| 1 |
<warning type="bikeshed"> |
| 2 |
|
| 3 |
Whissi's patch in itself is a good step forward, but I don't feel it |
| 4 |
goes far enough, nor promotes better defaults for the unmodified cases. |
| 5 |
|
| 6 |
On Mon, Jan 04, 2021 at 02:35:58AM +0100, Thomas Deutschmann wrote: |
| 7 |
> Modifying an existing user is a bad default and makes Gentoo |
| 8 |
> special because it is common for system administrators to make |
| 9 |
> modifications to user (i.e. putting an user into another service's |
| 10 |
> group to allow that user to access service in question) and it |
| 11 |
> would be unexpected to see these changes reverted during normal |
| 12 |
> world upgrade (which could break services). |
| 13 |
> |
| 14 |
> This commit will make Gentoo behave like any other Linux distribution |
| 15 |
> by respecting any user modifications by default. However, we will retain |
| 16 |
> the functionality to reset system user and groups and users interested |
| 17 |
> in this feature can opt-in by setting |
| 18 |
> ACCT_USER_ALLOW_EXISTING_USER_TO_BE_MODIFIED to a non-zero value in |
| 19 |
> their make.conf. |
| 20 |
No default is good, and that's the mess here. The problem has started to |
| 21 |
happen in other distros as well, not just Gentoo. usermod/gpasswd in RPM |
| 22 |
specfiles, as well as Debian controls. |
| 23 |
|
| 24 |
As a sysadmin, I don't want stuff messing with the system users I have |
| 25 |
in place; but if upstream requirements change on a package impacting |
| 26 |
user/group layout, I also expect packaging to track it. Many years ago, |
| 27 |
qmail did this, introducing an additional user to further separate |
| 28 |
privileges. |
| 29 |
|
| 30 |
Unfortunately, these two things are in conflict, and I don't feel there |
| 31 |
is an easy answer. |
| 32 |
|
| 33 |
It's NOT the binary decision of: |
| 34 |
- let packagers change system user |
| 35 |
- force sysadmins to always change users manually |
| 36 |
|
| 37 |
Nor a single knob that selects between that binary. |
| 38 |
|
| 39 |
We need a compromise. |
| 40 |
|
| 41 |
The best I can come up with at the moment, is that any packaging should |
| 42 |
detect if there are user modifications, and provide control to users |
| 43 |
based on that fact. |
| 44 |
|
| 45 |
- if unmodified: interactive, or auto-accept, or deny |
| 46 |
- if modified: interactive, or auto-accept, or deny |
| 47 |
|
| 48 |
These are two distinct config knobs (I'm ok with a default value that |
| 49 |
populates both of them). |
| 50 |
|
| 51 |
This leads to secondary parts: |
| 52 |
- what if the packaging change regarding users/groups is absolutely |
| 53 |
mandatory for the new version of a package to work correctly? |
| 54 |
- what about conflicting user requirements? Antarus raised the HOMEDIR |
| 55 |
of the git user for gitolite vs gitea. |
| 56 |
|
| 57 |
I think in this case, the packages should detect the problematic |
| 58 |
conditions and abort, in pkg_pretend and/or pkg_setup (thinking about |
| 59 |
binpkgs here, pkg_pretend might be too early if acct-user/X needs to |
| 60 |
merged before the check is expected to succeed). |
| 61 |
|
| 62 |
These checks MUST be in the package that consumes/depends on acct-user |
| 63 |
or acct-group packages. Yes, this means constants are likely to be |
| 64 |
duplicated, but I'm ok with that, because they are also likely to be |
| 65 |
specifically versioned. |
| 66 |
|
| 67 |
</warning> |
| 68 |
|
| 69 |
-- |
| 70 |
Robin Hugh Johnson |
| 71 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
| 72 |
E-Mail : robbat2@g.o |
| 73 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 74 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives