[Fedora-packaging] packages which add user accounts: is fedora-usermgmt the way?

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Wed Sep 7 09:11:57 UTC 2005


rc040203 at freenet.de (Ralf Corsepius) writes:

>> > My personal feeling (as a sysadmin and a packager) is that doing
>> > something like this in %pre (not %post, if you want files owned by
>> > the new user) is the Right Thing:
>> >
>> >   %pre
>> >   if ! id foo > /dev/null 2>&1 ; then
>> >       /usr/sbin/useradd -r -s /sbin/nologin -c 'BAR' [...] foo
>> >   fi
>> 
>> This does not solve the problem that users will have different UIDs on
>> different machines.
> Note the -r. We are talking about system accounts.

The '-r' makes only

* that the generated UID is in a certain range; the exact values are
  unpredictable and it's highly probably that they differ on different
  machines

* that there is no expiration date for the account (that's why '-r'
  should be used with fedora-usermgmt also)


> I fail to see why system accounts should be shared across networks and
> why there is any need to force unique UIDs on them.

ok, some examples:

* 'vdr' and 'vdradmin' (from livna) are running on different hosts as
  the 'vdr:video' user. Both share configuration files and data which is
  exported by NFS

* some data in a shared filesystem which shall be read by apache only
  but not by other users -> all affected machines will need the same
  uid/gid for apache

* programs (e.g. milters) which are installed in chroot environments and
  use unix-sockets as communication points. Access restrictions can be
  installed easily with filesystem permissions when all chroots are
  seeing the same user-uid pairs

* backup/copying between hosts; when user does not exist at the destination
  yet, resulting files will be readable by the wrong user

* the 'owner' module of iptables requires predictable uids

* it is confusing and unesthetically when users are having different
  identities


> IMO, system users must be local, only.

Yes; but they can access/own files on shared filesystems so all systems
should have the same view about them.

It is easy to create users with predictable uids and fedora-usermgmt
offers a simple method doing this. I am not aware of any drawbacks,
it solves the problem of unpredictable uids and without explicit
configuration it is transparent to users because it has the same
behavior as plain 'useradd' then. So I do not see reasons why it
should not be used.



Enrico




More information about the Fedora-packaging mailing list