Usercreation-policy

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Wed Sep 24 19:43:14 UTC 2003


notting at redhat.com (Bill Nottingham) writes:

>> Ok, does this mean that the Fedora Project has a packaging guideline:
>> 
>> | A package MUST NOT delete users or groups in its scriptlets
>
> We have lots of them. A few of them are even recorded somewhere. :)

For the Fedora Project it would be really nice if these guidelines
were in a public place where they can be read by QA people and packagers.


> It's still not completely portable across systems without intervention/
> cooperation of some sort. I.e., out of the box, it doesn't 'just work'
> right.

For "out of the box" (or now: "magazine"), my proposal will work in the
same way as the traditional method, since the semi-static UID will be
ignored by default.

But for administrators (of non-trivial systems) it makes a difference.


It would also be possible to fill /etc/fedora/usermgmt/baseuid with the
value of a broadcast-query in %post, or to use a proprietary DHCP option
for it.

Or, for kickstart, you could add an option which sets these values, or
use some magic in %pre for it.


The fedora-usermgmt method is very flexible since it depends on the
content of 2 small files only...



>> Using static UIDs between 100 and 500 for Fedora Extras packages will
>> break update of existing systems, since those UIDs can be assigned there
>> already. So you can not simply expand the range of 'system' users.
>> 
>> With my baseuid approach the administrator could choose a free area and
>> put a fitting value into /etc/fedora/usermgmt/baseuid before doing the
>> update.
>
> That will *still* break upgrades, as it will conflict somewhere.

In all well-administered systems, there are policies about UID-ranges
and it is easy to reserve a small, currently unused area for Fedora
Extras users. E.g. on my systems, baseuid is 63000.


> Anything that requires admin intervention in the intermediary of the
> upgrade transaction isn't really workable.

It requires intervention *before* the upgrade transaction (e.g. 'echo
42000 >/etc/fedora/usermgmt/baseuid'). Nothing that could not be
solved with a trivial script.




Enrico
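
Added example, not part of the original message and not fedora-usermgmt's own code: a pre-upgrade check that refuses to write a baseuid whose window already contains UIDs or GIDs, which is the conflict the thread argues about. The window size, the function names and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: IDs are handed out
# inside [baseuid, baseuid+SIZE), and the function names are hypothetical.

# id_conflicts FILE BASE SIZE
# FILE is in passwd(5) or group(5) format (numeric ID in field 3).
# Prints "name:id" for each entry inside the window; returns 1 if any exist.
id_conflicts() {
    awk -F: -v base="$2" -v size="$3" '
        /^#/ || NF < 3 { next }              # comments, malformed lines
        $3 ~ /^[0-9]+$/ && $3+0 >= base+0 && $3+0 < base+size {
            print $1 ":" $3; hit = 1
        }
        END { exit hit+0 }
    ' "$1"
}

# write_baseuid PASSWD GROUP BASE SIZE TARGET
# Writes BASE to TARGET only when the window is unused in both files.
write_baseuid() {
    case "$3" in ''|*[!0-9]*) echo "baseuid must be numeric" >&2; return 2 ;; esac
    rc=0
    id_conflicts "$1" "$3" "$4" >&2 || rc=1   # report clashes from both files
    id_conflicts "$2" "$3" "$4" >&2 || rc=1
    if [ "$rc" -ne 0 ]; then
        echo "baseuid $3: window already in use, nothing written" >&2
        return 1
    fi
    echo "$3" > "$5"
}

# Constructed sample data: a site that already uses 100-500 for local accounts.
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'backup:x:120:120::/var/backup:/sbin/nologin' \
        'alice:x:500:500::/home/alice:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'backup:x:120:' 'alice:x:500:' > "$1/group"
}
```

On a real host the call would be `write_baseuid /etc/passwd /etc/group 63000 1000 /etc/fedora/usermgmt/baseuid`, run before the upgrade transaction; accounts served from NIS or LDAP are not in those files and need a separate check.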




