Re: [Fink-devel] user and group handling
On Monday, August 11, 2003, at 02:17 PM, TheSin wrote:

> also there will no longer be a random gen password, it will be a crypt pass or it will be blank which will mean a locked user which will be most common.

Sorry to beat this point to death, but I feel quite strongly that there should never be a password on any daemon accounts. Even an encrypted or hashed password is still a default password, and a default password is a backdoor for entry.

Because you can always sudo from a user account, or simply su from the root account, there should never be a need for a Fink package to supply a password or even prompt for one.

If you can think of a case where a password on an autogenerated account would ever be needed, please let me know and I'll concede the point. But I can't think of a time a password has been needed for a non-user account on any Unix system I've ever administered.

Chris

---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel
Re: [Fink-devel] user and group handling
this really is a moot point, why not allow the behavior as it may someday be needed, but till then just set all users to locked, for that matter they don't "NEED" descriptions but I'm allowing it to be set anyhow. But if need be I can remove the passwd and default it to locked without a problem.

On Monday, August 11, 2003, at 07:57 PM, Benjamin Reed wrote:

> I agree. If the user feels the need to override it, they can set it themselves. There's no reason to allow passworded login to daemon accounts I can imagine.
Re: [Fink-devel] user and group handling
I'm looking more for info on whether ppl want the oneline method or heredoc version and if ppl like the user- and group- pkgs to deal with users/groups. the password issue and such are minor points that are easily changed, right now I need to get the major part of the code done. though it doesn't seem the password thing is distracting so I'll from this point disable the settable password.

On Monday, August 11, 2003, at 01:17 PM, TheSin wrote:

> okay after much thought and lots of discussion with other developers this is a great idea and i just want to run it by.
>
> all pkgs needing users/groups will depend on sort of bundle pkgs, user- or group-. these pkgs will control the users on a system, they will check to make sure they exist and keep the info current and the same across the board.
>
> then as my code currently does, when building a pkg it will get a list of perms and set all files to user 0 and group 0, so all debs are the same and it will create a postinstall script to set the perms to the required values, and since the user-* and group-* pkgs are depends they need to be installed prior to this, also they can't be removed unless they are no longer needed, and not all users/groups need to be on every system.
>
> in this system uids and gids are not important and thus no db is needed for this, and it's easy to add users and groups for maintainers.
>
> also there will no longer be a random gen password, it will be a crypt pass or it will be blank which will mean a locked user which will be most common.
>
> any comments please respond I'd like to get this code done for the end of the week.
Re: [Fink-devel] user and group handling
On Monday, August 11, 2003, at 9:42PM, Chris Dolan wrote:

> On Monday, August 11, 2003, at 02:17 PM, TheSin wrote:
>
> > also there will no longer be a random gen password, it will be a crypt pass or it will be blank which will mean a locked user which will be most common.
>
> Sorry to beat this point to death, but I feel quite strongly that there should never be a password on any daemon accounts. Even an encrypted or hashed password is still a default password, and a default password is a backdoor for entry.

I agree. If the user feels the need to override it, they can set it themselves. There's no reason to allow passworded login to daemon accounts I can imagine.

--
We put a lot of thought into our defaults. We like them. If we didn't, we would have made something else be the default. So keep your cotton-pickin' hands off our defaults. Don't touch. Consider them mandatory. "Mandatory defaults" has a nice ring to it.
Re: [Fink-devel] user and group handling
well since I got no response other than this one I've gone with the oneline version for now, but I suppose this can be changed later (the beauty of perl mmm). I just have two shell functions to write and it seems to be done. Any willing testers? :)

and all users are locked, passwords can only be set via netinfo or sudo passwd user

On Monday, August 11, 2003, at 08:41 PM, Charles Lepple wrote:

> The actual style of the password specification doesn't really matter to me, though-- both accomplish the same thing, and if it were me, I'd pick the one that is easiest to maintain on both sides (fink engine and packages). The one-line version is slightly more amenable to diff'ing between versions, but that hasn't been much of a driving force in the past.
Re: [Fink-devel] user and group handling
you could be right about mysql, I use debian and webmin, I don't need to use the CLI. I think having a shell is more dangerous than having a pass, but it doesn't matter, I removed it, I wasn't planning on using it for anything anyhow, and if need be a sudo passwd $user can be added to the end of a script anyhow.

On Monday, August 11, 2003, at 08:33 PM, Benjamin Reed wrote:

> Mysql needs it for the user? I was under the impression the mysql root "user" (inside mysql) does, but not the system user that mysql runs under.
>
> > you can't sudo or su to a user that doesn't have a shell. you can execute things as that user using sudo -u but that is it.
>
> But he would have a shell, just not a password.
Re: [Fink-devel] user and group handling
this is NOT correct, it totally depends on your auth, you can auth via pam.

On Monday, August 11, 2003, at 08:41 PM, Charles Lepple wrote:

> > and that won't help you login to things like cyradmin
>
> again, another separate user database (not tied into /etc/passwd or netinfo unless you configure it that way).
Re: [Fink-devel] user and group handling
On Monday, August 11, 2003, at 10:01PM, TheSin wrote:

> some pkgs require a pass that is known, ie mysql, but maybe I could set it to ask if the passwd eq ask if that suits?

Mysql needs it for the user? I was under the impression the mysql root "user" (inside mysql) does, but not the system user that mysql runs under.

> you can't sudo or su to a user that doesn't have a shell. you can execute things as that user using sudo -u but that is it.

But he would have a shell, just not a password.

--
We put a lot of thought into our defaults. We like them. If we didn't, we would have made something else be the default. So keep your cotton-pickin' hands off our defaults. Don't touch. Consider them mandatory. "Mandatory defaults" has a nice ring to it.
Re: [Fink-devel] user and group handling
On Monday, August 11, 2003, at 10:01 PM, TheSin wrote:

> some pkgs require a pass that is known, ie mysql

From mysql.info:

> DescUsage: <<
> The package creates the administrative tables on installation. Be sure to set a MySQL root password using mysqladmin:
> 'mysqladmin -u root password your-new-password'
> or
> 'mysqladmin -u root -h localhost -p password your-new-password'

This isn't for the system password database. Are you proposing a scheme to cover database-specific user lists as well?

> but maybe I could set it to ask if the passwd eq ask if that suits?

This is crying out for debconf...

> you can't sudo or su to a user that doesn't have a shell. you can execute things as that user using sudo -u but that is it.

... or (x)inetd can switch to that user, or a daemon can be launched as root, and switch to that user...

> and that won't help you login to things like cyradmin

again, another separate user database (not tied into /etc/passwd or netinfo unless you configure it that way).

On Monday, August 11, 2003, at 07:42 PM, Chris Dolan wrote:

> Sorry to beat this point to death, but I feel quite strongly that there should never be a password on any daemon accounts.

amen to that. I would rather not find out after the fact that one of the packages installed to satisfy a dependency had a default login (although I guess this happens with mysql's permissions table... other systems that I have seen don't start the daemon by default)

The actual style of the password specification doesn't really matter to me, though-- both accomplish the same thing, and if it were me, I'd pick the one that is easiest to maintain on both sides (fink engine and packages). The one-line version is slightly more amenable to diff'ing between versions, but that hasn't been much of a driving force in the past.

--
Charles Lepple <[EMAIL PROTECTED]>
http://www.ghz.cc/charles/
Re: [Fink-devel] user and group handling
some pkgs require a pass that is known, ie mysql, but maybe I could set it to ask if the passwd eq ask if that suits?

you can't sudo or su to a user that doesn't have a shell. you can execute things as that user using sudo -u but that is it. and that won't help you login to things like cyradmin or mysql.

On Monday, August 11, 2003, at 07:42 PM, Chris Dolan wrote:

> Sorry to beat this point to death, but I feel quite strongly that there should never be a password on any daemon accounts. Even an encrypted or hashed password is still a default password, and a default password is a backdoor for entry.
>
> Because you can always sudo from a user account, or simply su from the root account, there should never be a need for a Fink package to supply a password or even prompt for one.
>
> If you can think of a case where a password on an autogenerated account would ever be needed, please let me know and I'll concede the point. But I can't think of a time a password has been needed for a non-user account on any Unix system I've ever administered.
>
> Chris
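
The rule the thread converges on (daemon accounts stay locked, and no package supplies a password) can be checked on an installed system. The script below is an added example, not code from Fink or from any poster in this thread. It assumes passwd(5)/shadow(5)-style files rather than NetInfo, treats UIDs 1 to 499 as daemon accounts, and runs on constructed sample data; in these file formats an empty hash field means "no password required", so a package tool has to write a lock marker rather than leave the field blank.

```shell
#!/bin/sh
# Added example: report daemon accounts that are not locked.
# Assumptions: passwd(5)/shadow(5)-style input; UIDs 1..MIN_HUMAN_UID-1
# (default 1..499) count as daemon accounts; root (UID 0) is out of scope.

# audit_daemon_accounts PASSWD_FILE SHADOW_FILE [MIN_HUMAN_UID]
# Prints "name:status:shell" for each daemon account that can authenticate:
#   EMPTY = empty hash field, no password needed at all
#   HASH  = a usable password hash is set
# Locked accounts (hash starting with "*" or "!", or a bare "x") print nothing.
audit_daemon_accounts() {
    awk -F: -v min_uid="${3:-500}" '
        # First operand is the shadow file: remember every hash field.
        FILENAME == ARGV[1] { hash[$1] = $2; next }
        # Second operand is the passwd file: look at daemon UIDs only.
        $3 + 0 > 0 && $3 + 0 < min_uid + 0 {
            h = ($1 in hash) ? hash[$1] : $2
            if (h == "") status = "EMPTY"
            else if (h ~ /^[*!]/ || h == "x") next
            else status = "HASH"
            print $1 ":" status ":" $7
        }
    ' "$2" "$1"
}

# Constructed sample data, not taken from any real system.
sample_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
mysql:x:74:74:MySQL server:/var/empty:/bin/sh
cyrus:x:77:6:Cyrus IMAP:/var/imap:/usr/bin/false
news:x:9:9:news:/var/spool/news:/bin/sh
chris:x:501:20:Chris:/Users/chris:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:12275:0:99999:7:::
mysql:*:12275:0:99999:7:::
cyrus::12275:0:99999:7:::
news:$1$constructed$notarealhash:12275:0:99999:7:::
chris:$1$constructed$notarealhash:12275:0:99999:7:::
EOF
    audit_daemon_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

sample_audit
```

The third field of each output line is the login shell, so an account that has both a usable password and a real shell stands out from one that has only one of the two.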