Debian Bug report logs - #390457
adduser: deluser --system should be configurable to not delete the account

version graph

Package: adduser; Maintainer for adduser is Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>; Source for adduser is src:adduser.

Reported by: Marc Haber <mh+debian-bugs@zugschlus.de>

Date: Sun, 1 Oct 2006 11:48:07 UTC

Severity: wishlist

Found in version adduser/3.97

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>:
Bug#390457; Package adduser. Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
New Bug report received and forwarded. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: adduser: deluser --system should be configurable to not delete the account
Date: Sun, 01 Oct 2006 13:23:21 +0200
Package: adduser
Version: 3.97
Severity: wishlist

Hi,

I'd like to see deluser --system having a configuration option which
would prevent an account from actually being deleted. That way, a
local administrator could make sure that UIDs are not being re-used.

If this option is enabled, deluser --system would set the shell to
/bin/false and invalidate the password (I am not sure whether the
password should be destroyed or invalidated in a reversible way).

The default would, of course, be current behavior with actually
deleting the account.

Greetings
Marc

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13-zgsrv
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages adduser depends on:
ii  debconf [debconf-2.0]       1.5.5        Debian configuration management sy
ii  passwd                      1:4.0.18.1-3 change and administer password and
ii  perl-base                   5.8.8-6.1    The Pathologically Eclectic Rubbis

adduser recommends no packages.

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>:
Bug#390457; Package adduser. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 390457@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: 390457@bugs.debian.org
Subject: Re: [Adduser-devel] Bug#390457: adduser: deluser --system should be configurable to not delete the account
Date: Mon, 2 Oct 2006 20:43:26 +0100
[Message part 1 (text/plain, inline)]
This one time, at band camp, Marc Haber said:
> I'd like to see deluser --system having a configuration option which
> would prevent an account from actually being deleted. That way, a
> local administrator could make sure that UIDs are not being re-used.
> 
> If this option is enabled, deluser --system would set the shell to
> /bin/false and invalidate the password (I am not sure whether the
> password should be destroyed or invalidated in a reversible way).
> 
> The default would, of course, be current behavior with actually
> deleting the account.

This is repeating logic already available (chsh and passwd -l) that
don't really buy all that much security.  passwd -l doesn't prevent key
based logins, for instance.

I'd rather see the logic work another way:

Add a --permanent flag to adduser, which writes the uid to a state file.
Make deluser exit 0 (or some specific non-zero) if called for a uid in that file.
Add --force to deluser to override it.

Maintainers could then individually decide if they think the accounts
they set up are sensitive enough to be worth preserving, and call chsh
and passwd -l themselves in postrm, or, maybe better:

if deluser $user; then
  if [ $? = 6 ]; then
    chsh -s /bin/false $user
    passwd -l $user
  else
    ...
  fi
fi

This would mean making deluser return something non-zero, and
documenting how to use it for maintainer scripts.  This would allow the
local admin to easily override maintainer decisions about what uid's are
too important to remove.

I'm open to other suggestions, but that's how I see it.

Take care,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>:
Bug#390457; Package adduser. Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 390457@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Stephen Gran <sgran@debian.org>, 390457@bugs.debian.org
Subject: Re: Bug#390457: [Adduser-devel] Bug#390457: adduser: deluser --system should be configurable to not delete the account
Date: Mon, 2 Oct 2006 23:43:13 +0200
On Mon, Oct 02, 2006 at 08:43:26PM +0100, Stephen Gran wrote:
> This one time, at band camp, Marc Haber said:
> > I'd like to see deluser --system having a configuration option which
> > would prevent an account from actually being deleted. That way, a
> > local administrator could make sure that UIDs are not being re-used.
> > 
> > If this option is enabled, deluser --system would set the shell to
> > /bin/false and invalidate the password (I am not sure whether the
> > password should be destroyed or invalidated in a reversible way).
> > 
> > The default would, of course, be current behavior with actually
> > deleting the account.
> 
> This is repeating logic already available (chsh and passwd -l) that
> don't really buy all that much security.

deluser would do its work by invoking chsh and password -l.

> Add a --permanent flag to adduser, which writes the uid to a state file.
> Make deluser exit 0 (or some specific non-zero) if called for a uid in that file.
> Add --force to deluser to override it.

That would mean touching a lot of packages.

> Maintainers could then individually decide if they think the accounts
> they set up are sensitive enough to be worth preserving, and call chsh
> and passwd -l themselves in postrm, or, maybe better:
> 
> if deluser $user; then
>   if [ $? = 6 ]; then
>     chsh -s /bin/false $user
>     passwd -l $user
>   else
>     ...
>   fi
> fi

The idea of adduser and deluser is to move complexity needed in
maintainer scripts to adduser and deluser. What you are suggesting is
adding eight lines of code to a lot of maintainer scripts. I do not
like that idea as bugs in that code are going to show up and need to
be fixed in a gazillion of packages.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835



Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:57:30 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.