[Slackbuilds-users] on creating users
rworkman at slackbuilds.org
Tue Jun 18 15:21:25 UTC 2013
On Tue, 18 Jun 2013 03:17:43 -0700
Miguel De Anda <miguel at thedeanda.com> wrote:
> what's the best practice for server/daemon apps that we want to run
> as an unprivileged user/group? for example, apache often runs as
> apache.apache and mysql as mysql.mysql.
> i found one build script that has a grep for /etc/passwd
> and /etc/group and has some hard-coded uid/gid's in the suggested
> user/groups. my concern with this method is that if you archive the
> tgz file (to install on a remote machine for example) you have to
> remember that you ran some commands against the buidl system. do we
> want to add a similar check in the doinst.sh script? maybe a warning?
I've been bitten by this on some of my own systems, but I'm not
convinced that there's a *good* solution to it.
A note in doinst.sh is likely (almost sure) to be missed by many
admins (e.g. me) who do "batch installs" of add-ons to newly
deployed systems, so the extra work of adding notes there isn't
really something I want to commit to doing.
I also don't really like the idea of checking for existence of
any required user/group and automatically creating it/them if
it/they do not already exist, and again I'll draw on my own
experience for that: I like to keep my UIDs and GIDs in sync
across all of my systems, so I'd rather have something fail
horribly due to a missing user/group than have a stealthily
created (and wrong/inconsistent) user and uid present. I use
NFS locally so UID/GID consistency is a big deal for me.
All that said, I'm not against doing all of this in a better
way, but I'll have to be convinced that it's actually better :-)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 198 bytes
Desc: not available
More information about the SlackBuilds-users