
Re: Best practices on system users and groups



On Tue, Nov 01, 2005 at 04:53:33AM -0500, sean finney wrote:
> hi javier,
> 
> On Mon, Oct 31, 2005 at 10:03:01PM +0100, Javier Fernández-Sanguino Peña wrote:
> > I would like developers to review and provide feedback for that section,
> 
> thanks for actually putting this into a document, however, i notice
> two problems:
> 
> - the addgroup/adduser functions mask the error status, yet do not
>   later check to see if the group was actually created.   this is doubly

Fixed in CVS.

>   the second thing i notice is that you arbitrarily modify the user in
>   question via usermod, which would override the local admin's changes.
>   i wonder whether it is even good to recommend this at all.

Usermod is only called if the user does not exist and the package creates
it. gdm, postgresql and logcheck already do this. In the example code,
if the system user exists, then usermod is not called, which is better than
what logcheck or postgresql currently do.

> i'd like to double-ack this remark.  even if the oft-mentioned "dh_user"
> were implemented, if there were a bug in this implementation, every
> affected package would have to be /rebuilt/ if the buggy code were
> actually in the postinsts.
> 
> if you're going to do this, it would be better to provide a program
> or a shell library that is sourced in the postinst, and then
> a wrapper function which does all of this.

Yes, that's what I'm currently more inclined towards. I'm not certain which
package should provide this function but adduser seems like a valid candidate
for that.

Regards

Javier
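
The approach discussed in this thread, as an added example that is not part of the original message or of the adduser package: a shell library sourced from a postinst that does not mask creation errors, verifies afterwards that the group and user really exist, and calls usermod only for an account it has just created. The function names, the argument layout and the /bin/false shell are assumptions.

```shell
# Hypothetical library meant to be sourced from a maintainer script (postinst).
# Function names are illustrative; this is not an existing adduser interface.

# ensure_system_group GROUP
# Create GROUP as a system group if it is missing, then verify it exists.
ensure_system_group() {
    _grp=$1
    if ! getent group "$_grp" >/dev/null; then
        # Do not mask the exit status: a failed creation must be reported.
        addgroup --system --quiet "$_grp" || {
            echo "error: addgroup failed for $_grp" >&2
            return 1
        }
    fi
    # Verify the result instead of trusting the tool's exit status alone.
    getent group "$_grp" >/dev/null || {
        echo "error: group $_grp is still missing" >&2
        return 1
    }
}

# ensure_system_user USER GROUP HOME GECOS
# Create USER only if absent; a pre-existing account is never modified.
ensure_system_user() {
    _usr=$1 _ugrp=$2 _home=$3 _gecos=$4
    ensure_system_group "$_ugrp" || return 1
    if getent passwd "$_usr" >/dev/null; then
        # Account already exists: leave the local admin's settings alone.
        return 0
    fi
    adduser --system --quiet --home "$_home" --no-create-home \
        --ingroup "$_ugrp" --shell /bin/false "$_usr" || {
        echo "error: adduser failed for $_usr" >&2
        return 1
    }
    getent passwd "$_usr" >/dev/null || {
        echo "error: user $_usr is still missing" >&2
        return 1
    }
    # Reached only for an account this package has just created.
    usermod -c "$_gecos" "$_usr" || return 1
}
```

Because the logic lives in a sourced library rather than being copied into each postinst, a bug in it is fixed by updating the one package that ships the library.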
