
From: Mark H Weaver
Subject: bug#36508: GDM files have incorrect owner after temporarily removing service
Date: Sat, 17 Apr 2021 12:28:10 -0400

Hi Maxime,

Maxime Devos <maximedevos@telenet.be> writes:

> On Thu, 2021-04-15 at 14:58 -0400, Mark H Weaver wrote:
>> Maintain historical mappings from user/group names to UIDs/GIDs, perhaps
>> in some file in /etc, where entries are added but *never* automatically
>> removed.  When allocating UIDs/GIDs, we would avoid any UIDs/GIDs in the
>> range of those mappings.
>
> This seems rather convoluted to me.  Why not reuse /etc/passwd and 
> /etc/groups?
> My suggestion:
>
> 1. *never* automatically delete users/groups from /etc/passwd, /etc/groups
>    (I thought that was how Guix already worked ...)
> 2. as users and groups appearing in /etc/passwd and /etc/groups, but not
>    in the operating system configuration can be confusing, change the comment
>    string of these users and groups, to something like
>
>    "account removed"
>
>    Add a group 'user-graveyard' for (3), and move these 'pseudo-removed' users
>    to the 'user-graveyard' group.
> 3. Don't forget to remove graveyard users from all groups (except user-graveyard),
>    make sure the graveyard users can't log in anymore ... (Perhaps add a rule to
>    the SSH and PAM configuration that forbids logging in to graveyard accounts,
>    by checking whether the user is in the 'user-graveyard' group?)

I would be okay with this approach as well, although it's not obvious to
me that it's any cleaner than having a separate /etc/previous-uids file,
given items 2 and 3 above.

>> Then, provide a UID/GID garbage collector, to be explicitly run by users
>> if desired, which would scan all filesystems to find the set of UID/GIDs
>> currently referenced, and remove entries from the historical mappings
>> that are no longer needed.
>
> That seems useful if /etc/passwd and /etc/group is getting full, or just for
> cleaning up.  You may want to exclude /gnu/store though, for efficiency (-:.

Good point!  That's one directory that would clearly be a waste to scan :-)

> And just in case check whether any live processes have the UID/GID.

Sure, sounds good.

     Thanks!
       Mark
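
A sketch of the UID/GID garbage collector discussed in this thread, as an added example; it is not Guix code and not from either participant. It assumes a hypothetical /etc/previous-uids file (the name is Mark's suggestion, the record format `u:NAME:UID` / `g:NAME:GID` is assumed here), scans the given roots with lstat so symlinks are recorded but never followed, skips /gnu/store and the pseudo-filesystems, and checks /proc/[pid]/status for IDs held by live processes before reporting an entry as droppable. The `stat` parameter is injectable only so the scan can be exercised without root.

```python
"""UID/GID garbage collector sketch (example code, not part of Guix).

Assumed /etc/previous-uids format, one record per line:
    u:NAME:UID   a user name that once mapped to UID
    g:NAME:GID   a group name that once mapped to GID
The system only ever appends to that file; this tool reports which records
no inode on the scanned filesystems and no live process still refers to.
"""
import os
from typing import Callable, Dict, Iterable, Set, Tuple

IdSets = Tuple[Set[int], Set[int]]  # (uids, gids)

# Pointless or unsafe to scan: the store is huge and root-owned, the
# pseudo-filesystems hold nothing persistent.
DEFAULT_EXCLUDES = ("/gnu/store", "/proc", "/sys", "/dev")


def parse_previous_ids(text: str) -> Dict[str, Dict[int, str]]:
    """Parse the assumed record format into {"u": {uid: name}, "g": {gid: name}}."""
    table: Dict[str, Dict[int, str]] = {"u": {}, "g": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in table or not parts[2].isdigit():
            raise ValueError(f"previous-uids line {lineno}: malformed record {raw!r}")
        kind, name, num = parts
        table[kind][int(num)] = name
    return table


def _note_owner(stat: Callable, path: str, uids: Set[int], gids: Set[int]) -> None:
    try:
        st = stat(path)
    except OSError:
        return  # vanished or unreadable entry: skip it rather than abort the scan
    uids.add(st.st_uid)
    gids.add(st.st_gid)


def referenced_ids(roots: Iterable[str], excludes: Iterable[str] = DEFAULT_EXCLUDES,
                   stat: Callable = os.lstat) -> IdSets:
    """Owner UIDs and GIDs of every inode under `roots`.

    lstat records a symlink's own ownership without following it.  An excluded
    directory has its own inode counted but is not descended into.  `stat` is
    injectable only so the scan can be tested without root privileges.
    """
    uids: Set[int] = set()
    gids: Set[int] = set()
    excl = {os.path.abspath(e) for e in excludes}
    for root in roots:
        root = os.path.abspath(root)
        _note_owner(stat, root, uids, gids)
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                _note_owner(stat, os.path.join(dirpath, name), uids, gids)
            # prune after counting the excluded directory's own inode
            dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in excl]
    return uids, gids


def live_process_ids(proc: str = "/proc") -> IdSets:
    """Real/effective/saved/filesystem UIDs and GIDs of every live process."""
    if not os.path.isdir(proc):
        raise RuntimeError(f"{proc} not mounted; refusing to assume no process holds an ID")
    uids: Set[int] = set()
    gids: Set[int] = set()
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        try:
            with open(os.path.join(proc, pid, "status")) as fh:
                for line in fh:
                    if line.startswith("Uid:"):
                        uids.update(int(x) for x in line.split()[1:])
                    elif line.startswith("Gid:"):
                        gids.update(int(x) for x in line.split()[1:])
        except OSError:
            continue  # process exited between listdir and open
    return uids, gids


def collectable(table: Dict[str, Dict[int, str]], fs_ids: IdSets, proc_ids: IdSets):
    """Historical entries that neither the filesystems nor any live process reference."""
    live_uids = fs_ids[0] | proc_ids[0]
    live_gids = fs_ids[1] | proc_ids[1]
    return {
        "u": {i: n for i, n in table["u"].items() if i not in live_uids},
        "g": {i: n for i, n in table["g"].items() if i not in live_gids},
    }


if __name__ == "__main__":
    # Constructed sample of the assumed file; a real run would read /etc/previous-uids.
    sample = "u:gdm:996\ng:gdm:996\nu:olduser:1001\n"
    table = parse_previous_ids(sample)
    dead = collectable(table, referenced_ids(["/"]), live_process_ids())
    for kind, entries in dead.items():
        for ident, name in sorted(entries.items()):
            print(f"{kind}:{name}:{ident} can be dropped")
```

Two caveats a real tool would need on top of this: inode owners are not the only place a numeric ID can hide (POSIX ACL entries and ownership recorded inside archives are not seen by lstat), and entries for accounts still declared in the current operating-system configuration should be kept regardless of what the scan finds, so the result is a candidate list to confirm, not a list to delete blindly.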




