| 1 |
On Wed, 2019-05-29 at 11:50 +0200, Jaco Kroon wrote: |
| 2 |
> Hi Michal, |
| 3 |
> |
| 4 |
> This sounds sensible and is an interesting approach. I kinda like it. |
| 5 |
> |
| 6 |
> There is only one technical comment I have based on the earlier |
| 7 |
> discussion, not addressed. |
| 8 |
> |
| 9 |
> What if users needs to be created into a centralized UID/GID system to |
| 10 |
> be pulled in via nss? |
| 11 |
> |
| 12 |
> So calling system tools by default is fine, but what if the sysadmin |
| 13 |
> would prefer to have users and groups pushed into ldap? Can we at least |
| 14 |
> accomodate a hook mechanism to allow system administrators not relying |
| 15 |
> on local users to deal with this? |
| 16 |
|
| 17 |
We kinda have hooks already. Just drop your 'useradd' etc. replacements |
| 18 |
into /usr/local/bin, and tadaam! KISS all the way. |
| 19 |
|
| 20 |
> My personal rule of thumb is that system users are (and should be) |
| 21 |
> local. But there are definite use cases where shared "system uids" are |
| 22 |
> a definite legitimate requirement. |
| 23 |
> |
| 24 |
> The one complaint I do have is repo bloat. |
| 25 |
> |
| 26 |
> Further comments below. |
| 27 |
> |
| 28 |
> Kind Regards, |
| 29 |
> Jaco |
| 30 |
> |
| 31 |
> On 2019/05/29 09:28, Michał Górny wrote: |
| 32 |
> > Motivation |
| 33 |
> > ========== |
| 34 |
> > |
| 35 |
> > User management in Gentoo is currently ad-hoc. Users and groups are |
| 36 |
> > created through calling system tools directly in packages needing them. |
| 37 |
> > There is no systematic way of tracking which packages need specific |
| 38 |
> > users or groups, and determining which ones are obsolete. Coordinating |
| 39 |
> > properties of users and groups used by multiple packages must be done |
| 40 |
> > manually by developers. |
| 41 |
> > |
| 42 |
> > GLEP 27 originally attempted to address the problem. Posted in 2004, |
| 43 |
> > it never had reached the reference implementation state, and became |
| 44 |
> > obsolete. [#GLEP27]_ |
| 45 |
> > |
| 46 |
> > A good system user and group management proposal should address: |
| 47 |
> > |
| 48 |
> > 1. Tracking usage of users and groups, and determining which ones |
| 49 |
> > are obsolete. |
| 50 |
> > |
| 51 |
> > 2. Sharing users and groups reliably between different packages. |
| 52 |
> > |
| 53 |
> > 3. Maintaining fixed UIDs/GIDs that are consistent between different |
| 54 |
> > systems. |
| 55 |
> > |
| 56 |
> > 4. Providing local overrides for user/group properties. |
| 57 |
> > |
| 58 |
> > 5. Ensuring that users and groups are not created unnecessarily |
| 59 |
> > at build time. |
| 60 |
> > |
| 61 |
> > At the same time, the proposal should avoid unnecessary complexity |
| 62 |
> > to avoid sharing the fate of GLEP 27. This proposal aims to address |
| 63 |
> > those points without requiring a new EAPI or any changes in the package |
| 64 |
> > manager. |
| 65 |
> |
| 66 |
> This looks good. I'd add "6. Allow for centralized management of users |
| 67 |
> and/or groups" (in order to cover management via for example ldap). |
| 68 |
|
| 69 |
I thought this is implied by other points but I guess saying it |
| 70 |
explicitly doesn't hurt. |
| 71 |
|
| 72 |
> |
| 73 |
> > Maintaining users/groups |
| 74 |
> > ------------------------ |
| 75 |
> > |
| 76 |
> > The primary technical function of user and group packages is to create |
| 77 |
> > the users and groups. This is done via invoking the respective system |
| 78 |
> > tools at ``pkg_preinst`` phase. This is done only if the user/group |
| 79 |
> > does not exist on the system already. |
| 80 |
> |
| 81 |
> I would recommend that this be handled via an eclass that deals with the |
| 82 |
> technicalities. The package then does something like: |
| 83 |
|
| 84 |
This is the plan. There is already an old version in mjo's overlay, |
| 85 |
and I'm planning to put a new one today for review. |
| 86 |
|
| 87 |
> |
| 88 |
> inherit userpackage |
| 89 |
> |
| 90 |
> USER_NAME=mail |
| 91 |
> USER_UID=8 |
| 92 |
> USER_PRIMARY_GROUP=mail |
| 93 |
> USER_FORCE_UID=yes |
| 94 |
> |
| 95 |
> DEPEND=group/mail |
| 96 |
> RDEPEND=group/mail |
| 97 |
> |
| 98 |
> And that ends up being the whole package. Similar for groups. Even the |
| 99 |
> R?DEPEND can probably go into the eclass. |
| 100 |
> |
| 101 |
> The eclass can then potentially support external hooks or something to |
| 102 |
> accomodate 6. above. |
| 103 |
> |
| 104 |
> > User/group name/identifier collision detection |
| 105 |
