Bernhard Voelker wrote:
> On 03/27/2014 09:57 AM, Ludwig Nussel wrote:
>> Otherwise useradd may re-use uids taken by daemons [...]
>
> This topic is about avoiding user name/group clashes. However that is solved (e.g. by the proposed policy/convention), avoiding clashing UIDs is still an open question. (TBH I don't care much about the names - the important things are the UIDs/GIDs.)

useradd chooses a new uid for each user so the uid clash is avoided implicitly by using different user names.

>> [...] two daemons may use the same uid. That sounds more awkward to me.
>
> Hmm, heretical question: why not? Isn't that what namespaces are for? I didn't play with that very much, but from upstream bug reports from Fedora, I have the impression that they're starting to heavily use namespaces ... and separating daemons would be a perfect reason for this.
>
> Just kidding, but in the extreme, one single 'daemon/daemon' user would suffice. ;-)

Feel free to explore that possibility. I don't think the proposed policy conflicts with other ways to achieve privilege separation.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
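
A check for the situation discussed in this thread, two accounts ending up on the same UID, as an added example that is not part of the original message: it parses passwd(5)-format text and reports every UID held by more than one name. The sample entries and the `sys_uid_max` value of 999 are assumptions; take the real threshold from SYS_UID_MAX in /etc/login.defs.

```python
from collections import defaultdict

# Constructed sample in passwd(5) format; not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/false
ntp:x:74:108:NTP daemon:/var/lib/ntp:/bin/false
chrony:x:74:109:Chrony daemon:/var/lib/chrony:/bin/false
alice:x:1000:100:Alice:/home/alice:/bin/bash
broken-line-without-fields
"""


def parse_passwd(text):
    """Yield (name, uid) for each well-formed passwd(5) line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # passwd(5) has exactly seven colon-separated fields; the third is the UID.
        if len(fields) != 7 or not fields[2].isdecimal():
            continue  # skip malformed entries and NIS-style "+" lines
        yield fields[0], int(fields[2])


def shared_uids(text, sys_uid_max=999):
    """Return {uid: {"names": [...], "system": bool}} for UIDs with >1 name.

    sys_uid_max is an assumed threshold for system accounts.
    """
    names = defaultdict(list)
    for name, uid in parse_passwd(text):
        names[uid].append(name)
    return {
        uid: {"names": owners, "system": uid <= sys_uid_max}
        for uid, owners in sorted(names.items())
        if len(owners) > 1
    }


if __name__ == "__main__":
    for uid, info in shared_uids(SAMPLE_PASSWD).items():
        kind = "system" if info["system"] else "regular"
        print(f"uid {uid} ({kind}) shared by: {', '.join(info['names'])}")
```

Files owned by a shared UID are writable by every account that maps to it, so a hit in the system range means those daemons are not separated from each other by file permissions.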