* Bernhard Voelker firstname.lastname@example.org [2014-02-28 11:32]:
On 02/28/2014 10:53 AM, Guido Berhoerster wrote:
I'd like to propose the following addition to the packaging policy regarding users and groups (https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups):
The names of users and groups which are created by a package should be prefixed with an underscore "_". This creates a safe namespace for the distribution and avoids collisions between system group and usernames which are created by packages and regular group and usernames.
I'm afraid I don't get the point.
What are examples of possible collisions? I mean which of the following are subject to collisions on a typical system?
  $ cut -d: -f1 /etc/passwd | head -n -2 | paste -s -d ' '
  at avahi bin colord daemon dnsmasq ftp games gdm lp mail man messagebus news nobody nscd ntop ntp obsrun polkitd postfix pulse root rtkit sshd statd svn tftp usbmux uucp vboxadd wwwrun
Have a look at the link I provided; there are 134 usernames and 139 group names. The point is to have a clean separation between the distribution and admin-controlled group and usernames, i.e. an admin should be able to rely on packages not creating non-prefixed usernames (outside aaa_base).
Second, this will be inconsistent anyway because I don't think that anyone will want to rename e.g. 'root' to '_root' (for which someone already proposed an exemption list).
Yes, in the other thread I already said aaa_base should be exempt so that root, nobody, nogroup and a few others are preserved. aaa_base is installed on every system and only provides a few users/groups.
Third, some daemon user names today are already too long (>8) for tools like ps(1) ...
  $ ps -fu messagebus | cut -c 1-30
  UID        PID  PPID  C STIME
  message+   413     1  0 Feb27
... and therefore an additional "_" makes things worse.
If you look at the above list you'll find quite a few that are already longer than 8 characters. I think there has been support for 32-character names at least since glibc 2.0, which would be 1997. ps can display the username without truncation; it just doesn't do so by default for historical reasons, see http://procps.sourceforge.net/faq.html. It also truncates other columns like the command.