[Fedora-packaging] packages which add user accounts: is fedora-usermgmt the way?

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Tue Sep 6 22:29:56 UTC 2005


steve at silug.org (Steven Pritchard) writes:

> My personal feeling (as a sysadmin and a packager) is that doing
> something like this in %pre (not %post, if you want files owned by
> the new user) is the Right Thing:
>
>   %pre
>   if ! id foo > /dev/null 2>&1 ; then
>       /usr/sbin/useradd -r -s /sbin/nologin -c 'BAR' [...] foo
>   fi

This does not solve the problem that users will have different UIDs on
different machines.


> And then just *don't touch the account* on removal.

This rule is ok with me.


> If for some reason useradd will not work, doing this in %pre should
> make package installation fail, right?  Then the sysadmin can go add
> the user in LDAP/NIS/whatever and reinstall the package.

IMO, managing service-accounts with LDAP/NIS is a bad idea. It is ideal
for normal users but I do not want to rely on them for services. You will
run into bootstrap issues (e.g. think of slapd which tries to resolve the
'ldap' user), configuration errors like outdated TLS certificates (which
make LDAP lookups impossible) or added complexity for critical services
(I saw enough problems with nss_ldap and nscd).

Additionally, there is no way to see whether users are created by an
rpm package or which parameters are used for these users. So it is not
possible to create users on the LDAP server *before* the package is
installed.




Enrico
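
The UID mismatch raised in this reply can be checked after the fact. The script below is an added example, not part of the original message or of any Fedora tooling. It assumes one passwd-format snapshot per host named HOST.passwd (for instance from `getent passwd`); the host names, UIDs and helper names are constructed.

```shell
#!/bin/sh
# Added example: compare passwd(5) snapshots taken from several hosts.
# File naming (HOST.passwd) and all sample data below are constructed.

# _passwd_diff KEYCOL VALCOL FILE...
# Print every key whose value is not the same in all files that contain it.
_passwd_diff() {
    k=$1 v=$2; shift 2
    awk -F: -v k="$k" -v v="$v" '
        FNR == 1 { host = FILENAME; sub(/.*\//, "", host); sub(/\.passwd$/, "", host) }
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        {
            key = $k; val = $v
            if (!(key in first)) first[key] = val
            else if (first[key] != val) differs[key] = 1
            seen[key] = seen[key] " " host "=" val
        }
        END { for (key in differs) print key seen[key] }
    ' "$@" | sort
}

# Same account name, different UID on different hosts.
uid_drift() { _passwd_diff 1 3 "$@"; }
# Same UID, different account name: files on shared storage or in restored
# backups end up owned by another account.
uid_reuse() { _passwd_diff 3 1 "$@"; }

# Constructed sample: on hostB UID 101 was already taken when foo was added.
write_sample() {
    cat > "$1/hostA.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
foo:x:101:101:BAR:/:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
EOF
    cat > "$1/hostB.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bar:x:101:101:constructed account:/:/sbin/nologin
foo:x:103:103:BAR:/:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
echo "UID drift:"; uid_drift "$tmp"/*.passwd
echo "UID reuse:"; uid_reuse "$tmp"/*.passwd
rm -rf "$tmp"
```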