On Fri, May 11, 2007 at 08:36:32AM +0200, Thorsten Leemhuis wrote:
> On 10.05.2007 22:38, Ville Skyttä wrote:
> > On Wednesday 25 April 2007, I wrote:
> >
> >> The first draft about user and group handling (creation etc) is ready for
> >> discussion: http://fedoraproject.org/wiki/PackagingDrafts/UsersAndGroups
> >
> > As noted in this week's FPC meeting minutes, the draft is probably going to be
> > voted on next week. A more fleshed out and cleaned up version which also
> > takes into account some findings in the FPC meeting as well as other feedback
> > on -maintainers is now online. Comments still welcome.
>
> Thx for writing this up; some comments (if they were discussed already
> then sorry for the noise):
>
> ----
>
> I'd like to see clarifications somewhere for which existing branches we
> apply this/what it means to existing packages that use some magic
> tools to create users and groups currently.

Just as any guideline, they apply to all, and packages will need to
conform within a reasonable timeframe. It will most certainly
practically not apply anymore to FC5, since this will go EOL almost
the next day this guideline may have gotten through all instances.

> What does this guideline mean for former Core packages that create
> groups and users with hardcoded GIDs/UIDs?

Get the uid/gid in "setup" (which all of them already do).

> "User accounts created by packages are rarely used for interactive
> logons, and should thus generally use /sbin/nologin as the user's shell."
>
> What about those core packages that don't follow this? My system has some:

That's why Ville wrote "generally"

> sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/halt
> news:x:9:13:news:/etc/news:
> netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
>
> I suspect there are more in former Core packages. Do they have a good
> reason for their doings maybe?

Yes.

> Should that be handled by the Guideline?

No, if they have a good reason, then it's a case-by-case situation, we
won't be able to cover every possible sane use. That's why the
guideline talks about "*should* thus *generally* use /sbin/nologin".

> Just wondering: Should we have some kind of "user/gid registry" in the
> wiki to track packages that create users/groups?

Maybe, but this would require the maintainer of "setup" to make
painfully sure wiki and "setup" are always in sync. The moment this
deviates we're in trouble, so if the maintainer(s) of setup can't
commit to simultaneous edits of "setup" and wiki contents, we should
better keep "setup" as the only authoritative source. Which can be
easily checked from the cvs viewer online I guess, so packagers will
be able to check rawhide allocation immediately.

> Then sysadmins could create a fedora-meta-users-and-groups package
> in their private repo that creates all the users and groups that
> Fedora packages might create beforehand with static numbers;

There are no such packages other than "setup" in Ville's draft, so
it's only one place to look this up (and to modify it)

> that workaround could be of interest for sysadmins that want to have
> the same UIDs/GIDs everywhere.

It's far better for them to get the "setup" src.rpm package, edit it
to their liking, and deploy their custom "setup".

--
Axel.Thimm at ATrpms.net
-- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging
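
An added example, not part of the thread or of Ville's draft: a sysadmin-side check that lists system accounts whose passwd(5) shell is not a no-login shell, run here over the five entries quoted above. The UID cutoff (`SYSTEM_UID_MAX`), the `LOGIN_SHELLS` list and the two extra sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Classify passwd(5) entries of system accounts by their login shell.
# SYSTEM_UID_MAX and LOGIN_SHELLS are assumptions; align them with the
# local /etc/login.defs and /etc/shells before relying on the output.
SYSTEM_UID_MAX=499
LOGIN_SHELLS="/bin/sh /bin/bash /bin/csh /bin/tcsh /bin/ksh /bin/zsh"

# Reads passwd-format lines on stdin and prints "name uid shell verdict"
# for every system account that does not use a no-login shell.
audit_shells() {
    awk -F: -v max="$SYSTEM_UID_MAX" -v shells="$LOGIN_SHELLS" '
    BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) login[s[i]] = 1 }
    /^#/ || NF < 7 { next }              # skip comments and malformed lines
    $3 + 0 > max   { next }              # regular user account, out of scope
    {
        shell = $7
        if (shell == "") shell = "/bin/sh"   # passwd(5): empty field means /bin/sh
        if (shell == "/sbin/nologin" || shell == "/bin/false") next
        # "interactive": a real shell; "command": a single fixed program
        verdict = (shell in login) ? "interactive" : "command"
        print $1, $3, shell, verdict
    }'
}

# Constructed input: the five entries quoted in the thread plus two
# made-up ones (a compliant daemon account and a regular user).
sample_passwd() {
    cat <<'EOF'
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
news:x:9:13:news:/etc/news:
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
exampled:x:96:96:Example daemon:/var/lib/exampled:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
}

sample_passwd | audit_shells
```

On a live system the same function can be fed with `getent passwd | audit_shells`; the "interactive" rows are the ones to review against the case-by-case reasoning discussed in the thread.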