1 |
<warning type="bikeshed"> |
2 |
|
3 |
Whissi's patch in itself is a good step forward, but I don't feel it |
4 |
goes far enough, nor promotes better defaults for the unmodified cases. |
5 |
|
6 |
On Mon, Jan 04, 2021 at 02:35:58AM +0100, Thomas Deutschmann wrote: |
7 |
> Modifying an existing user is a bad default and makes Gentoo |
8 |
> special because it is common for system administrators to make |
9 |
> modifications to user (i.e. putting an user into another service's |
10 |
> group to allow that user to access service in question) and it |
11 |
> would be unexpected to see these changes reverted during normal |
12 |
> world upgrade (which could break services). |
13 |
> |
14 |
> This commit will make Gentoo behave like any other Linux distribution |
15 |
> by respecting any user modifications by default. However, we will retain |
16 |
> the functionality to reset system user and groups and users interested |
17 |
> in this feature can opt-in by setting |
18 |
> ACCT_USER_ALLOW_EXISTING_USER_TO_BE_MODIFIED to a non-zero value in |
19 |
> their make.conf. |
20 |
No default is good, and that's the mess here. The problem has started to |
21 |
happen in other distros as well, not just Gentoo. usermod/gpasswd in RPM |
22 |
specfiles, as well as Debian controls. |
23 |
|
24 |
As a sysadmin, I don't want stuff messing with the system users I have |
25 |
in place; but if upstream requirements change on a package impacting |
26 |
user/group layout, I also expect packaging to track it. Many years ago, |
27 |
qmail did this, introducing an additional user to further separate |
28 |
privileges. |
29 |
|
30 |
Unfortunately, these two things are in conflict, and I don't feel there |
31 |
is an easy answer. |
32 |
|
33 |
It's NOT the binary decision of: |
34 |
- let packagers change system user |
35 |
- force sysadmins to always change users manually |
36 |
|
37 |
Nor a single knob that selects between that binary. |
38 |
|
39 |
We need a compromise. |
40 |
|
41 |
The best I can come up with at the moment, is that any packaging should |
42 |
detect if there are user modifications, and provide control to users |
43 |
based on that fact. |
44 |
|
45 |
- if unmodified: interactive, or auto-accept, or deny |
46 |
- if modified: interactive, or auto-accept, or deny |
47 |
|
48 |
These are two distinct config knobs (I'm ok with a default value that |
49 |
populates both of them). |
50 |
|
51 |
This leads to secondary parts: |
52 |
- what if the packaging change regarding users/groups is absolutely |
53 |
mandatory for the new version of a package to work correctly? |
54 |
- what about conflicting user requirements? Antarus raised the HOMEDIR |
55 |
of the git user for gitolite vs gitea. |
56 |
|
57 |
I think in this case, the packages should detect the problematic |
58 |
conditions and abort, in pkg_pretend and/or pkg_setup (thinking about |
59 |
binpkgs here, pkg_pretend might be too early if acct-user/X needs to |
60 |
merged before the check is expected to succeed). |
61 |
|
62 |
These checks MUST be in the package that consumes/depends on acct-user |
63 |
or acct-group packages. Yes, this means constants are likely to be |
64 |
duplicated, but I'm ok with that, because they are also likely to be |
65 |
specifically versioned. |
66 |
|
67 |
</warning> |
68 |
|
69 |
-- |
70 |
Robin Hugh Johnson |
71 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
72 |
E-Mail : robbat2@g.o |
73 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
74 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |