From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 04C4B138350
	for ; Sun, 19 Jan 2020 19:27:30 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 06502E09A8;
	Sun, 19 Jan 2020 19:27:27 +0000 (UTC)
Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 9F10CE099B
	for ; Sun, 19 Jan 2020 19:27:26 +0000 (UTC)
Received: from [192.168.1.100] (c-98-218-46-55.hsd1.md.comcast.net [98.218.46.55])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: mjo)
	by smtp.gentoo.org (Postfix) with ESMTPSA id BF6A134E255
	for ; Sun, 19 Jan 2020 19:27:25 +0000 (UTC)
Subject: Re: [gentoo-dev] GLEP81 and /home
To: gentoo-dev@lists.gentoo.org
References: <825bd707-faa2-f956-edbb-a11a8d82296b@gentoo.org>
	<2313c928-6c17-394c-d437-b5ad1f76ecea@gentoo.org>
	<4c60e5c5-92ce-09f0-09c5-a7338bb9cfb3@gentoo.org>
From: Michael Orlitzky
Message-ID: <21efee36-dcc8-bb14-9fb9-0d6b2abf8c8d@gentoo.org>
Date: Sun, 19 Jan 2020 14:27:23 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
In-Reply-To:
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 54eeccb7-c93a-4818-b662-0d215b929ba2
X-Archives-Hash: aa95b65a1243d71684600c59a5faad30

On 1/19/20 2:02 PM, Rich Freeman wrote:
>
>> If you're sharing /home, you also have to be sharing user accounts,
>> unless you want everyone to be assigned a random set of files.
>
> I imagine that most people setting up something like this would only
> be sharing high-value UIDs (>1000 in our case). There is no need for
> postfix on your Gentoo box and postfix on your Debian box to have the
> same UID. You wouldn't be sshing from postfix on the one to postfix
> on the other and expecting to have the same home directory contents.
>

You can't do that. If you're going to mount files from one system onto
another system, using only an integer <--> username mapping as your
access control mechanism, then you'd better be damn sure that those
integers and usernames match on all systems. Otherwise I might wind up
sharing /home/mjo to rich0 because the "mjo" and "rich0" groups both
have gid 1000 locally.

> Since it is a local account, not in /home, then it would be a separate
> user even if the UID is the same (or otherwise). You'd set up amavis
> on each mail server. They might be running different distros. They
> would be using local users.
>
> Don't get me wrong, it would be cleaner if POSIX users had a scope the
> way that an OS like Windows does it, but it isn't a big deal if you
> use high-numbered UIDs for shared users, and low-numbered UIDs for
> local users.

It's a huge deal. Random users/groups can access your files if the
databases don't agree. The local/remote user distinction does not exist.

>> Everything is fine here, this all works and has worked for 20 years.
>
> Sure, it works fine if you have a single host, or do nothing to share
> your home directories, which I imagine is what 95% of Gentoo users do.
> I doubt most Gentoo users even encrypt /home, even though this has
> been standard for most of those 20 years on just about every major
> distro out there.
>
> If a user wants to put this stuff in /home we should certainly support
> that, and it would work fine if the user sets up the account properly
> before installing the package. They might get a QA warning, but that
> is the user's concern.

We've talked this to death. Barring any new evidence, /home still seems
like the best place for these, and I don't want to put them in the wrong
spot (forcing users to migrate) just to appease a QA warning from before
GLEP81 was a thing.
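The check the reply above says an administrator had better be sure of, written out as an added example (not code from this thread, from Gentoo or from GLEP 81): a small Python script that takes /etc/passwd and /etc/group contents from several hosts sharing a /home export and flags every uid or gid that resolves to different names on different hosts (the "mjo"/"rich0" both at 1000 case), plus every name that resolves to different ids (the postfix case). The passwd and group excerpts, the host labels and the min_id threshold are constructed for illustration.

```python
"""Cross-host UID/GID consistency check for a shared /home export.

Added example, not part of the gentoo-dev thread. The /etc/passwd and
/etc/group excerpts below are constructed; on a real deployment you would
read the files from each host and pass their contents in.
"""
from collections import defaultdict

# Constructed excerpts. Both hosts hand out uid/gid 1000 to their first
# local user, but to different people; "postfix" is a system account that
# gets a different uid/gid on each distro.
PASSWD = {
    "gentoo": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "postfix:x:207:207:postfix:/var/spool/postfix:/sbin/nologin\n"
        "mjo:x:1000:1000:Michael:/home/mjo:/bin/bash\n"
    ),
    "debian": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "postfix:x:105:111::/var/spool/postfix:/usr/sbin/nologin\n"
        "rich0:x:1000:1000:Rich:/home/rich0:/bin/bash\n"
    ),
}
GROUP = {
    "gentoo": "root:x:0:\npostfix:x:207:\nmjo:x:1000:\n",
    "debian": "root:x:0:\npostfix:x:111:\nrich0:x:1000:\n",
}


def parse_ids(text):
    """Return {numeric id: name} from passwd- or group-formatted text.

    Field 0 is the name and field 2 is the uid (passwd) or gid (group).
    Blank lines and comments are skipped; a malformed line raises so a
    truncated file is never silently reported as consistent.
    """
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected name:x:id, got {line!r}")
        mapping[int(fields[2])] = fields[0]
    return mapping


def id_conflicts(per_host, min_id=0):
    """Ids that resolve to *different names* on different hosts.

    This is the dangerous case on a shared export: the same number on
    disk means one person here and another person there. Ids below
    min_id are ignored so a "only high ids are shared" policy can be
    evaluated on its own terms.
    """
    names = defaultdict(dict)
    for host, text in per_host.items():
        for num, name in parse_ids(text).items():
            if num >= min_id:
                names[num][host] = name
    return {num: hosts for num, hosts in names.items()
            if len(set(hosts.values())) > 1}


def name_conflicts(per_host):
    """Names that resolve to *different ids* on different hosts.

    Files such an account writes into the shared tree are owned by a
    different account (or by nobody) when viewed from the other side.
    """
    ids = defaultdict(dict)
    for host, text in per_host.items():
        for num, name in parse_ids(text).items():
            ids[name][host] = num
    return {name: hosts for name, hosts in ids.items()
            if len(set(hosts.values())) > 1}


def report(per_host_passwd, per_host_group, min_id=0):
    """Print a summary; return True only when no conflict was found."""
    ok = True
    for label, data in (("uid", per_host_passwd), ("gid", per_host_group)):
        for num, hosts in sorted(id_conflicts(data, min_id).items()):
            ok = False
            print(f"{label} {num} maps to different names: {hosts}")
    for label, data in (("user", per_host_passwd), ("group", per_host_group)):
        for name, hosts in sorted(name_conflicts(data).items()):
            ok = False
            print(f"{label} {name!r} has different ids: {hosts}")
    return ok


if __name__ == "__main__":
    report(PASSWD, GROUP)
```

Run against the constructed data the script reports uid 1000 and gid 1000 resolving to "mjo" on one host and "rich0" on the other, and "postfix" carrying different ids on each host; raising min_id above 1000 hides the first finding but not the second, which is the point of checking both directions before trusting an integer-to-name mapping as access control.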