Old 08-04-2008, 12:32 AM
"Martin Langhoff"
 
Default uids for daemons on a spin

Hi,

packaging a custom-configured rsync daemon, I would like to give its
user a stable UID where possible. Looking at the httpd.spec for
reference, it has a hardcoded uid of 48 for the httpd user. Is there a
listing of known uids? A safe range defined for custom packages? Is
there a policy I should be reading...?

Googling for "uid policy fedora -selinux" (or redhat) does not yield
anything particularly interesting.

TIA for any hints...

cheers,



m
--
martin.langhoff@gmail.com
martin@laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 08-04-2008, 01:55 AM
Ricky Zhou
 
Default uids for daemons on a spin

On 2008-08-04 12:32:09 PM, Martin Langhoff wrote:
> packaging a custom-configured rsync daemon, I would like to give its
> user a stable UID where possible. Looking at the httpd.spec for
> reference, it has a hardcoded uid of 48 for the httpd user. Is there a
> listing of known uids? A safe range defined for custom packages? Is
> there a policy I should be reading...?
>
> Googling for "uid policy fedora -selinux" (or redhat) does not yield
> anything particularly interesting.
Searching around on the wiki, I found the following pages:
http://fedoraproject.org/wiki/Packaging/UsersAndGroups
https://fedoraproject.org/wiki/Packaging/UserCreation
https://fedoraproject.org/wiki/PackageUserRegistry

I'm not sure how up-to-date they are, but hopefully, they provide some
useful information.

Thanks,
Ricky
 
Old 08-04-2008, 07:17 AM
"Martin Langhoff"
 
Default uids for daemons on a spin

2008/8/4 Ricky Zhou <ricky@fedoraproject.org>:
>> Googling for "uid policy fedora -selinux" (or redhat) does not yield
>> anything particularly interesting.
> Searching around on the wiki, I found the following pages:
> http://fedoraproject.org/wiki/Packaging/UsersAndGroups
> https://fedoraproject.org/wiki/Packaging/UserCreation
> https://fedoraproject.org/wiki/PackageUserRegistry

Thanks for the pointers! The docs on fedora-groupadd / useradd seem to
be just what I have been looking for.

Except that it doesn't seem to work - both on F7 and F9 I get

$ cat /etc/fedora/usermgmt/basegid
300
$ sudo /usr/sbin/fedora-groupadd 3 testing
## expecting 303 here -
$ grep testing /etc/group
testing:x:501:

Now, it's a bash script - and it _seems_ to be doing the right thing.
Almost. Mostly. See below:

$ sudo bash -x /usr/sbin/fedora-groupadd 3 testing
+ PATH=/usr/bin:/bin:/sbin:/usr/sbin:/usr/local/sbin
+ BASE_DIR=/etc/fedora/usermgmt
+ ARGS=("$0" "$@")
+ test -r /etc/fedora/usermgmt/baseuid
++ cat /etc/fedora/usermgmt/baseuid
+ BASE_UID=300
+ test -r /etc/fedora/usermgmt/basegid
++ cat /etc/fedora/usermgmt/basegid
+ BASE_GID=300
++ basename /usr/sbin/fedora-groupadd
+ skin=fedora-groupadd
+ skin=groupadd
+ exec_name=
+ for i in '"$BASE_DIR/scripts/$skin"' '"$BASE_DIR/$skin"'
+ test -x /etc/fedora/usermgmt/scripts/groupadd
+ exec_name=/etc/fedora/usermgmt/scripts/groupadd
+ break
+ case $skin in
+ test 3 '!=' --help
+ test 2 -ge 2
+ validateHint v 300 3
+ local tmp
+ let tmp=31
+ test 31 -ne 0
+ let tmp=300+3
+ test 303 -ge 0
+ eval 'v=$tmp'
++ v=303
+ shift
+ set -- 303 testing
+ log=/etc/fedora/usermgmt/log
+ test -e /etc/fedora/usermgmt/log -a -L /etc/fedora/usermgmt/log
+ test -n /etc/fedora/usermgmt/scripts/groupadd
+ invalidateCache
+ local rc=0
+ return 1
+ /etc/fedora/usermgmt/scripts/groupadd 303 testing #### THIS LOOKS CORRECT
+ rc=0
+ invalidateCache
+ local rc=0
+ return 1
+ invalidateCache
+ local rc=0
+ return 1
+ test 0 -eq 0
+ exit 0

and then... hrm...

$ sudo bash -x /etc/fedora/usermgmt/scripts/groupadd 303 testing
+ shift
+ exec /usr/sbin/groupadd testing

The first param to fedora-(user|group)add is supposed to be uid, which
should get added to base (g|u)id and should also get prefixed with
--uid for useradd and --gid for groupadd. When should the option name
be added I am not sure, but it should happen *somewhere*.

<curious>Is this toolchain in use?

cheers,




m
 
Old 08-04-2008, 08:03 AM
Michael Schwendt
 
Default uids for daemons on a spin

On Mon, 4 Aug 2008 19:17:14 +1200, Martin Langhoff wrote:

> 2008/8/4 Ricky Zhou <ricky@fedoraproject.org>:
> >> Googling for "uid policy fedora -selinux" (or redhat) does not yield
> >> anything particularly interesting.
> > Searching around on the wiki, I found the following pages:
> > http://fedoraproject.org/wiki/Packaging/UsersAndGroups
> > https://fedoraproject.org/wiki/Packaging/UserCreation
> > https://fedoraproject.org/wiki/PackageUserRegistry
>
> Thanks for the pointers! The docs on fedora-groupadd / useradd seem to
> be just what I have been looking for.
>
> Except that it doesn't seem to work - both on F7 and F9 I get

No word from you on whether you configured it for static gid/uid
allocation.

> <curious>Is this toolchain in use?

Yes. Its usage is controversial, though, as it's considered non-trivial
and non-intuitive by some.

 
Old 08-04-2008, 08:52 AM
"Martin Langhoff"
 
Default uids for daemons on a spin

On Mon, Aug 4, 2008 at 8:03 PM, Michael Schwendt <mschwendt@gmail.com> wrote:
> No word from you on whether you configured it for static gid/uid
> allocation.

Static? No mention of that in the wikipage so I don't know... I am
using it in its "default". The default value seems to be 300 for uid
and gid. Suits me ok - at least for the testing I am doing. And
looking at the bash -x output (_stop_ reading now and scroll back to
my earlier email - I flagged the relevant line to make it stand out),
it _is_ reading '300' and adding '3' and then tries to create the user
with id 303.

Except that it passes the '303' wrong to useradd. Oops!

and the 2nd script very purposefully discards the 303 without checking
anything. An elaborate ruse to discard the desired uid and gid? ;-)

> Yes. Its usage is controversial, though, as it's considered non-trivial
> and non-intuitive by some.

I find the concepts and documentation in the wiki easy enough for me,
and it will be no problem to use this strategy on the School Server
spin. If it works!

The code OTOH, is computing the right number and then meticulously
_discarding_ it. See

- /etc/fedora/usermgmt/scripts/groupadd - discards the gid
vs
- /etc/fedora/usermgmt/scripts.shadow-utils/groupadd - uses the gid

So you would think that there's a branch in the controlling script
that based on some rule it will switch to "scripts.shadow-utils"
rather than "scripts". Not so - line 73 of
/usr/share/fedora-usermgmt/wrapper is our only chance, and it says...

for i in "$BASE_DIR/scripts/$skin" "$BASE_DIR/$skin"; do

I just imported the cvs history into git and walked it up and down.
Unfortunately it's only 0.7 so packaging changes and no interesting
stuff. All the versions I can see in there are 100% bent on discarding
the user input.

Instead of using this script perhaps I can write the desired gid to
/dev/null and see if it works ;-)

Might still be a PEBKAC at my end, but I cannot see any hint that the
code in CVS has ever worked -

puzzled,



m
 
Old 08-04-2008, 09:07 AM
Michael Schwendt
 
Default uids for daemons on a spin

On Mon, 4 Aug 2008 20:52:29 +1200, Martin Langhoff wrote:

> On Mon, Aug 4, 2008 at 8:03 PM, Michael Schwendt <mschwendt@gmail.com> wrote:
> > No word from you on whether you configured it for static gid/uid
> > allocation.
>
> Static? No mention of that in the wikipage so I don't know...

Everything's there:
https://fedoraproject.org/wiki/Packaging/UserCreation#Documentation

Even links to postings which answer your other questions:
https://fedoraproject.org/wiki/Packaging/UserCreation#Background

> Might still be a PEBKAC at my end, but I cannot see any hint that the
> code in CVS has ever worked -

Wiki plus: rpm -qi fedora-usermgmt-shadow-utils

 
Old 08-04-2008, 09:32 AM
"Martin Langhoff"
 
Default uids for daemons on a spin

On Mon, Aug 4, 2008 at 9:07 PM, Michael Schwendt <mschwendt@gmail.com> wrote:
> On Mon, 4 Aug 2008 20:52:29 +1200, Martin Langhoff wrote:
>
>> On Mon, Aug 4, 2008 at 8:03 PM, Michael Schwendt <mschwendt@gmail.com> wrote:
>> > No word from you on whether you configured it for static gid/uid
>> > allocation.
>>
>> Static? No mention of that in the wikipage so I don't know...
>
> Everything's there:
> https://fedoraproject.org/wiki/Packaging/UserCreation#Documentation

I've read it -- I guess you mean whether I did

/usr/sbin/update-alternatives --set fedora-usermgmt /etc/fedora/usermgmt/scripts.shadow-utils

and the answer is no, I didn't.

Hmmmm. Ok, if I re-read that page and translate the phrase

"Administrators who want static uid/gid allocations..."

into

"this defaults to a no-op - to make it _do_ something..."

then maybe it starts expressing things a bit better :-/

> Even links to postings which answer your other questions:
> https://fedoraproject.org/wiki/Packaging/UserCreation#Background

Ugh, this isn't pretty. From one of the emails:

> fedora-usermgmt in its unconfigured state was the same as useradd.

perhaps that line, wrapped in <blink> tags, should be in the wiki?

Perhaps I misunderstood the goal of the tool - but I see there's
plenty of flamewars about this. Shame that the controversy has shaped
this into its current state of "actually, it doesn't work" out of the
box.

In any case, Real Men just hardcode the uid and so what if there's a
conflict or the local admin has an opinion - ;-)

cheers,




m
 
Old 08-04-2008, 10:49 AM
Enrico Scholz
 
Default uids for daemons on a spin

"Martin Langhoff" <martin.langhoff@gmail.com> writes:

> Static? No mention of that in the wikipage so I don't know... I am
> using it in its "default". The default value seems to be 300 for uid
> and gid. Suits me ok - at least for the testing I am doing. And looking
> at the bash -x output (_stop_ reading now and scroll back to my earlier
> email - I flagged the relevant line to make it stand out), it _is_
> reading '300' and adding '3' and then tries to create the user with id
> 303.

Without reading the whole thread and participating in yet another flame war
(I reply only because I was in a CC): the 300 baseuid is a bad value but
one of the best that I can use as a default.

When you want to use fedora-usermgmt, pick an empty UID range and
reserve it for system users. Here, it is the 63000-65000 range but
this will probably vary on your system. Then, put this number into
/etc/fedora/usermgmt/base[ug]id and activate whole stuff by

/usr/sbin/update-alternatives --set fedora-usermgmt /etc/fedora/usermgmt/scripts.shadow-utils

and install your packages. I described in some other threads how to do this
stuff in early initialization phases (kickstart); basically it was the
creation of a new package which provides 'flavor(fedora-usermgmt-setup)'.


Enrico
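
Added example, not part of the thread and not fedora-usermgmt code: a POSIX sh check for the two things the post above relies on, that the chosen range is empty before it is reserved and that each packaged account ended up at base + hint instead of an id picked by plain useradd/groupadd. The function names and the "name hint" registry format are assumptions; the sample data is constructed, with the `testing` entry mirroring the output earlier in the thread.

```shell
#!/bin/sh
# Added example, not fedora-usermgmt code. Function names and the
# "name hint" registry format are hypothetical; sample data is constructed.

# range_conflicts BASE SIZE DBFILE
# List entries of a passwd- or group-format file (name:x:id:...) whose id
# already sits inside [BASE, BASE+SIZE), i.e. the range is not empty.
range_conflicts() {
    awk -F: -v lo="$1" -v n="$2" \
        '$3 >= lo && $3 < lo + n { print $1 ":" $3 }' "$3"
}

# audit_ids BASE DBFILE REGISTRY
# REGISTRY lines are "name hint"; hint is the relative id a package passes
# to fedora-useradd / fedora-groupadd. Returns 1 unless every id is BASE+hint.
audit_ids() {
    base=$1 db=$2 rc=0
    while read -r name hint; do
        case $name in ''|'#'*) continue ;; esac
        want=$((base + hint))
        have=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$db")
        if [ -z "$have" ]; then
            echo "MISSING $name want=$want"; rc=1
        elif [ "$have" -ne "$want" ]; then
            echo "DRIFT $name want=$want have=$have"; rc=1
        else
            echo "OK $name id=$have"
        fi
    done < "$3"
    return "$rc"
}

# Constructed data: "testing" mirrors the thread (base 300, hint 3, created
# as 501); the other entries are made up for the demonstration.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'testing:x:501:' 'rsyncd:x:304:' \
        'legacyapp:x:63010:' > "$d/group"
    printf '%s\n' '# name hint' 'testing 3' 'rsyncd 4' 'xsdaemon 5' \
        > "$d/registry"
    echo "already in 63000-64999: $(range_conflicts 63000 2000 "$d/group")"
    audit_ids 300 "$d/group" "$d/registry"
    status=$?
    rm -rf "$d"
    return "$status"
}

demo || true
```

Run against the real /etc/passwd and /etc/group on each server, a DRIFT line is the visible symptom of a package having been installed while the wrapper was still in its unconfigured state.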

 
Old 08-05-2008, 05:30 AM
"Martin Langhoff"
 
Default uids for daemons on a spin

On Mon, Aug 4, 2008 at 10:49 PM, Enrico Scholz
<enrico.scholz@informatik.tu-chemnitz.de> wrote:
> Without reading whole thread and participating in yet another flame war

Apologies, didn't mean to taunt people into another flamefest --
thanks for your kind reply. I will use a high uid range as the base if
I do use this.

However, it seems that my situation is one where I end up with an
ordering if I try to use your package. Brief description follows

My project - OLPC's School Server - is a Fedora spin that adds a few
packages with custom daemons, provides a "xs-config" package that
makes a mess of /etc (ahem!, applies a custom configuration), and has
a metapackage to pull it all together.

Having stable, predictable uids/gids is *extremely* valuable as we
want maximum consistency between systems -- the target ratio is of a
small sysadmin team (5 to 12) managing thousands of servers. We could
hardcode the uid/gids, but we want to work with Fedora to make our
packages mainstream as much as possible. So we tend to package things
"vanilla" and do our wonky configuration in a separate package.

So I would need to have a "config" package that
- depends on fedora-usermgmt fedora-usermgmt-shadowutils
- is guaranteed to install _before_ any other package that depends on
fedora-usermgmt

the "main" xs-config package gets installed late because it overwrites
configurations, and so it depends on everything.

Is there a way to force this early-dependency? In case you are
wondering, this gets installed via anaconda unattended and/or via yum
update. I'm wary of anaconda hacks that a yum install / yum update
won't obey.

It's a bit of circular logic. Can I package my own
"fedora-usermgmt-yesjustdoit" version of the -shadowutils with
metadata that makes it win over the "-dontreallydoanything" package?

cheers,



martin
 
Old 08-06-2008, 06:28 PM
Enrico Scholz
 
Default uids for daemons on a spin

"Martin Langhoff" <martin.langhoff@gmail.com> writes:

> So I would need to have a "config" package that
> - depends on fedora-usermgmt fedora-usermgmt-shadowutils
> - is guaranteed to install _before_ any other package that depends on
> fedora-usermgmt

See

http://fedoraproject.org/wikiold/PackageUserCreation (old wiki;
conversion to new broke some things)

https://www.redhat.com/archives/fedora-extras-list/2006-March/msg00793.html

http://ensc.de/fedora/fedora-usermgmt-my.spec

Latter is a spec file which should be used to create a package for a
local repository. Register this repository in your kickstart file, and
add 'fedora-usermgmt-my' to the %files section. Due to its shorter
name it wins against 'fedora-usermgmt-shadow-utils' (which applies the
non-predictable behaviour by default).


When there are proper deps (which should be the case when using the
recommended macros), this customization happens before any package is
installed which uses fedora-usermgmt.



> It's a bit of circular logic. Can I package my own
> "fedora-usermgmt-yesjustdoit" version of the -shadowutils with
> metadata that makes it win over the "-dontreallydoanything" package?

As said above: abuse the rpm behaviour to prefer shorter names...


Enrico

 
