[lsb-discuss] user naming proposal

[Russ Allbery]

Robert Schweikert <rjschwei at suse.com> writes:

> A while back an issue about user naming/numbering has surfaced. While in
> many cases it is immaterial to have the same name and uid/gid for a user
> on various installations there are cases where having the same
> name/uid/gid is important. Additionally there is a potential security
> issue with "user/sysadmin" assigned names and "system users" is there
> should be a "conflict" with user names. To address this topic the work
> group has created a proposal [1].

> Before the proposal is solicited to various distributions it would be
> great if those following this list could take a look and provide
> feedback by end of next week. After weighing the provided feedback the
> proposal will then be solicited on the development mailing lists of
> various distributions.

It's probably unsurprising given that this is based on the Debian
proposal, but from a Debian Policy perspective this looks good to me.

I wholeheartedly concur with the policy of prefixing system users with an
underscore.  That's the model I've been advocating for in Debian for some
time, although I haven't been successful in making it policy.  Be aware,
however, that changing the name of the system user for a particular
package is quite difficult to manage across upgrades, so there's a
substantial legacy problem here.

It is probably somewhat out of scope, but it might be nice to say
something about the default shells for these users.  I can say that from
the perspective of a large-site systems administrator who has to deal with
occasional audits that apply fairly simplistic criteria, having system
users with shells other than /usr/sbin/nologin or the moral equivalent
causes me a bunch of pain, even if the accounts are created locked.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>