PackagingDrafts/UsersAndGroupsThoughts

Thoughts about user and group handling in packages
This is a collection of notes posted by various people in the user and group handling packaging draft, kept around for future reference. This is not a policy nor should the notes be interpreted as guidelines!

Here's a collection of past notes made regarding the issue. Some are taken into account in the above, some are not, some are more useful than others. These are not part of the actual draft, at least yet. Approach with care.


 * Static, pseudo-static or dynamic uid mappings, uid ranges if non-dynamic? (TBD: is this within the scope of this doc?)
 * Document users in use in the whole distro somewhere (no matter how uid mapping is done)?
 * General stuff, eg. shell, comment, no password, where to put home dirs, whether or when to create private groups

---

1. Before submitting the package for review, add the user to PackageUserRegistry, set the 'Under Review' field and fill in the other ones. Use a consecutive number for the 'hint' field. Rationale:: 1. Make sure that package is not part of a Base installation; there is no simple way for administrators to install a local user policy during the initial rpm transaction 1. Add something like %global username %global hint %global homedir		%_var/lib/%username
 * some administrators want predictable uids on their systems; registering users before the corresponding package hits the repository and gets installed on the system, will give the administrators a chance to do the precautions to deal with the new user
 * TODO: require that a certain time (7-14 days) has to pass until package is published?
 * TODO: enhance Fedora in a way that  is brought in by a virtual, easy to replace package

Requires(pre):		/usr/sbin/useradd #/usr/sbin/groupadd Requires(postun):	/usr/sbin/userdel #/usr/sbin/groupdel

Provides:		user(%username)	 = %hint Provides:		group(%username) = %hint

%pre id '%username' || /usr/sbin/useradd -r -d %homedir -s /sbin/nologin -c '...' %username || :

%postun test "$1" = 0 || /usr/sbin/userdel %username to your spec file.

Rationale::
 * instead of  ...   is easier to use than   and often this, what packagers really want
 * ... most common location for a homedir
 * ... should be clear
 * ... allows to query the repository which package creates which user; it is possible to use it in constructs like  ... precheck whether user already exists; this avoids the expected "user already exists" message on package upgrades/reinstallations
 * ... must be set to enable dynamic uid allocation and to mark it as a system account (which has e.g. no default expiration time)
 * ... most common shell for service users

TODO::
 * update PackageUserRegistry:
 * replace 'uid/gid' with 'hint', 'idx' or whatever
 * add 'Under Review' field
 * add fields where other useradd information (or the whole  commandline) can/must be entered
 * provide a way which exports the table e.g. in a CSV format
 * sample registry could look like
 * add explicit '/usr/sbin/groupadd' stuff?
 * is the  really needed or would it be better to fail? Distinguish between the different exit values there?
 * do the  stuff? On one side, after an rpm install-uninstall sequence the system should be in the state as before. On the other one, there might exist files with private information owned by the old uid. When creating a new user he might get the old uid and read these information
 * is  stuff really useful?

Some random related recent posts: http://www.redhat.com/archives/fedora-packaging/2006-December/msg00066.html, http://www.redhat.com/archives/fedora-maintainers/2007-February/msg00328.html