On Fri, Jun 17, 2005 at 07:56:10PM +0200, Vincent Lefevre wrote: > Lots of Debian packages create local groups (and in fact, this is the > only problem I have with local groups). So, what do you suggest? Not > using Debian because it is a security bug?
No. But if you want to use NIS you have to be familiar with the consequences. If your local NIS policy allows having groups with IDs < 1000 in NIS maps, then you should better be prepared that automatic group creation _will_ fail and you have to fix it up manually. There is nothing Debian can do about it. > > > $ ./grname doctex > > > 42 (doctex) > > > $ ./grname 42 > > > 42 (shadow) > > > > Yes, it is correct as far as libc is concerned. It is simply a > > system administration error. > > So, this is a bug in Debian. No, it's a bug in your local NIS policy if you allow group IDs < 1000 being served by NIS and still expect automatic local system group creation to work. > I don't have such information, but I could probably ask them. The > problem is that they don't support Debian, so that their group id > range will conflict with Debian's group id range (in particular > because some group ids are hardcoded in Debian). Then you have no other option than to synchronize your local group IDs with NIS manually. NIS enforces a central policy that is defined by the NIS administrators. The package management system has no way to know about that policy. If you want to be part of a NIS setup you have to manually adapt the local system configuration to match the central policy. Of course, if you do not have a well-defined and well-designed NIS policy but rather it was just an ad-hoc setup then you will have difficulties... > Moreover, if some group exists in the NIS database, why isn't it > possible to have a copy (with the same group id) in /etc/groups? > This could be useful when the NIS server is down, for instance. It is possible but you have to do it manually. This cannot be automated in general (think about the group ID being changed in NIS but not in your local copy). Gabor -- --------------------------------------------------------- MTA SZTAKI Computer and Automation Research Institute Hungarian Academy of Sciences --------------------------------------------------------- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]