On Tue, Feb 19, 2002 at 01:09:10AM -0600, Chris Lawrence wrote:
> Let's put it this way: making uid/gid 1 a requirement means Debian
> probably will never conform to the spec, because of the problem of
> breaking existing installs.

Only apply the changes to new installs. Alternatively, create a
configlet script for the Sysadmin to use while in single-user mode to
change over things. We're not changing root here, just bin and daemon.
I don't know any application that runs as daemon that still runs in
single user mode.

    #!/bin/sh
    #
    # swap uid/gid btwn bin & daemon users/groups
    #
    # DISCLAIMER -- this is a hack intended for sysadmins willing to get
    # their hands dirty once in a while.
    #
    >/etc/nologin

    # -o allows a non-unique id while both names briefly share a number
    groupmod -g 1 -o bin
    groupmod -g 2 -o daemon
    usermod -u 1 -o -g bin bin
    usermod -u 2 -o -g daemon daemon

    find / -uid 1 -gid 1 -exec chown 2:1 \{\} \; -print > /tmp/2:1.list
    find / -uid 2 -gid 2 -exec chown 1:1 \{\} \;

    # already found the files...chown them again to their final uid:gid
    cat /tmp/2:1.list | xargs chown 2:2
    rm /tmp/2:1.list

    rm /etc/nologin

If we have to, we could create/choose a high, random uid that isn't
being used as the swap point.

> It also creates problems for people who want to use NIS across
> multiple systems, as Solaris uses uid/gid 2 for bin (like Debian), or
> running LSB apps on Solaris/x86, which could be conformant if Sun or a
> third party wanted to do the work.

IMHO, you should not be sharing low uid/gid's over NIS, PERIOD, end of
sentence. Your NIS uid/gid should be somewhere above 1500 so that your
system and operator accounts don't require full-time network
connections to be accessible.

How many times has your NFS server died or experienced lag, locking you
out of your home directory? How many times have you been unable to log
in because some system profile script requires a file on an NFS
automounted directory? How about NIS dying and no-one being able to
log in except root? It happens. All the time. Why? Badly configured
systems, often inherited from one BOFH to another (It's not my fault!
-- Han Solo). The fix? Manual labor, headaches, and lots of coffee. I
know this from recent experience (geeze, every day, in fact).

Should LSB be pushing us around over small, usually systems management
related tasks? Probably not. Should the LSB be a good guideline on
setting up a sane system to begin with? Certainly. Should we conform to
LSB whenever possible? Absolutely. Does this mean we need to convert
every running system over to accommodate a uid/gid change? No.

The robust solution to such a switch would have to incorporate more
tools than I listed above, such as 'ps' and 'fopen'. Perl or Python may
be a nice, one-tool approach, and it sounds like the base Debian system
should have at least Perl for the time being.

Anyway, it's late, and I'm tired. Night!

--
Chad Walstrom <chewie@wookimus.net> | a.k.a. ^chewie
http://www.wookimus.net/ | s.k.a. gunnarr
Get my public key, ICQ#, etc. $(mailx -s 'get info' chewie@wookimus.net)
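An added example, not part of the original message: the bin/daemon ownership swap done in Python as a single pass, so that no intermediate "swap point" id or list file in /tmp is needed and files with mixed ownership (for example uid 1 with gid 2) are covered. The names `SWAP`, `plan_swap` and `apply_swap` are this example's own, and `apply_swap` assumes it is run as root in single-user mode, as the script in the message does.

```python
import os
import stat

# Debian's numbering at the time (daemon=1, bin=2) swapped to bin=1, daemon=2.
# The same table is applied to uids and gids independently.
SWAP = {1: 2, 2: 1}


def _entries(root):
    """Yield root and everything below it without descending through symlinks."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def plan_swap(root, uid_map=SWAP, gid_map=SWAP):
    """Return [(path, new_uid, new_gid, old_mode)] for entries whose owner changes.

    Every entry is lstat()ed exactly once and its new owner is computed from
    that snapshot, so an already-converted file can never be matched twice.
    """
    plan = []
    for path in _entries(root):
        st = os.lstat(path)
        new_uid = uid_map.get(st.st_uid, st.st_uid)
        new_gid = gid_map.get(st.st_gid, st.st_gid)
        if (new_uid, new_gid) != (st.st_uid, st.st_gid):
            plan.append((path, new_uid, new_gid, st.st_mode))
    return plan


def apply_swap(plan):
    """Apply a plan produced by plan_swap(); review the plan before calling this."""
    for path, uid, gid, mode in plan:
        os.lchown(path, uid, gid)  # changes the link itself, never its target
        # Linux drops setuid/setgid bits from executables when ownership
        # changes, even for root, so restore the mode recorded in the plan.
        if not stat.S_ISLNK(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            os.chmod(path, stat.S_IMODE(mode))
```

`plan_swap("/")` only reads metadata, so it can be run on a live system to see what the change would touch before anything is modified.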