On Wed, 9 Mar 2022 14:10:04 +0100, Harald Dunkel <harald.dun...@aixigo.com> wrote:
>On 2022-03-08 17:49:04, Marc Haber wrote:
>> (1a) would it be necessary to handle --system accounts differently? I
>> think yes.
>
>I think it would be helpful to define "system account" and "normal user".
>Neither adduser(8) nor useradd(8) provide a sufficient definition,
>especially wrt the existing network directory services (LDAP, AD, etc).

In adduser, a --system (sic!) account is one that is created using the
--system option. Basically, the biggest difference is that its UID is
allocated from a different UID range, see policy 9.2.2. I just see that
policy says "dynamically allocated system users and groups", while it
refers to uid 1000-59999 as "dynamically allocated user accounts". So I
am happy that my (and adduser's) notion of system and user accounts
actually matches policy, but I agree that we need to be more explicit in
adduser, probably referring to Policy in the adduser docs.

>Is a "system user" supposed to be a local account, defined in /etc/passwd
>only?

That is not defined in policy, but it should be. The current policy
editing process is based on a proponent suggesting an exact wording with
the policy editors just giving advice. Since I don't have a strong
position in this regard, I'm out here.

>Related question: How are naming collisions between local entries and
>the entries in a network directory service supposed to be handled?
>Something like
>
> passwd: files sss
>
>in /etc/nsswitch.conf is not helpful, if a postinst script fails to
>create a local account due to the entry it has found in freeipa, for
>example. Not to mention that such a service might fail at boot time,
>if the directory service is not available (yet).

That is beyond adduser's scope. We (as the adduser team) usually weasel
out of that topic by saying that a system referring to a directory
service is run by skilled staff, and we expect those people to do their
job. It's a small team, adduser has been in limbo for years, so we need
to concentrate on the traps that a novice or inexperienced user might
fall into while relying on skilled users to work around the issues that
we haven't found the time to fix.

Greetings
Marc
--
--------------------------------------
!! No courtesy copies, please !!
-----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834