On Sun, Feb 13, 2022 at 01:52:14PM -0500, Jason Franklin wrote:
> On Sun, 2022-02-13 at 19:18 +0100, Marc Haber wrote:
> > On Sun, Feb 13, 2022 at 12:27:26PM -0500, Jason Franklin wrote:
> > > That warning is not emitted here when "-r" is added to the call made
> > > from within adduser. The range discrepancy needs to be sorted out with
> > > discussion, I think.
> >
> > Policy also helps here, it's rather explicit in defining the uid ranges.
> > Are we in line with policy?
>
> Adduser is in line with policy for the moment. Improvements can be made
> in this regard.
>
> For example, some UIDs are explicitly forbidden by policy, but adduser
> and useradd allow them. These should be blocked, and tests should be
> written to prove this.

adduser --system should enforce policy for system users. The local
administrator is free to ignore Debian policy as they see fit. adduser
should not enforce things on the local admin that don't apply to them.
Maybe we add, some time in the future, an option --ignore-policy that a
local admin can use, so that maintainer scripts get the support of
policy enforcement.

> > Useradd is more and more taking over functionality that has
> > traditionally been implemented in adduser. Maybe they're working towards
> > adduser just being a shim for backwards compatibility. Do you want me to
> > reach out to them?
>
> Please do.

You were faster than me, that's fine.

> I am actually a bit worried that my work is in vain. The useradd utility
> does have quite a few features that clash with or overtake those
> previously offered by adduser.

Adduser is used by over 1000 Debian packages and explicitly mentioned in
policy (9.2.2, "packages SHOULD use adduser --system"). There is zero
indication that this is going to change any time soon. There might be
other tools available that allow creation of system users, but adduser
is most probably going to stay the canonical tool for doing so.

> If useradd is intended to replace adduser, I would like to know as most
> of my work would be lessened in importance.

I don't think there is any such intention in Debian. There is simply no
mechanism to bring this forward other than talking and convincing each
and every package maintainer.

> I'm a bit uncertain as to where I stand in this regard.

You're a member of the maintainer team of the "leading" user creating
tool in Debian. You can decide whether to simplify your code by relying
more on useradd in the future or not.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Phone: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421