| 1 |
On 1/19/20 2:02 PM, Rich Freeman wrote: |
| 2 |
> |
| 3 |
>> If you're sharing /home, you also have to be sharing user accounts, |
| 4 |
>> unless you want everyone to be assigned a random set of files. |
| 5 |
> |
| 6 |
> I imagine that most people setting up something like this would only |
| 7 |
> be sharing high-value UIDs (>1000 in our case). There is no need for |
| 8 |
> postfix on your Gentoo box and postfix on your Debian box to have the |
| 9 |
> same UID. You wouldn't be sshing from postfix on the one to postfix |
| 10 |
> on the other and expecting to have the same home directory contents. |
| 11 |
> |
| 12 |
|
| 13 |
You can't do that. If you're going to mount files from one system onto |
| 14 |
another system, using only an integer <--> username mapping as your |
| 15 |
access control mechanism, then you'd better be damn sure that those |
| 16 |
integers and usernames match on all systems. Otherwise I might wind up |
| 17 |
sharing /home/mjo to rich0 because the "mjo" and "rich0" groups both |
| 18 |
have gid 1000 locally. |
| 19 |
|
| 20 |
|
| 21 |
> Since it is a local account, not in /home, then it would be a separate |
| 22 |
> user even if the UID is the same (or otherwise). You'd set up amavis |
| 23 |
> on each mail server. They might be running different distros. They |
| 24 |
> would be using local users. |
| 25 |
> |
| 26 |
> Don't get me wrong, it would be cleaner if POSIX users had a scope the |
| 27 |
> way that an OS like Windows does it, but it isn't a big deal if you |
| 28 |
> use high-numbered UIDs for shared users, and low-numbered UIDs for |
| 29 |
> local users. |
| 30 |
|
| 31 |
It's a huge deal. Random users/groups can access your files if the |
| 32 |
databases don't agree. The local/remote user distinction does not exist. |
| 33 |
|
| 34 |
|
| 35 |
>> Everything is fine here, this all works and has worked for 20 years. |
| 36 |
> |
| 37 |
> Sure, it works fine if you have a single host, or do nothing to share |
| 38 |
> your home directories, which I imagine is what 95% of Gentoo users do. |
| 39 |
> I doubt most Gentoo users even encrypt /home, even though this has |
| 40 |
> been standard for most of those 20 years on just about every major |
| 41 |
> distro out there. |
| 42 |
> |
| 43 |
> If a user wants to put this stuff in /home we should certainly support |
| 44 |
> that, and it would work fine if the user sets up the account properly |
| 45 |
> before installing the package. They might get a QA warning, but that |
| 46 |
> is the user's concern. |
| 47 |
|
| 48 |
We've talked this to death. Barring any new evidence, /home still seems |
| 49 |
like the best place for these, and I don't want to put them in the wrong |
| 50 |
spot (forcing users to migrate) just to appease a QA warning from before |
| 51 |
GLEP81 was a thing. |
Archives