On Thu, 2007-06-14 at 13:21 -0400, Simo Sorce wrote:
> On Thu, 2007-06-14 at 17:25 +0200, Axel Thimm wrote:
> > On Thu, Jun 14, 2007 at 08:40:16AM -0500, Tom spot Callaway wrote:
> > > On Thu, 2007-06-14 at 10:19 +0200, Axel Thimm wrote:
> > > > On Wed, Jun 13, 2007 at 11:45:27PM -0500, Tom spot Callaway wrote:
> > > > > I'm not quite sure I'm ready to bring this to the FPC for a vote, but
> > > > > I've been working on a modified version of Ville's draft:
> > > > >
> > > > > http://fedoraproject.org/wiki/TomCallaway/UsersAndGroupsDraft
> > > > >
> > > > > While this is more complicated, I think it more adequately covers the
> > > > > corner cases of adding users and groups. Thoughts?
> > > >
> > > > It is far too complicated, Ville's version did the job already quite
> > > > well. You're also introducing non-standard tools again. :/
> > >
> > > Not really. The tools I introduced are helper scripts.
> > >
> > > Ville's draft only created the user/group if it didn't exist, and if
> > > not, didn't, but left the files owned as that user/group. That security
> > > issue concerns me.
Actually, I like Ville's proposal because of its simplicity and don't
see the potential security risk as critical, because user/group and
uid/gid handling always will require admin intervention.
> > Yes, but the proposed complicated apparatus does not justify
> > this. Better to have %pre fail then and deal with the transaction
> > mess. After all, how often will a sysadmin have created a non-system
> > user "amanda" (and accidentally install amanda w/o remembering that he
> > had such a user)?
> Axel, you couldn't choose a worse example :)
> The worst case probably is using a "last name is username" convention
> and your last name being "Root", "Mail" or "Windows" ;)
> It is also entirely possible that the admin does not know that such a
> user exists, as users may come from ldap, nis or winbindd and were not
> created by that admin but by someone else.
> I think at least a check to see if the "amanda" user is < 1000 would
> make a lot of sense.
I think restricting all rpm-created uids to < a limit (the value is
debatable) and presuming them to be local would be a reasonable
compromise.
Ralf
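Added example, not code from this thread, from Ville's draft or from Tom's: a sketch of the %pre-style check that both Simo's "is the uid < 1000" test and Ralf's "presume rpm-created uids below a limit to be local" compromise amount to. It creates the account only when it is missing, reuses it when it already is a system account, and fails (Axel's preference) instead of handing the package's files to a pre-existing non-system user. The cut-off of 999, the function names and the sample passwd lines are assumptions made for the example; a real scriptlet would query getent so that ldap/nis/winbind-sourced accounts are seen, which the file argument here stands in for so the script can run unprivileged and offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from either draft.
# A %pre-style check that refuses to adopt an existing non-system account
# instead of silently chowning the package's files to it.

# Assumption: "system" means uid below 1000 (Simo's suggestion); the thread
# leaves the exact cut-off open to debate.
SYS_UID_MAX=999

# lookup_uid NAME [PASSWD_FILE]
# Prints NAME's uid, or nothing if the account does not exist.
# Without a file argument it asks getent(1), which also consults ldap, nis
# and winbind through NSS; the file argument exists only for offline testing.
lookup_uid() {
    if [ -n "$2" ]; then
        awk -F: -v n="$1" '$1 == n { print $3; exit }' "$2"
    else
        getent passwd "$1" | cut -d: -f3
    fi
}

# classify_account NAME [PASSWD_FILE]
# Prints one of: absent, system, nonsystem. Always returns 0.
classify_account() {
    _uid=$(lookup_uid "$1" "$2")
    if [ -z "$_uid" ]; then
        echo absent
    elif [ "$_uid" -le "$SYS_UID_MAX" ]; then
        echo system
    else
        echo nonsystem
    fi
}

# pre_install NAME [PASSWD_FILE]
# Mirrors what a %pre scriptlet would do: create the account if missing,
# reuse it if it is already a system account, and fail the transaction
# rather than leave files owned by a human user's uid.
pre_install() {
    case $(classify_account "$1" "$2") in
        absent)
            # A real %pre would execute these; they are printed here so the
            # example runs unprivileged.
            echo "groupadd -r $1"
            echo "useradd -r -g $1 -d / -s /sbin/nologin -c '$1 service account' $1"
            return 0 ;;
        system)
            echo "reusing existing system account '$1'"
            return 0 ;;
        nonsystem)
            echo "refusing: '$1' exists with a non-system uid; resolve manually" >&2
            return 1 ;;
    esac
}

# Constructed sample passwd data (not taken from any real host), including the
# "last name is username" collision Simo describes: a human user named amanda.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
amanda:x:1003:1003:Amanda Root:/home/amanda:/bin/bash
EOF

for name in dovecot mail amanda; do
    pre_install "$name" "$SAMPLE_PASSWD" || echo "  -> %pre would fail for '$name'"
done
```

Dropping the file argument makes the same functions query NSS on the installing host; the only packaging decision left is the value of SYS_UID_MAX, which is exactly the point Ralf says is debatable.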