On Thu, Feb 01, 2007 at 01:18:52PM +0200, Sarantis Paskalis wrote:
> Is there any recommendation for mandating/enforcing/changing etc. user
> IDs in (previously) Core packages? There are some rpm packages in the
> upcoming merge that hardcode a specific UID in the specfile to use (I
> was looking at privoxy, which hardcodes the number 73).

Hardcoding is OK, if the user/group has made it into the official list
which is /usr/share/doc/setup-*/uidgid. In there privoxy has indeed
the uid/gid of 73.

> Is it implied that the default /etc/passwd file should contain the
> predefined values for the most important packages and the rest should
> find an alternative way? What is the procedure of allocating UIDs/GIDs
> to those system users (examples are haldaemon, apache, dbus, sshd, rpc
> to name a few).

First check if they aren't already allocated in the list above. If you
really, really need a fixed reservation for a new uid/gid you would
have to get the owner (group) of "setup" to concur. I think this is
mostly in the hands of the former "cabal" group, e.g. ask one of Bill
Nottingham, Jesse Keating or Phil Knirsch, or directly the fesco
committee.

Theoretically it could belong to the PC's job to assign these, but it
hasn't been until now, and it needs someone barking back louder than
the PC is able to when someone tries to change the list :)

But we should note somewhere in the guidelines who the gatekeeper for
these uids/gids is.

> Should the packages to be reviewed maintain their existing UIDs/GIDs
> hardcoded and document it somewhere?

If they are in the list, they should silently pass, if they are not,
it should be raised as an issue, perhaps the list is missing some, or
others don't need to reserve fixed uids/gids..

> The default values in /etc/passwd and /etc/group are the following
> (taken from setup-2.6.2-1.fc7.src.rpm in rawhide):

For reference and archival purposes here is the current list in FC6
(/usr/share/doc/setup-2.6.1.1/uidgid). Packages using these uid/gid
should be OK.

NAME          UID    GID    HOME                     SHELL           PACKAGES
root          0      0      /root                    /bin/bash       setup
bin           1      1      /bin                     /sbin/nologin   setup
daemon        2      2      /sbin                    /sbin/nologin   setup
sys           -      3      -                        -               setup
adm           3      4      /var/adm                 /bin/bash       setup
tty           -      5      -                        -               setup
disk          -      6      -                        -               setup
lp            4      7      /var/spool/lpd           /sbin/nologin   setup
mem           -      8      -                        -               setup
kmem          -      9      -                        -               setup
wheel         -      10     -                        -               setup
sync          5      (0)    /sbin                    /bin/sync       setup
shutdown      6      (0)    /sbin                    /sbin/shutdown  setup
halt          7      (0)    /sbin                    /sbin/halt      setup
mail          8      12     /var/spool/mail          /sbin/nologin   setup
news          9      13     /var/spool/news          -               setup
uucp          10     14     /var/spool/uucp          /sbin/nologin   setup
operator      11     (0)    /root                    /sbin/nologin   setup
games         12     (100)  /usr/games               /sbin/nologin   setup
gopher        13     30     /usr/lib/gopher-data     /sbin/nologin   setup
ftp           14     50     /var/ftp                 /sbin/nologin   setup
man           -      15     -                        -               setup
floppy        -      19     -                        -               dev,MAKEDEV
games         -      20     -                        -               setup
slocate       -      21     -                        -               slocate
utmp          -      22     -                        -               initscripts,libutempter
squid         23     23     /var/spool/squid         /dev/null       squid
pvm           24     24     /usr/share/pvm3          /bin/bash       pvm
named         25     25     /var/named               /bin/false      bind
postgres      26     26     /var/lib/pgsql           /bin/bash       postgresql-server
mysql         27     27     /var/lib/mysql           /bin/bash       mysql
nscd          28     28     /                        /bin/false      nscd
rpcuser       29     29     /var/lib/nfs             /bin/false      nfs-utils
console       -      31     -                        -               dev
rpc           32     32     /                        /bin/false      portmap
amanda        33     (6)    /var/lib/amanda          /bin/false      amanda
netdump       34     34     /var/crash               /bin/bash       netdump-client, netdump-server
utempter      -      35     -                        -               libutempter
rpm           37     37     /var/lib/rpm             /bin/bash       rpm
ntp           38     38     /etc/ntp                 /sbin/nologin   ntp
dip           -      40     -                        -               setup
mailman       41     41     /var/mailman             /bin/false      mailman
gdm           42     42     /var/gdm                 /bin/bash       gdm
xfs           43     43     /etc/X11/fs              /bin/false      XFree86-xfs
pppusers      -      44     -                        -               linuxconf
popusers      -      45     -                        -               linuxconf
slipusers     -      46     -                        -               linuxconf
mailnull      47     47     /var/spool/mqueue        /dev/null       sendmail
apache        48     48     /var/www                 /bin/false      apache
wnn           49     49     /home/wnn                /bin/bash       FreeWnn
smmsp         51     51     /var/spool/mqueue        /dev/null       sendmail
tomcat        53     53     /var/lib/tomcat          /sbin/nologin   tomcat
lock          -      54     -                        -               lockdev
ldap          55     55     /var/lib/ldap            /bin/false      openldap-servers
frontpage     56     56     /var/www                 /bin/false      mod_frontpage
nut           57     57     /var/lib/ups             /bin/false      nut
beagleindex   58     58     /var/cache/beagle        /bin/false      beagle
piranha       60     60     /etc/sysconfig/ha        /dev/null       piranha
wine          -      66     -                        -               wine
pegasus       66     65     /var/lib/Pegasus         /sbin/nologin   tog-pegasus
webalizer     67     67     /var/www/html/usage      /sbin/nologin   webalizer
haldaemon     68     68     /                        /sbin/nologin   hal
vcsa          69     69     -                        /sbin/nologin   dev,MAKEDEV
avahi         70     70     /                        /sbin/nologin   avahi
privoxy       73     73     /etc/privoxy             /bin/bash       privoxy
sshd          74     74     /var/empty/sshd          /sbin/nologin   openssh-server
radvd         75     75     /                        /bin/false      radvd
cyrus         76     (12)   /var/imap                /bin/bash       cyrus-imapd
shadow        -      76     -                        -               cyrus-imapd
pcap          77     77     /var/arpwatch            /sbin/nologin   arpwatch
fax           78     78     /var/spool/fax           /sbin/nologin   mgetty
nocpulse      79     79     /etc/sysconfig/nocpulse  /bin/bash       nocpulse
desktop       80     80     -                        /sbin/nologin   desktop-file-utils
dbus          81     81     /                        /sbin/nologin   dbus
jonas         82     82     /var/lib/jonas           /sbin/nologin   jonas
clamav        83     83     /tmp                     /sbin/nologin   clamav
screen        -      84     -                        -               screen
quaggavt      -      85     -                        -               quagga
sabayon       86     86     -                        /sbin/nologin   sabayon
winbind_auth  -      88     -                        -               samba-common
postfix       89     89     /var/spool/postfix       /bin/true       postfix
postdrop      -      90     -                        -               postfix
majordomo     91     91     /usr/lib/majordomo       /bin/bash       majordomo
quagga        92     92     /                        /sbin/nologin   quagga
exim          93     93     /var/spool/exim          /sbin/nologin   exim
distcache     94     94     /                        /sbin/nologin   distcache
radiusd       95     95     /                        /bin/false      freeradius
hsqldb        96     96     /var/lib/hsqldb          /sbin/nologin   hsqldb
dovecot       97     97     /usr/libexec/dovecot     /sbin/nologin   dovecot
ident         98     98     /                        /sbin/nologin   ident
nobody        99     99     /                        /sbin/nologin   setup
users         -      100    -                        -               setup
gnats         ?      ?      ?                        ?               gnats, gnats-db
listar        ?      ?      ?                        ?               listar
nfsnobody     65534  65534  /var/lib/nfs             /sbin/nologin   nfs-utils

# Note: nfsnobdy is 4294967294 on 64-bit platforms (-2)

--
Axel.Thimm at ATrpms.net
--
Fedora-packaging mailing list
Fedora-packaging@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-packaging
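
The review check described in the message above (a hardcoded UID passes if it matches the reserved list, otherwise it is raised as an issue), as an added example that is not part of the original post or of any Fedora tooling. The table excerpt reuses rows from the list above; the scriptlet lines, the user names mydaemon and otherd, and the extra "conflict" result for a UID reserved under a different name are assumptions made for illustration, and only UIDs passed with `useradd -u` are checked.

```python
import shlex

# Constructed excerpt in the uidgid layout; rows taken from the list above.
UIDGID = """\
NAME      UID   GID    HOME             SHELL          PACKAGES
games     12    (100)  /usr/games       /sbin/nologin  setup
games     -     20     -                -              setup
privoxy   73    73     /etc/privoxy     /bin/bash      privoxy
sshd      74    74     /var/empty/sshd  /sbin/nologin  openssh-server
gnats     ?     ?      ?                ?              gnats, gnats-db
# Note: nfsnobdy is 4294967294 on 64-bit platforms (-2)
"""

# Constructed %pre scriptlet lines (hypothetical, not from a real spec file).
SCRIPTLET = """\
/usr/sbin/useradd -u 73 -r -s /sbin/nologin -d /etc/privoxy privoxy
/usr/sbin/useradd -u 74 -r -s /sbin/nologin mydaemon
/usr/sbin/useradd -u 250 -r -s /sbin/nologin otherd
"""

def parse_uidgid(text):
    """Return [(name, uid)] for rows that reserve a numeric UID."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # '-' marks a group-only row and '?' an unassigned one; both are skipped.
        if len(f) >= 3 and f[1].isdigit() and not line.startswith("#"):
            rows.append((f[0], int(f[1])))
    return rows

def hardcoded_uids(scriptlet):
    """Yield (user, uid) for each useradd call that passes -u."""
    for line in scriptlet.splitlines():
        argv = shlex.split(line)
        if argv and argv[0].endswith("useradd") and "-u" in argv:
            yield argv[-1], int(argv[argv.index("-u") + 1])

def review(scriptlet, reserved):
    """Map each hardcoded user to 'reserved', 'conflict' or 'unlisted'."""
    by_uid = {uid: name for name, uid in reserved}
    result = {}
    for user, uid in hardcoded_uids(scriptlet):
        if by_uid.get(uid) == user:
            result[user] = "reserved"   # in the list: passes silently
        elif uid in by_uid or user in by_uid.values():
            result[user] = "conflict"   # UID or name is reserved differently
        else:
            result[user] = "unlisted"   # raise as an issue during review
    return result
```

Calling `review(SCRIPTLET, parse_uidgid(UIDGID))` returns one verdict per user created in the scriptlet.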