Package: xen-tools Version: 4.2-1~bpo50+1 Hi,
When the --accounts option is used, the domU gets not only the valid user accounts, it gets all "non-system" accounts from the dom0. However, the definition of non-system is trivial and actually broken - it adds everything that isn't already there, so in my case it included e.g. hacluster:x:102:104:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false munin:x:106:109::/var/lib/munin:/bin/false nagios:x:103:105::/var/log/nagios:/bin/false ntp:x:105:107::/home/ntp:/bin/false sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin That's confusing and uncalled for. The Debian Policy, in the section "UID and GID classes" http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.2 clearly indicates classes for dynamically allocated system users and groups, not normal user accounts. Hence, debian.d/35-setup-users readAccounts() needs to check $uid to be greater than 999 and smaller than 60000 by default. To cover the corner cases created by this limit (I doubt there are any in practice, but let's entertain the possibility for the sake of completeness), but also to provide for actual customizability, it would be nice for the --accounts option to have an optional value, or have a sibling option with a required value, and then use that as a parameter in readAccounts() - a list of account names that are to be copied is perhaps the simplest and most straightforward option. Please fix this. TIA. -- 2. That which causes joy or happiness. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org