On Wed, 2005-09-07 at 11:11 +0200, Enrico Scholz wrote:
rc040203(a)freenet.de (Ralf Corsepius) writes:
>> > My personal feeling (as a sysadmin and a packager) is that doing
>> > something like this in %pre (not %post, if you want files owned by
>> > the new user) is the Right Thing:
>> > %pre
>> > if ! id foo > /dev/null 2>&1 ; then
>> > /usr/sbin/useradd -r -s /sbin/nologin -c 'BAR' [...] foo
>> > fi
>> This does not solve the problem that users will have different UIDs on
>> different machines.
> Note the -r. We are talking about system accounts.
The '-r' makes only
* that the generated UID is in a certain range; the exact values are
unpredictable and it's highly probably that they differ on different
Yes, but ... who cares? All that matters is using consistent ranges in
> I fail to see why system accounts should be shared across
> why there is any need to force unique UIDs on them.
ok, some examples:
* 'vdr' and 'vdradmin' (from livna) are running on different hosts as
the 'vdr:video' user. Both share configuration files and data which is
exported by NFS
Then these UID/GIDs probably better should be ordinary uids,
* some data in a shared filesystem which shall be read by apache
but not by other users -> all affected machines will need the same
uid/gid for apache
To me this is a classical case of a customized network setup.
admin's responsibility to synchronize the uids.
I am doing the same with other dirs on my local network.
* programs (e.g. milters) which are installed in chroot environments
use unix-sockets as communication points. Access restrictions can be
installed easily with filesystem permissions when all chroots are
seeing the same user-uid pairs
I can't comment on these.
* backup/copying between hosts; when user does not exist at the
yet, resulting files will be readable by the wrong user
Yes, local network admin
* the 'owner' module of iptables requires predictable uids
I can't comment on this.
* it is confusing and unesthetically when users are having different
Let me turn this coin around: You are trying to be stylish and seem
be trying to project your personal conventions to the public.
You are missing:
* These points are irrelevant in heterogenious networks. Each OS has
different conventions, so any convention is always somehow wrong and
* Using fixed uids unnecessarily restricts the number of available uids.
You will sooner or later face the problems of all fixed-table based
* There is nothing which prevents you to generate consistent uids in
> IMO, system users must be local, only.
Yes; but they can access/own files on shared filesystems so all systems
should have the same view about them.
I don't understand.
It is easy to create users with predictable uids and fedora-usermgmt
offers a simple method doing this. I am not aware of any drawbacks,
it solves the problem of unpredictable uids and without explicit
configuration it is transparent to users because it has the same
behavior as plain 'useradd' then. So I do not see reasons why it
should not be used.
Frankly speaking, I am no friend of fedora-usermgmt. To the same extent
it might help you, it interferes with my demands.