1 |
On Wed, 2019-05-29 at 11:50 +0200, Jaco Kroon wrote: |
2 |
> Hi Michal, |
3 |
> |
4 |
> This sounds sensible and is an interesting approach. I kinda like it. |
5 |
> |
6 |
> There is only one technical comment I have based on the earlier |
7 |
> discussion, not addressed. |
8 |
> |
9 |
> What if users needs to be created into a centralized UID/GID system to |
10 |
> be pulled in via nss? |
11 |
> |
12 |
> So calling system tools by default is fine, but what if the sysadmin |
13 |
> would prefer to have users and groups pushed into ldap? Can we at least |
14 |
> accomodate a hook mechanism to allow system administrators not relying |
15 |
> on local users to deal with this? |
16 |
|
17 |
We kinda have hooks already. Just drop your 'useradd' etc. replacements |
18 |
into /usr/local/bin, and tadaam! KISS all the way. |
19 |
|
20 |
> My personal rule of thumb is that system users are (and should be) |
21 |
> local. But there are definite use cases where shared "system uids" are |
22 |
> a definite legitimate requirement. |
23 |
> |
24 |
> The one complaint I do have is repo bloat. |
25 |
> |
26 |
> Further comments below. |
27 |
> |
28 |
> Kind Regards, |
29 |
> Jaco |
30 |
> |
31 |
> On 2019/05/29 09:28, Michał Górny wrote: |
32 |
> > Motivation |
33 |
> > ========== |
34 |
> > |
35 |
> > User management in Gentoo is currently ad-hoc. Users and groups are |
36 |
> > created through calling system tools directly in packages needing them. |
37 |
> > There is no systematic way of tracking which packages need specific |
38 |
> > users or groups, and determining which ones are obsolete. Coordinating |
39 |
> > properties of users and groups used by multiple packages must be done |
40 |
> > manually by developers. |
41 |
> > |
42 |
> > GLEP 27 originally attempted to address the problem. Posted in 2004, |
43 |
> > it never had reached the reference implementation state, and became |
44 |
> > obsolete. [#GLEP27]_ |
45 |
> > |
46 |
> > A good system user and group management proposal should address: |
47 |
> > |
48 |
> > 1. Tracking usage of users and groups, and determining which ones |
49 |
> > are obsolete. |
50 |
> > |
51 |
> > 2. Sharing users and groups reliably between different packages. |
52 |
> > |
53 |
> > 3. Maintaining fixed UIDs/GIDs that are consistent between different |
54 |
> > systems. |
55 |
> > |
56 |
> > 4. Providing local overrides for user/group properties. |
57 |
> > |
58 |
> > 5. Ensuring that users and groups are not created unnecessarily |
59 |
> > at build time. |
60 |
> > |
61 |
> > At the same time, the proposal should avoid unnecessary complexity |
62 |
> > to avoid sharing the fate of GLEP 27. This proposal aims to address |
63 |
> > those points without requiring a new EAPI or any changes in the package |
64 |
> > manager. |
65 |
> |
66 |
> This looks good. I'd add "6. Allow for centralized management of users |
67 |
> and/or groups" (in order to cover management via for example ldap). |
68 |
|
69 |
I thought this is implied by other points but I guess saying it |
70 |
explicitly doesn't hurt. |
71 |
|
72 |
> |
73 |
> > Maintaining users/groups |
74 |
> > ------------------------ |
75 |
> > |
76 |
> > The primary technical function of user and group packages is to create |
77 |
> > the users and groups. This is done via invoking the respective system |
78 |
> > tools at ``pkg_preinst`` phase. This is done only if the user/group |
79 |
> > does not exist on the system already. |
80 |
> |
81 |
> I would recommend that this be handled via an eclass that deals with the |
82 |
> technicalities. The package then does something like: |
83 |
|
84 |
This is the plan. There is already an old version in mjo's overlay, |
85 |
and I'm planning to put a new one today for review. |
86 |
|
87 |
> |
88 |
> inherit userpackage |
89 |
> |
90 |
> USER_NAME=mail |
91 |
> USER_UID=8 |
92 |
> USER_PRIMARY_GROUP=mail |
93 |
> USER_FORCE_UID=yes |
94 |
> |
95 |
> DEPEND=group/mail |
96 |
> RDEPEND=group/mail |
97 |
> |
98 |
> And that ends up being the whole package. Similar for groups. Even the |
99 |
> R?DEPEND can probably go into the eclass. |
100 |
> |
101 |
> The eclass can then potentially support external hooks or something to |
102 |
> accomodate 6. above. |
103 |
> |
104 |
> > User/group name/identifier collision detection |
105 |
