aoliva(a)redhat.com (Alexandre Oliva) writes:
> > These users are created by an rpm, this package contains files
> > by them and they are set in global configuration files. So, they must
> > be system accounts.
>
> Err... The rpm cpio payload contains user ids encoded in the form of
> user/group names, not numbers, I hope, just like tar. Doesn't it? If
> so, all it takes to get a single, consistent uid is to add the
> username to the central uid database

"central uid database" implies something like LDAP or NIS. But as
explained in previous postings, LDAP/NIS is a bad idea for service

> before installing the rpms anywhere,

When doing a 'yum install <something>' which adds 100 new packages,
it is impossible to determine which users will be created in this

> then the system will find the users to exist and install the
> with the right uid. If you have your hosts configured to trust the
> database over local user info, and you've already installed rpms
> before that chose random uids, then you might have to remove the
> local user by hand and reinstall the packages.

Yes, I remember some 'find -uid ... | xargs chown'. Such actions
tend to evolve into a huge mess, especially when a '-h' flag was
forgotten or already assigned uids were used...

That's why I prefer (semi)static uids for all service accounts.

> > There is no way to see whether an rpm package creates an account
> > determine the parameters of this account.
>
> Should we perhaps think of abstracting out user ids into separate rpm

Ok with me, but there are enough people who will complain about added

IMO, created users should be declared in rpm in a way like files and
their creation should be done without explicit scriptlets. But this
enhancement will not happen in the near future.
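
The uid clean-up mentioned in the reply above ('find -uid ... | xargs chown'), as an added example that is not part of the original thread: a re-own helper that guards against the two failure modes named there, a forgotten `-h` and a target uid that is already assigned. The function name `reown_uid`, its arguments and the dry-run default are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not code from the thread; reown_uid is a hypothetical helper.
# Usage: reown_uid NAME OLD_UID NEW_UID ROOT PASSWD_FILE [apply]
# Without "apply" it only lists the paths that would change owner.
reown_uid() {
    name=$1 old=$2 new=$3 root=$4 passwd=$5 mode=${6:-dry-run}

    # Numeric uids only: a name may map to a different uid on each host.
    for u in "$old" "$new"; do
        case $u in
            ''|*[!0-9]*) echo "uid '$u' is not numeric" >&2; return 2 ;;
        esac
    done

    # Refuse when the target uid already belongs to a different account;
    # otherwise that account would silently gain the service's files.
    owner=$(awk -F: -v u="$new" -v n="$name" \
        '$3 == u && $1 != n { print $1; exit }' "$passwd")
    if [ -n "$owner" ]; then
        echo "uid $new is already assigned to '$owner', refusing" >&2
        return 3
    fi

    if [ "$mode" = apply ]; then
        # -xdev stays on one filesystem. find (without -L) tests the link
        # itself, and chown -h changes the link, never the file it points to.
        find "$root" -xdev -uid "$old" -exec chown -h "$new" {} +
    else
        find "$root" -xdev -uid "$old" -print
    fi
}
```

Run it in dry-run mode first and review the list; `apply` needs root.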