Page MenuHomePhabricator
Create Task
Maniphest T86971

Decide on /var/lib vs /home as locations of homedir for mwdeploy
Closed, ResolvedPublic
Actions

Description

It's currently on /home (both in prod and beta).

Details

SubjectRepoBranchLines +/-
Move mwdeploy home to /var/lib where it belongs, it's a system useroperations/puppetproduction+4 -2
Customize query in gerrit

Related Objects

Event Timeline

yuvipanda created this task.Jan 15 2015, 9:38 PM
yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description. (Show Details)
yuvipanda added a project: acl*sre-team.
yuvipanda subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 15 2015, 9:38 PM
yuvipanda added subscribers: faidon, ori.Jan 15 2015, 9:39 PM

I couldn't really summarize what @faidon and @ori said (about /var/lib vs /home), so would be great if either of them could comment.

I personally do not care as long as it's consistent between prod and beta (beta uses a shared /home, which doesn't actually cause any issues here in practice except being eugh)

BBlack subscribed.Jan 15 2015, 9:43 PM

In the coming world of systemd, it seems to be an implicit assumption for security that homedirs are for human users only, which could include cron/daemon -like things of today which become systemd units tomorrow. cf. http://0pointer.de/public/systemd-man/systemd.exec.html#ProtectHome= . The idea behind that is that most systemd units can have ProtectHome=full and not leak random human users' data if they're compromised (assuming other sufficient privdrop).

faidon added a comment.Jan 16 2015, 2:23 PM

My comment was/is that I have a slight preference against non-human users having a home directory under /home. I called those "system" users and mwdeploy does have system => true (and I think rightfully), but @ori mentioned briefly that he doesn't consider mwdeploy a system user (correct me if I'm wrong). I'd prefer e.g. /var/lib/mwdeploy for this.

This has nothing to do with beta or Labs or NFS/LDAP in my mind; just a good practice.

Note that the reason mwdeploy switched to /home/mwdeploy was for provisioning an SSH key for keyholder, i.e. for creating ~/.ssh/authorized_keys. First of all, there's nothing stopping us from using /var/lib/mwdeploy/.ssh (SSH's config is %h/.ssh, not /home/%u/.ssh). Second, topic:ssh-userkey (still unmerged) ditches ~/.ssh entirely for authorized_keys, as these shouldn't be under user-control directories in our setup.

Dzahn subscribed.EditedJan 28 2015, 6:06 PM
In T86971#981861, @faidon wrote:

slight preference against non-human users having a home directory under /home.>
I'd prefer e.g. /var/lib/mwdeploy for this.

^ this. +1

Dzahn triaged this task as Low priority.Jan 28 2015, 6:06 PM
fgiunchedi added a project: scap2.Apr 29 2016, 12:35 PM
fgiunchedi subscribed.

looping in Scap since it also belongs there

demon subscribed.Nov 28 2016, 6:16 PM

I see zero reason we can't move the homedir to /var/lib.

gerritbot subscribed.Nov 28 2016, 6:19 PM

Change 323867 had a related patch set uploaded (by Chad):
Move mwdeploy home to /var/lib where it belongs, it's a system user

https://gerrit.wikimedia.org/r/323867

gerritbot added a project: Patch-For-Review.Nov 28 2016, 6:19 PM
mmodell edited projects, added Scap; removed scap2.Feb 10 2017, 6:22 PM
demon mentioned this in T163288: Decide on /var/lib vs /home as locations of homedir for l10nupdate.Apr 19 2017, 12:03 AM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:55 PM
gerritbot added a comment.Jul 6 2017, 4:40 PM

Change 323867 merged by Filippo Giunchedi:
[operations/puppet@production] Move mwdeploy home to /var/lib where it belongs, it's a system user

https://gerrit.wikimedia.org/r/323867

demon closed this task as Resolved.Jul 6 2017, 4:58 PM
demon claimed this task.
Restricted Application added a project: Release-Engineering-Team (Kanban). · View Herald TranscriptJul 6 2017, 4:58 PM
Phabricator_maintenance edited projects, added RelEng-Archive-FY201718-Q1; removed Release-Engineering-Team (Kanban).Sep 26 2017, 11:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL