From: Stefan Behte
Date: Sun, 02 May 2010 17:13:18 +0200
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] A policy to support random superuser account names
Message-ID: <4BDD968E.7050309@gentoo.org>
In-Reply-To: <20100430200726.298ae94c@pomiot.lan>

Hi,

in some environments you have to rename "root" to something else, just to be compliant to a (maybe dumb) security policy. This might be the case for PCI, and as far as I remember, it is necessary (not just "recommended") for a BSI Grundschutz certification (meaning something like "basic security protection") [1]. Unfortunately I didn't find the exact link.

This might prevent or make usage of gentoo more complicated in those environments, but is only a problem for a small fraction of our user base.

Best regards,

Craig

[1] https://www.bsi.bund.de/cln_183/ContentBSI/EN/Publications/Bsi_standards/standards.html

30.04.2010 20:07, Michał Górny wrote:
> Hello,
>
> I would like to put an emphasis on the fact that many eclasses
> and ebuilds in gx86 are relying on an assumption that the superuser
> account is always supposed to be named 'root'.
>
> In fact, no such constraint exists. Although most users will never even
> think of changing the superuser account name, it is perfectly legit
> to do so, and to use any name for that account. Moreover, it is
> perfectly legit to name an unprivileged user 'root' too.
>
> Thus, the above assumption is clearly incorrect and may result in many
> issues with ebuilds using it. These range from builds failing because
> of chown 'invalid user' error to packages being installed with
> incorrect file ownership.
>
> From what I've heard already, similar problem has hit Gentoo/*BSD users
> already, with superuser group not being named 'root'. Although some
> files were fixed to properly use numeric GID in the specific case,
> no UID-related changes were done.
>
> Moreover, not all developers agree with the case being an issue,
> and they even refuse patches clearly fixing it [1]. Thus, I guess that
> a clear policy regarding referencing the superuser account should be
> enforced.
>
> In my opinion, that policy should clearly indicate that the numeric
> UID/GID should be always used for referencing the superuser account
> as they are fixed unlike the names.
>
> [1] http://bugs.gentoo.org/show_bug.cgi?id=315779
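
The two failure modes named in the quoted message (a chown 'invalid user' error and incorrect file ownership), plus a check for name-based references, as an added example that is not part of the original thread. The account databases, the `sysadm` account name, the sample ebuild lines and the helper names `resolve_uid` and `lint_owner_refs` are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Account data and ebuild lines are constructed.

# resolve_uid DB OWNER: print the UID that OWNER maps to in passwd-format DB.
# Returns 1 for an unknown name (the chown 'invalid user' case).
# Assumption: no account name consists only of digits, so a numeric spec is a UID.
resolve_uid() {
    case $2 in
        ''|*[!0-9]*) awk -F: -v n="$2" '$1 == n { print $3; found = 1; exit }
                                        END { exit !found }' "$1" ;;
        *) printf '%s\n' "$2" ;;
    esac
}

# lint_owner_refs FILE: list lines that pass the name 'root' as user or group
# to chown, fowners or install -o/-g instead of the numeric ID 0.
lint_owner_refs() {
    grep -nE \
        -e '(chown|fowners)[[:space:]]+(-[A-Za-z]+[[:space:]]+)*([^[:space:]:]*:)?root([[:space:]:]|$)' \
        -e 'install[[:space:]].*-[og][[:space:]]*root([[:space:]]|$)' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Host A: superuser renamed, no 'root' account. Host B: 'root' is unprivileged.
printf '%s\n' 'sysadm:x:0:0::/root:/bin/sh' > "$tmp/renamed"
printf '%s\n' 'sysadm:x:0:0::/root:/bin/sh' 'root:x:1001:1001::/home/root:/bin/sh' > "$tmp/shadowed"
cat > "$tmp/sample.ebuild" <<'EOF'
src_install() {
    fowners root:root /etc/foo.conf
    chown -R root "${D}"/var/lib/foo
    install -o root -g root -m 0644 foo.conf "${D}"/etc
    fowners 0:0 /etc/foo.d
    install -o 0 -g 0 -m 0755 foo "${D}"/usr/bin
}
EOF

for db in renamed shadowed; do
    for owner in root 0; do
        uid=$(resolve_uid "$tmp/$db" "$owner") || uid='invalid user'
        echo "$db: '$owner' -> $uid"
    done
done
lint_owner_refs "$tmp/sample.ebuild"
```

On the renamed host the name lookup fails outright, while on the other host it succeeds but hands the files to an unprivileged account; the numeric spec resolves to UID 0 in both cases.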