[Fedora-packaging] packages which add user accounts: is fedora-usermgmt the way?
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Wed Sep 7 14:07:19 UTC 2005
aoliva at redhat.com (Alexandre Oliva) writes:
>> These users are created by an rpm, this package contains files owned
>> by them and they are set in global configuration files. So, they must
>> be system accounts.
>
> Err... The rpm cpio payload contains user ids encoded in the form of
> user/group names, not numbers, I hope, just like tar. Doesn't it? If
> so, all it takes to get a single, consistent uid is to add the
> username to the central uid database

"central uid database" implies something like LDAP or NIS. But as
explained in previous postings, LDAP/NIS is a bad idea for service
accounts.

> before installing the rpms anywhere,

When doing a 'yum install <something>' which adds 100 new packages,
it is impossible to determine which users will be created in this
transaction.

> then the system will find the users to exist and install the contents
> with the right uid. If you have your hosts configured to trust the
> database over local user info, and you've already installed rpms
> before that chose random uids, then you might have to remove the
> local user by hand and reinstall the packages.

Yes, I remember some 'find -uid ... | xargs chown'. Such actions
tend to evolve into a huge mess, especially when a '-h' flag was
forgotten or already assigned uids were used...

That's why I prefer (semi)static uids for all service accounts.

>> There is no way to see whether an rpm package creates an account or to
>> determine the parameters of this account.
>
> Should we perhaps think of abstracting out user ids into separate rpm
> packages?

Ok with me, but there are enough people who will complain about added
dependencies...

IMO, created users should be declared in rpm in a way like files and
their creation should be done without explicit scriptlets. But this
enhancement will not happen in the near future.

Enrico
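
The two pitfalls named in the reply above (a forgotten '-h' and an already assigned uid), as an added sketch that is not part of the original post: it refuses a target uid that is already taken and only lists the affected paths unless told to apply. The function names `uid_in_use` and `reown` and the `APPLY` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: re-own a service account's files after its uid changes.
# uid_in_use, reown and APPLY are hypothetical names, not from any package.

# uid_in_use UID [PASSWD_FILE]: succeed if UID is already assigned.
uid_in_use() {
    if [ -n "${2:-}" ]; then
        # Scan a passwd-format file (field 3 is the numeric uid).
        awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$2"
    else
        # No file given: ask NSS, which covers local files, LDAP and NIS.
        getent passwd "$1" >/dev/null
    fi
}

# reown OLD_UID NEW_UID ROOT [PASSWD_FILE]
# Lists every path under ROOT owned by OLD_UID; with APPLY=1 it changes
# the owner instead. Returns 2 without touching anything if NEW_UID is
# already assigned to some account.
reown() {
    old=$1 new=$2 root=$3 passwd=${4:-}
    if uid_in_use "$new" "$passwd"; then
        echo "refusing: uid $new is already assigned" >&2
        return 2
    fi
    # find does not follow symlinks by default, so a link owned by OLD_UID
    # is matched itself. -xdev keeps the walk on one filesystem.
    if [ "${APPLY:-0}" = 1 ]; then
        # chown -h changes the link, not its target; '-exec ... {} +' passes
        # paths as arguments, so odd file names are not re-split as with xargs.
        find "$root" -xdev -uid "$old" -exec chown -h "$new" {} +
    else
        find "$root" -xdev -uid "$old" -print
    fi
}

# Usage (dry run first, then apply as root):
#   reown 498 250 /var/lib/myservice
#   APPLY=1 reown 498 250 /var/lib/myservice
```

Run the dry run and read the list before applying; the uids and path in the usage comment are constructed values.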