Debian Bug report logs - #472349
adduser: please delay more than 5 seconds during deluser root


Package: adduser; Maintainer for adduser is Debian Adduser Developers <adduser@packages.debian.org>; Source for adduser is src:adduser (PTS, buildd, popcon).

Reported by: Justin Pryzby <justinpryzby@users.sourceforge.net>

Date: Sun, 23 Mar 2008 17:57:05 UTC

Severity: normal

Tags: patch

Found in version adduser/3.106

Fixed in version adduser/3.107

Done: Stephen Gran <sgran@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>:
Bug#472349; Package adduser. (full text, mbox, link).


Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
New Bug report received and forwarded. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: submit@bugs.debian.org
Subject: adduser: please delay more than 5 seconds during deluser root
Date: Sun, 23 Mar 2008 13:53:15 -0400
Package: adduser
Version: 3.106
Tags: patch
File: /usr/sbin/deluser
See also: #471705

This patch adds an explicit statement that there is a time limit; without
this, users are likely to reread the huge warning rather than quickly
aborting/suspending the process to investigate.

--- /usr/sbin/deluser
+++ /tmp/tmp.FqfaY26055/deluser	2008-03-23 13:50:46.000000000 -0400
@@ -225,11 +225,13 @@
     }
     
     # Warn in any case if you want to remove the root account 
-    if ($uid == 0) {
+    if ($pw_uid == 0) {
+        my $delay=10;
         printf (gtx("WARNING: You are just about to delete the root account (uid 0)\n"));
+        printf (gtx("This action will proceed in $delay seconds; "));
+        printf (gtx("Press Ctrl+C immediately to abort\n"));
         printf (gtx("Usually this is never required as it may render the whole system unusable\n"));
-        printf (gtx("Press immediately Ctrl+C if you want to abort\n"));
-        sleep 5;
+        sleep $delay;
         printf (gtx("Ok, you really want it, I'll delete that account\n"));
     }
 
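Review bot: On the added line `printf (gtx("This action will proceed in $delay seconds; "));`, Perl interpolates `$delay` before `gtx()` is called, so the string handed to the translation lookup already contains the number and no catalog entry can match it. Pass the value as a format argument instead, for example `printf (gtx("This action will proceed in %d seconds; "), $delay);`, and consider keeping this and the "Press Ctrl+C" half in a single string so translators see the whole sentence. Separately, the condition changes from `$uid` to `$pw_uid` with no mention in the description, and the visible context does not show where `$pw_uid` is assigned; say why in the description, since it changes when the warning fires. The path also still continues after `sleep $delay` with no input, so a run nobody is watching goes on to delete the account.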





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>:
Bug#472349; Package adduser. (full text, mbox, link).


Acknowledgement sent to Paul Johnson <baloo@ursine.ca>:
Extra info received and forwarded to list. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #10 received at 472349@bugs.debian.org (full text, mbox, reply):

From: Paul Johnson <baloo@ursine.ca>
To: Justin Pryzby <justinpryzby@users.sourceforge.net>, 472349@bugs.debian.org
Subject: Re: Bug#472349: adduser: please delay more than 5 seconds during deluser root
Date: Sun, 23 Mar 2008 12:03:22 -0700
Pardon the intrusion, I feel I need to speak up on this issue.  I feel that 
waiting on an interval before continuing instead of human confirmation on 
removal of important role accounts is not failsafe behavior.   I also suspect 
this could probably be merged with #470464.

On Sunday 23 March 2008 10:53:15 am Justin Pryzby wrote:

> This patch adds an explicit statement that there is a time limit; without
> this, users are likely to reread the huge warning rather than quickly
> aborting/suspending the process to investigate.

With something as grave as removing the root account, wouldn't it make much 
more sense to ask for explicit confirmation to be entered and wait 
indefinitely until that happens, similar to what you must do in dpkg or apt 
if you try to remove base required packages?  adduser/deluser sometimes get 
called by apt themselves, possibly while the operator who called it has 
abandoned their console to go get coffee or take care of some other task.  

This has probably come to surprise more than just me thanks to bug #469165.

-- 
Paul Johnson
baloo@ursine.ca



Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #15 received at 472349@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>
To: Paul Johnson <baloo@ursine.ca>, 472349@bugs.debian.org
Cc: Justin Pryzby <justinpryzby@users.sourceforge.net>
Subject: Re: [Adduser-devel] Bug#472349: adduser: please delay more than 5 seconds during deluser root
Date: Mon, 24 Mar 2008 00:13:57 +0000
This one time, at band camp, Paul Johnson said:
> On Sunday 23 March 2008 10:53:15 am Justin Pryzby wrote:
> 
> > This patch adds an explicit statement that there is a time limit; without
> > this, users are likely to reread the huge warning rather than quickly
> > aborting/suspending the process to investigate.
> 
> With something as grave as removing the root account, wouldn't it make much 
> more sense to ask for explicit confirmation to be entered and wait 
> indefinitely until that happens, similar to what you must do in dpkg or apt 
> if you try to remove base required packages?  adduser/deluser sometimes get 
> called by apt themselves, possibly while the operator who called it has 
> abandoned their console to go get coffee or take care of some other task.  

This bug is mostly harmless when deluser is called without a foolish
flag like --remove-home or worse, --remove-all-files.  It is possible,
of course, to say "no, you can't ever do that", but I do feel a little
uncomfortable second guessing an admin who wants to do something
drastically stupid - unix doesn't generally do that.

I agree that the harm caused by allowing people to effectively ask for
removal of the root account and all files that are uid 0 is stupid, so
what I propose is: allow removal of a uid 0 account, provided the
username is not root.  Also, fail before doing anything if either of
--remove-home or --remove-all-files is given.  Seem reasonable?
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------



Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #20 received at 472349@bugs.debian.org (full text, mbox, reply):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: Stephen Gran <sgran@debian.org>
Cc: Paul Johnson <baloo@ursine.ca>, 472349@bugs.debian.org
Subject: Re: [Adduser-devel] Bug#472349: adduser: please delay more than 5 seconds during deluser root
Date: Sun, 23 Mar 2008 20:59:57 -0400
On Mon, Mar 24, 2008 at 12:13:57AM +0000, Stephen Gran wrote:
> This one time, at band camp, Paul Johnson said:
> > On Sunday 23 March 2008 10:53:15 am Justin Pryzby wrote:
> > 
> > > This patch adds an explicit statement that there is a time limit; without
> > > this, users are likely to reread the huge warning rather than quickly
> > > aborting/suspending the process to investigate.
> > 
> > With something as grave as removing the root account, wouldn't it make much 
> > more sense to ask for explicit confirmation to be entered and wait 
> > indefinitely until that happens, similar to what you must do in dpkg or apt 
> > if you try to remove base required packages?
Yes, perhaps unless an environment variable is set (to allow it to
happen in batch, if that's hypothetically useful).  I don't know if
it'd be sufficiently safe to initialize that variable to allow root's
removal if the stdio fd's are /dev/null or such.

> This bug is mostly harmless when deluser is called without a foolish
> flag like --remove-home or worse, --remove-all-files.
Really?  

> It is possible,
> of course, to say "no, you can't ever do that", but I do feel a little
> uncomfortable second guessing an admin who wants to do something
> drastically stupid - unix doesn't generally do that.
OTOH adduser/deluser are considered to be high level tools, so
perhaps it isn't entirely unreasonable to reject it at that level?

Justin






Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #25 received at 472349@bugs.debian.org (full text, mbox, reply):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: Stephen Gran <sgran@debian.org>
Cc: Paul Johnson <baloo@ursine.ca>, 472349@bugs.debian.org
Subject: Re: [Adduser-devel] Bug#472349: adduser: please delay more than 5 seconds during deluser root
Date: Sun, 23 Mar 2008 21:02:44 -0400
On Sun, Mar 23, 2008 at 08:59:57PM -0400, Justin Pryzby wrote:
> On Mon, Mar 24, 2008 at 12:13:57AM +0000, Stephen Gran wrote:
> > This one time, at band camp, Paul Johnson said:
> > > On Sunday 23 March 2008 10:53:15 am Justin Pryzby wrote:

> > This bug is mostly harmless when deluser is called without a foolish
> > flag like --remove-home or worse, --remove-all-files.
> Really?  
Sorry, I meant to expand on that.  After removing root's passwd,
shadow and group entries, neither su nor sudo works (although single
user mode might), and I suspect pam prevents things like cron from
running normally.

Justin






Acknowledgement sent to Joerg Hoh <joerg@joerghoh.de>:
Extra info received and forwarded to list. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #30 received at 472349@bugs.debian.org (full text, mbox, reply):

From: Joerg Hoh <joerg@joerghoh.de>
To: 472349@bugs.debian.org
Subject: Re: [Adduser-devel] Bug#472349: Bug#472349: adduser: please delay more than 5 seconds during deluser root
Date: Wed, 26 Mar 2008 19:13:36 +0100
On Mon, Mar 24, 2008 at 12:13:57AM +0000, Stephen Gran wrote:
> 
> This bug is mostly harmless when deluser is called without a foolish
> flag like --remove-home or worse, --remove-all-files.  It is possible,
> of course, to say "no, you can't ever do that", but I do feel a little
> uncomfortable second guessing an admin who wants to do something
> drastically stupid - unix doesn't generally do that.
> 
> I agree that the harm caused by allowing people to effectively ask for
> removal of the root account and all files that are uid 0 is stupid, so
> what I propose is: allow removal of a uid 0 account, provided the
> username is not root.  Also, fail before doing anything if either of
> --remove-home or --remove-all-files is given.  Seem reasonable?

I would suggest to introduce a new parameter "--force"; without this flag
deluser refuses to remove the "root" account, but with this flag, deluser
will print a warning and then remove the account. 

Joerg


-- 
What did you do to the cat? It looks half-dead. -Schroedinger's wife



Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #35 received at 472349@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>
To: Joerg Hoh <joerg@joerghoh.de>, 472349@bugs.debian.org
Subject: Re: [Adduser-devel] Bug#472349: Bug#472349: Bug#472349: adduser: please delay more than 5 seconds during deluser root
Date: Wed, 26 Mar 2008 19:28:02 +0000
This one time, at band camp, Joerg Hoh said:
> On Mon, Mar 24, 2008 at 12:13:57AM +0000, Stephen Gran wrote:
> > 
> > This bug is mostly harmless when deluser is called without a foolish
> > flag like --remove-home or worse, --remove-all-files.  It is possible,
> > of course, to say "no, you can't ever do that", but I do feel a little
> > uncomfortable second guessing an admin who wants to do something
> > drastically stupid - unix doesn't generally do that.
> > 
> > I agree that the harm caused by allowing people to effectively ask for
> > removal of the root account and all files that are uid 0 is stupid, so
> > what I propose is: allow removal of a uid 0 account, provided the
> > username is not root.  Also, fail before doing anything if either of
> > --remove-home or --remove-all-files is given.  Seem reasonable?
> 
> I would suggest to introduce a new parameter "--force"; without this flag
> deluser refuses to remove the "root" account, but with this flag, deluser
> will print a warning and then remove the account. 

Seems reasonable as well.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
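
The guards proposed across this thread (fail early on --remove-home/--remove-all-files for uid 0, refuse root without --force, typed confirmation instead of a timed sleep), combined in one added example. This is not code from the adduser package or from any participant, and not a statement of what 3.107 shipped; `check_removal`, `tty_confirm` and the option-hash keys are hypothetical names.

```perl
# Added illustration, not code from the adduser package.
use strict;
use warnings;

# check_removal() is hypothetical; %$opt keys mirror the flags named in
# the thread (force, remove_home, remove_all_files). Returns (ok, reason).
sub check_removal {
    my ($name, $uid, $opt, $confirm) = @_;
    return (1, "ok") if $uid != 0 && $name ne "root";

    # Removing files of a uid 0 account would sweep up system files:
    # fail before touching anything.
    return (0, "refusing --remove-home/--remove-all-files for uid 0")
        if $opt->{remove_home} || $opt->{remove_all_files};

    # A uid 0 account that is not named root may be removed.
    return (1, "ok: uid 0 account other than root") if $name ne "root";
    # root itself needs an explicit opt-in ...
    return (0, "refusing to remove root without --force") unless $opt->{force};

    # ... and a typed confirmation rather than a timed sleep, so a run
    # with no terminal or no answer fails closed.
    return (0, "no terminal to confirm on") unless $confirm;
    my $answer = $confirm->("Type the account name to confirm removal: ");
    return (0, "confirmation did not match")
        unless defined $answer && $answer eq $name;
    return (1, "ok: root removal confirmed");
}

# Confirmer for real use: undef unless stdin is a terminal.
sub tty_confirm {
    return undef unless -t STDIN;
    return sub {
        print STDERR $_[0];
        my $line = <STDIN>;
        chomp $line if defined $line;
        return $line;
    };
}

# Constructed cases; canned answers stand in for tty_confirm().
my @cases = (
    ["alice", 1000, {},                        undef],
    ["toor",  0,    {},                        undef],
    ["toor",  0,    { remove_all_files => 1 }, undef],
    ["root",  0,    {},                        sub { "root" }],
    ["root",  0,    { force => 1 },            undef],
    ["root",  0,    { force => 1 },            sub { "root" }],
);
for my $c (@cases) {
    my ($ok, $why) = check_removal(@$c);
    printf "%-5s uid=%-4d => %s (%s)\n", $c->[0], $c->[1],
        $ok ? "allow" : "deny", $why;
}
```

A real caller would pass `tty_confirm()` as the fourth argument, which yields `undef` when the tool is run from a package script or cron job and so denies root removal there.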

Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Bug acknowledged by developer. (full text, mbox, link).


Message #40 received at 472349-close@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>
To: 472349-close@bugs.debian.org
Subject: Bug#472349: fixed in adduser 3.107
Date: Thu, 27 Mar 2008 21:17:03 +0000
Source: adduser
Source-Version: 3.107

We believe that the bug you reported is fixed in the latest version of
adduser, which is due to be installed in the Debian FTP archive:

adduser_3.107.dsc
  to pool/main/a/adduser/adduser_3.107.dsc
adduser_3.107.tar.gz
  to pool/main/a/adduser/adduser_3.107.tar.gz
adduser_3.107_all.deb
  to pool/main/a/adduser/adduser_3.107_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 472349@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated adduser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 27 Mar 2008 20:43:30 +0000
Source: adduser
Binary: adduser
Architecture: source all
Version: 3.107
Distribution: unstable
Urgency: low
Maintainer: Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 adduser    - add and remove users and groups
Closes: 469165 470464 470847 471705 471903 472349
Changes: 
 adduser (3.107) unstable; urgency=low
 .
   [ Joerg Hoh ]
   * deluser: fix really annoying message about removing root account when removing
     just a simple user. (Closes: #469165, #470464, #470847, #471705, #472349)
 .
   [ Stephen Gran ]
   * Translations:
     - eu (thanks Piarres Beobide <pi@beobide.net>)(closes: #471903)
Files: 
 0dd290f4b8f57d3d61413596163adf01 835 admin important adduser_3.107.dsc
 85f472ae5cedaea852c487ce7f6bd1e3 264145 admin important adduser_3.107.tar.gz
 f5bf39bfa88f28632bb193990976314f 172946 admin important adduser_3.107_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH7AdrSYIMHOpZA44RAhXvAJ963469wSRtHT2vJjA5ly6CcnYikgCeP3zw
BDly+ZSSNl1pi52FpyHk3Bk=
=b/dk
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 06 May 2008 07:39:31 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 21:02:57 2023; Machine Name: buxtehude
