Ludovic Courtès schreef op ma 30-05-2022 om 17:58 [+0200]:
> Perhaps it should forcefully “chown -R” home directories at boot time,
> so they have the right UID?  This has been discussed a few times,

I haven't seen the "chown -R" suggestion yet in the context of homes
(only for system accounts, and at activation time, not only boot time).

> especially in the context of system accounts; systemd-homed appears to
> be doing exactly that.

I don't think the problem is that the uid of /home/... was wrong,
rather I think the problem is that Guix has forgotten the uid and hence
invents a new one to put in /etc/passwd instead of keeping the old one.

A pitfall (noticed in the context of system accounts): the user could
have created files outside /home (e.g. in /tmp).  IIUC, this would also
require a reboot to keep name<->uid consistent after "guix system
reconfigure".

A 'chown -R' doesn't seem great to me from a security perspective
(seems very easy to get something wrong, and the TOCTTOU-free chownat
hasn't been merged yet in Guile), a performance perspective (what if
you have a huge $HOME).  Also extra io -> slower boot + disk wear.
It also destroys some information, it's possible to intentionally have
files owned by other users inside $HOME.

Things that seem missing here to me:

  * a mechanism for remembering that an uid is still in use even though
    the user has been removed (previously mentioned solutions: keep the
    uid in /etc/passwd even though it is ‘removed’, or keep a separate
    /etc/passwd-graveyard or such, etc.).  For system accounts and user
    accounts.  Won't help in this particular case but would make more
    general adding/removing user accounts less fragile (avoid 
    accidental reuse).

  * a mechanism for telling Guix ‘I'm renaming the user account, not
    creating and removing a new one, so keep the uid’

  * some heuristics for detecting mistakes (e.g.: if Guix thinks it
    should create a directory /home/foo for uid 1234, but it notices
    there is already a directory /home/bar with that uid 1234, then
    that's super suspicious.  Likewise, if Guix thinks the home
    /home/foo should be owned by uid 1234, but it notices it's already
    owned by 1235!=1234, that's also suspicious).

    IIUC, Blake Shaw only changed their user name, not the home
    directory, so this would have detected the problem

  * some mechanism for resolving mistakes 

Or maybe something else entirely, whatever works without causing new
problems I guess.

Greetings,
Maxime.