At our site, we needed to change the name of the default Cyrus user from "cyrus" to "cyrusadm". We changed this %define in the spec file, but there are a few places in the source where this %define isn't used.
Created attachment 107875 [details] Avoid hard-coding cyrus username
Created attachment 107876 [details] Avoid hard-coding cyrus username in init script
Created attachment 107877 [details] Avoid hard-coding cyrus username in cvt_cyrusdb_all
Created attachment 107878 [details] Update spec file to take advantage of above patches
Created attachment 107879 [details] Don't hardcode username or groupname
Created attachment 107880 [details] Update spec file to fix cyrus-imapd.rpm_set_permissions as well
I can see the value in having the spec file properly build with an alternate specification of the cyrus user. However there are two things I noticed right away with your patches. 1) You didn't pass with-cyrus-user=%{_cyrususer} to configure, that means you missed a significant part of the configuration. 2) I can't speak for Simon, but I would vastly prefer if the existing variables and configuration mechanism were used instead of inventing new ones. For example the Makefiles use, CYRUS_USER=@cyrus_user@, the variable is CYRUS_USER and the substitution parameter used by configure is @cyrus_user@. Rather than running sed with different variables on the additional SOURCE files if they were added to AC_OUTPUT and used the existing variables it would be much cleaner IMHO. We can either take you work as a starting point or submit a new patch. We try to keep our rpm in sync with Simon's so I'm going to CC him on this bug and see if he has any comments.
About (1) above, you are correct. I thought I had seen --with-cyrus-user and -\-with-cyrus-group set, but I guess not. This is easily remedied. Regarding (2) above, can AC_OUTPUT be used to change files not included in the \main tarball? The source files that I'm changing are copied into the buildroot\ after configure/make/make install have already been run. Should they be appli\ed to the source tarball as patches or something? The other source file change\s are done using sed so I had assumed that was an acceptable way of doing thing\s. Please let me know how to proceed and I'd be happy to submit new patches.
My first question is why did you have to rename the default cyrus user to something else? From my point of view it's a bad idea which can be compared to renaming the root user in any *X system. While it's possible it's a dangerous thing which poeple will learn earlier or later and then complain about it. Most important reasons for not doing it in a packaged version: - it will break 90% of cyrus-imapd related tools which are not part of the rpm but very widely used. - it's a change which can not be done once but needs additional work and testing with every new release or inclusion of new contributed tools. - updating a cyrus-imapd rpm on a system with renamed cyrus user may result in a horrible mess. - the _cyrususer macro is not a build time option. - I have just checked source rpms for bind, apache, mysql, openldap, sendmail and squid and none of them supports a renaming of usernames. Even if we change all packaged scripts to use settings in /etc/sysconfig/cyrus-imapd, where they belong, I really don't think it's a good idea.
We already have a VIP user that's using the account "cyrus". We needed to go with something like "cyrusadm".
I think Simon's arguments in comment #9 out weigh the rare problem of having previously allocated the user id cyrus to a non-system account. There is a set of user names that should be reserved, cyrus is one of them. They are documented in /usr/share/doc/setup-*/uidgid