Bug#627660: xen-create-image --accounts is too greedy and too generic
Package: xen-tools Version: 4.2-1~bpo50+1 Hi, When the --accounts option is used, the domU gets not only the valid user accounts, it gets all non-system accounts from the dom0. However, the definition of non-system is trivial and actually broken - it adds everything that isn't already there, so in my case it included e.g. hacluster:x:102:104:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false munin:x:106:109::/var/lib/munin:/bin/false nagios:x:103:105::/var/log/nagios:/bin/false ntp:x:105:107::/home/ntp:/bin/false sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin That's confusing and uncalled for. The Debian Policy, in the section UID and GID classes http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.2 clearly indicates classes for dynamically allocated system users and groups, not normal user accounts. Hence, debian.d/35-setup-users readAccounts() needs to check $uid to be greater than 999 and smaller than 6 by default. To cover the corner cases created by this limit (I doubt there are any in practice, but let's entertain the possibility for the sake of completeness), but also to provide for actual customizability, it would be nice for the --accounts option to have an optional value, or have a sibling option with a required value, and then use that as a parameter in readAccounts() - a list of account names that are to be copied is perhaps the simplest and most straightforward option. Please fix this. TIA. -- 2. That which causes joy or happiness. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#627660: xen-create-image --accounts is too greedy and too generic
Hi Josip, Josip Rodin wrote: When the --accounts option is used, the domU gets not only the valid user accounts, it gets all non-system accounts from the dom0. However, the definition of non-system is trivial and actually broken - it adds everything that isn't already there, so in my case it included e.g. hacluster:x:102:104:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false munin:x:106:109::/var/lib/munin:/bin/false nagios:x:103:105::/var/log/nagios:/bin/false ntp:x:105:107::/home/ntp:/bin/false sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin This sounds very similar to http://bugs.debian.org/495266 despite the reported effects are different ones. I suspect that the fix for both issues will be the same. Regards, Axel -- ,''`. | Axel Beckert a...@debian.org, http://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE `-| 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#627660: xen-create-image --accounts is too greedy and too generic
On Mon, May 23, 2011 at 02:17:26PM +0200, Axel Beckert wrote: Hi Josip, Josip Rodin wrote: When the --accounts option is used, the domU gets not only the valid user accounts, it gets all non-system accounts from the dom0. However, the definition of non-system is trivial and actually broken - it adds everything that isn't already there, so in my case it included e.g. hacluster:x:102:104:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false munin:x:106:109::/var/lib/munin:/bin/false nagios:x:103:105::/var/log/nagios:/bin/false ntp:x:105:107::/home/ntp:/bin/false sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin This sounds very similar to http://bugs.debian.org/495266 despite the reported effects are different ones. I suspect that the fix for both issues will be the same. I don't see it, the example included in #495266 was all about uid 1000 accounts, whereas I'm saying just omit uid 1000 completely. I didn't look into the mapping and ordering issues of the accounts yet... maybe I should :) -- 2. That which causes joy or happiness. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org