Darren J Moffat <Darren.Moffat at Sun.COM> writes:

> Jyri Virkki wrote:
>> One detail that caught us (http://www.opensolaris.org/os/project/webstack/)
>> by surprise recently is that daemon users dedicated to running server
>> processes (such as webservd, postgres) are not being delivered by the
>> corresponding packages. Instead, these are hardcoded in the OS install
>> itself.
>> 
>> So their creation needs to be coordinated at the OS level and they
>> exist even if the matching server packages are never installed,
>> cluttering up the passwd file.
>
> There is a very good reason we choose to do it this way for gdm and 
> webservd and how I advised the team to do it for postgres.  I'll work on 
> getting PSARC/2003/405 opened up because it was that case that set the 
> precedent.
>
> Firstly webservd isn't just for a specific webserver, eg Apache or Sun 
> WebServer but any webserver.
>
> Secondly if we don't put them all in a single location there is no easy 
> way to ensure that there are no clashes of uid/gid.  We need a single 
> canonical repository of the reserved name/uid mapping because the 
> reserved space is small (0-99 only).  Hosting the repository outside of 
> the source base was considered but that only leads to the possibility of 
> being out of sync.
>
> I'm not saying we can't change this but it wasn't a decision made 
> without thought and much discussion.
>
> For the RBAC rights profiles (exec_attr(4), prof_attr(4)) then they 
> should be with the particular package that delivers eg the postgres 
> rights profiles are (or could be) specific to a given release.
>
> We know already that i.rbac is a complete mess and needs a big rethink 
> though, and pkg is the perfect opportunity to resolve that.

The trouble is that there is no way that we can think of all the user
accounts of this type that will be needed. imapuser? dirsvr? xmppuser?

It's all very well for some accounts to be system defined and for
that to be in the OS source, but third parties will have needs for
other, unbundled software.

Boyd
