diff --git a/documents/problems/userNaming.txt b/documents/problems/userNaming.txt new file mode 100644 index 0000000..265ae99 --- /dev/null +++ b/documents/problems/userNaming.txt @@ -0,0 +1,72 @@ +LSB Specification Proposal + +Problem Statement: +------------------ + +For administrators and certain types of applications it is important to have +a cross distribution consistent naming policy for system created users. In +certain cases it is also important to have a consistent user and group ids +(UID & GID) for system created users. + +The various available cloud frameworks such as OpenStack, openNebula, +CloudStack, and Eucalyptus come to mind. All cloud frameworks have services +running on all the nodes in a cluster that comprises the cloud on the hardware +side. It is generally possible to configure image sharing in these frameworks +via NFS and thus the user name, UID, and GID need to match on all installations +to provide the proper access permissions. This requirement reduces to +consistent user names with NFSv4, but the adoption rate of NFSv4 is unknown. +Additionally services for cloud frameworks may be configured in an HA +environment and may not tolerate fail-over with UID transitioning. + +In an environment where LDAP is used system administrators may pre-create +system users through the LDAP mechanism. This is difficult if different +user names and UID as well as GID implementations exist across various +distributions. + +Last but not least system users, i.e. names created through distribution +provided packages, may collide with names created for "regular" system +users. A common pattern for user names on Unix systems is to combine +letters of the users name, many combinations of first and last name letters +are in use. This may lead to combinations that may overlap with system user +names. Sharing a user name between a system user and a person user leads +to surprising or even security relevant misbehavior as the daemon user +may write to files in the real user's home or vice versa. + +A cross distribution solution will also give upstream projects an avenue to +determine user names when needed and ensure that distributions are consistent +eliminating one potential source of issues for upstream projects + + +(Proposed) Solution: +-------------------- + +Add a detailed description of the proposed solution in this section. Detailed +implementation suggestions are welcome. Be as specific as possible to provide +a good technical basis for discussion on the various distribution mailing +lists. + +Solution Discussion Links: +-------------------------- + +Provide links to at least 3 distribution mailing lists where this topic has +been discussed. + + +Solution Rational: +------------------ + +Provide a brief description how the documented solution was derived. + + +Distributions Support: +---------------------- + +A list of distributions that have pledged to adhere to this specification and +integrate the test into their QA suite. + + +Verification Test: +------------------ + +tests/distro/userNames.py +tests/distro/groupNames.py diff --git a/tests/distro/groupNames.py b/tests/distro/groupNames.py new file mode 100644 index 0000000..9bfd3b3 --- /dev/null +++ b/tests/distro/groupNames.py @@ -0,0 +1,17 @@ +#!/usr/bin/python + +import grp +import sys + +lsbGroups = { + 'root' : 0, + 'nobody' : 65533, + 'nogroup' : 65534, +} + +for grpent in grp.getgrall(): + if lsbGroups.has_key(grpent.gr_name): + if grpent.gr_gid != lsbGroups[grpent.gr_name]: + print 'GID for group %s does not match specification' %grp + print 'found: ', gid, ',', ' expected: ', lsbGroups[grp] + sys.exit(1) diff --git a/tests/distro/userNames.py b/tests/distro/userNames.py new file mode 100644 index 0000000..c86f51f --- /dev/null +++ b/tests/distro/userNames.py @@ -0,0 +1,16 @@ +#!/usr/bin/python + +import pwd +import sys + +lsbUsers = { + 'root' : (0,0), + 'nobody' : (65534,65533), +} + +for pwent in pwd.getpwall(): + if lsbUsers.has_key(pwent.pw_name): + if (pwent.pw_uid, pwent.pw_gid) != lsbUsers[pwent.pw_name]: + print 'UID and or GID for user %s do not match specification' %usr + print 'found: (', uid, ',', gid, ') expected: ', lsbUsers[usr] + sys.exit(1)