Debian Bug report logs - #291177
User/group creation/removal in package maintainer scripts

version graph

Package: debian-policy; Maintainer for debian-policy is Debian Policy List <debian-policy@lists.debian.org>; Source for debian-policy is src:debian-policy.

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Wed, 19 Jan 2005 08:48:01 UTC

Severity: wishlist

Merged with 228692, 621833

Found in versions 3.6.1.0, 3.6.1.1, debian-policy/3.9.2.0

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#291177; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: [PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts
Date: Wed, 19 Jan 2005 09:38:15 +0100
[Message part 1 (text/plain, inline)]
Package: debian-policy
Version: 3.6.1.1
Priority: wishlist

There is currently no policy on how should per-package users be created and 
removed. Eeven though the 'UID and GID classes' sections determines that 
packages _should_ use adduser --system in some occasions it doesn't 
describe why a package would want to do that.

IMHO it would be worthwhile writing in the policy that:

- maintainers should strive to make daemons run as non-root users
(this helps reduce the severity of many security bugs)

- maintainers scripts should create a system user for their daemon in
postinst.  User creation should not fail if the user already exists
(example code should be provided here, since this is sometimes not done
properly in maintainer scripts). Maintainer scripts can ask to the admin if 
the user already exists.

- maintainers scripts can remove users on purge of the package. 
This  should only be done if the files created by the user are being
removed in purge too.

- package configuration files (under /etc) should not be owned by the 
package user (this is to prevent attacks to daemons that might introduce a 
way to modify their own configuration). In some occasions access to a file 
(since it includes sensitive information) needs to be restricted, for this, 
a group should be created and the files should be chowned root:group.
(note that there is some *buggy* software in which the daemon needs to 
write to its configuration files)

For reference here are some relevant discussions:
(there are probably many more)

http://lists.debian.org/debian-policy/2003/05/msg00022.html
http://lists.debian.org/debian-devel/2001/09/msg01960.html
http://lists.debian.org/debian-devel/2004/08/msg01798.html
http://lists.debian.org/debian-devel/2004/05/msg01156.html
http://lists.debian.org/debian-devel/2003/11/msg02231.html
http://lists.debian.org/debian-devel/1996/05/msg00159.html
http://lists.debian.org/debian-user/1996/05/msg00106.html
http://lists.debian.org/debian-mentors/2004/10/msg00338.html

If others agree I can go forward, write a proposal text for this and 
provide a patch.

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#291177; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 291177@bugs.debian.org (full text, mbox):

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 291177@bugs.debian.org
Subject: Re: Bug#291177: [PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts
Date: Wed, 19 Jan 2005 09:54:50 -0200
On Wed, 19 Jan 2005, Javier Fernández-Sanguino Peña wrote:
> There is currently no policy on how should per-package users be created and 
> removed. Eeven though the 'UID and GID classes' sections determines that 
> packages _should_ use adduser --system in some occasions it doesn't 

Make it *must* use adduser --system, *if* they add an user at all.

> - maintainers scripts should create a system user for their daemon in
> postinst.  User creation should not fail if the user already exists
> (example code should be provided here, since this is sometimes not done
> properly in maintainer scripts). Maintainer scripts can ask to the admin if 
> the user already exists.

Maintainer scripts can ask about an already existing user *if and only if*
it is not a system user...  no more useless, aggravating postinst prompts,
please.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#291177; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #15 received at 291177@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: 291177@bugs.debian.org
Subject: Re: Bug#291177: [PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts
Date: Wed, 19 Jan 2005 13:22:30 +0100
[Message part 1 (text/plain, inline)]
On Wed, Jan 19, 2005 at 09:54:50AM -0200, Henrique de Moraes Holschuh wrote:
> On Wed, 19 Jan 2005, Javier Fernández-Sanguino Peña wrote:
> > There is currently no policy on how should per-package users be created and 
> > removed. Eeven though the 'UID and GID classes' sections determines that 
> > packages _should_ use adduser --system in some occasions it doesn't 
> 
> Make it *must* use adduser --system, *if* they add an user at all.

Some packages might need to use a hardcoded UID (and there's a UID range
for those) those don't use 'adduser --system'

> 
> > - maintainers scripts should create a system user for their daemon in
> > postinst.  User creation should not fail if the user already exists
> > (example code should be provided here, since this is sometimes not done
> > properly in maintainer scripts). Maintainer scripts can ask to the admin if 
> > the user already exists.
> 
> Maintainer scripts can ask about an already existing user *if and only if*
> it is not a system user...  no more useless, aggravating postinst prompts,
> please.

True. I would love to see a sample for that so that postinst scripts would 
reuse that. Actually, it could even be integrated into a dh_adduser script, 
couldn't it?

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#291177; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #20 received at 291177@bugs.debian.org (full text, mbox):

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>
Cc: 291177@bugs.debian.org
Subject: Re: Bug#291177: [PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts
Date: Wed, 19 Jan 2005 11:59:42 -0200
On Wed, 19 Jan 2005, Javier Fernández-Sanguino Peña wrote:
> On Wed, Jan 19, 2005 at 09:54:50AM -0200, Henrique de Moraes Holschuh wrote:
> > On Wed, 19 Jan 2005, Javier Fernández-Sanguino Peña wrote:
> > > There is currently no policy on how should per-package users be created and 
> > > removed. Eeven though the 'UID and GID classes' sections determines that 
> > > packages _should_ use adduser --system in some occasions it doesn't 
> > 
> > Make it *must* use adduser --system, *if* they add an user at all.
> 
> Some packages might need to use a hardcoded UID (and there's a UID range
> for those) those don't use 'adduser --system'

Then they *must* request that UID to be statically allocated to them, and
add a proper versioned dep to the base-passwd package providing it.  This is
an old, old rule, if it is not a "must" yet, it is about time it becomes
one...

> > Maintainer scripts can ask about an already existing user *if and only if*
> > it is not a system user...  no more useless, aggravating postinst prompts,
> > please.
> 
> True. I would love to see a sample for that so that postinst scripts would 
> reuse that. Actually, it could even be integrated into a dh_adduser script, 
> couldn't it?

Yes, it could.  For a sample, please see the amavisd-new or cyrus21-imapd
packages.  Both do it.  I do not claim they do it in the best possible way,
but it works.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Changed Bug title to `User/group creation/removal in package maintainer scripts' from `[PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts'. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Mon, 17 Mar 2008 05:24:18 GMT) Full text and rfc822 format available.

Merged 228692 291177. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Mon, 17 Mar 2008 05:24:19 GMT) Full text and rfc822 format available.

Merged 228692 291177 621833. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Sat, 09 Apr 2011 17:03:44 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 09:47:52 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.