* Ludwig Nussel email@example.com [2014-02-19 11:57]:
Guido Berhoerster wrote:
I think that user/group names fall into downstream territory, is there actually any significant amount of packages which are hardcoded to a certain user/group name? If that is the case, it is undesirable and should be fixed anyway as it should be up to admins who install it manually or distro packagers to decide. And although it is a bit smaller than openSUSE's package base there is already precedent with OpenBSD's user and group names using an underscore prefix for all system accounts in the base system and ports collection.
If there's already an established method to solve the problem that is even better. Do we know if the OpenBSD method has downsides? Does
I'm not aware of anything. From the vcs log this was introduced in 2002 for the base system and has been mandatory for ports since 2003. It does require a bit of work. I did a quick analysis of a checked out ports tree: there are 210 packages introducing system users or groups, approximately 93 have some kind of modification related to user/group names (configuration file, patches), 77 of those have patches related to user/group names, 47 of the patches modify configuration files, 22 patches actually modify code.
any other system use the same schema?
Looking at my FreeBSD system there seems to be some prefixed accounts but that's probably from code imported from OpenBSD e.g. dhclient, I'm not aware of any other systems using such a scheme.
Another question is how to handle the renaming of user/group names in packages. I suppose that could be handled in %pre like this:
    getent group foo >/dev/null && groupmod -n _foo foo
    getent group _foo >/dev/null || groupadd -r _foo
    getent passwd foo >/dev/null && usermod -l _foo foo
    getent passwd _foo >/dev/null || useradd -r -g _foo -d HOMEDIR -s /sbin/nologin -c "user for PACKAGENAME" _foo
Assuming that system users are always in /etc/passwd the most simple way would be
    sed -i -e "/^foo:/s/^/_/" /etc/passwd
I wouldn't enforce that right away though. Having a policy in place for new packages would be a big step already.
Yes, only a gradual transition is possible.
Btw, having system users in /etc/passwd also is kind of ugly as that file is meant to be modified by the admin (like anything in /etc). I was thinking whether it would be feasible to have packages drop a file with their user specification somewhere and have the name service switch read that.
Let's exclude that for now since it is not related to the issue and it opens a whole new can of worms.
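Added example, not part of the original message: a consistency check a packager could run on copies of the account files after renaming the user `foo` to `_foo`. The account records, IDs, the `audio` membership and the helper names are constructed for illustration; the script applies the passwd-only `sed` from the message to the copies and lists the references to the old name that remain in `shadow` and in group member lists.

```shell
#!/bin/sh
# Added example: works only on constructed copies in a temp dir, never on /etc.

# make_sample DIR: write constructed account files for a system user "foo"
# (IDs, the "audio" membership and "alice" are made up for illustration).
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'foo:x:499:499:user for PACKAGENAME:/var/lib/foo:/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'root:*:16000::::::' 'foo:!:16000::::::' > "$1/shadow"
    printf '%s\n' 'root:x:0:' 'foo:x:499:' 'audio:x:492:foo,alice' > "$1/group"
}

# has_key FILE NAME: succeed if a record in FILE has NAME as its first field.
has_key() { awk -F: -v n="$2" '$1 == n { f = 1 } END { exit !f }' "$1"; }

# stale_refs DIR OLD NEW: list what a user rename OLD -> NEW left inconsistent.
stale_refs() {
    dir=$1 old=$2 new=$3
    if has_key "$dir/shadow" "$old"; then
        echo "shadow: record still keyed by $old"
    fi
    if has_key "$dir/passwd" "$new" && ! has_key "$dir/shadow" "$new"; then
        echo "shadow: no record for $new"
    fi
    # Supplementary group members are field 4, comma separated.
    awk -F: -v n="$old" '{ m = split($4, a, ",")
        for (i = 1; i <= m; i++)
            if (a[i] == n) print "group: " $1 " still lists member " n }' "$dir/group"
}

# passwd_only_findings: apply the passwd-only sed from the message to a sample
# copy and print what stale_refs finds afterwards.
passwd_only_findings() {
    d=$(mktemp -d) && make_sample "$d"
    sed -i -e "/^foo:/s/^/_/" "$d/passwd"
    stale_refs "$d" foo _foo
    rm -rf "$d"
}

passwd_only_findings
```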