| 1 |
On Mon, Jan 20, 2020 at 6:20 AM Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
|
| 3 |
> On 1/20/20 2:02 AM, Ulrich Mueller wrote: |
| 4 |
> >>>>>> On Mon, 20 Jan 2020, Michael Orlitzky wrote: |
| 5 |
> > |
| 6 |
> >> install-qa-check.d: allow acct-user home directories under /home. |
| 7 |
> > |
| 8 |
> > Nope. As you've been told, /home is site specific and can be setup in |
| 9 |
> > multiple ways that are incompatible with the package manager installing |
| 10 |
> > things there (the only exception being baselayout creating the directory |
| 11 |
> > itself). |
| 12 |
> |
| 13 |
> I haven't been given a single technical reason why using /home would |
| 14 |
> cause a problem. What specific incompatibilities are you talking about? |
| 15 |
> |
| 16 |
|
| 17 |
So I can describe in detail one example, but its not running Gentoo; so I'm |
| 18 |
not sure if you care in practice. |
| 19 |
|
| 20 |
At work we had sec=krb5 NFS v3 mounted home directories. They were mounted |
| 21 |
in /home (via the automounter.) So if these machines ran Gentoo and you |
| 22 |
went to do something like "create /home/amavisd" it would fail because the |
| 23 |
root user doesn't have the ability to make home directories in /home (uid=0 |
| 24 |
is mapped to nobody, who doesn't have +w on /home.) All home directories |
| 25 |
were created by a business application and there were specific hosts where |
| 26 |
root was not squashed (and we used sec=sys instead of krb5) and so root on |
| 27 |
the admin host would have +w on /home and not be squashed to nobody.) |
| 28 |
|
| 29 |
In practice in that enterprise environment, if we needed something like |
| 30 |
/home/web/ (which I think did exist at one point) we would create a role |
| 31 |
account in LDAP (www-data is a common user for example), assign it a uid, |
| 32 |
create the homedirectory (/home/web) and it would be owned by |
| 33 |
www-data:www-data. Then we would configure the web front ends to use |
| 34 |
www-data instead of the normal user (apache or nginx or whatever.) |
| 35 |
|
| 36 |
In practice: |
| 37 |
(1) These environments are what I'd consider legacy; if I was crafting an |
| 38 |
enterprise environment today I would not design one quite like this[0]. |
| 39 |
(2) I don't think most people running Gentoo are running these |
| 40 |
environments, which is why you don't see many practical objections on the |
| 41 |
list. I think it's reasonable to avoid service account homedirs in /home |
| 42 |
not because of fancy examples like above (that maybe 10 companies in the |
| 43 |
world run) and instead just focus on this idea that "system stuff doesn't |
| 44 |
go in /home." Its somewhat arbitrary as mgorny points out earlier in the |
| 45 |
thread. |
| 46 |
|
| 47 |
-A |
| 48 |
|
| 49 |
[0] Linux has really poor machine trust by default and while you can build |
| 50 |
a ragtag set of primitives to trust machines and identities; I think the |
| 51 |
effort is better spent shelling out money for some kind of real identity |
| 52 |
management provider that isn't just 'hey here is a uid + ip' which is how |
| 53 |
we did things in the 90s man. It was an innocent time ;) |
| 54 |
|
| 55 |
|
| 56 |
|
| 57 |
> |
| 58 |
> > Quoting FHS-3.0 again: |
| 59 |
> > |
| 60 |
> > | On large systems (especially when the /home directories are shared |
| 61 |
> > | amongst many hosts using NFS) it is useful to subdivide user home |
| 62 |
> > | directories. Subdivision may be accomplished by using subdirectories |
| 63 |
> > | such as /home/staff, /home/guests, /home/students, etc. |
| 64 |
> > |
| 65 |
> > So, how are you going to detect if such a scheme is used on the system, |
| 66 |
> > and in which subdirectory the amavis user should be placed? |
| 67 |
> |
| 68 |
> The same way we detect that scheme before setting a home directory to |
| 69 |
> /var/lib/whatever, which you may notice, is not under /home/guests or |
| 70 |
> anything like that. Does this cause a real technical problem, or is it |
| 71 |
> just more FUD? |
| 72 |
> |
| 73 |
> |
| 74 |
> > I also wonder why you would send this patch, when there wasn't a single |
| 75 |
> > voice supporting your proposition in the other thread and several |
| 76 |
> > opposing ones. |
| 77 |
> |
| 78 |
> I don't want to just complain without offering a solution. |
| 79 |
> |
| 80 |
> No one has pointed out any problems with it. |
| 81 |
> |
| 82 |
> This stuff is already in /home, and I'd like to get off user.eclass |
| 83 |
> without introducing a new QA warning for a keepdir file. |
| 84 |
> |
| 85 |
> |
Archives