On 1/20/20 5:08 PM, Alec Warner wrote: > > So I can describe in detail one example, but its not running Gentoo; so > I'm not sure if you care in practice.
Yes, I'm happy to see a real example. > At work we had sec=krb5 NFS v3 mounted home directories. They were > mounted in /home (via the automounter.) So if these machines ran Gentoo > and you went to do something like "create /home/amavisd" it would fail > because the root user doesn't have the ability to make home directories > in /home (uid=0 is mapped to nobody, who doesn't have +w on /home.) All > home directories were created by a business application and there were > specific hosts where root was not squashed (and we used sec=sys instead > of krb5) and so root on the admin host would have +w on /home and not be > squashed to nobody.) > > In practice in that enterprise environment, if we needed something like > /home/web/ (which I think did exist at one point) we would create a role > account in LDAP (www-data is a common user for example), assign it a > uid, create the homedirectory (/home/web) and it would be owned by > www-data:www-data. Then we would configure the web front ends to use > www-data instead of the normal user (apache or nginx or whatever.) That's all relatively normal. As I've said, a human uses the "amavis" account. Yes, the install of acct-user/amavis would crash because it can't create the home directory, but I contend that crashing is the best thing to do. When the acct-user ebuild crashes, you get to ask yourself if you want his home directory to be shared among the people with authority to release spam from the quarantine. I'm betting you would, and that you would therefore add the account to LDAP and start over. Same deal as apache/web, and you don't have to involve an overlay to do the right thing. In this case, the fact that we used /home was a boon, because it helped you accomplish what you were trying to accomplish by sharing /home in the first place. If you don't want to share the home directory... well, no harm done. You'll have to override the ebuild to tell it what location to use as an alternative. But I think this case is somewhat less likely, and the base rate was already single digits. If only good exceptions are made (with home directories that people would actually want to share under /home), this approach does a little good and no bad. > (2) I don't think most people running Gentoo are running these > environments, which is why you don't see many practical objections on > the list. I think it's reasonable to avoid service account homedirs in > /home not because of fancy examples like above (that maybe 10 companies > in the world run) and instead just focus on this idea that "system stuff > doesn't go in /home." Its somewhat arbitrary as mgorny points out > earlier in the thread. I was never discounting these sorts of environments. On the contrary, the point I'm trying to make above appeared somewhere in the discussion with rich0, but it's hard to articulate without details. If it's arbitrary and we admit that, I'm fine with it. I'm moving on with my life. QA can choose what kind of sauce users get on their turd sandwich =P
