From: Paul de Vrieze
To: gentoo-dev@gentoo.org
Date: Sat, 31 May 2003 11:32:51 +0200
Subject: Re: [gentoo-dev] Assigning unique system uid/gid for new ebuild

On Saturday 31 May 2003 10:53, Martin Lesser wrote:
>
> 1. Several uid's/gid's differ from other distris (debian i.e. assigns
>    31/32 for postgres, gentoo uses 70/70 for postgres but 31/31 for
>    squid, so having both distris on different hosts leads to really
>    'funny' results if you also use a central user repository or try to
>    merge both passwd-files, see 3.)
>
>    If you have access to a running debian system look at
>    /usr/share/base-passwd/passwd.master

IMHO applications should not care about the actual uid's/gid's they have, only
that they can find theirs from the passwd database. Applications that need
hard uids/gids should be patched. (Of course it should be possible to ensure
the existence of a particular username/groupname before the configuration
step. But that is possible in current portage.)

> 2. In /etc/passwd from baselayout there are several users predefined
>    which are really unnecessary on many systems. Why do I need a user
>    games? Or squid on a host which never runs a proxy or another proxy
>    like oops? Etc.
>

You are right, apps should request their own users/groups if needed.

> 3. If one runs openldap for authentication and nss one doesn't want to
>    maintain two sources of uid/gid's which - if you run different
>    distris - may conflict in an odd way.
>

Normally in such a setup it makes very much sense to have system users such as
root and service users (for daemons) to be still in passwd, and have only
real users (uid>1000 or whatever is defined) be served by the ldap database.
This makes sure that the system is still working even if the ldap server is
offline. (Also put at least one account in passwd that allows ssh logins.)

> IMO a clearer approach could be:
>
> 1. The predefined entries in /etc/passwd should be reduced to exactly 1
>    entry for root, all other (system-)users could be created dynamically
>    by the ebuilds without assigning a fixed uid/gid.
>

Almost agreed, users like nobody and others are also required in baselayout,
but the idea is ok.

> 2. The current ebuilds which assign _fixed_ uids/gids could be fixed so
>    they don't use the appropriate useradd/groupadd options any longer.

They should be indeed.

> I don't see any benefits of developing and/or maintaining a predefined
> /etc/passwd with more than exactly one entry for root.

Agreed except the need for a few more predefined users/groups (The users
group is for example also required)

Paul

-- 
Paul de Vrieze
Researcher
Mail: pauldv@cs.kun.nl
Homepage: http://www.devrieze.net
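
The merge problem from point 1 of the thread (one uid meaning different accounts on different hosts), as an added example that is not part of the original message: a Python check that compares passwd sources before they are merged or put behind a central directory. The host labels, home directories and shells in the sample data are constructed; the postgres and squid ids are the ones quoted above.

```python
from collections import defaultdict

# Constructed sample entries. Only the postgres/squid ids come from the thread.
DEBIAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:31:32:postgres:/var/lib/postgres:/bin/sh
"""
GENTOO_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:70:70:postgres:/var/lib/postgresql:/bin/bash
squid:x:31:31:squid:/var/cache/squid:/bin/false
"""


def parse_passwd(text):
    """Return {name: uid} for well-formed passwd(5) lines; skip comments and junk."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users


def find_conflicts(sources):
    """sources: {host_label: passwd_text}. Returns (name_conflicts, uid_conflicts)."""
    by_name = defaultdict(dict)                      # name -> {host: uid}
    by_uid = defaultdict(lambda: defaultdict(set))   # uid -> name -> {hosts}
    for host, text in sources.items():
        for name, uid in parse_passwd(text).items():
            by_name[name][host] = uid
            by_uid[uid][name].add(host)
    # Same account name, different numeric id depending on the host.
    name_conflicts = {n: dict(h) for n, h in by_name.items()
                      if len(set(h.values())) > 1}
    # Same numeric id, different account: files owned by one service on a
    # shared volume appear owned by the other service elsewhere.
    uid_conflicts = {u: {n: sorted(h) for n, h in names.items()}
                     for u, names in by_uid.items() if len(names) > 1}
    return name_conflicts, uid_conflicts


if __name__ == "__main__":
    names, uids = find_conflicts({"debian": DEBIAN_PASSWD, "gentoo": GENTOO_PASSWD})
    for name, hosts in names.items():
        print(f"name {name!r} has different uids: {hosts}")
    for uid, owners in uids.items():
        print(f"uid {uid} maps to different accounts: {owners}")
```

A uid conflict is the case to resolve before sharing storage or a directory between hosts, since file ownership is stored by number, not by name.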