Fedora User Management (revisited)
Simo Sorce
ssorce at redhat.com
Sat Mar 10 15:47:39 UTC 2007
On Sat, 2007-03-10 at 12:16 +0100, Enrico Scholz wrote:
> Simo Sorce <ssorce at redhat.com> writes:
>
> > Why do we need fixed uids at all? Is it so difficult to use
> > getpwnam()??
>
> Most filesystems store only the uid/gid, not the name of a user.

Do you read what people write at all? Do you know what getpwnam() does?

> I create predictable uids; when I install a package which creates user
> 'foo' on machine A and on machine B, user 'foo' should have the same
> uid (e.g. because they share filesystem resources). I like it too, to
> reinstall a system without the need of complicated 'chown -rh' orgies
> to make huge data partitions from previous installation usable.

Your package worsens the problem, it does not solve it. If I specify 2
different ranges on 2 machines, the UID/GID spaces still do not match, and
you have both the problems of a dynamic uid/gid and those of a variable
uid/gid. To me, your solution is still plain broken.

Instead, if you force packages A) to use dynamic uid/gids and B) to not
delete users/groups on removal, then you force them to check for the
existing user on installation (just in case you do a reinstall). This way
all you have to do on machines that have to share the uid/gid space is
to synchronize /etc/passwd and /etc/group _before_ you install the
packages on the second machine, and the second machine will be
automagically ok. And this is the only system that makes any sense to me.

> > Either an application needs a fixed uid/gid for some particular reason
> > or it just can allocate an uid/gid dynamically.
>
> Most daemons are candidates for fixed uid/gid; unfortunately, there is
> only a small range (0-100) available. 'fedora-usermgmt' *allows* the
> administrator to use a free range of uids for service users.

No, most daemons are not, I am sorry, there is no technical reason for
them to have a fixed uid/gid.

After this discussion, for example, I am going to release one of the
uid/gids I reserved for the samba packages, because it simply makes no
sense to reserve it; I can add 2 lines in the spec file to detect the
user if it already exists or useradd one on the fly.

> 'fedora-usermgmt' is completely transparent: either you know
> about it and use it, or it behaves like a plain 'useradd'.

Do you realize this phrase means exactly that:
fedora-usermgmt == useradd
for all practical purposes?

I think it is even a danger for those who are aware of it. What happens to
your scheme if you reserve 5000-6000 and then it happens that, adding normal
users, you end up going over that space? Any application that relies on
fedora-usermgmt at that point will break, as it will try to use normal
users' uid/gids ...

Simo.
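
Added example, not part of the original message: a Python check for the situation discussed above, where hosts that share a filesystem need the same name-to-uid mapping and /etc/passwd is synchronized before packages are installed. The passwd entries, account names and function names are constructed for illustration; the 5000-6000 range is the one mentioned in the message.

```python
# Added example: audit two /etc/passwd snapshots before sharing a filesystem.
# All account names and uids below are constructed sample data.

def parse_passwd(text):
    """Map account name -> numeric uid from passwd(5)-formatted text."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed or compat entry; skip rather than guess
        accounts[fields[0]] = int(fields[2])
    return accounts

def uid_mismatches(a, b):
    """Names present on both hosts whose uid differs: {name: (uid_a, uid_b)}."""
    return {n: (a[n], b[n]) for n in sorted(a.keys() & b.keys()) if a[n] != b[n]}

def uid_collisions(a, b):
    """Uids owned by different names on the two hosts: {uid: (name_a, name_b)}.
    On a shared filesystem, files of name_a appear owned by name_b."""
    by_uid_b = {uid: name for name, uid in b.items()}
    return {uid: (name, by_uid_b[uid]) for name, uid in sorted(a.items())
            if uid in by_uid_b and by_uid_b[uid] != name}

def accounts_in_range(db, low, high):
    """Accounts whose uid falls inside a range reserved for service users."""
    return sorted(n for n, uid in db.items() if low <= uid <= high)

MACHINE_A = """\
root:x:0:0:root:/root:/bin/bash
foo:x:101:101:foo daemon:/var/lib/foo:/sbin/nologin
bar:x:102:102:bar daemon:/var/lib/bar:/sbin/nologin
alice:x:5000:5000:Alice:/home/alice:/bin/bash
"""
MACHINE_B = """\
root:x:0:0:root:/root:/bin/bash
bar:x:101:101:bar daemon:/var/lib/bar:/sbin/nologin
foo:x:102:102:foo daemon:/var/lib/foo:/sbin/nologin
"""

if __name__ == "__main__":
    a, b = parse_passwd(MACHINE_A), parse_passwd(MACHINE_B)
    print("uid differs by name:", uid_mismatches(a, b))
    print("uid reused by another name:", uid_collisions(a, b))
    print("accounts inside 5000-6000:", accounts_in_range(a, 5000, 6000))
```

An empty result from the first two functions means the two hosts agree on every shared account, which is the state the passwd/group synchronization is meant to produce.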
More information about the Fedora-maintainers mailing list