Re: Namespace for system users


On 2/9/2019 6:02 PM, Sean Whitton wrote:
> On Sat 09 Feb 2019 at 01:51PM +01, Guillem Jover wrote:
>> To that effect I sent a patch to adduser to allow these in #521883,
>> but it seems that's stuck. :/
>>> How do others deal with this problem? Could someone think of a viable
>>> approach on how to approach this from a policy side?
>> Unfortunately, last time it looked like there was some push back, due
>> to there not being a clear winner in "current" practice at the time
>> AFAIR. I think a way forward would be to get that adduser patch merged,
>> then keep promoting the underscore usage, and possibly try to switch
>> existing users to use that.
> ISTM to me we have a consensus, at least, that new packages with system
> users should use the underscore prefix convention.  There isn't a
> consensus on what to do about old packages, but Policy can be written in
> such a way to refer only to new packages with system users.

That sounds great to me. I think we should finally come up with a
solution and flesh out how to grandfather in the old packages, while
nudging them to adopt a new scheme if possible. Marco's approach is
ultimately correct in that maintainers of packages with existing system
users should evaluate if something can be done - but it might well be
that it is pretty much impossible to fix for some of the packages. And
that's fine.

I do wonder if it would be possible to solve some of the rename cases
with some sort of dpkg-maintscript-helper so that not everyone needs to
figure this out on their own, but I fear that this could easily be
ratholed into a too generic solution that supports all cases - which
would not be useful.

I did a small evaluation on the set of the existing users created by
packages in sid and put it onto [0]. It's a large list of ~300 users to
exclude while skipping the ones with dashes and underscores in them. It'd
be great to stop the bleeding here, though.

It's a bit sad that the policy bug #248809 did not go anywhere with the
last update happening in 2008. And obviously the list is now much larger
than the list compiled by Vincent back then. Is that the bug in which we
should continue this discussion for the policy change?

> Ideally the adduser change would happen before we wrote this down in
> Policy, but since the adduser behaviour is easy to work around (IIRC), it
> would not be required for it to happen first.

The former maintainer of the package seems to have been sympathetic to
the patch in [1], too.

Kind regards and thanks
Philipp Kern

[0] https://people.debian.org/~pkern/permanent/userlist.txt -- Obviously
this still contains some variables at the top that would need manual
analysis. I also ignored all of OpenStack which seems to have its own
way of shipping a shell library in every postinst script that calls adduser.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521883#38