[Fedora-packaging] packages which add user accounts: is fedora-usermgmt the way?
enrico.scholz at informatik.tu-chemnitz.de
Tue Sep 6 22:29:56 UTC 2005
steve at silug.org (Steven Pritchard) writes:
> My personal feeling (as a sysadmin and a packager) is that doing
> something like this in %pre (not %post, if you want files owned by
> the new user) is the Right Thing:
> if ! id foo > /dev/null 2>&1 ; then
> /usr/sbin/useradd -r -s /sbin/nologin -c 'BAR' [...] foo
This does not solve the problem that users will have different UIDs on
> And then just *don't touch the account* on removal.
This rule is ok with me.
> If for some reason useradd will not work, doing this in %pre should
> make package installation fail, right? Then the sysadmin can go add
> the user in LDAP/NIS/whatever and reinstall the package.
IMO, managing service-accounts with LDAP/NIS is a bad idea. It is ideal
for normal users but I do not want to rely on them for services. You will
run into bootstrap issues (e.g. think of slapd which tries to resolve the
'ldap' user), configuration errors like outdated TLS certificates (which
make LDAP lookups impossible) or added complexity for critical services
(I saw enough problems with nss_ldap and nscd).
Additionally, there is no way to see whether users are created by an
rpm package or which parameters are used for these users. So it is not
possible to create users on the LDAP server *before* the package is
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 480 bytes
Desc: not available
More information about the Fedora-packaging