I'd like to propose the following addition to the packaging
policy regarding users and groups:

The names of users and groups which are created by a package
should be prefixed with an underscore "_". This creates a
safe namespace for the distribution and avoids collisions
between system group and usernames which are created by
packages and regular group and usernames.

Existing users and groups can be renamed with the following:

    # rename the group if it exists, otherwise create the prefixed group
    getent group GROUP >/dev/null && groupmod -n _GROUP GROUP
    getent group _GROUP >/dev/null || groupadd -r _GROUP
    # rename the user if it exists, otherwise create the prefixed user
    getent passwd USER >/dev/null && usermod -l _USER USER
    getent passwd _USER >/dev/null || useradd -r -g _GROUP -d HOMEDIR \
        -s /sbin/nologin -c "user for PACKAGENAME" _USER

Group or username collisions can be problematic: if a username
required for a package already exists, the pre-scriptlet will
silently re-use the user/group for the package.
While YaST apparently contains a blacklist preventing the
creation of known system users/groups, this is tedious to maintain
manually and doesn't cover the case where an administrator
creates accounts via useradd/groupadd or maintains users/groups
in LDAP. The lack of a separate namespace also prevents the use
of certain group or usernames which might be desired.

There is precedent for the above policy; it has been implemented
in OpenBSD since 2002/2003 where it requires changes to about
half of the packages that provide users and/or groups. However,
the overwhelming majority are simple configuration file changes
and one-line patches to change hard-coded names (see also
for a the numbers and
for the group and usernames currently in use). This policy should
only be enforced for new packages while existing packages can be
gradually converted; I'd be willing to help with that.
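
The collision case described in the message above, as an added example that is not part of the original post: a check a pre-scriptlet could run on the `getent passwd NAME` output before re-using an existing account. The function names, the sample accounts and the 499 threshold (a stand-in for SYS_UID_MAX from /etc/login.defs) are assumptions.

```shell
#!/bin/sh
# Added example: decide whether an existing account may be re-used by a
# package pre-scriptlet, or whether it collides with a regular account.
# Assumption: UIDs <= SYS_UID_MAX are system accounts (adjust to login.defs).
SYS_UID_MAX=${SYS_UID_MAX:-499}

# classify_account NAME   (passwd-format records on stdin)
# Prints one of: absent | system | collision
# Typical use in a scriptlet: getent passwd NAME | classify_account NAME
# (getent also answers for LDAP-backed accounts, unlike reading /etc/passwd).
classify_account() {
    awk -F: -v name="$1" -v max="$SYS_UID_MAX" '
        $1 == name {
            found = 1
            if ($3 + 0 <= max) print "system"; else print "collision"
            exit
        }
        END { if (!found) print "absent" }
    '
}

# safe_to_reuse NAME   (passwd-format records on stdin)
# Exit status 0 when NAME is absent or a system account, 1 on a collision.
safe_to_reuse() {
    [ "$(classify_account "$1")" != collision ]
}

# Constructed sample records: one prefixed package account and one regular
# account (created by an administrator or served from LDAP) named "backup".
sample_db() {
    cat <<'EOF'
_foo:x:480:480:user for foo:/var/lib/foo:/sbin/nologin
backup:x:1001:100:Backup Operator:/home/backup:/bin/bash
EOF
}

# An unprefixed package user "backup" would silently take over UID 1001;
# the prefixed name "_backup" is still free.
for n in _foo backup _backup; do
    printf '%s: %s\n' "$n" "$(sample_db | classify_account "$n")"
done
```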