On Thu, Feb 01, 2007 at 01:18:52PM +0200, Sarantis Paskalis wrote:
> Is there any recommendation for mandating/enforcing/changing etc. user
> IDs in (previously) Core packages? There are some rpm packages in the
> upcoming merge that hardcode a specific UID in the specfile to use (I
> was looking at privoxy, which hardcodes the number 73).
Hardcoding is OK, if the user/group has made it into the official list
which is /usr/share/doc/setup-*/uidgid. In there privoxy has indeed
the uid/gid of 73.
> Is it implied that the default /etc/passwd file should contain the
> predefined values for the most important packages and the rest should
> find an alternative way? What is the procedure of allocating UIDs/GIDs
> to those system users (examples are haldaemon, apache, dbus, sshd, rpc
> to name a few).
First check if they aren't already allocated in the list above. If you
really, really need a fixed reservation for a new uid/gid you would
have to get the owner (group) of "setup" to concur. I think this is
mostly in the hands of the former "cabal" group, e.g. ask one of Bill
Nottingham, Jesse Keating or Phil Knirsch, or directly the fesco
committee.
Theoretically it could belong to the PC's job to assign these, but it
hasn't been until now, and it needs someone barking back louder than
the PC is able to when someone tries to change the list :)
But we should note somewhere in the guidelines who the gatekeeper for
these uids/gids is.
> Should the packages to be reviewed maintain their existing UIDs/GIDs
> hardcoded and document it somewhere?
If they are in the list, they should silently pass; if they are not,
it should be raised as an issue: perhaps the list is missing some, or
others don't need to reserve fixed uids/gids.
> The default values in /etc/passwd and /etc/group are the following
> (taken from setup-2.6.2-1.fc7.src.rpm in rawhide):
For reference and archival purposes here is the current list in FC6
(/usr/share/doc/setup-2.6.1.1/uidgid). Packages using these uids/gids
should be OK.
NAME         UID    GID    HOME                     SHELL           PACKAGES
root         0      0      /root                    /bin/bash       setup
bin          1      1      /bin                     /sbin/nologin   setup
daemon       2      2      /sbin                    /sbin/nologin   setup
sys          -      3      -                        -               setup
adm          3      4      /var/adm                 /bin/bash       setup
tty          -      5      -                        -               setup
disk         -      6      -                        -               setup
lp           4      7      /var/spool/lpd           /sbin/nologin   setup
mem          -      8      -                        -               setup
kmem         -      9      -                        -               setup
wheel        -      10     -                        -               setup
sync         5      (0)    /sbin                    /bin/sync       setup
shutdown     6      (0)    /sbin                    /sbin/shutdown  setup
halt         7      (0)    /sbin                    /sbin/halt      setup
mail         8      12     /var/spool/mail          /sbin/nologin   setup
news         9      13     /var/spool/news          -               setup
uucp         10     14     /var/spool/uucp          /sbin/nologin   setup
operator     11     (0)    /root                    /sbin/nologin   setup
games        12     (100)  /usr/games               /sbin/nologin   setup
gopher       13     30     /usr/lib/gopher-data     /sbin/nologin   setup
ftp          14     50     /var/ftp                 /sbin/nologin   setup
man          -      15     -                        -               setup
floppy       -      19     -                        -               dev,MAKEDEV
games        -      20     -                        -               setup
slocate      -      21     -                        -               slocate
utmp         -      22     -                        -               initscripts,libutempter
squid        23     23     /var/spool/squid         /dev/null       squid
pvm          24     24     /usr/share/pvm3          /bin/bash       pvm
named        25     25     /var/named               /bin/false      bind
postgres     26     26     /var/lib/pgsql           /bin/bash       postgresql-server
mysql        27     27     /var/lib/mysql           /bin/bash       mysql
nscd         28     28     /                        /bin/false      nscd
rpcuser      29     29     /var/lib/nfs             /bin/false      nfs-utils
console      -      31     -                        -               dev
rpc          32     32     /                        /bin/false      portmap
amanda       33     (6)    /var/lib/amanda          /bin/false      amanda
netdump      34     34     /var/crash               /bin/bash       netdump-client, netdump-server
utempter     -      35     -                        -               libutempter
rpm          37     37     /var/lib/rpm             /bin/bash       rpm
ntp          38     38     /etc/ntp                 /sbin/nologin   ntp
dip          -      40     -                        -               setup
mailman      41     41     /var/mailman             /bin/false      mailman
gdm          42     42     /var/gdm                 /bin/bash       gdm
xfs          43     43     /etc/X11/fs              /bin/false      XFree86-xfs
pppusers     -      44     -                        -               linuxconf
popusers     -      45     -                        -               linuxconf
slipusers    -      46     -                        -               linuxconf
mailnull     47     47     /var/spool/mqueue        /dev/null       sendmail
apache       48     48     /var/www                 /bin/false      apache
wnn          49     49     /home/wnn                /bin/bash       FreeWnn
smmsp        51     51     /var/spool/mqueue        /dev/null       sendmail
tomcat       53     53     /var/lib/tomcat          /sbin/nologin   tomcat
lock         -      54     -                        -               lockdev
ldap         55     55     /var/lib/ldap            /bin/false      openldap-servers
frontpage    56     56     /var/www                 /bin/false      mod_frontpage
nut          57     57     /var/lib/ups             /bin/false      nut
beagleindex  58     58     /var/cache/beagle        /bin/false      beagle
piranha      60     60     /etc/sysconfig/ha        /dev/null       piranha
wine         -      66     -                        -               wine
pegasus      66     65     /var/lib/Pegasus         /sbin/nologin   tog-pegasus
webalizer    67     67     /var/www/html/usage      /sbin/nologin   webalizer
haldaemon    68     68     /                        /sbin/nologin   hal
vcsa         69     69     -                        /sbin/nologin   dev,MAKEDEV
avahi        70     70     /                        /sbin/nologin   avahi
privoxy      73     73     /etc/privoxy             /bin/bash       privoxy
sshd         74     74     /var/empty/sshd          /sbin/nologin   openssh-server
radvd        75     75     /                        /bin/false      radvd
cyrus        76     (12)   /var/imap                /bin/bash       cyrus-imapd
shadow       -      76     -                        -               cyrus-imapd
pcap         77     77     /var/arpwatch            /sbin/nologin   arpwatch
fax          78     78     /var/spool/fax           /sbin/nologin   mgetty
nocpulse     79     79     /etc/sysconfig/nocpulse  /bin/bash       nocpulse
desktop      80     80     -                        /sbin/nologin   desktop-file-utils
dbus         81     81     /                        /sbin/nologin   dbus
jonas        82     82     /var/lib/jonas           /sbin/nologin   jonas
clamav       83     83     /tmp                     /sbin/nologin   clamav
screen       -      84     -                        -               screen
quaggavt     -      85     -                        -               quagga
sabayon      86     86     -                        /sbin/nologin   sabayon
winbind_auth -      88     -                        -               samba-common
postfix      89     89     /var/spool/postfix       /bin/true       postfix
postdrop     -      90     -                        -               postfix
majordomo    91     91     /usr/lib/majordomo       /bin/bash       majordomo
quagga       92     92     /                        /sbin/nologin   quagga
exim         93     93     /var/spool/exim          /sbin/nologin   exim
distcache    94     94     /                        /sbin/nologin   distcache
radiusd      95     95     /                        /bin/false      freeradius
hsqldb       96     96     /var/lib/hsqldb          /sbin/nologin   hsqldb
dovecot      97     97     /usr/libexec/dovecot     /sbin/nologin   dovecot
ident        98     98     /                        /sbin/nologin   ident
nobody       99     99     /                        /sbin/nologin   setup
users        -      100    -                        -               setup
gnats        ?      ?      ?                        ?               gnats, gnats-db
listar       ?      ?      ?                        ?               listar
nfsnobody    65534  65534  /var/lib/nfs             /sbin/nologin   nfs-utils
# Note: nfsnobody is 4294967294 on 64-bit platforms (-2)
-- 
Axel.Thimm at ATrpms.net
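The review rule stated in the thread (a uid/gid that is in the setup list passes silently, anything else is raised as an issue) as a small checker, written here as an added example; it is not code from the thread, from the setup package or from any Fedora tool. It parses the uidgid format of the list quoted above, classifies a package's hardcoded numbers as ok, mismatch (name listed with a different number), collision (number already reserved under another name) or unreserved (name absent, so the setup owners have to be asked first), and emits the %pre lines a spec would carry. The sample rows are a constructed excerpt copied from the FC6 list; the field conventions ('-' none, '?' unknown, '(N)' the account's primary group is the existing group N) are inferred from that list, and the getent/groupadd/useradd scriptlet idiom is an assumed spec convention, not something quoted in the message.

```python
"""Check hardcoded uid/gid reservations against the setup package's 'uidgid' list.

Added example, not code from the thread or the setup package.  Field conventions
are inferred from the quoted list: '-' = none, '?' = unknown, '(N)' = the
account's primary group is the existing group N (no group of this name).
"""
import re

# Constructed excerpt in the uidgid format (rows copied from the FC6 list above).
SAMPLE_UIDGID = """\
NAME UID GID HOME SHELL PACKAGES
root 0 0 /root /bin/bash setup
sys - 3 - - setup
sync 5 (0) /sbin /bin/sync setup
apache 48 48 /var/www /bin/false apache
privoxy 73 73 /etc/privoxy /bin/bash privoxy
sshd 74 74 /var/empty/sshd /sbin/nologin openssh-server
cyrus 76 (12) /var/imap /bin/bash cyrus-imapd
shadow - 76 - - cyrus-imapd
gnats ? ? ? ? gnats, gnats-db
nfsnobody 65534 65534 /var/lib/nfs /sbin/nologin nfs-utils
# Note: nfsnobody is 4294967294 on 64-bit platforms (-2)
"""

SEVERITY = {"mismatch": 3, "collision": 2, "unreserved": 1}

def _num(field):
    """'73' -> 73, '(12)' -> 12, '-' or '?' -> None."""
    m = re.fullmatch(r"\(?(\d+)\)?", field)
    return int(m.group(1)) if m else None

def parse_uidgid(text):
    """Parse uidgid rows into dicts; the header, blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("NAME "):
            continue
        parts = line.split(None, 5)
        if len(parts) != 6:
            continue  # malformed row; a stricter tool would report it
        name, uid, gid, home, shell, packages = parts
        rows.append({"name": name, "uid": _num(uid), "gid": _num(gid),
                     "owns_group": gid.isdigit(),  # '(N)' reserves no group of this name
                     "home": home, "shell": shell,
                     "packages": [p.strip() for p in packages.split(",")]})
    return rows

def reserved_users(rows):
    return {r["name"]: r["uid"] for r in rows if r["uid"] is not None}

def reserved_groups(rows):
    return {r["name"]: r["gid"] for r in rows if r["owns_group"]}

def _check_one(kind, by_name, holders, name, number):
    if name in by_name:
        if by_name[name] == number:
            return None  # in the list with the same number: silently pass
        return ("mismatch", f"{kind} for {name} is reserved as {by_name[name]}, the spec hardcodes {number}")
    if number in holders:
        return ("collision", f"{kind} {number} is already reserved for {holders[number]}")
    return ("unreserved", f"{name} has no {kind} reservation; get the setup owners to add {number} first")

def check_reservation(rows, name, uid=None, gid=None):
    """Return (status, findings); status is 'ok' or the worst of mismatch/collision/unreserved."""
    users, groups = reserved_users(rows), reserved_groups(rows)
    # primary group by account name, including '(N)' rows that point at another group
    gid_by_name = {r["name"]: r["gid"] for r in rows if r["gid"] is not None}
    findings = []
    for kind, by_name, holders, number in (
            ("uid", users, {u: n for n, u in users.items()}, uid),
            ("gid", gid_by_name, {g: n for n, g in groups.items()}, gid)):
        if number is not None:
            finding = _check_one(kind, by_name, holders, name, number)
            if finding:
                findings.append(finding)
    if not findings:
        return "ok", []
    worst = max(findings, key=lambda f: SEVERITY[f[0]])[0]
    return worst, [msg for _, msg in findings]

def pre_scriptlet(rows, name):
    """%pre lines in the getent || groupadd/useradd idiom (assumed convention, not quoted in the thread)."""
    row = next(r for r in rows if r["name"] == name)
    lines = []
    if row["owns_group"]:
        lines.append(f"getent group {name} >/dev/null || groupadd -r -g {row['gid']} {name}")
    if row["uid"] is not None:
        lines.append(f"getent passwd {name} >/dev/null || useradd -r -u {row['uid']} "
                     f"-g {row['gid']} -d {row['home']} -s {row['shell']} {name}")
    return "\n".join(lines)

if __name__ == "__main__":
    rows = parse_uidgid(SAMPLE_UIDGID)
    for args in (("privoxy", 73, 73), ("privoxy", 72, 73), ("newd", 48, 48), ("cyrus", 76, 76)):
        print(args, check_reservation(rows, *args))
    print(pre_scriptlet(rows, "cyrus"))
```

The cyrus case is why the parenthesised form matters: a spec that creates a group "cyrus" with gid 76 would take the number the list reserves for the shadow group, so the checker reports it as a mismatch rather than letting it pass because "76 belongs to cyrus" in the uid column.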