[OpenIndiana-discuss] [OmniOS-discuss] User/group accounts for packaged daemons
Bob Friesenhahn
bfriesen at simple.dallas.tx.us
Fri Mar 18 17:24:46 UTC 2016
On Fri, 18 Mar 2016, Jim Klimov wrote:
> A solution of this sort involves running a number of services, such as a stack of milters, an antivirus engine, a sniffer (p0f), etc. - some with special privileges and constraints, and thus preferably different accounts, so possible security issues with one project do not let break into others. While some services might be generalized as 'mail' or 'antivir' accounts, it is not always good and safe to do so.
>
> The illumos default UIDs and GIDs generally reserve numbers under
> 100 and above somewhere around 60000. While there are Wiki pages for
> illumos and OI to list the well-known and occupied "system" account
> numbers and names, I'm not sure there is a procedure to claim and
> reserve the number so as to avoid conflicts.
I already encountered a conflict when OmniOS introduced OpenSSH and
used the user id used by another add-on package for it. Due to this,
I investigated the user id used by the SFE version of the package and
used that. The SFE versions should at least not conflict with user
ids used by Oracle Solaris 11 packages.
> On a side note, how do we uninstall or update IPS packages where software can create files, and we have no 'preremove' script goodness? :-)
From what I have read, while there is no script goodness associated
with IPS packages, there is the ability to run a script when a service
manifest is installed or removed. As long as each package provides
its own service manifest, then it should be possible to remove the
junk when the associated service manifest is removed.
It would indeed be useful if there was a UID/GID registry for add-on
software and managed by the Illumos project (even if just in a Git
repository). These should try not to conflict with what Oracle
Solaris 10/11 and stable OpenIndiana are already using for similar
packages. Guidance should be taken from SFE, which has already needed
to deal with conflicts.
Bob
--
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
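
Added example, not part of the original message or of any project's code: a small audit for the user-id collision described above, run over IPS `user` actions collected from several package manifests. The package names, usernames and uid values are constructed samples; the check flags a uid claimed under different usernames and any account whose uid is not pinned in its manifest.

```python
import shlex
from collections import defaultdict

# Constructed sample input: IPS "user" actions as they might appear in
# package manifests. Package names, usernames and uids are invented.
SAMPLE_MANIFESTS = {
    "pkg:/example/network/openssh-server": [
        'user username=sshd uid=85 group=sshd gcos-field="sshd privsep"',
    ],
    "pkg:/example/addon/mailfilter": [
        "user username=milter uid=85 group=milter",
        "file path=usr/sbin/milterd owner=root group=bin mode=0555",
    ],
    "pkg:/example/addon/antivirus": [
        "user username=clamav uid=350 group=clamav",
    ],
    "pkg:/example/addon/sniffer": [
        "user username=p0f group=p0f",  # no uid pinned in the manifest
    ],
}

def parse_user_actions(lines):
    """Yield the attribute dict of every 'user' action in a manifest."""
    for line in lines:
        tokens = shlex.split(line)  # honours quoted values such as gcos-field
        if tokens and tokens[0] == "user":
            yield dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def audit(manifests):
    """Return findings: ('unpinned', user, pkg) and ('conflict', uid, owners)."""
    claims = defaultdict(set)  # uid -> {(username, package)}
    findings = []
    for pkg, lines in manifests.items():
        for attrs in parse_user_actions(lines):
            name = attrs.get("username")
            if "uid" not in attrs:
                # The uid is chosen at install time and may differ per host.
                findings.append(("unpinned", name, pkg))
                continue
            claims[int(attrs["uid"])].add((name, pkg))
    for uid, owners in sorted(claims.items()):
        # The same username on the same uid in two packages is not a conflict.
        if len({name for name, _ in owners}) > 1:
            findings.append(("conflict", uid, sorted(owners)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFESTS):
        print(finding)
```
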