kickstart vs. /etc/login.defs

Michael Hennebry hennebry at web.cs.ndsu.nodak.edu
Thu Jan 26 14:12:36 UTC 2012


On Thu, 26 Jan 2012, Moray Henderson wrote:

> Ah, so I was right to have some of my own programs check login.defs rather
> than relying on a hard-wired 500 everywhere!  That's useful to know.
>
> What fake users are created by the install?  I would expect only system
> accounts to be created at that point, which are supposed to have uid's
> outside the range of normal users.

I don't know.
My current install has 38 fake users, including 0..8, 493..499 and 65534.
With UID_MIN=1000, I'd expect to get some in the range 500..999.
Just changing UID_MIN in %post would put them in the normal user range.
As noted, getting the fixup right would be tricky.

> It would be tricky to do what you want.  /etc/login.defs is part of the
> shadow-utils package.  You would need to create an rpm that would be
> installed onto the system after shadow-utils and before whichever packages
> create the users you are concerned about.

Nyet.
I can barely use an rpm, much less write one.

> In %post, though, you could modify the login.defs file - it will be
> /mnt/sysimage/etc/login.defs while the %post script is running, and use

Something else I didn't know and would have tripped over.

> usermod to change the uid of any user you are particularly concerned about.
> Note: users with explicitly-assigned uids should not be changed.  The --uid

Also, not all fake users have group IDs the same as the UIDs.
Hard as it would be to get it all right,
knowing that I got it right would be even harder.

> If you're freshly installing a system though, I would really recommend
> leaving the defaults the way they are.

It's looking like I won't have much choice.
There would be too many hills to climb at once.

From http://docs.fedoraproject.org/en-US/Fedora/16/html/Release_Notes/sect-Release_Notes-Changes_for_Sysadmin.html#id3021598
"If you need to install a new system from scratch, while starting user
accounts from 500 (to connect the system to a network with
globally-defined UIDs), install using a kickstart script that places
/etc/login.defs on the file system before package installation starts."

Yeah right.

BTW hennebry at web.cs.ndsu.NoDak.edu (not my computer) is user 362.
UID_MIN is 1000.
GID_MIN is 100.

-- 
Michael   hennebry at web.cs.ndsu.NoDak.edu
"On Monday, I'm gonna have to tell my kindergarten class,
whom I teach not to run with scissors,
that my fiance ran me through with a broadsword."  --  Lily
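
Added example, not part of the original message or of any project's code: a way to check the fixup the thread calls hard to verify, by listing every existing account whose UID would land in the normal-user range for a planned UID_MIN and flagging those whose primary GID differs from the UID. The function names, the sample accounts and the 60000 fallback for UID_MAX are assumptions; file paths are arguments, so the check can be pointed at whichever root holds the installed system.

```shell
#!/bin/sh
# Added example: audit a passwd file against a planned UID_MIN.
# Usage: audit_uid_min PASSWD LOGIN_DEFS NEW_UID_MIN

# Read a numeric key (e.g. UID_MAX) from a login.defs-style file.
defs_value() {
    awk -v key="$2" '$1 == key && $2 ~ /^[0-9]+$/ { v = $2 }
                     END { if (v != "") print v }' "$1"
}

# Print one line per account whose UID falls in [NEW_UID_MIN, UID_MAX].
# Output columns: name uid gid gid-differs-from-uid(yes/no)
audit_uid_min() {
    passwd_file=$1; defs_file=$2; new_min=$3
    uid_max=$(defs_value "$defs_file" UID_MAX)
    : "${uid_max:=60000}"   # assumed fallback when UID_MAX is not set
    awk -F: -v min="$new_min" -v max="$uid_max" '
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        $3 !~ /^[0-9]+$/ { next }        # skip non-numeric UIDs
        $3 + 0 >= min + 0 && $3 + 0 <= max + 0 {
            printf "%s %s %s %s\n", $1, $3, $4, ($3 == $4 ? "no" : "yes")
        }' "$passwd_file"
}

# Constructed sample data (not from the thread): dynamically assigned
# system accounts sitting just below 1000, plus low and high fixed UIDs.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svc-a:x:998:996:constructed service:/:/sbin/nologin
svc-b:x:999:999:constructed service:/:/sbin/nologin
nfsnobody:x:65534:65534:nobody:/:/sbin/nologin
EOF
    printf 'UID_MIN 1000\nUID_MAX 60000\n' > "$1/login.defs"
}

# Demo: which accounts collide with the user range if UID_MIN becomes 500?
tmp=$(mktemp -d)
make_sample "$tmp"
audit_uid_min "$tmp/passwd" "$tmp/login.defs" 500
rm -rf "$tmp"
```

An empty result means no existing account sits in the planned user range; any line ending in "yes" is an account whose group would need separate handling if its UID were changed.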



