
Re: Keysafe dynamic UID



Anthony DeRobertis writes ("Re: Keysafe dynamic UID"):
> I wonder if just adding a second user with the same uid would be safer
> (so then the packaged scripts can use the new name), and documenting
> that the old one will be removed for the next release?

This is an idea worth pursuing.

> (Also, I haven't tested: does that properly handle group memberships?)

I'm not sure.  Testing would be needed.

Other questions: what happens if attempts are made to lock the
account, or whatever.  (I suspect it's only one of the names that's
disabled.)

Also, in each case we'd have to check whether the software would be
likely to go wrong due to unexpected results from uid->name mapping.
(IME one gets the first matching entry found in /etc/passwd).

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
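
The questions raised in the message above (uid->name mapping, locking, group membership) can be checked per name with a small audit. This is an added example, not part of the original message. The account names "keysafe-old" and "keysafe", the uid 995 and all file contents are constructed, and the first-match reverse lookup is assumed as the message describes for /etc/passwd.

```python
from collections import defaultdict

# Constructed sample files, not taken from the thread. "keysafe-old" and
# "keysafe" are hypothetical names for two passwd entries sharing uid 995.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
keysafe-old:x:995:995::/var/lib/keysafe:/usr/sbin/nologin
keysafe:x:995:995::/var/lib/keysafe:/usr/sbin/nologin
"""
SHADOW = """\
root:*:19000:0:99999:7:::
keysafe-old:!$6$constructed:19000:0:99999:7:::
keysafe:$6$constructed:19000:0:99999:7:::
"""
GROUP = """\
keysafe:x:995:
backup:x:34:keysafe-old
"""

def records(text):
    """Split a colon-separated account file into lists of fields."""
    return [ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#")]

def audit_shared_uids(passwd, shadow, group):
    """Report, for each uid owned by more than one name, what each name gets."""
    names_by_uid = defaultdict(list)
    for rec in records(passwd):
        names_by_uid[int(rec[2])].append(rec[0])   # keeps file order
    # passwd -l / usermod -L mark a lock by prefixing the shadow hash with "!"
    locked = {rec[0]: rec[1].startswith("!") for rec in records(shadow)}
    # /etc/group lists supplementary members by name, not by uid
    groups = defaultdict(set)
    for rec in records(group):
        for member in filter(None, rec[3].split(",")):
            groups[member].add(rec[0])
    report = {}
    for uid, names in names_by_uid.items():
        if len(names) > 1:
            report[uid] = {
                # Assumption: a uid->name lookup returns the first entry in file order
                "reverse_lookup": names[0],
                "names": {n: {"locked": locked.get(n, False),
                              "groups": sorted(groups[n])} for n in names},
            }
    return report

if __name__ == "__main__":
    print(audit_shared_uids(PASSWD, SHADOW, GROUP))
```

In the constructed data only the old name is locked and only the old name is in the backup group, so the new name would log in unlocked and without that group.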