> > ---------------------------------------------- |
106 |
> > |
107 |
> > The user/group packages can install additional files in subdirectories |
108 |
> > of ``/var/lib`` indicating their respective names and identifiers. |
109 |
> > This ensures that if two packages ever happen to collide, the package |
110 |
> > manager's collision detection mechanism will trigger. |
111 |
> |
112 |
> Ulrich also commented on this. How about enforcing a mapping from |
113 |
> $USER_NAME to package name? (ie, just replace all characters not |
114 |
> allowed in package naming with _ or -. |
115 |
> |
116 |
> Same as Ulrich I struggle to see any use-case where this would be an |
117 |
> issue, but artificial or not it's probably a good idea to deal with it |
118 |
> somehow. |
119 |
|
120 |
This is not so simple. The main concern are names like 'foo-1'. But I |
121 |
guess we can leave it out for now, and address it when we actually have |
122 |
a need for such user/group. |
123 |
|
124 |
> |
125 |
> > Naming rules |
126 |
> > ------------ |
127 |
> > |
128 |
> > It has been pointed out that the package naming rules are more |
129 |
> > restrictive than user/group naming rules. This is why the proposal |
130 |
> > allows for package names to be different from user/group names. |
131 |
> > However, this is strongly discouraged and should only be used when |
132 |
> > really necessary. |
133 |
> |
134 |
> I would personally disallow it and enforce a mapping from username to |
135 |
> package name. The question then however is if two names map to the same |
136 |
> package (which would be confusing to begin with) how to deal with that. |
137 |
> |
138 |
> > User/group updates |
139 |
> > ------------------ |
140 |
> > |
141 |
> > If sysadmin needs to change the properties (e.g. home directory) of some |
142 |
> > user/group, the obvious course of action is to modify the system |
143 |
> > databases directly. The GLEP aims to respect that and disallow altering |
144 |
> > existing user/groups unconditionally. If any updates need to be done, |
145 |
> > the packages need to verify previous values first. |
146 |
> |
147 |
> "If any updates need to be done, the package need to verify previous |
148 |
> values first." conflicts with "disallow altering existing user/groups |
149 |
> unconditionally". I'd rephrase as "If any updates need to be done, |
150 |
> refer those to the system administrator." |
151 |
|
152 |
I suppose the meaning of 'unconditionally' is ambiguous here. |
153 |
|
154 |
> |
155 |
> > User/group removal |
156 |
> > ------------------ |
157 |
> > |
158 |
> > The original proposal attempted to remove user/groups automatically |
159 |
> > when the respective package was unmerged. This required verifying that |
160 |
> > no files are owned by the user/group in question which was both |
161 |
> > expensive in terms of I/O, and fragile. |
162 |
> > |
163 |
> > This GLEP follows the best practice of leaving obsolete user/groups |
164 |
> > accounts intact. This guarantees that no files with stale ownership are |
165 |
> > left (e.g. on unmounted filesystems) and that the same UID/GID is not |
166 |
> > reused for another user/group. |
167 |
> |
168 |
> The type of checks for both this and certain updates contemplated above |
169 |
> are similar. And expensive (resources) as you rightly say. I would |
170 |
> provide the tools to perform these checks but in the ebuild I'd rather |
171 |
> the checks be done asap (pkg_pretend?). If we can fail there and |
172 |
> stating what the admin should do to rectify the issue that would be the |
173 |
> best solution in my personal opinion. Ie, from the package manager I'd |
174 |
> state how, but not actually action these changes. |
175 |
> |
176 |
> I would suggest the GLEP restrict the scope of responsibility in this |
177 |
> respect. I would recommend ensuring that the account is locked at last. |
178 |
|
179 |
Yes, I've forgotten about this part. Locking it out is a good idea. |
180 |
|
181 |
> Would repoman be able to validate unique UID and GID assignments for |
182 |
> these user/ and group/ packages and enforce use of an eclass for these |
183 |
> packages? |
184 |
> |
185 |
|
186 |
Not in the current design. PkgCheck should be able to handle this |
187 |
though. |
188 |
|
189 |
-- |
190 |
Best regards, |
191 |
Michał Górny |