[OmniOS-discuss] User/group accounts for packaged daemons
Jim Klimov
jimklimov at cos.ru
Fri Mar 18 16:44:36 UTC 2016
Hello all,
With turtle speed I'm progressing to recipe the open-source stacks I used in sysadmin work, such as antispam relays. I'm working at the oi-userland in Hipster, and hopefully the good results can end up anywhere ;)
A solution of this sort involves running a number of services, such as a stack of milters, an antivirus engine, a sniffer (p0f), etc. - some with special privileges and constraints, and thus preferably different accounts, so that possible security issues with one project do not allow breaking into the others. While some services might be generalized as 'mail' or 'antivir' accounts, it is not always good and safe to do so.
The illumos default UIDs and GIDs generally reserve numbers under 100 and above somewhere around 60000. While there are Wiki pages for illumos and OI to list the well-known and occupied "system" account numbers and names, I'm not sure there is a procedure to claim and reserve the number so as to avoid conflicts.
So I was advised to ask around the community: are there any established ways to proceed here? What can be done to cook those packages well in practice?
Grabbing random free uids/gids does not seem good, especially since (in my tests) the package got numbers under 100 that might clash with later installs of software that has valid fixed ID numbers.
On a side note, how do we uninstall or update IPS packages where software can create files, and we have no 'preremove' script goodness? :-)
For example, clamav downloads virus databases; when I try to uninstall it, there are 'lost+found' objects owned by its uid/gid, and so it cannot undefine the uid/gid and remove the delivered working directory actions - so bam, pkg(5) fails either now or upon subsequent re-installation!
Also, in case of updates at least, I'd prefer to keep the bulky downloaded files in place, to save both on traffic and storage...
Sorry for the cluttered question, but I hope you get its point ;)
Thanks in advance, Jim Klimov
--
Typos courtesy of K-9 Mail on my Samsung Android