Guido Berhoerster wrote:
* Ludwig Nussel [2014-02-18 13:36]:
Guido Berhoerster wrote:
* Jan Engelhardt [2014-02-17 19:26]:
On Monday 2014-02-17 19:02, Guido Berhoerster wrote:
* Dirk Müller [2014-02-17 18:26]:
Is there any kind of policy for the name of a user that is created by an openSUSE package %pre script? Does it have to match the name of the package? the init script?
https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups
is quite vague on that.
Is there a way to "register" usernames? If so, which one is it? I looked at FHS but couldn't find a good pointer. Is there one?
There isn't, but it would be really helpful to have one, in particular a distribution-wide registry as well as a naming convention that helps to prevent collisions between system user/groupnames and real users.
I was under the impression SUSE had practically thrown that concept out and shifted away from preallocating in /etc/passwd to using %pre+useradd for most of the packages.
I didn't mean preallocating /etc/passwd, just a policy to mandate that system have a certain prefix so admins can easily prevent collisions. A registry could have the form of a wiki page or simple text file so packagers have a quick overview of what names are taken by what package.
I proposed something like that a while ago too¹. The first step towards that direction was to collect the usernames we already have. The list is in rpmlint² now.
That's what I had in mind, good to see it's already implemented. It's not perfect though since a warning only triggers if the package delivers a file or directory owned by the user.
Yes. It could be extended to look at the %pre script and check for useradd of course.
I don't think we can solve that problem alone though. We need to coordinate with other distros to have some weight against upstreams. So what's missing is a policy draft that could be used to talk to others and someone to drive the initiative.
I think that user/group names fall into downstream territory, is there actually any significant amount of packages which are hardcoded to a certain user/group name? If that is the case, it is undesirable and should be fixed anyway as it should be up to admins who install it manually or distro packagers to decide. And although it is a bit smaller than openSUSE's package base there is already precedent with OpenBSD's user and group names using an underscore prefix for all system accounts in the base system and ports collection.
If there's already an established method to solve the problem that is even better. Do we know if the OpenBSD method has downsides? Does any other system use the same schema?
Another question is how to handle the renaming of user/group names in packages. I suppose that could be handled in %pre like this:
    getent group foo >/dev/null && groupmod -n _foo foo
    getent group _foo >/dev/null || groupadd -r _foo
    getent passwd foo >/dev/null && usermod -l _foo foo
    getent passwd _foo >/dev/null || useradd -r -g _foo -d HOMEDIR -s /sbin/nologin -c "user for PACKAGENAME" _foo
Assuming that system users are always in /etc/passwd the most simple way would be
    sed -i -e "/^foo:/s/^/_/" /etc/passwd
I wouldn't enforce that right away though. Having a policy in place for new packages would be a big step already.
Btw, having system users in /etc/passwd also is kind of ugly as that file is meant to be modified by the admin (like anything in /etc). I was thinking whether it would be feasible to have packages drop a file with their user specification somewhere and have the name service switch read that.
cu
Ludwig
-- 
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
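
The thread suggests extending the check to look at the %pre script for useradd, alongside an underscore prefix and a registry of taken names. The sketch below is an added example, not part of the original mail and not rpmlint's code. The registry contents, the sample scriptlet, the home directory and the function names are constructed for illustration.

```python
import shlex

# Constructed registry (name -> owning package); stands in for a shared list.
REGISTRY = {"_foo": "foo", "_bar": "bar-server"}

# Constructed %pre scriptlet modelled on the snippet quoted in the thread.
SAMPLE_PRE = '''\
getent group _foo >/dev/null || groupadd -r _foo
getent passwd _foo >/dev/null || useradd -r -g _foo -d /var/lib/foo \\
    -s /sbin/nologin -c "user for foo" _foo
getent passwd bar >/dev/null || /usr/sbin/useradd -r bar 2>/dev/null
getent group _bar >/dev/null || groupadd -r _bar
'''

def commands(script):
    """Yield the argv of each simple command, with redirections dropped."""
    for line in script.replace("\\\n", " ").splitlines():
        lex = shlex.shlex(line, posix=True, punctuation_chars=True)
        lex.whitespace_split = True
        argv, redirected = [], False
        for tok in list(lex) + [";"]:           # sentinel flushes the last command
            if tok and set(tok) <= set("();|&<>"):
                if "<" in tok or ">" in tok:    # redirection: ignore its target
                    if argv and argv[-1].isdigit():
                        argv.pop()              # fd number, as in "2>"
                    redirected = True
                else:                           # &&, ||, ;, | end the command
                    if argv:
                        yield argv
                    argv, redirected = [], False
            elif not redirected:
                argv.append(tok)

def check_scriptlet(script, package, registry=REGISTRY, prefix="_"):
    """Return (kind, name, problem) for each useradd/groupadd that breaks policy."""
    findings = []
    for argv in commands(script):
        tool = argv[0].rsplit("/", 1)[-1]
        if tool not in ("useradd", "groupadd") or len(argv) < 2 or argv[-1].startswith("-"):
            continue
        kind = "user" if tool == "useradd" else "group"
        name = argv[-1]                         # LOGIN/GROUP is the last argument
        if not name.startswith(prefix):
            findings.append((kind, name, "missing-prefix"))
        owner = registry.get(name)
        if owner not in (None, package):
            findings.append((kind, name, "taken-by:" + owner))
    return findings
```

Calling `check_scriptlet(SAMPLE_PRE, "foo")` reports the unprefixed user `bar` and the group `_bar` that the constructed registry assigns to another package. Redirections that appear before the account name are not handled.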