| 1 |
On Sun, Jan 19, 2020 at 1:37 PM Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
> |
| 3 |
> On 1/19/20 12:42 PM, Rich Freeman wrote: |
| 4 |
> > |
| 5 |
> > Typically you wouldn't share service accounts across multiple hosts. |
| 6 |
> > I'd think that something like amavisd is going to go on a mail server. |
| 7 |
> > You're not going to be logging into that account to do typical |
| 8 |
> > desktop-oriented functions. |
| 9 |
> > |
| 10 |
> > If you had three mail servers, you probably would want to share |
| 11 |
> > /home/mjo across all of them, but you probably wouldn't want to share |
| 12 |
> > your amavisd config across them. That is why the config goes in /etc. |
| 13 |
> > I don't see how stuff it launches would be any different. |
| 14 |
> |
| 15 |
> The stuff it launches is different because the stuff it launches is |
| 16 |
> different. SpamAssassin, for example, can be run by normal users in a |
| 17 |
> traditional UNIX mail setup. So its configuration goes in $HOME, because |
| 18 |
> that's how it works. When amavis runs spamassassin, the SA configuration |
| 19 |
> comes from $HOME, because that's how it works. |
| 20 |
|
| 21 |
Sure, I completely understand that and have no issues with it. Ditto |
| 22 |
with having some apache module running sendmail, which has some plugin |
| 23 |
which gpg signs emails, which requires a ~/.gnupg for the apache user. |
| 24 |
|
| 25 |
> If you're sharing /home, you also have to be sharing user accounts, |
| 26 |
> unless you want everyone to be assigned a random set of files. |
| 27 |
|
| 28 |
I imagine that most people setting up something like this would only |
| 29 |
be sharing high-value UIDs (>1000 in our case). There is no need for |
| 30 |
postfix on your Gentoo box and postfix on your Debian box to have the |
| 31 |
same UID. You wouldn't be sshing from postfix on the one to postfix |
| 32 |
on the other and expecting to have the same home directory contents. |
| 33 |
|
| 34 |
> And if |
| 35 |
> you're sharing user accounts, you have to start each instance of amavis |
| 36 |
> as a different user, because its configuration is per-user. That's just |
| 37 |
> the way it works. |
| 38 |
|
| 39 |
Since it is a local account, not in /home, then it would be a separate |
| 40 |
user even if the UID is the same (or otherwise). You'd set up amavis |
| 41 |
on each mail server. They might be running different distros. They |
| 42 |
would be using local users. |
| 43 |
|
| 44 |
Don't get me wrong, it would be cleaner if POSIX users had a scope the |
| 45 |
way that an OS like Windows does it, but it isn't a big deal if you |
| 46 |
use high-numbered UIDs for shared users, and low-numbered UIDs for |
| 47 |
local users. |
| 48 |
|
| 49 |
> Everything is fine here, this all works and has worked for 20 years. |
| 50 |
|
| 51 |
Sure, it works fine if you have a single host, or do nothing to share |
| 52 |
your home directories, which I imagine is what 95% of Gentoo users do. |
| 53 |
I doubt most Gentoo users even encrypt /home, even though this has |
| 54 |
been standard for most of those 20 years on just about every major |
| 55 |
distro out there. |
| 56 |
|
| 57 |
If a user wants to put this stuff in /home we should certainly support |
| 58 |
that, and it would work fine if the user sets up the account properly |
| 59 |
before installing the package. They might get a QA warning, but that |
| 60 |
is the user's concern. |
| 61 |
|
| 62 |
-- |
| 63 |
Rich |
Archives