgrade' can add new users silently, and the repository can not
  be queried as to which users (if any) will be added


Then, I like it when:

* machines with an identical setup have identical uid <-> user
  mappings; e.g. two kickstart installations should create the same
  output but should not have to depend on package order (which might
  be different due to updated packages)

* I do not have to 'chown -R -h' partitions when I reinstall a system


Then, 'fedora-usermgmt' was designed in a way which would allow things
like adding the new user to an LDAP directory instead of into the local
/etc/passwd. But this is an exotic feature, since system users should not
be kept in NIS/LDAP.

For FC4/5, some workarounds were added which solved problems with
incorrect nscd cache invalidation.

The FC6 version got some enhancements which removed error-prone
stuff (e.g. 'test "$1" = 0' checks, correct 'Requires(...):') from
the scriptlets which have to be written by the packagers.  The same
enhancements make it possible to establish rules like 'do not
remove user during uninstallation'.

I admit that rpm should handle user creation completely without manual
scripts. But because this thread is about EPEL, this is not an option.


> Especially if this defaults to normal useradd -r behaviour (does it
> really default to this behaviour?),

yes, it does.


> which means that it is not really *required*.

Is Fedora or ATrpm really *required*?

Fact is, 'fedora-usermgmt' solves some of my problems and does not have
technical drawbacks.


> If it tries to solve the need for *fixed* system uid/gid then we need
> to find another solution than a floating uid/gid window.

I can not imagine which solution this could be. The only available
window for fixed system uids (0-99) is nearly full. The rest was/is free
for everybody's use, and probably every single uid between 100 and 65535
exists on some system.

We could have more luck in the upper 2^32 range, but I guess this breaks
interaction with other Unixes.



Enrico
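The scriptlet problem discussed above (create a system user with a fixed uid, behave idempotently on re-install, and cope with the uid already being taken or the user already existing under another uid), as an added example that is not part of the original mail and is not fedora-usermgmt's own code. It assumes a passwd database in PASSWD_FILE (a constructed sample file below; /etc/passwd in real use), a DRYRUN=1 mode that only prints the useradd command, and a FALLBACK_DYNAMIC switch that decides whether a taken uid falls back to plain 'useradd -r' allocation or is reported as a conflict; all three names are this example's own:

```shell
#!/bin/sh
# Added example, not fedora-usermgmt code: an idempotent "ensure this
# system user exists, preferably with this uid" helper for rpm scriptlets.
# Assumptions: PASSWD_FILE is the passwd database (sample file below,
# /etc/passwd in real use); DRYRUN=1 prints the useradd command instead of
# running it; FALLBACK_DYNAMIC=1 falls back to plain 'useradd -r' when the
# wanted uid is already owned by another account.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
DRYRUN=${DRYRUN:-0}
FALLBACK_DYNAMIC=${FALLBACK_DYNAMIC:-1}

# Constructed sample passwd database for the demo run; never the real file.
SAMPLE_PASSWD=${TMPDIR:-/tmp}/passwd.sample.$$
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
milter:x:300:300:milter:/var/run/milter:/sbin/nologin
dav:x:301:301:dav:/var/www/dav:/sbin/nologin
EOF

# user_uid NAME: print NAME's uid, or nothing if the account is absent.
user_uid() { awk -F: -v n="$1" '$1 == n { print $3; exit }' "$PASSWD_FILE"; }

# uid_owner UID: print the account owning UID, or nothing if it is free.
uid_owner() { awk -F: -v u="$1" '$3 == u { print $1; exit }' "$PASSWD_FILE"; }

# run CMD...: execute, or only print the command line when DRYRUN=1.
run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# ensure_sysuser NAME [UID] [HOME] [SHELL]
# Prints one status word; returns 0 when the account exists as wanted.
#   exists:<uid>    already present with the wanted uid (any uid if none wanted)
#   create:<cmd>    useradd was run (or printed in DRYRUN)
#   mismatch:<uid>  present with another uid: never renumber behind the
#                   admin's back, that is what 'chown -R' cleanups come from
#   conflict:<name> wanted uid belongs to another account, fallback disabled
ensure_sysuser() {
    name=$1; want=${2:-}; home=${3:-/var/lib/$name}; shell=${4:-/sbin/nologin}
    have=$(user_uid "$name")
    if [ -n "$have" ]; then
        if [ -n "$want" ] && [ "$have" != "$want" ]; then
            echo "mismatch:$have"; return 2
        fi
        echo "exists:$have"; return 0
    fi
    set -- useradd -r -d "$home" -s "$shell"
    if [ -n "$want" ]; then
        owner=$(uid_owner "$want")
        if [ -z "$owner" ]; then
            set -- "$@" -u "$want"
        elif [ "$FALLBACK_DYNAMIC" != 1 ]; then
            echo "conflict:$owner"; return 3
        fi
        # uid taken and fallback enabled: let useradd -r pick a dynamic uid
    fi
    set -- "$@" "$name"
    echo "create:$(run "$@")"
}

# Demo against the constructed sample only (DRYRUN, so nothing is created).
PASSWD_FILE=$SAMPLE_PASSWD
DRYRUN=1
ensure_sysuser milter 300 || true                 # exists:300
ensure_sysuser dav 302 || true                    # mismatch:301
ensure_sysuser clamav 302 /var/lib/clamav || true # create:useradd ... -u 302 clamav
ensure_sysuser spamd 300 || true                  # create:useradd ... spamd (300 taken)
FALLBACK_DYNAMIC=0
ensure_sysuser spamd 300 || true                  # conflict:milter
FALLBACK_DYNAMIC=1
```

The gid needs the same treatment (a 'groupadd -r -g' before the useradd, with the same collision checks) if shared directories rely on group permissions; for uninstall, the 'do not remove user' rule simply means there is no matching userdel in %postun.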