Ian Jackskon
2007-Nov-27 09:59 UTC
Bug#453086: adduser --system --group should ensure uid==gid
Package: adduser
Version: 3.102
Severity: wishlist

mariner:~> perl -e 'print join "|", getpwnam "Debian-exim"'; echo
Debian-exim|x|100|102||||/var/spool/exim4|/bin/false
mariner:~> perl -e 'print join "|", getgrnam "Debian-exim"'; echo
Debian-exim|x|102|
mariner:~> grep Debian-exim /etc/passwd /etc/group
/etc/passwd:Debian-exim:x:100:102::/var/spool/exim4:/bin/false
/etc/group:Debian-exim:x:102:
mariner:~>

It would be slightly less confusing if the ids matched.

This machine was installed from an etch netinst CD about three weeks ago and I have configured exim only via dpkg-reconfigure. I'm pretty sure the user was created by this line in exim4-config's postinst:

adduser --system --group --quiet --home /var/spool/exim4 \
    --no-create-home --disabled-login --force-badname Debian-exim

Ian.
Stephen Gran
2007-Nov-27 13:02 UTC
[Adduser-devel] Bug#453086: Bug#453086: adduser --system --group should ensure uid==gid
This one time, at band camp, Ian Jackskon said:
> It would be slightly less confusing if the ids matched.
>
> This machine was installed from an etch netinst CD about three weeks
> ago and I have configured exim only via dpkg-reconfigure. I'm pretty
> sure the user was created by this line in exim4-config's postinst:

What's the benefit? The reason they don't match is that there are some groups in the 'system gid' range assigned that don't have matching users - specifically, the groups crontab and users. These use 100 and 101 on most systems, so system users that come after can either have their uid's renumbered up to match, or we can take the course adduser currently does and just not worry about something that's not an issue in practice.

I guess I do see the aesthetic appeal, but I'm not sure I want to rule out use of some parts of the already fairly small system range, just because either the uid or the gid is already taken.

If you can provide a reason that's more than aesthetic, I'm willing to consider it.

Take care,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                    sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
Ian Jackson
2007-Nov-27 20:44 UTC
[Adduser-devel] Bug#453086: Bug#453086: adduser --system --group should ensure uid==gid
Stephen Gran writes ("Re: [Adduser-devel] Bug#453086: adduser --system --group should ensure uid==gid"):
> What's the benefit? The reason they don't match is that there are some
> groups in the 'system gid' range assigned that don't have matching users
> - specifically, the groups crontab and users. These use 100 and 101 on
> most systems, so system users that come after can either have their uid's
> renumbered up to match, or we can take the course adduser currently does
> and just not worry about something that's not an issue in practice.

It doesn't cause any trouble for the computers. But uid==gid is much easier for humans - it makes life less error-prone because you only have to remember one id which applies everywhere. It's already the case for non-system users.

> I guess I do see the aesthetic appeal, but I'm not sure I want to rule
> out use of some parts of the already fairly small system range, just
> because either the uid or the gid is already taken.

I thought about the problem of exhaustion, but I think in practice this change wouldn't cause that to be more likely. On any particular system, either allocation of users or groups will dominate. And these uids and gids are each allocated sequentially. So the set of used uids will be a subset of the set of used gids, or vice versa.

Regards,
Ian.
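[Added example, not part of any message in this thread and not adduser's own code: a simplified lowest-free-id model of the allocation the two messages above discuss, plus an audit for users whose same-named group has a different id. The 100-999 system range, the function names and the sample passwd/group contents are assumptions constructed for illustration.]

```python
# Added example: simplified lowest-free-id model, not adduser's own code.
SYSTEM_IDS = range(100, 1000)  # assumption: system uid/gid range

# Constructed /etc/passwd and /etc/group contents before exim4-config runs.
PASSWD = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
GROUP = "root:x:0:\ndaemon:x:1:\nusers:x:100:\ncrontab:x:101:\n"


def entries(text):
    """Yield (name, numeric id) from passwd- or group-format lines."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            yield fields[0], int(fields[2])


def first_free(used):
    """Lowest id in the system range that is not in `used`."""
    for candidate in SYSTEM_IDS:
        if candidate not in used:
            return candidate
    raise RuntimeError("system id range exhausted")


def allocate(passwd, group, matched=False):
    """Return (uid, gid) for a new system user with its own group."""
    uids = {i for _, i in entries(passwd)}
    gids = {i for _, i in entries(group)}
    if matched:  # requested behaviour: one id free in both namespaces
        shared = first_free(uids | gids)
        return shared, shared
    return first_free(uids), first_free(gids)  # independent choice


def mismatched(passwd, group):
    """Audit: users whose same-named group carries a different id."""
    gid_of = dict(entries(group))
    return [(name, uid, gid_of[name]) for name, uid in entries(passwd)
            if name in gid_of and gid_of[name] != uid]


if __name__ == "__main__":
    print("independent:", allocate(PASSWD, GROUP))
    print("matched:    ", allocate(PASSWD, GROUP, matched=True))
    # The two lines quoted in the bug report:
    print(mismatched("Debian-exim:x:100:102::/var/spool/exim4:/bin/false\n",
                     "Debian-exim:x:102:\n"))
```

With the constructed sample, the independent choice reproduces the 100/102 split from the report, while the matched choice lands on 102 and leaves uids 100 and 101 unused.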
joerg at joerghoh.de
2007-Nov-27 22:47 UTC
[Adduser-devel] Bug#453086: Bug#453086: Bug#453086: adduser --system --group should ensure uid==gid
On Tue, Nov 27, 2007 at 08:44:53PM +0000, Ian Jackson wrote:
> Stephen Gran writes ("Re: [Adduser-devel] Bug#453086: adduser --system --group should ensure uid==gid"):
> > What's the benefit? The reason they don't match is that there are some
> > groups in the 'system gid' range assigned that don't have matching users
> > - specifically, the groups crontab and users. These use 100 and 101 on
> > most systems, so system users that come after can either have their uid's
> > renumbered up to match, or we can take the course adduser currently does
> > and just not worry about something that's not an issue in practice.
>
> It doesn't cause any trouble for the computers. But uid==gid is much
> easier for humans - it makes life less error-prone because you only
> have to remember one id which applies everywhere. It's already the
> case for non-system users.

I never used the numeric values in daily work. I always use the groupnames and usernames.

Jörg
-- 
What did you do to the cat? It looks half-dead. -Schroedinger's wife
Stephen Gran
2007-Nov-27 22:59 UTC
[Adduser-devel] Bug#453086: Bug#453086: adduser --system --group should ensure uid==gid
This one time, at band camp, Ian Jackson said:
> Stephen Gran writes ("Re: [Adduser-devel] Bug#453086: adduser --system --group should ensure uid==gid"):
>
> It doesn't cause any trouble for the computers. But uid==gid is much
> easier for humans - it makes life less error-prone because you only
> have to remember one id which applies everywhere. It's already the
> case for non-system users.

It's certainly not the case on many systems I admin, where there is a mix of users with their own group, some in group users, and so on. They quickly get to an unmatched state on a complex system.

But at any rate, the argument is largely due to aesthetics. I can understand that, but I'm not convinced it's a good idea or worth the work.