
Re: [PROPOSAL] Chapter 15. Users & Groups: minimal UID for normal Users



   Date: Thu, 7 Dec 2000 14:27:17 +0000 (GMT)
   From: Alan Cox <alan@lxorguk.ukuu.org.uk>

   > Let me raise a broader question.  Why is this in the LSB specification
   > at all?  It's good practice for the distributions to follow, no doubt,
   > but I don't think it's within the scope of LSB, since how user groups are
   > chosen is generally a matter of local sysadmin policy, and is generally
   > irrelevant as far as application/distribution interoperability is
   > concerned.  

   I strongly disagree Ted. Good security practice says you give daemons their
   own unique user name to get some compartmentalisation.

   Now whether we say 500/500 or we say

	   'useradd has the following extra flag to make it pick a system user'

I agree that daemons should have their own unique user name and user ID,
but constraining what UID's distributions should use for normal users
is a stupid way to try to solve this problem, since installation scripts
still have to figure out how to pick an unused user id.

We should solve this by adopting your solution to add an extra flag to
useradd to pick a system user and/or by having LANANA keep a
registration for usernames and user ID's registration.  (And I say this
not because I think ISV's need to be able to compile userid's into apps;
tough, they can call getpwnam() if necessary.  I suggested having LANANA
keep a system userid registration because it might be helpful in
cases where filesystems containing files owned by system users are being
shared across NFS.)

						- Ted
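
The getpwnam() approach mentioned in the message above, as an added example that is not part of the original e-mail or of the LSB text: a daemon resolves its own account by name at start-up instead of compiling in a UID, refuses to run if that account maps to root, and then drops privileges. The account name `exampled` and every function and type name here are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes initgroups() on glibc under strict -std= */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum svc_status { SVC_OK = 0, SVC_NOT_FOUND = -1, SVC_IS_ROOT = -2, SVC_ERROR = -3 };
struct svc_id { uid_t uid; gid_t gid; };

/* Look the daemon account up by name; the numeric IDs may differ per host. */
enum svc_status resolve_service_account(const char *name, struct svc_id *out)
{
    struct passwd pw, *res = NULL;
    char buf[4096];

    if (name == NULL || *name == '\0' || out == NULL)
        return SVC_NOT_FOUND;
    int rc = getpwnam_r(name, &pw, buf, sizeof buf, &res);
    if (res == NULL)   /* some NSS back ends report "no entry" as ENOENT/ESRCH */
        return (rc == 0 || rc == ENOENT || rc == ESRCH) ? SVC_NOT_FOUND : SVC_ERROR;
    if (pw.pw_uid == 0 || pw.pw_gid == 0)
        return SVC_IS_ROOT;   /* no compartmentalisation if the account is root */
    out->uid = pw.pw_uid;
    out->gid = pw.pw_gid;
    return SVC_OK;
}

/* Order matters: supplementary groups, then gid, then uid; finally verify. */
int drop_privileges(const char *name, const struct svc_id *id)
{
    if (initgroups(name, id->gid) != 0) return -1;
    if (setgid(id->gid) != 0) return -1;
    if (setuid(id->uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;   /* regaining root must fail */
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "exampled";   /* hypothetical account */
    struct svc_id id;
    if (resolve_service_account(name, &id) != SVC_OK || drop_privileges(name, &id) != 0) {
        fprintf(stderr, "cannot run as %s\n", name);
        return 1;
    }
    printf("running as uid=%ld gid=%ld\n", (long)id.uid, (long)id.gid);
    return 0;
}
```

`drop_privileges()` only succeeds when the process starts as root, which is the normal case for a daemon launched from an init script.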
