[LEDE-DEV] running stuff as !root
Conor O'Gorman
i at conorogorman.net
Wed May 18 06:26:29 PDT 2016
On 18/05/16 08:41, David Lang wrote:
> On Wed, 18 May 2016, John Crispin wrote:
>
>> On 18/05/2016 09:04, David Lang wrote:
>>>
>>> The first question I would have is if we are going to the system users
>>> in an essentially random order (as needed so two systems with the same
>>> packages installed in a different order have different user->uid
>>> mapping) or if we are going to define service accounts distro wide so
>>> they are always going to be the same.
>>
>>
>> what would be the pros and cons for either of those ?
>
> If you have static user allocations then LEDE needs to maintain a
> central repository of userids and a way for applications to be
> registered with it.
>
> If you have dynamic user allocations, then the package installer
> scripts need to have more complexity to request the userids on the fly
> and make everything they install have the correct permissions. (most
> distros take this approach)
>
> In the case of LEDE, we generally aren't running install scripts for
> the packages on a running system, all this happens at compile time
> when you don't have a way to run various tools to lookup and allocate
> users and set the file permissions, so I think there's a good argument
> that the static allocation approach would work better here.
>
> The other place where this bites people is when they have multiple
> systems that then need to start working together (mounting a network
> drive and sharing info, think high availability and similar, or
> copying files from one system to another and trying to use them
> there). The 'normal' answer is that you then need to start managing
> users with some new tool (Chef, Puppet, Ansible, Salt, etc) that
> pre-allocates the users onto the systems before the install scripts
> run and/or overrides the package defaults.
>
>
> As I say, the common choice is dynamically allocated uids, but lede
> has to do this at compile/image creation time instead of on a running
> system.
I believe that during the root filesystem generation, scripts are run
and some information is available. Dependencies and ordering may be an
issue.
Conor
More information about the Lede-dev
mailing list