
Re: Bug#134658: ITP: lsb -- Linux Standard Base 1.1 core support package



On Tue, Feb 19, 2002 at 01:09:10AM -0600, Chris Lawrence wrote:
> Let's put it this way: making uid/gid 1 a requirement means Debian
> probably will never conform to the spec, because of the problem of
> breaking existing installs.  

Only apply the changes to new installs.  Alternatively, create a
configlet script for the Sysadmin to use while in single-user mode to
change over things.  We're not changing root here, just bin and daemon.
I don't know any application that runs as daemon that still runs in
single user mode.

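    #!/bin/sh
    #
    # swap uid/gid between bin & daemon users/groups
    #
    # DISCLAIMER -- this is a hack intended for sysadmins willing to get
    #     their hands dirty once in a while.
    #
    # mktemp avoids a predictable, root-written file name in /tmp
    list=$(mktemp) || exit 1
    # block non-root logins while ownership is in flux
    >/etc/nologin
    # -o allows the ids to be duplicated temporarily during the swap
    groupmod -g 1 -o bin
    groupmod -g 2 -o daemon
    usermod -u 1 -o -g bin bin
    usermod -u 2 -o -g daemon daemon
    # park the 1:1 files at 2:1 so the next pass does not pick them up;
    # chown -h changes a symlink itself, not the file it points to
    find / -uid 1 -gid 1 -exec chown -h 2:1 \{\} \; -print0 > "$list"
    find / -uid 2 -gid 2 -exec chown -h 1:1 \{\} \;
    # already found the files...chown them again to their final uid:gid
    xargs -0 -r chown -h 2:2 < "$list"
    rm "$list"
    rm /etc/nologin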

If we have to, we could create/choose a high, random uid that isn't
being used as the swap point.

> It also creates problems for people who want to use NIS across
> multiple systems, as Solaris uses uid/gid 2 for bin (like Debian), or
> running LSB apps on Solaris/x86, which could be conformant if Sun or a
> third party wanted to do the work.

IMHO, you should not be sharing low uid/gid's over NIS, PERIOD, end of
sentence.  Your NIS uid/gid should be somewhere above 1500 so that your
system and operator accounts don't require full-time network connections
to be accessible.  How many times has your NFS server died or
experienced lag, locking you out of your home directory?  How many times
have you been unable to login because some system profile script
requires a file on an NFS automounted directory?  How about NIS dying
and no-one being able to login except root?

It happens.  All the time.  Why?  Badly configured systems, often
inherited from one BOFH to another (It's not my fault! -- Han Solo).
The fix?  Manual labor, headaches, and lots of coffee.  I know this from
recent experience (geeze, every day, in fact).

Should LSB be pushing us around over small, usually systems management
related tasks?  Probably not.  Should the LSB be a good guideline on
setting up a sane system to begin with?  Certainly.  Should we conform
to LSB whenever possible?  Absolutely.  Does this mean we need to
convert every running system over to accommodate a uid/gid change?  No.

The robust solution to such a switch would have to incorporate more
tools than I listed above, such as 'ps' and 'fopen'.  Perl or Python may
be a nice, one-tool approach, and it sounds like the base Debian system
should have at least Perl for the time being.

Anyway, it's late, and I'm tired.  Night!

-- 
Chad Walstrom <chewie@wookimus.net>                 | a.k.a. ^chewie
http://www.wookimus.net/                            | s.k.a. gunnarr
Get my public key, ICQ#, etc. $(mailx -s 'get info' chewie@wookimus.net)
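
A sketch of the one-tool approach mentioned in the message above, added here as an example; it is not part of the original message or of any Debian or LSB tooling. The names `plan_swap` and `apply_plan` and the `SWAP` table (daemon 1, bin 2, as discussed in the thread) are assumptions, and it goes beyond the shell hack by mapping uid and gid independently and defaulting to a dry run.

```python
import os
import stat

# Assumption taken from the thread: daemon is 1 and bin is 2, to be exchanged.
SWAP = {1: 2, 2: 1}

def plan_swap(root, swap=SWAP):
    """Return [(path, new_uid, new_gid)] for entries below root that need changing.

    Ownership is read once, up front, so no temporary "parking" id is needed,
    and uid and gid are mapped independently (a 1:0 file is caught too).
    """
    dev = os.lstat(root).st_dev
    plan = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: judge symlinks themselves
            except OSError:
                continue                     # vanished while walking
            if st.st_dev != dev:             # other filesystem (/proc, NFS, ...)
                if name in dirnames:
                    dirnames.remove(name)    # do not descend into it
                continue
            uid = swap.get(st.st_uid, st.st_uid)
            gid = swap.get(st.st_gid, st.st_gid)
            if (uid, gid) != (st.st_uid, st.st_gid):
                plan.append((path, uid, gid))
    return plan

def apply_plan(plan, dry_run=True):
    """Apply the plan with lchown; returns how many entries are (or would be) changed."""
    for path, uid, gid in plan:
        if dry_run:
            continue
        mode = os.lstat(path).st_mode
        os.lchown(path, uid, gid)            # never follows a symlink
        if not stat.S_ISLNK(mode):
            os.chmod(path, stat.S_IMODE(mode))  # chown may clear setuid/setgid bits
    return len(plan)
```

Reviewing the output of `plan_swap("/")` before calling `apply_plan(plan, dry_run=False)` gives a record of every path that will change, which the shell version only keeps for half of the swap.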
