[Slackbuilds-users] on creating users

[Robby Workman]

On Tue, 18 Jun 2013 03:17:43 -0700
Miguel De Anda <miguel at thedeanda.com> wrote:

> what's the best practice for server/daemon apps that we want to run
> as an unprivileged user/group? for example, apache often runs as
> apache.apache and mysql as mysql.mysql.
> 
> i found one build script that has a grep for /etc/passwd
> and /etc/group and has some hard-coded uid/gid's in the suggested
> user/groups. my concern with this method is that if you archive the
> tgz file (to install on a remote machine for example) you have to
> remember that you ran some commands against the buidl system. do we
> want to add a similar check in the doinst.sh script? maybe a warning?


I've been bitten by this on some of my own systems, but I'm not
convinced that there's a *good* solution to it.

A note in doinst.sh is likely (almost sure) to be missed by many
admins (e.g. me) who do "batch installs" of add-ons to newly
deployed systems, so the extra work of adding notes there isn't
really something I want to commit to doing.

I also don't really like the idea of checking for existence of 
any required user/group and automatically creating it/them if
it/they do not already exist, and again I'll draw on my own
experience for that: I like to keep my UIDs and GIDs in sync
across all of my systems, so I'd rather have something fail
horribly due to a missing user/group than have a stealthily
created (and wrong/inconsistent) user and uid present.  I use
NFS locally so UID/GID consistency is a big deal for me.

All that said, I'm not against doing all of this in a better 
way, but I'll have to be convinced that it's actually better :-)

-RW
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20130618/2e90eb71/attachment.asc>