
Re: old vs new system uid/gid

On Wed, May 8, 2013 at 1:10 AM, Bob Proulx <bob@proulx.com> wrote:
Ross Boylan wrote:
> Bob Proulx wrote:
> > > I suppose it would be safer to have a script read the old files and
> > > do adduser/addgroup as appropriate, since that would assure the home
> > > directories existed (and maybe do other stuff I'm not aware of).
> >
> > Safer how?  It seems much more complicated.  Because you would need to
> > specify all of the parameters as options to adduser.  Complexity leads
> > to the higher possibility of errors.  Therefore I think it is more
> > dangerous.
>
> If I don't adduser then home directories won't be created, even though
> /etc/passwd will refer to them.  I figured that would lead to
> problems.

But you said you were restoring an old system and had backups of user
data but not of /usr.  Or did I read that wrong?  I assumed you would
restore /home and therefore would need the on disk restore uid:gid to
match the accounts.  Therefore /home $HOME directories will be created
by the backup restore.  No?
 
Good point.  But some of the system accounts have home directories in /var, /usr (/usr/games) or elsewhere: /bin, /root, /dev.  Interesting: several accounts share /bin as a homedir; I'm a little surprised the system permits that.

Since my backup of /var was somewhat selective, I might have missed some of them.  Then again, I might be fine.  The others outside of /var should be there anyway.  Also a little surprising that some are in /var/run (identd and jabber).

Oh... I do have libuuid on the lenny system; it was a late addition.  Maybe from installing a testing chroot.


> Your later remarks indicate there may not be much more adduser does.
> Actually, some of the skeleton files it usually copies may be
> inappropriate for system accounts.

System accounts are given options to make them simpler and to avoid
all of the niceties given to real users.  Such as this example from ntp.

  adduser --system --quiet --ingroup ntp --no-create-home ntp

Or this one from bind.

  adduser --system --home /var/cache/bind --no-create-home \
                --disabled-password --ingroup bind bind

You can browse through and see other examples.
That reinforces your point that simply going through the old passwd file and executing adduser will not necessarily recreate things exactly as they were.
 
....
> > A chroot does *not* get uid/gid from the host system.
>
> Thanks for the correction.  I figured since the hostname in the chroot
> comes from the host (I think I've been told) that users and groups had a
> similar story.


Yes on the hostname.  There is only one kernel.  Therefore asking the
running kernel gethostname(2) can only return one name.  But that
doesn't apply to getpwent(3) which matches uids up with passwd account
entries.  It may seem similar.  But one applies to the system, of
which there is only one.  The other applies to users, of which there
may be many users.
There is an /etc/hostname just as there is an /etc/passwd, and so I find the difference in behavior surprising.  I know: the hostname can be set dynamically and so /etc/hostname isn't as authoritative as /etc/passwd.
...

> > > Since I use VMs I should probably be using LDAP, but I think that's
> > > best left for later.
> >
> > Using or not using LDAP for accounts I see as completely orthogonal to
> > this question.  (Same for using mysql too.)
>
> If a VM gets its account info from LDAP then it will use the same UIDs as
> elsewhere on the host and other VMs.  So doesn't it provide a natural way
> to ensure the ids match, even if the virtual systems are different
> releases?

Okay.  You have convinced me.  If you had already been using a
centralized database then it would be easier to restore.  But if you
haven't then I don't think I would try to set one up just for doing
the restore.
Yes, I have enough going on without changing my account management system at the same time!


Good luck!  I would be interested in hearing about snags you hit along
the way or things that worked out well.
I notice you didn't say *if* I hit snags!

On balance, do you think the restore lenny and upgrade option is better than restore direct onto wheezy?

Ross
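The check the thread keeps circling around, as an added example that is not part of the original message: before restoring files that still carry the old system's numeric ownership, compare the old and new /etc/passwd for accounts that are missing, that were renumbered, or whose old uid is now taken by a different name, and list the home directories a restore of /home alone would not bring back. The passwd contents below are constructed sample data, not from any real system.

```python
"""Compare an old and a new /etc/passwd before restoring files owned by old uids."""
from typing import Dict, List, Tuple

Account = Tuple[int, int, str]  # (uid, gid, home)


def parse_passwd(text: str) -> Dict[str, Account]:
    """Map account name -> (uid, gid, home) for every well-formed passwd line."""
    accounts: Dict[str, Account] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # blank, comment or malformed line
        name, _pw, uid, gid, _gecos, home, _shell = fields
        accounts[name] = (int(uid), int(gid), home)
    return accounts


def compare_accounts(old: Dict[str, Account], new: Dict[str, Account]):
    """Return (missing, renumbered, collisions).
    missing    - old names absent from the new system: restored files would be orphaned
    renumbered - same name, different uid: restored files would belong to the wrong account
    collisions - a missing name's old uid is already used by another name on the new system
    """
    missing = sorted(n for n in old if n not in new)
    renumbered = sorted((n, old[n][0], new[n][0])
                        for n in old if n in new and old[n][0] != new[n][0])
    new_by_uid = {acct[0]: n for n, acct in new.items()}
    collisions = sorted((n, old[n][0], new_by_uid[old[n][0]])
                        for n in missing if old[n][0] in new_by_uid)
    return missing, renumbered, collisions


def homes_outside(old: Dict[str, Account], prefix: str = "/home/") -> List[Tuple[str, str]]:
    """Accounts whose home directory a restore of /home alone would not recreate."""
    return sorted((n, acct[2]) for n, acct in old.items() if not acct[2].startswith(prefix))


# Constructed sample data (not taken from any real system).
OLD_PASSWD = """root:x:0:0:root:/root:/bin/bash
ntp:x:101:104::/home/ntp:/bin/false
bind:x:105:109::/var/cache/bind:/bin/false
identd:x:100:65534::/var/run/identd:/bin/false
ross:x:1000:1000:Ross:/home/ross:/bin/bash
"""
NEW_PASSWD = """root:x:0:0:root:/root:/bin/bash
ntp:x:103:106::/home/ntp:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
ross:x:1000:1000:Ross:/home/ross:/bin/bash
"""

if __name__ == "__main__":
    old, new = parse_passwd(OLD_PASSWD), parse_passwd(NEW_PASSWD)
    print(compare_accounts(old, new), homes_outside(old))
```

Run it against the real files with `parse_passwd(open("/etc/passwd").read())` on each side; the same functions work unchanged on /etc/group if the group-id field is ignored.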
