On Fri, May 11, 2007 at 08:36:32AM +0200, Thorsten Leemhuis wrote:
> On 10.05.2007 22:38, Ville Skyttä wrote:
>> On Wednesday 25 April 2007, I wrote:
>>> The first draft about user and group handling (creation etc) is ready for
>>> discussion: http://fedoraproject.org/wiki/PackagingDrafts/UsersAndGroups
>> As noted in this week's FPC meeting minutes, the draft is probably going to be
>> voted on next week. A more fleshed out and cleaned up version which also
>> takes into account some findings in the FPC meeting as well as other feedback
>> on -maintainers is now online. Comments still welcome.
>
> Thx for writing this up; some comments (if they were discussed already
> then sorry for the noise):
>
> I'd like to see clarifications somewhere for which existing branches we
> apply this/what it means to existing packages that use some magic
> tools to create users and groups currently.

Just as any guideline, they apply to all, and packages will need to
conform within a reasonable timeframe. It will most certainly
practically not apply anymore to FC5, since this will go EOL almost
the next day this guideline may have gotten through all instances.

> What does this guideline mean for former Core packages that create
> groups and users with hardcoded GIDs/UIDs?

Get the uid/gid in "setup" (which all of them already do).

> "User accounts created by packages are rarely used for
> logons, and should thus generally use /sbin/nologin as the user's shell."
> What about those core packages that don't follow this? My system has some:

That's why Ville wrote "generally"

> netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
> I suspect there are more in former Core packages. Do they have a good
> reason for their doings maybe?
> Should that be handled by the Guideline?

No, if they have a good reason, then it's a case-by-case situation, we
won't be able to cover every possible sane use. That's why the
guideline talks about "*should* thus *generally* use /sbin/nologin".

> Just wondering: Should we have some kind of "user/gid registry" in the
> wiki to track packages that create users/groups?

Maybe, but this would require the maintainer of "setup" to make
painfully sure wiki and "setup" are always in sync. The moment this
deviates we're in trouble, so if the maintainer(s) of setup can't
commit to simultaneous edits of "setup" and wiki contents, we should
better keep "setup" as the only authoritative source. Which can be
easily checked from the cvs viewer online I guess, so packagers will
be able to check rawhide allocation immediately.

> Then sysadmins could create a fedora-meta-users-and-groups package
> in their private repo that creates all the users and groups that
> Fedora packages might create beforehand with static numbers;

There are no such packages other than "setup" in Ville's draft, so
it's only one place to look this up (and to modify it)

> that workaround could be of interest for sysadmins that want to have
> the same UIDs/GIDs everywhere.

It's far better for them to get the "setup" src.rpm package, edit it
to their liking, and deploy their custom "setup".
Axel.Thimm at ATrpms.net
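
An added example, not part of the original thread or of the draft guideline: a check for the case discussed above, where a package-created account such as netdump carries a login shell instead of /sbin/nologin. It assumes system accounts have UIDs below 500 (the hypothetical `SYS_UID_MAX` constant); the `reviewed` parameter and all sample lines except the netdump entry quoted in the thread are constructed.

```python
# Added example: flag system accounts that can log in, minus exceptions that
# were reviewed case by case (names and thresholds below are assumptions).
SYS_UID_MAX = 499  # assumption: package-created accounts use UIDs below 500
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd(5) line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed or NIS-style entry; skip rather than guess
        # An empty shell field means the system default, /bin/sh.
        yield fields[0], int(fields[2]), fields[6] or "/bin/sh"


def login_capable_system_accounts(text, reviewed=()):
    """Return system accounts with a login shell, minus reviewed exceptions."""
    findings = []
    for name, uid, shell in parse_passwd(text):
        if uid == 0 or uid > SYS_UID_MAX:
            continue  # root and regular users are out of scope
        if shell in NOLOGIN_SHELLS or name in reviewed:
            continue
        findings.append((name, uid, shell))
    return findings


# The netdump line is the one quoted in the thread; the rest is constructed.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
exampled:x:96:96:Constructed daemon account:/var/lib/exampled:/sbin/nologin
legacyd:x:97:97:Constructed account, empty shell:/var/lib/legacyd:
alice:x:500:500:Constructed regular user:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    for name, uid, shell in login_capable_system_accounts(SAMPLE):
        print(f"{name} (uid {uid}) has login shell {shell}")
```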