On Mon, Feb 27, 2012 at 01:16:25PM +0100, Daniel Pocock wrote:
> Colin Watson wrote:
> > Pre-allocated IDs are only necessary when the IDs need to be hardcoded
> > in binary packages somehow. I won't allocate them unless there is no
> > reasonable alternative, as the allocation space is limited (particularly
> > true for the global static IDs below 100). It is always preferable to
> > use techniques such as 'adduser --system' where possible.
>
> I definitely haven't seen this type of thing hard coded, so it would not
> pass that criteria
>
> The reason I raise this, however, is that the pattern is becoming more
> widespread, and it is possible with quite a few packages now

Have you raised this with any of the maintainers of the packages in
question, or do you maintain any of those packages yourself? I mean,
I'm not trying to restrict who gets to report bugs or anything, but
normally it's best for this sort of request for ID allocation to be made
by maintainers of the affected packages; there's no point in me
allocating things that no maintainer is actually planning to use.

> > Why couldn't all packages here simply cooperate in using 'adduser
> > --system vmail' etc., and then look up the user dynamically by name?
> > There seems no reason why the ID numbers themselves need to be the same
> > between different systems or hardcoded in binary packages, so it doesn't
> > seem to me as though base-passwd needs to be involved.
>
> It would be useful to have a standard username.

Right, certainly. But this is the kind of thing that maintainers of the
affected packages should just arrange among themselves, in a mail
mini-policy or whatever (or even an amendment to policy - whatever suits
best). It wouldn't add anything to have it recorded in base-passwd; in
fact in many ways that would be less likely to be noticed than a mail
mini-policy, and base-passwd is not in a good position to record things
like the precise ways in which packages should co-operate in their use
of the user in question, what files are permitted to be owned by that
user, and so on, which are likely to be important security properties.

> Having a standard numeric ID isn't so important, but it would be
> useful to have some guidance on whether this type of ID would be in
> the system range (up to 999) or potentially qualify for one of the
> reserved ranges (> 60000)

It would belong in the dynamic system range, 100-999. As indicated by
policy, the 60000-64999 range is only for static allocation; and I only
allocate static IDs when dynamic ones won't do.

Cheers,

--
Colin Watson [[email protected]]
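The approach discussed in the thread (create the shared account with 'adduser --system', then resolve it by name), sketched as an added example that is not part of the original messages or of any package's maintainer scripts. The function names, the PASSWD_SOURCE override and the sample passwd entries are assumptions made up for illustration.

```shell
# Added example, not from the thread. Function names and PASSWD_SOURCE are
# hypothetical; PASSWD_SOURCE lets the lookup run against a file offline.

# Constructed sample passwd entries (not real accounts).
sample_passwd() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'vmail:x:118:125::/nonexistent:/usr/sbin/nologin' \
        'legacy:x:60001:60001::/nonexistent:/usr/sbin/nologin'
}

# Print the passwd entry for user $1; non-zero status if it does not exist.
lookup_entry() {
    if [ -n "${PASSWD_SOURCE:-}" ]; then
        awk -F: -v u="$1" '$1 == u { print; found = 1; exit }
                           END { exit !found }' "$PASSWD_SOURCE"
    else
        getent passwd "$1"
    fi
}

# Resolve the numeric UID from the name at run time.
uid_of() {
    entry=$(lookup_entry "$1") || return 1
    printf '%s\n' "$entry" | cut -d: -f3
}

# Classify a UID using the ranges named in the thread.
uid_class() {
    case "$1" in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    if [ "$1" -lt 100 ]; then echo global-static
    elif [ "$1" -le 999 ]; then echo dynamic-system
    elif [ "$1" -ge 60000 ] && [ "$1" -le 64999 ]; then echo static-allocated
    else echo other
    fi
}

# postinst-style step (needs root and Debian's adduser): create only if missing.
ensure_system_user() {
    lookup_entry "$1" >/dev/null 2>&1 && return 0
    adduser --system --group --quiet --no-create-home --home /nonexistent "$1"
}

# Succeed only if the account exists and its UID is in the dynamic system range.
check_shared_user() {
    uid=$(uid_of "$1") || { echo "$1: no such user"; return 2; }
    class=$(uid_class "$uid")
    echo "$1 uid=$uid class=$class"
    [ "$class" = dynamic-system ]
}
```

With PASSWD_SOURCE unset the lookup goes through getent, so the same check works on a live system where the UID assigned to vmail differs from host to host.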

