the zulip user should be created as a system user #6911

Open
kneufeld opened this issue Oct 7, 2017 · 5 comments
kneufeld commented Oct 7, 2017

Daemon accounts should not be created as human user accounts. Also, the zulip user should not have its home in /home. This wreaks havoc when you have managed users like in a FreeIPA system. I just picked uid/gid of 800 to get on with my life.

  group { 'zulip':
    ensure     => present,
    gid        => 800,                           # add this line
  }

  user { 'zulip':
    ensure     => present,
    require    => Group['zulip'],
    uid        => 800,
    gid        => 'zulip',
    shell      => '/bin/bash',
    home       => '/var/lib/zulip',             # change this line
    managehome => true,
    system     => true,                         # add this line
  }

All scripts use hard coded paths to /home/zulip but should probably use a variable.

Fix all scripts with

grep -rl /home/zulip . | xargs -n1 sed -i -e 's|/home/zulip|/var/lib/zulip|g'
timabbott commented

@kneufeld thanks for the report! I certainly agree /home isn't ideal, though changing that would be a significant (though likely not huge) migration for existing Zulip servers. I would definitely be on board with someone doing the work to move this to be a variable in /etc/zulip/zulip.conf, so that we can at least support installing with a home directory under /var/lib and then start switching around the default.

However, it's actually somewhat common to directly ssh in as the zulip user to run management commands (well, maybe not that common to actually run management commands, but it's a common way people do that), so I'm not sure that we'd want to mark the user as system. I'd be fine with making that an option, however.

Can you explain a bit more about the details of how this wreaks havoc with FreeIPA? I'm not super familiar with FreeIPA and that context would be helpful for anyone working on this issue.
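A shell version of what the two comments above discuss: creating the zulip account as a system user with a fixed uid/gid and a home under /var/lib (kneufeld's Puppet sketch), checking which account a colliding uid belongs to, and moving an existing /home/zulip install with its hard-coded paths (timabbott's migration concern). This is an added example, not the Zulip installer's code and not either commenter's. It assumes (none of this is in the issue) that ids 800-999 are free for local system accounts on the host, GNU grep/xargs/sed and shadow-utils useradd/usermod, and that create_zulip_user and migrate_home run as root.

```shell
# Added example, not Zulip's installer or kneufeld's Puppet manifest.
# Assumptions (not from the issue): ids 800-999 are free for local system
# accounts, GNU grep/xargs/sed and shadow-utils are present, and the two
# functions that change the system run as root.
set -eu

# True (exit 0) if an id is taken as a uid OR a gid in any NSS source.
# Keyed getent lookups are used on purpose: `getent passwd` with no key
# enumerates, and sssd does not enumerate directory (FreeIPA/LDAP) users by
# default, so scanning the full listing could report a taken id as free.
id_in_use() {
  getent passwd "$1" >/dev/null 2>&1 || getent group "$1" >/dev/null 2>&1
}

# Print the account name that owns a uid, if any. Use it to diagnose the
# collision described in the issue:  owner_of_id 1000
owner_of_id() {
  getent passwd "$1" | cut -d: -f1
}

# Print the first id in [min,max] for which the probe (default: id_in_use)
# reports "not in use"; exit 1 if the whole range is taken. The probe is a
# parameter so the search can be exercised without touching the real NSS.
pick_free_uid() {
  local min=$1 max=$2 probe=${3:-id_in_use} id
  id=$min
  while [ "$id" -le "$max" ]; do
    if ! "$probe" "$id"; then
      echo "$id"
      return 0
    fi
    id=$((id + 1))
  done
  echo "no free id in $min-$max" >&2
  return 1
}

# Create the daemon account as a system user with a pinned id and a home
# outside /home. --system keeps useradd out of the human uid range; the id
# is chosen to be unused as both uid and gid across every NSS source and
# then pinned, so a later directory join cannot hand the same number to a
# directory-managed user. --create-home is needed because --system skips it.
create_zulip_user() {
  local home=${1:-/var/lib/zulip} id
  if getent passwd zulip >/dev/null 2>&1; then
    echo "zulip user already exists: $(getent passwd zulip)" >&2
    return 0
  fi
  id=$(pick_free_uid 800 999)
  groupadd --system --gid "$id" zulip
  useradd --system --uid "$id" --gid zulip \
    --home-dir "$home" --create-home --shell /bin/bash zulip
}

# Move an existing install's home and rewrite the hard-coded paths inside it.
# Extra arguments are other trees that embed the old path (for example
# service configuration under /etc) and get the same rewrite. -I skips binary
# files such as uploads so sed never rewrites them; --null/-0 keeps odd
# filenames intact.
migrate_home() {
  local old=$1 new=$2
  shift 2
  usermod --home "$new" --move-home zulip
  grep -rlI --null -- "$old" "$new" "$@" | xargs -0 -r sed -i -e "s|$old|$new|g"
}
```

pick_free_uid probes each candidate with a keyed lookup rather than parsing `getent passwd` output because a keyed lookup goes through sssd to the directory, whereas enumeration is off in sssd by default; that difference is the simplest explanation for a local tool handing out an id a FreeIPA user already holds. A typical run is `create_zulip_user` on a fresh host, or `migrate_home /home/zulip /var/lib/zulip` followed by a restart of the services on an existing one.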

kneufeld commented Oct 8, 2017

It's entirely possible something else happened and I'm misremembering events, but when the zulip user got created it got uid 1000. This collided with an existing FreeIPA user (basically a single sign on, LDAP, Active Directory, etc. user) so permissions were very wonky.

I was able to install zulip by manually creating the zulip user with uid/gid of 800 and then running the puppet scripts. After that finished I joined the machine to the domain.

You can still ssh into machine as a system user, just look at root.

timabbott commented

It sounds like the user ID reuse bug is the main problem here. That feels likely to be a bug in either FreeIPA or puppet; in theory, Puppet's adduser shouldn't clobber a user ID that already exists on the system when you don't explicitly declare the user ID you want. And we intentionally don't set a user ID in our configuration so adduser can just pick any user ID that's not in use. I wonder whether FreeIPA doesn't support whatever adduser does to query the first available user ID, because they expect to manage all non-system users and will happily just break things if you create one with other tools.

If that were correct, you should be able to install happily on a system using FreeIPA by tagging the "zulip" user as a system user, without any of the other changes. Would you be up for testing that hypothesis? Probably the fastest method is to just clone zulip.git, make the change, and run scripts/setup/install out of the patched Git checkout, and see if the permissions get broken.

zulipbot commented

Hello @zulip/server-production members, this issue was labeled with the area: production label, so you may want to check it out!

zulipbot commented Jun 5, 2018

Hello @zulip/server-production members, this issue was labeled with the "area: production installer" label, so you may want to check it out!
