Bug#706985: ITP: opensmtpd -- Simple Mail Transfer Protocol daemon



On Wed, May 22, 2013 at 02:16:34PM -0700, Russ Allbery wrote:
> We currently have no good policy about how to name system users, but
> despite that I personally would recommend against using simple
> alphanumeric usernames like those.  (They are longer than eight
> characters, which avoids some local namespaces, but not all.)

I've never been a fan of worrying about this, largely because the names
that are really a practical problem are mostly the ones that have been
around forever and that we're stuck with (things like "man" could well
be a real name; I have a co-worker whose initials are apparently SSH;
people occasionally try to use things like "staff"; and so on), while
most of the ones that have been introduced more recently, and certainly
the longer and/or more elaborate ones, are likely to be innocuous.

Pragmatically, I wouldn't be inclined to lose any sleep over the chances
of somebody having a local username called opensmtpd that wasn't
actually for a local installation of this very same package.  And our
user/group namespace is such that it really almost has to be handled
pragmatically.

> There are two conventions that other packages have used to make it less
> likely that system accounts will conflict with local usernames:
> 
> * Append "Debian-" to the username, as in Debian-opensmtpd

This was used by Debian-exim and not a lot else that I ever heard of.
In my view this scheme rightly failed; plenty of simple system
monitoring tools (top, ps, and the like) truncate long usernames in many
modes or turn them into UIDs, and sticking a seven-character prefix on
the front just seems to be trying to maximise the probability of trouble
like this, even though it is certainly clear.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]

