Date: Tue, 21 Jan 2020 18:24:16 +0000
From: "Robin H. Johnson"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 0/2] allow acct-user home directories in /home
References: <20200120034350.27108-1-mjo@gentoo.org>

On Mon, Jan 20, 2020 at 06:07:06PM -0500, Michael Orlitzky wrote:
> As I've said, a human uses the "amavis" account.

I think this statement here needs a bit of expansion, and thus more clarity happens.

Your aforementioned human generally doesn't use the 'amavis' account in the same way that they might use a normal account. They don't expect to log in to it with GNOME/SSH and run typical user applications (LibreOffice, NetHack etc.).

It's a system account that CAN get configured by a human manually becoming that user, either by login or by means of changing effective UID (su, sudo, doas, ksu, pmrun, runas, ...).

For a more secure environment, I would expect amavis to never have a password and thus not be subject to normal login flows.

Gentoo Infra manages amavis & spamd without logging in as a human: configuration management is used to change settings & files.

From this, I posit that something OUTSIDE of /home is the most-correct location. /srv or /var.

Upstream uses /var/amavis
Debian uses /var/lib/amavis

I'm sympathetic to past users who have /home/amavisd and need to migrate it, but such is the nature of sysadmin life.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
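
The two properties argued for in the mail above (a service account with no usable password and a home outside /home) can be checked mechanically. The following is an added example, not part of the original mail or of any Gentoo tooling: a POSIX shell function that audits passwd/shadow-format files. The function names, the UID boundary of 1000 and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag service accounts that have a home under /home or a
# usable password. Usage: audit_system_accounts PASSWD_FILE SHADOW_FILE [UID_MIN]
# UID_MIN defaults to 1000, an assumed boundary between system and human UIDs.
audit_system_accounts() {
    awk -F: -v uid_min="${3:-1000}" '
        # First file (shadow): remember the password field of each account.
        FILENAME == ARGV[1] { pw[$1] = $2; next }
        # Second file (passwd): skip comments, short lines, root and humans.
        /^#/ || NF < 7 || $3 + 0 == 0 || $3 + 0 >= uid_min + 0 { next }
        $6 == "/home" || index($6, "/home/") == 1 {
            printf "%s: home %s is under /home\n", $1, $6
        }
        # An empty field means no password is required at all.
        ($1 in pw) && pw[$1] == "" { printf "%s: empty password field\n", $1 }
        # A field starting with "!" or "*" cannot match any password.
        ($1 in pw) && pw[$1] != "" && pw[$1] !~ /^[!*]/ {
            printf "%s: password login enabled\n", $1
        }
    ' "$2" "$1"
}

# Constructed sample data; the hashes are placeholders, not real crypt output.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
amavis:x:108:108:constructed entry:/home/amavis:/sbin/nologin
spamd:x:109:109::/var/lib/spamd:/sbin/nologin
backup:x:110:110::/var/backup:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$CONSTRUCTED$placeholder:18282::::::
amavis:!:18282::::::
spamd:*:18282::::::
backup:$6$CONSTRUCTED$placeholder:18282::::::
alice:$6$CONSTRUCTED$placeholder:18282::::::
EOF
    audit_system_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}
demo
```

On a live host the function would be pointed at /etc/passwd and /etc/shadow, and reading the latter requires root.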