> > ---------------------------------------------- |
| 106 |
> > |
| 107 |
> > The user/group packages can install additional files in subdirectories |
| 108 |
> > of ``/var/lib`` indicating their respective names and identifiers. |
| 109 |
> > This ensures that if two packages ever happen to collide, the package |
| 110 |
> > manager's collision detection mechanism will trigger. |
| 111 |
> |
| 112 |
> Ulrich also commented on this. How about enforcing a mapping from |
| 113 |
> $USER_NAME to package name? (ie, just replace all characters not |
| 114 |
> allowed in package naming with _ or -. |
| 115 |
> |
| 116 |
> Same as Ulrich I struggle to see any use-case where this would be an |
| 117 |
> issue, but artificial or not it's probably a good idea to deal with it |
| 118 |
> somehow. |
| 119 |
|
| 120 |
This is not so simple. The main concern are names like 'foo-1'. But I |
| 121 |
guess we can leave it out for now, and address it when we actually have |
| 122 |
a need for such user/group. |
| 123 |
|
| 124 |
> |
| 125 |
> > Naming rules |
| 126 |
> > ------------ |
| 127 |
> > |
| 128 |
> > It has been pointed out that the package naming rules are more |
| 129 |
> > restrictive than user/group naming rules. This is why the proposal |
| 130 |
> > allows for package names to be different from user/group names. |
| 131 |
> > However, this is strongly discouraged and should only be used when |
| 132 |
> > really necessary. |
| 133 |
> |
| 134 |
> I would personally disallow it and enforce a mapping from username to |
| 135 |
> package name. The question then however is if two names map to the same |
| 136 |
> package (which would be confusing to begin with) how to deal with that. |
| 137 |
> |
| 138 |
> > User/group updates |
| 139 |
> > ------------------ |
| 140 |
> > |
| 141 |
> > If sysadmin needs to change the properties (e.g. home directory) of some |
| 142 |
> > user/group, the obvious course of action is to modify the system |
| 143 |
> > databases directly. The GLEP aims to respect that and disallow altering |
| 144 |
> > existing user/groups unconditionally. If any updates need to be done, |
| 145 |
> > the packages need to verify previous values first. |
| 146 |
> |
| 147 |
> "If any updates need to be done, the package need to verify previous |
| 148 |
> values first." conflicts with "disallow altering existing user/groups |
| 149 |
> unconditionally". I'd rephrase as "If any updates need to be done, |
| 150 |
> refer those to the system administrator." |
| 151 |
|
| 152 |
I suppose the meaning of 'unconditionally' is ambiguous here. |
| 153 |
|
| 154 |
> |
| 155 |
> > User/group removal |
| 156 |
> > ------------------ |
| 157 |
> > |
| 158 |
> > The original proposal attempted to remove user/groups automatically |
| 159 |
> > when the respective package was unmerged. This required verifying that |
| 160 |
> > no files are owned by the user/group in question which was both |
| 161 |
> > expensive in terms of I/O, and fragile. |
| 162 |
> > |
| 163 |
> > This GLEP follows the best practice of leaving obsolete user/groups |
| 164 |
> > accounts intact. This guarantees that no files with stale ownership are |
| 165 |
> > left (e.g. on unmounted filesystems) and that the same UID/GID is not |
| 166 |
> > reused for another user/group. |
| 167 |
> |
| 168 |
> The type of checks for both this and certain updates contemplated above |
| 169 |
> are similar. And expensive (resources) as you rightly say. I would |
| 170 |
> provide the tools to perform these checks but in the ebuild I'd rather |
| 171 |
> the checks be done asap (pkg_pretend?). If we can fail there and |
| 172 |
> stating what the admin should do to rectify the issue that would be the |
| 173 |
> best solution in my personal opinion. Ie, from the package manager I'd |
| 174 |
> state how, but not actually action these changes. |
| 175 |
> |
| 176 |
> I would suggest the GLEP restrict the scope of responsibility in this |
| 177 |
> respect. I would recommend ensuring that the account is locked at last. |
| 178 |
|
| 179 |
Yes, I've forgotten about this part. Locking it out is a good idea. |
| 180 |
|
| 181 |
> Would repoman be able to validate unique UID and GID assignments for |
| 182 |
> these user/ and group/ packages and enforce use of an eclass for these |
| 183 |
> packages? |
| 184 |
> |
| 185 |
|
| 186 |
Not in the current design. PkgCheck should be able to handle this |
| 187 |
though. |
| 188 |
|
| 189 |
-- |
| 190 |
Best regards, |
| 191 |
Michał Górny |
Archives