[Pkg-shadow-devel] I need some advice/discuss on fixing/extending shadow
Tomasz Kłoczko
kloczek@zie.pg.gda.pl
Thu, 24 Mar 2005 23:31:45 +0100 (CET)
Things now are slightly slower .. Christmas comes :)
I found more time in a bigger piece for rethinking some plans around
shadow.
First: shadow has one IMO critical bug in useradd/usermod when
usermod/useradd must create the home directory if its parent
directory does not exist. This was reported by Debian people.
This can be solved by:
- recursive checking and creating all necessary parent directories using
UMASK,
- exiting with a verbose error message about the directories which must be
created by hand, and setting up uid/gid/attrs.
I think the second is correct because:
- when using useradd/usermod someone can pass a directory with typos and it
can be the source of some kind of bad scenarios,
- in the case of, for example, an empty two-level /foo/bar/user tree (if only /foo
existed before), the home directory's parent directory will probably require
some setup by hand using chmod/chown/chattr if it will be shared by users
with a common group or a few groups.
Now I have a few fresh Solarises around and I'm preparing an integrated
environment for sharing resources by users across these systems. Some users
will be kept centrally in an LDAP database but some others not. Also I'm not
alone on administration tasks in this environment. So .. I need some tool
set which can work possibly similarly in Solaris and Linux.
I see some good things in the shadow-like tools in Solaris and some things I
want to integrate into shadow.
Example: in useradd, instead of extending the set of options by adding the next
--<switch> for different things, it is possible to use some template for passing many
properties for the created account.
[Solaris 10]# useradd -D
group=other,1 project=default,3 basedir=/home
skel=/etc/skel shell=/bin/bash inactive=0
expire= auths= profiles= roles= limitpriv=
defaultpriv= lock_after_retries=
All the above variables can be used by "useradd -K <key>=<value>".
For comparison, the current status of useradd from shadow:
[Linux]# useradd -D
GROUP=1000
HOME=/home/users
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
The current shadow useradd has an undocumented -O option. Fragment from the
useradd source code:
	case 'O':
		/*
		 * override login.defs defaults (-O name=value)
		 * example: -O UID_MIN=100 -O UID_MAX=499
		 * note: -O UID_MIN=10,UID_MAX=499 doesn't work yet
		 */
		cp = strchr (optarg, '=');
		if (!cp) {
			fprintf (stderr,
				 _("%s: -O requires NAME=VALUE\n"),
				 Prog);
			exit (E_BAD_ARG);
		}
		/* terminate name, point to value */
		*cp++ = '\0';
		if (putdef_str (optarg, cp) < 0)
			exit (E_BAD_ARG);
		break;
IMO it will be good to kill -O and move this to -K. Also move UID_MIN, UID_MAX
from login.defs to /etc/default/useradd.
BTW: the existing above is why I still resist integrating the handle -r option
(add system account) patch from RH/FC useradd into the shadow CVS tree.
It can be reached now without patching useradd by using -O UID_MIN=0.
-r is _redundant_ .. even now.
Next ..
I don't know how hard to accept will be a change, for example
HOME= -> basedir=, GROUP= -> group= etc. in /etc/default/useradd (?).
IMO making shadow possibly Solaris compliant will open some new possibilities
after the upcoming OpenSolaris source code release, after Solaris
development is made widely open for open source developers. I think it will make
a better shadow future .. and will allow Linux and Solaris to coexist
slightly more easily (from both points of view).
On the packaging level in various distributions this change in
/etc/default/useradd can be plugged in by a simple trigger script on upgrade
(one sed command).
The other side is how many people this kind of change will disturb/drive
crazy? ;>
On walking this path I predict it will be good to prepare some kind of "information
campaign" _before_ starting changes. I accept all things (probably also not
only good) which will happen when shadow walks this path .. and I
count on some people who will help me on this :)
Next minor thing.
Sometimes I have some set of users to migrate from one system to another
(not so often :). I think this kind of job will be better handled if some
tools have a {-t|--test} option. Tools .. like useradd, groupadd,
usermod, groupmod and newusers. All to allow performing two-stage
batch/massive moving/changing/creating of accounts. On the first test stage only
checking will be performed, for example whether the account created (by useradd)
will not overlap with some existing accounts (in the uid/gid/directories
area).
Next.
In the longer period I plan to completely remove using login.defs and move
all that is necessary to /etc/default/<command>.
Simple .. I need some advice/opinions/discussion about the above.
And forgive me my not so good English ;>
I'm sending this email to two mailing lists: the Debian shadow package list and
the official shadow package mailing list. So be warned before replying.
Probably the best place for some common discussion will be the mailing list
@pld.org.pl.
Also probably it will be good to have around shadow package maintainers from
other distributions. If someone knows some contact addresses please
inform/forward this email to them.
kloczek
PS. BTW the bug with exiting with a slightly not understandable error message in
useradd when the parent directory does not exist also exists in Solaris useradd :^)
-- 
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek@rudy.mif.pg.gda.pl*
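Added example, written here and not part of the message or of shadow's own source: a parser for the proposed "-K NAME=VALUE[,NAME=VALUE...]" form, which also handles the comma-separated case the quoted -O code says does not work yet, and rejects unknown names so a typo in a batch job fails loudly. The allowed-name list, parse_k_option and kv_get are assumptions, not shadow APIs.

```c
/* Added example, not shadow's code: parse "-K NAME=VALUE[,NAME=VALUE...]"
 * into a small table. The whole argument is rejected on any malformed token
 * or unknown name, so nothing is applied half-way. The allowed-name list is
 * a hypothetical stand-in for the login.defs keys the message wants under -K. */
#include <stddef.h>
#include <string.h>

#define NAME_LEN  32
#define VALUE_LEN 128

struct kv { char name[NAME_LEN]; char value[VALUE_LEN]; };

/* Hypothetical whitelist of overridable keys (assumption, not from shadow). */
static const char *const allowed[] = {
    "UID_MIN", "UID_MAX", "GID_MIN", "GID_MAX", "UMASK", NULL
};

static int name_allowed(const char *name) {
    for (int i = 0; allowed[i]; i++)
        if (strcmp(allowed[i], name) == 0) return 1;
    return 0;
}

/* Returns the number of pairs stored in table, or -1 if anything is wrong
 * (empty name, missing '=', unknown name, trailing comma, table/field overflow).
 * An empty value such as "EXPIRE=" is accepted, matching the -D output above. */
int parse_k_option(const char *spec, struct kv *table, size_t cap) {
    size_t n = 0;
    const char *p = spec;
    while (*p) {
        const char *end = strchr(p, ',');                 /* end of this token */
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);             /* NAME=VALUE split */
        if (!eq || eq == p || n >= cap) return -1;
        size_t nlen = (size_t)(eq - p), vlen = len - nlen - 1;
        if (nlen >= NAME_LEN || vlen >= VALUE_LEN) return -1;
        memcpy(table[n].name, p, nlen);      table[n].name[nlen] = '\0';
        memcpy(table[n].value, eq + 1, vlen); table[n].value[vlen] = '\0';
        if (!name_allowed(table[n].name)) return -1;      /* reject typos */
        n++;
        if (!end) break;
        p = end + 1;
        if (!*p) return -1;                               /* trailing comma */
    }
    return (int)n;
}

/* Look up a parsed value; NULL when that name was not given. */
const char *kv_get(const struct kv *table, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(table[i].name, name) == 0) return table[i].value;
    return NULL;
}
```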