
Re: nogroup and nobody



Hi David

On Wed, 14 Jul 2004, David Weinehall wrote:

> On Wed, Jul 14, 2004 at 12:00:45PM +0100, Colin Watson wrote:
> > On Wed, Jul 14, 2004 at 02:48:21PM +1000, Darren Williams wrote:
> > > This has been brought up before and appears that it is not a major
> > > concern for the Debian community.
> > 
> > Can you give me a reference? I don't recall ever seeing this in the
> > several years I've been a member of Debian or in the year and a half
> > I've been the Debian base-passwd maintainer.
> > 
> > > However, the current policy of nobody, nogroup subtly breaks Linux
> > > Test Project if you are unaware of Debian's policy. LTP expects that
> > > if user nobody exists then either a nobody group exists or it will
> > > create one if you desire. The problem becomes obvious when you run LTP
> > > on a network filesystem using NIS and ltp has created the group nobody
> > > under the NIS flag in /etc/group. This new group is never recognised
> > > and the hosting server is requested to fulfil the request, if that
> > > server is also a Debian system then it too will know nothing about the
> > > group nobody, and subsequent tests that rely on the group produce an
> > > incorrect result for the test. For details on LSB user groups see:
> > > http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB.html#TOCUSERSGROUPS
> > 
> > This does seem to be a straightforward bug in either Debian policy (and
> > base-passwd) or the LSB. Frankly I'm not sure how Debian could get there
> > from here; it entirely depends on how much the name 'nogroup' is
> > hardcoded in packages in our archive. I'd hope not very much, but I'm
> > reluctant to agree with changing policy and base-passwd without knowing
> > the impact. Has anyone audited this?
> > 
> > Similarly, is there a good reason for the LSB to mandate that name, or
> > is it just overspecification in the same way that it used to mandate
> > that the bin and daemon users should have uids 1 and 2 respectively? We
> > got that specification removed because there was really no good reason
> > for the LSB to specify it. The LSB says that the nobody group is for
> > distributions, not applications, so it seems unlikely that it would
> > matter if the alternative were offered.
> 
> At least AIX and Solaris both seem to have nobody in /etc/group, but not
> /etc/nogroup.  Whether that's relevant or not, I cannot say...
> 
> BTW, group allows for several names to map to the same UID, so we could
> add nobody to /etc/group and make sure it ends up before nogroup in the
> file; that way we'd get backwards-compatibility as well as
> LSB-compatibility.  And since nobody sorts before nogroup, grpck -s
> shouldn't hurt either.  Whether there are applications that rely on a
> 1:1 mapping of gid:name, I cannot say.

I am not too sure about what applications do, again from LSB we have:

"
 Only a minimum working set of "user names" and their corresponding
 "user groups" are required. Applications cannot assume non system
 user or group names will be defined.
"

Which to me means that a distribution does not need to define the
optional users, however if they do they should also define the 
corresponding group and apps should not assume anything about these
optional user/groups. If they do then they are broken to start with.

This is a hardline approach and need not be taken, though I think
as a community if we can bring some standardisation to the distributions
then they will be easier to write applications for such as Linux Test
Project.

Darren

> 
> 
> Regards: David Weinehall
> -- 
>  /) David Weinehall <tao@acc.umu.se> /) Northern lights wander      (\
> //  Maintainer of the v2.0 kernel   //  Dance across the winter sky //
> \)  http://www.acc.umu.se/~tao/    (/   Full colour fire           (/
--------------------------------------------------
Darren Williams <dsw AT gelato.unsw.edu.au>
Gelato@UNSW <www.gelato.unsw.edu.au>
--------------------------------------------------
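
Added example, not part of the original messages and not code from base-passwd or LTP: a small audit of the two /etc/group layouts discussed in the thread, showing which name a gid resolves to, which users lack a same-named group, and which gids carry more than one name. The sample files are constructed, the helper names are hypothetical, and the first-match behaviour assumes a sequential scan of the flat file.

```python
# Constructed passwd(5)/group(5) samples; not copied from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""
GROUP_CURRENT = """\
root:x:0:
nogroup:x:65534:
+:::
"""
# Hypothetical layout from the proposal: nobody listed before nogroup, same gid.
GROUP_ALIASED = """\
root:x:0:
nobody:x:65534:
nogroup:x:65534:
+:::
"""

def parse(text):
    """Return (name, numeric id) pairs in file order; field 3 is the id in both files."""
    rows = []
    for line in text.splitlines():
        # Skip blanks, comments and NIS compat entries such as "+:::".
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        rows.append((fields[0], int(fields[2])))
    return rows

def gid_to_name(groups, gid):
    """Assumption: a sequential scan of the flat file, so the first match wins."""
    return next((name for name, g in groups if g == gid), None)

def users_without_same_named_group(passwd, groups):
    """Users for which a lookup of a group with the user's own name would fail."""
    names = {name for name, _ in groups}
    return [user for user, _ in passwd if user not in names]

def shared_gids(groups):
    """gids carried by more than one group name (breaks a 1:1 gid:name assumption)."""
    by_gid = {}
    for name, gid in groups:
        by_gid.setdefault(gid, []).append(name)
    return {gid: names for gid, names in by_gid.items() if len(names) > 1}

if __name__ == "__main__":
    for label, text in (("current", GROUP_CURRENT), ("aliased", GROUP_ALIASED)):
        groups = parse(text)
        print(label, gid_to_name(groups, 65534),
              users_without_same_named_group(parse(PASSWD), groups), shared_gids(groups))
```

Running the same three checks over a package archive's maintainer scripts and a host's real files would show how much depends on the name rather than the gid.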


