[Fedora-packaging] packages which add user accounts: is fedora-usermgmt the way?

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Wed Sep 7 14:07:19 UTC 2005


aoliva at redhat.com (Alexandre Oliva) writes:

>> These users are created by an rpm, this package contains files owned
>> by them and they are set in global configuration files. So, they must
>> be system accounts.
>
> Err...  The rpm cpio payload contains user ids encoded in the form of
> user/group names, not numbers, I hope, just like tar.  Doesn't it?  If
> so, all it takes to get a single, consistent uid is to add the
> username to the central uid database

"central uid database" implies something like LDAP or NIS. But as
explained in previous postings, LDAP/NIS is a bad idea for service
accounts.


> before installing the rpms anywhere,

When doing a 'yum install <something>' which adds 100 new packages,
it is impossible to determine which users will be created in this
transaction.


> then the system will find the users to exist and install the contents
> with the right uid.  If you have your hosts configured to trust the
> database over local user info, and you've already installed rpms
> before that chose random uids, then you might have to remove the
> local user by hand and reinstall the packages.

Yes, I remember some 'find -uid ... | xargs chown'. Such actions
tend to evolve into a huge mess, especially when a '-h' flag was
forgotten or already assigned uids were used...

That's why I prefer (semi)static uids for all service accounts.


>> There is no way to see whether an rpm package creates an account or to
>> determine the parameters of this account.
>
> Should we perhaps think of abstracting out user ids into separate rpm
> packages?

Ok with me, but there are enough people who will complain about added
dependencies...

IMO, created users should be declared in rpm in a way like files and
their creation should be done without explicit scriptlets. But this
enhancement will not happen in the near future.




Enrico
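
The two failure modes named in the message above (a forgotten '-h' and reuse of an already assigned uid), shown as an added example that is not part of the original post. The function names and the passwd-format file argument are hypothetical; the file is assumed to be saved output such as `getent passwd`.

```shell
#!/bin/sh
# Added example: re-own files after a service account's uid changes.
# Function names and the passwd-file argument are hypothetical.

# uid_taken PASSWD_FILE UID: succeed if UID already appears in field 3
# of a passwd-format file (e.g. saved output of `getent passwd`).
uid_taken() {
    awk -F: -v u="$2" '$3 == u { found = 1 } END { exit !found }' "$1"
}

# remap_uid ROOT OLD NEW PASSWD_FILE [apply]
# Default is a dry run that lists what would change; "apply" needs root.
remap_uid() {
    root=$1; old=$2; new=$3; passwd=$4; mode=${5:-dry-run}
    for v in "$old" "$new"; do
        case $v in
            ''|*[!0-9]*) echo "uids must be numeric" >&2; return 2 ;;
        esac
    done
    # Reusing an assigned uid would hand the files to another account.
    if uid_taken "$passwd" "$new"; then
        echo "refusing: uid $new is already assigned" >&2
        return 1
    fi
    # find does not follow symlinks by default, so -uid matches the link
    # itself; -xdev keeps the walk on one filesystem.
    if [ "$mode" = apply ]; then
        # -h changes the link, not its target. Without it, a link owned
        # by OLD that points outside ROOT would re-own the target file.
        find "$root" -xdev -uid "$old" -exec chown -h "$new" {} +
    else
        find "$root" -xdev -uid "$old" -print
    fi
}
```

`-exec ... {} +` is used in place of the `| xargs` pipeline so that file names containing whitespace or newlines are passed intact.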



