[Pkg-shadow-devel] I need some advice/discuss on fixing/extending shadow

Tomasz Kłoczko kloczek@zie.pg.gda.pl
Thu, 24 Mar 2005 23:31:45 +0100 (CET)


Things now are slightly slower .. Christmas comes :)
I found more time in bigger pieces for rethinking some plans around
shadow.

First: shadow has one IMO critical bug in useradd/usermod when
usermod/useradd must create the home directory if the parent
directory does not exist. This was reported by Debian people.

This can be solved by:
- recursively checking and creating all necessary parent directories using
  UMASK,
- exiting with a verbose error message about the directories that must be
  created by hand and setting up uid/gid/attrs.

I think the second is correct because:

- when using useradd/usermod someone can pass a directory with typos and it
  can be the source of some kind of bad scenarios,

- in the case of, for example, an empty two-level /foo/bar/user tree (if only /foo
  existed before), the parent directory of the home directory will probably require
  some setup using chmod/chown/chattr by hand if it will be shared by users
  with a common group or a few groups.

Now I have a few fresh Solarises around and I'm preparing an integrated
environment for sharing resources by users across these systems. Some users
will be kept centrally in an LDAP database but some others not. Also I'm not
alone on administration tasks in this environment. So .. I need some tool
set which can work possibly similarly in Solaris and Linux.

I see some good things in shadow-like tools in Solaris and some things I
want to integrate into shadow.
Example: in useradd, instead of extending the set of options by adding the next
--<switch> for different things, it is possible to use some template for passing many
properties for the created account.

[Solaris 10]# useradd -D
group=other,1  project=default,3  basedir=/home
skel=/etc/skel  shell=/bin/bash  inactive=0
expire=  auths=  profiles=  roles=  limitpriv=
defaultpriv=  lock_after_retries=

All above variables can be used by "useradd -K <key>=<value>".
For comparison, the current status of useradd from shadow:

[Linux]# useradd -D
GROUP=1000
HOME=/home/users
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

The current shadow useradd has an undocumented -O option. Fragment from
the useradd source code:

        case 'O':
                /*
                 * override login.defs defaults (-O name=value)
                 * example: -O UID_MIN=100 -O UID_MAX=499
                 * note: -O UID_MIN=10,UID_MAX=499 doesn't work yet
                 */
                cp = strchr (optarg, '=');
                if (!cp) {
                        fprintf (stderr,
                                 _("%s: -O requires NAME=VALUE\n"),
                                 Prog);
                        exit (E_BAD_ARG);
                }
                /* terminate name, point to value */
                *cp++ = '\0';
                if (putdef_str (optarg, cp) < 0)
                        exit (E_BAD_ARG);
                break;

IMO it would be good to kill -O and move this to -K. Also move UID_MIN, UID_MAX
from login.defs to /etc/default/useradd.
BTW: the above is why I still resist integrating the -r option handling
(add system account) patch from RH/FC useradd into the shadow CVS tree.
It can be reached now without patching useradd by using -O UID_MIN=0.
-r is _redundant_ .. even now.

Next ..
I don't know how hard to accept will be a change, for example,
HOME= -> basedir=, GROUP= -> group= etc. in /etc/default/useradd (?).

IMO making shadow possibly Solaris compliant will open some new possibilities
after the upcoming OpenSolaris source code release, after Solaris
development is made widely open for open source developers. I think it will make
a better shadow future .. and will allow coexistence of Linux and
Solaris slightly easier (from both points of view).

On the packaging level in various distributions this change in
/etc/default/useradd can be plugged in by a simple trigger script on upgrade
(one sed command).
The other side is how many people this kind of change will disturb/drive
crazy ? ;>

On walking this path I predict it will be good to prepare some kind of "information
campaign" _before_ starting changes. I accept all things (probably also not
only good) which will happen when shadow walks this path ..  and I
count on some people who will help me on this :)

Next minor thing.
Sometimes I have some set of users to migrate from one system to another
(not so often :). I think this kind of job will be better handled if some
tools have a {-t|--test} option. Tools .. like useradd, groupadd,
usermod, groupmod and newusers. All to allow performing two-stage
batch/massive moving/changing/creating of accounts. In the first, test stage only
checking will be performed, for example whether the created account (by useradd)
will not overlap with some existing accounts (in the uid/gid/directories
area).

Next.
In the longer term I plan to completely remove the use of login.defs and move
all that is necessary to /etc/default/<command>.


Simply .. I need some advice/opinions/discussion about the above.
And forgive me my not so good English ;>

I'm sending this email to two mailing lists: the Debian shadow package list and the
official shadow package mailing list. So be warned before replying.
Probably the best place for some common discussion will be the mailing list
@pld.org.pl.
Also it will probably be good to have around shadow package maintainers from
other distributions. If someone knows some contact addresses please
inform/forward this email to them.

kloczek
PS. BTW the bug with exiting with a slightly not understandable error message in
useradd when the parent directory does not exist also exists in Solaris useradd :^)
-- 
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek@rudy.mif.pg.gda.pl*
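An added illustration, not code from the email or from shadow: a C parser for the comma-separated NAME=VALUE override syntax that the quoted -O comment says does not work yet, with an assumed allow-list of keys and a digits-only value check so a mistyped or unknown key is rejected instead of being applied silently. parse_overrides and lookup_override are hypothetical names, not shadow's putdef_str/getdef_str.

```c
#include <string.h>
#include <ctype.h>

/* Keys that may be overridden from the command line: an allow-list assumed for this example. */
static const char *allowed_keys[] = { "UID_MIN", "UID_MAX", "GID_MIN", "GID_MAX", "UMASK", NULL };
#define MAX_DEFS 16
static struct { char name[32]; char value[64]; } defs[MAX_DEFS];
static int ndefs;

static int key_allowed(const char *name)
{
    for (int i = 0; allowed_keys[i]; i++) if (strcmp(allowed_keys[i], name) == 0) return 1;
    return 0;
}

/* Every allowed key takes a non-empty string of digits (UMASK octal, the rest decimal). */
static int value_ok(const char *value)
{
    if (*value == '\0') return 0;
    for (const char *p = value; *p; p++) if (!isdigit((unsigned char)*p)) return 0;
    return 1;
}

/* Parse "NAME=VALUE[,NAME=VALUE...]". Returns the number of pairs stored by this call, or -1
   at the first malformed, unknown or non-numeric entry (that entry and the rest are not stored). */
int parse_overrides(const char *arg)
{
    char buf[256];
    if (strlen(arg) >= sizeof buf) return -1;
    strcpy(buf, arg);                                /* work on a copy of the optarg-style input */
    int stored = 0;
    for (char *tok = buf; tok != NULL; ) {
        char *next = strchr(tok, ',');
        if (next) *next++ = '\0';                    /* split on ',' */
        char *eq = strchr(tok, '=');
        if (!eq || eq == tok) return -1;             /* need NAME=VALUE with a non-empty NAME */
        *eq++ = '\0';                                /* terminate name, point to value */
        if (!key_allowed(tok) || !value_ok(eq) || ndefs >= MAX_DEFS) return -1;
        if (strlen(tok) >= sizeof defs[0].name || strlen(eq) >= sizeof defs[0].value) return -1;
        strcpy(defs[ndefs].name, tok);
        strcpy(defs[ndefs].value, eq);
        ndefs++; stored++;
        tok = next;
    }
    return stored;
}

/* Look up an override; the last definition wins; NULL when unset so the caller falls back to login.defs. */
const char *lookup_override(const char *name)
{
    for (int i = ndefs - 1; i >= 0; i--) if (strcmp(defs[i].name, name) == 0) return defs[i].value;
    return NULL;
}
```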