aoliva@xxxxxxxxxx (Alexandre Oliva) writes:

>> These users are created by an rpm, this package contains files owned
>> by them and they are set in global configuration files. So, they must
>> be system accounts.
>
> Err... The rpm cpio payload contains user ids encoded in the form of
> user/group names, not numbers, I hope, just like tar. Doesn't it? If
> so, all it takes to get a single, consistent uid is to add the
> username to the central uid database

"central uid database" implies something like LDAP or NIS. But as
explained in previous postings, LDAP/NIS is a bad idea for service
accounts.

> before installing the rpms anywhere,

When doing a 'yum install <something>' which adds 100 new packages, it
is impossible to determine which users will be created in this
transaction.

> then the system will find the users to exist and install the contents
> with the right uid. If you have your hosts configured to trust the
> database over local user info, and you've already installed rpms
> before that chose random uids, then you might have to remove the
> local user by hand and reinstall the packages.

Yes, I remember some 'find -uid ... | xargs chown'. Such actions tend
to evolve into a huge mess, especially when a '-h' flag was forgotten
or already assigned uids were used...

That's why I prefer (semi)static uids for all service accounts.

>> There is no way to see whether an rpm package creates an account or to
>> determine the parameters of this account.
>
> Should we perhaps think of abstracting out user ids into separate rpm
> packages?

Ok with me, but there are enough people who will complain about added
dependencies...

IMO, created users should be declared in rpm in a way like files and
their creation should be done without explicit scriptlets. But this
enhancement will not happen in the near future.

Enrico
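
The uid remap mentioned in the message, with its two failure modes (a forgotten `-h` and a target uid that is already assigned) guarded against. This is an added example, not part of the original message; the names `uid_in_use`, `remap_uid` and `PASSWD_FILE` are hypothetical, and the check reads a passwd-format file only, so a host backed by NIS/LDAP needs an NSS-aware lookup instead.

```shell
# Added example (assumed names): re-own files from one numeric uid to another.
# PASSWD_FILE is an assumption so the check can run against a constructed file.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# Succeeds if the numeric uid appears in field 3 of the passwd-format file.
uid_in_use() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# remap_uid OLD NEW ROOT [apply]
# Without "apply" it only lists the paths that would be re-owned.
remap_uid() {
    old=$1 new=$2 root=$3 mode=${4:-dry-run}

    for id in "$old" "$new"; do
        case $id in
            ''|*[!0-9]*) echo "uids must be numeric: '$id'" >&2; return 2 ;;
        esac
    done

    # Reusing an assigned uid silently hands the files to another account.
    if uid_in_use "$new"; then
        echo "refusing: uid $new is already assigned" >&2
        return 3
    fi

    # -xdev stays on one filesystem. -uid matches the numeric owner, so files
    # whose user name no longer resolves are found too. find does not follow
    # symlinks by default, so a link is matched by its own owner.
    if [ "$mode" = apply ]; then
        # chown -h changes the symlink itself; without it, chown follows the
        # link and re-owns whatever it points to, possibly outside ROOT.
        # -exec ... {} + also avoids the whitespace problems of a plain xargs.
        find "$root" -xdev -uid "$old" -exec chown -h "$new" {} +
    else
        find "$root" -xdev -uid "$old" -print
    fi
}
```

Run it once without `apply` and review the list before re-running as root with `apply`.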