Patch: Solaris packages don't create privsep user or group

Jim Knoble jmknoble at pobox.com
Wed Jul 17 05:52:38 EST 2002


Circa 2002-Jul-16 10:50:30 +1000 dixit Darren Tucker:

: Darren Tucker wrote:
: > Ben Lindstrom wrote:
: > > Hmm.. Does this work with JumpStart?  Can you add users at install time?
: > 
: > I didn't even consider that. We use jumpstart to build machines but
: > don't install sshd until after the first boot (ie not in the
: > finish_script). I'll try to dig up some spare hardware to try it.
: 
: OK I can confirm that it does NOT work with Jumpstart. useradd and
: groupadd try to modify the read-only files on the jumpstart NFS image.
: 
: Should we:
: (a) move them to the /etc/init.d/openssh script same as the keygens
: (b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd
: (c) chroot tricks?
: (d) ?
: 
: I prefer (a).

My preference would be:

  (d) Move them to an 'openssh-setup' script that does the following:
  
      - creates /var/empty if it doesn't exist
      - sets proper ownership and permissions on /var/empty
      - creates the privsep user/group using usual tools
      - if desired, turns on/off privsep in sshd_config
      - other optional post-install setup (such as creating a service
        directory for use with svscan/supervise/multilog from djb's
        daemontools package <http://cr.yp.to/daemontools.html>).

This is the only sane way to deal with post-install package
configuration.  I've been using such a schema for some time to handle
post-install configuration both for homegrown Encap packages
<http://www.encap.org/> of OpenSSH on HP-UX, AIX, and Slolaris, and for
my homegrown RPM packages for various Linux flavors.

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
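
One way to write the 'openssh-setup' script proposed in (d), run as root on the booted system rather than from the package's install scripts. This is an added example, not part of the original message or of OpenSSH; the default paths, the root:sys ownership, the variable names and the argument convention are assumptions.

```shell
#!/bin/sh
# Added illustration of an 'openssh-setup' post-install script.
# Usage (as root, after first boot):  openssh-setup yes|no
# Assumed defaults; override through the environment.
EMPTY_DIR=${EMPTY_DIR:-/var/empty}
EMPTY_OWNER=${EMPTY_OWNER:-root:sys}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
PRIVSEP_USER=${PRIVSEP_USER:-sshd}

# Create the privsep directory if missing; always re-assert owner and mode,
# so a directory left group- or world-writable is corrected on re-run.
ensure_empty_dir() {
    [ -d "$EMPTY_DIR" ] || mkdir -p "$EMPTY_DIR" || return 1
    chown "$EMPTY_OWNER" "$EMPTY_DIR" && chmod 755 "$EMPTY_DIR"
}

# Create the privsep group and user only if absent (safe to re-run).
ensure_privsep_account() {
    getent group "$PRIVSEP_USER" >/dev/null 2>&1 ||
        groupadd "$PRIVSEP_USER" || return 1
    getent passwd "$PRIVSEP_USER" >/dev/null 2>&1 ||
        useradd -g "$PRIVSEP_USER" -c 'sshd privsep' -d "$EMPTY_DIR" \
                -s /bin/false "$PRIVSEP_USER"
}

# Turn privsep on or off. Active settings are dropped and the new one is
# written as the first line, so exactly one setting remains in effect.
set_privsep() {
    case $1 in yes|no) ;; *) echo "usage: set_privsep yes|no" >&2; return 2 ;; esac
    [ -f "$SSHD_CONFIG" ] || return 1
    tmp=$SSHD_CONFIG.new.$$
    {
        printf 'UsePrivilegeSeparation %s\n' "$1"
        grep -v -i '^[[:space:]]*UsePrivilegeSeparation[[:space:]]' "$SSHD_CONFIG" || true
    } > "$tmp" || return 1
    # cat rather than mv, so the config file keeps its owner and mode
    cat "$tmp" > "$SSHD_CONFIG" && rm -f "$tmp"
}

main() {
    ensure_empty_dir && ensure_privsep_account || return 1
    if [ -n "${1:-}" ]; then set_privsep "$1"; fi
}

# Act only when given an argument, so the file can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```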
More information about the openssh-unix-dev mailing list