* Ludwig Nussel:
> Guido Berhoerster wrote:
>> * Jan Engelhardt [2014-02-17 19:26]:
>>> On Monday 2014-02-17 19:02, Guido Berhoerster wrote:
>>>> * Dirk Müller [2014-02-17 18:26]:
>>>>> is there any kind of policy for the name of a user that is created by an opensuse package %pre script? Does it have to match the name of the package? the init script?
>>>>> https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups
>>>>> is quite vague on that.
>>>>> Is there a way to "register" usernames? if so, which one is it? I looked at FHS but couldn't find a good pointer. Is there one?
>>>>
>>>> There isn't, but it would be really helpful to have one, in particular a distribution-wide registry as well as a naming convention that helps to prevent collisions between system user/groupnames and real users.
>>>
>>> I was under the impression SUSE had practically thrown that concept out and shifted away from preallocating in /etc/passwd to using %pre+useradd for most of the packages.
>>
>> I didn't mean preallocating /etc/passwd, just a policy to mandate that system have a certain prefix so admins can easily prevent collisions. A registry could have the form of a wiki page or simple text file so packagers have a quick overview of what names are taken by what package.
>
> I proposed something like that a while ago too [1]. The first step towards that direction was to collect the usernames we already have. The list is in rpmlint [2] now.

That's what I had in mind, good to see it's already implemented. It's not perfect though since a warning only triggers if the package delivers a file or directory owned by the user.

> I don't think we can solve that problem alone though. We need to coordinate with other distros to have some weight against upstreams. So what's missing is a policy draft that could be used to talk to others and someone to drive the initiative.

I think that user/group names fall into downstream territory, is there actually any significant amount of packages which are hardcoded to a certain user/group name? If that is the case, it is undesirable and should be fixed anyway as it should be up to admins who install it manually or distro packagers to decide. And although it is a bit smaller than openSUSE's package base there is already precedent with OpenBSD's user and group names using an underscore prefix for all system accounts in the base system and ports collection.

How about this simple addition to the packaging policy:

    The names of users and groups which are created by a package should start with an underscore "_". This policy aims to avoid collisions between the names of users and groups created by packages and those created by the system administrator.

aaa_base should be exempt from this since it provides a number of accounts which by convention are expected to be present on a UN*X system such as root, bin, daemon, nobody, or nogroup.

Another question is how to handle the renaming of user/group names in packages. I suppose that could be handled in %pre like this:

    getent group foo >/dev/null && groupmod -n _foo foo
    getent group _foo >/dev/null || groupadd -r _foo
    getent passwd foo >/dev/null && usermod -l _foo foo
    getent passwd _foo >/dev/null || useradd -r -g _foo -d HOMEDIR -s /sbin/nologin -c "user for PACKAGENAME" _foo

but in some later release we might want to get rid of this again easily. A macro might help there but break on older releases. Any ideas how that could be handled?

[1] http://lists.opensuse.org/archive/opensuse-packaging/2011-12/msg00183.html
[2] https://build.opensuse.org/package/view_file/openSUSE:Factory/rpmlint/config...

-- 
Guido Berhoerster
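
Added example, not part of the original message: a dry-run planner for the foo -> _foo rename sketched in the %pre snippet above, which also covers the case the snippet does not, namely that both the old and the prefixed name already exist. The function names and the DB_DIR variable are hypothetical; when DB_DIR is set the account databases are read from constructed passwd/group files instead of NSS.

```shell
#!/bin/sh
# Plans the rename without changing any account. Hypothetical helper names.

# exists KIND NAME   (KIND is "passwd" or "group")
# With DB_DIR set, look in $DB_DIR/KIND (constructed data); otherwise use getent.
exists() {
    if [ -n "${DB_DIR:-}" ]; then
        cut -d: -f1 "$DB_DIR/$1" | grep -qxF -- "$2"
    else
        getent "$1" "$2" >/dev/null
    fi
}

# plan_rename KIND OLD NEW: prints rename, create, keep or conflict.
plan_rename() {
    kind=$1 old=$2 new=$3
    if exists "$kind" "$old" && exists "$kind" "$new"; then
        echo conflict   # both names present: renaming would fail
    elif exists "$kind" "$old"; then
        echo rename     # only the unprefixed name: migrate it
    elif exists "$kind" "$new"; then
        echo keep       # already migrated: nothing to do
    else
        echo create     # fresh install
    fi
}

# pre_commands OLD NEW: prints the commands a %pre script would run.
# Returns 1 on a conflict so the caller can stop instead of guessing.
pre_commands() {
    old=$1 new=$2
    for kind in group passwd; do
        action=$(plan_rename "$kind" "$old" "$new")
        case "$kind:$action" in
            group:rename)  echo "groupmod -n $new $old" ;;
            group:create)  echo "groupadd -r $new" ;;
            passwd:rename) echo "usermod -l $new $old" ;;
            passwd:create) echo "useradd -r -g $new -d HOMEDIR -s /sbin/nologin -c 'user for PACKAGENAME' $new" ;;
            *:conflict)    echo "# $kind: both $old and $new exist, merge by hand"
                           return 1 ;;
        esac
    done
}
```

HOMEDIR and PACKAGENAME are the placeholders from the message and must be filled in per package.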