Re: Seeking consensus for some changes in adduser



On Wed, 9 Mar 2022 14:10:04 +0100, Harald Dunkel
<harald.dunkel@aixigo.com> wrote:
>On 2022-03-08 17:49:04, Marc Haber wrote:
>> (1a) would it be necessary to handle --system accounts differently? I
>>       think yes.
>
>I think it would be helpful to define "system account" and "normal user".
>Neither adduser(8) nor useradd(8) provide a sufficient definition,
>especially wrt the existing network directory services (LDAP, AD, etc).

In adduser, a --system (sic!) account is one that is created using the
--system option. Basically, the biggest difference is that its UID is
allocated from a different UID range, see policy 9.2.2. I just see
that policy says "dynamically allocated system users and groups",
while it refers to uid 1000-59999 as "dynamically allocated user
accounts".

So I am happy that my (and adduser's) notion of system and user
accounts actually matches policy, but I agree that we need to be more
explicit in adduser, probably referring to Policy in the adduser docs.

>Is a "system user" supposed to be a local account, defined in /etc/passwd
>only?

That is not defined in policy, but it should be. The current policy
editing process is based on a proponent suggesting an exact wording
with the policy editors just giving advice. Since I don't have a
strong position in this regard, I'm out here.

>Related question: How are naming collisions between local entries and
>the entries in a network directory service supposed to be handled?
>Something like
>
>	passwd: files sss
>
>in /etc/nsswitch.conf is not helpful, if a postinst script fails to
>create a local account due to the entry it has found in freeipa, for
>example. Not to mention that such a service might fail at boot time,
>if the directory service is not available (yet).

That is beyond adduser's scope. We (as the adduser team) usually
weasel out of that topic by saying that a system referring to a
directory service is run by skilled staff, and we expect those people
to do their job. It's a small team, adduser has been in limbo for
years, so we need to concentrate on the traps that a novice or
inexperienced user might fall into while relying on skilled users to
work around the issues that we haven't found the time to fix.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
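The two technical points in this exchange (the policy 9.2.2 UID ranges that distinguish a --system account from a normal user, and the "passwd: files sss" case where a postinst fails because the name already exists in the directory) can be checked on a host before a package is installed. The script below is an added example written for this thread; it is not adduser's code and not part of the original message. It assumes the adduser.conf default ranges (FIRST_SYSTEM_UID=100, LAST_SYSTEM_UID=999, FIRST_UID=1000, LAST_UID=59999), which follow Policy 9.2.2, and the passwd lines it works on are constructed sample data standing in for /etc/passwd and for `getent passwd` output, not captures from a real system.

```python
"""Classify passwd(5) entries by Debian Policy 9.2.2 UID range and flag names
that an NSS directory source provides although /etc/passwd does not.

Added example for the adduser thread; not adduser's own code. UID ranges are
the adduser.conf defaults (assumed: FIRST_SYSTEM_UID=100 .. LAST_UID=59999).
All passwd lines below are constructed sample data.
"""
from typing import Dict, List, Tuple

# Constructed: what /etc/passwd alone would contain on the host.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
marc:x:1000:1000:Marc,,,:/home/marc:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed: what `getent passwd` would return with "passwd: files sss",
# i.e. the local entries plus whatever the directory service adds.
NSS_PASSWD = LOCAL_PASSWD + """\
postgres:x:1234:1234:Postgres account defined in the directory:/home/postgres:/bin/bash
hdunkel:x:100500:100500:Directory user:/home/hdunkel:/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map login name -> UID for every well-formed passwd(5) line."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # passwd(5) has exactly seven fields; skip malformed lines
        users[fields[0]] = int(fields[2])
    return users


def uid_class(uid: int) -> str:
    """Name the Policy 9.2.2 range a UID falls into."""
    if 0 <= uid <= 99:
        return "globally-allocated"
    if 100 <= uid <= 999:
        return "system"           # the range `adduser --system` allocates from
    if 1000 <= uid <= 59999:
        return "user"             # the range plain `adduser` allocates from
    if 60000 <= uid <= 64999:
        return "debian-reserved"  # allocated by Debian, created on demand
    if 65000 <= uid <= 65533:
        return "reserved"
    if uid == 65534:
        return "nobody"
    return "beyond-policy"        # e.g. large UIDs assigned by a directory


def directory_only(local: Dict[str, int], nss: Dict[str, int]) -> Dict[str, int]:
    """Entries visible through NSS that have no line in /etc/passwd."""
    return {name: uid for name, uid in nss.items() if name not in local}


def postinst_collisions(local_text: str, nss_text: str) -> List[Tuple[str, int, str]]:
    """Names a postinst running `adduser NAME` would find already taken via
    NSS even though nothing local exists: (name, uid, policy range)."""
    local, nss = parse_passwd(local_text), parse_passwd(nss_text)
    return sorted((n, u, uid_class(u)) for n, u in directory_only(local, nss).items())


if __name__ == "__main__":
    # On a real host feed open("/etc/passwd").read() and the output of
    # `getent passwd` instead of the constructed strings.
    for name, uid, cls in postinst_collisions(LOCAL_PASSWD, NSS_PASSWD):
        print(f"{name}: uid {uid} ({cls}) comes from the directory, not /etc/passwd")
```

The interesting output is a name that a package is likely to create as a --system account (here the constructed "postgres" entry) but that the directory already supplies with a UID from the user range; that is exactly the situation in which the postinst's adduser call will refuse to create the local account, and it is cheaper to find before the install than during it.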