Debian Bug report logs - #621833
System users: removing them

version graph

Package: debian-policy; Maintainer for debian-policy is Debian Policy List <debian-policy@lists.debian.org>; Source for debian-policy is src:debian-policy.

Reported by: Lars Wirzenius <liw@liw.fi>

Date: Sat, 9 Apr 2011 08:48:08 UTC

Severity: wishlist

Merged with 228692, 291177

Found in versions 3.6.1.0, 3.6.1.1, debian-policy/3.9.2.0

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sat, 09 Apr 2011 08:48:32 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lars Wirzenius <liw@liw.fi>:
New Bug report received and forwarded. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sat, 09 Apr 2011 08:48:59 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Lars Wirzenius <liw@liw.fi>
To: debian-devel@lists.debian.org
Cc: new debian bug <submit@bugs.debian.org>
Subject: Re: System users: removing them
Date: Sat, 09 Apr 2011 09:44:28 +0100
Package: debian-policy
Version: 3.9.2.0

thanks

Background for the policy list: see thread starting at
http://lists.debian.org/debian-devel/2011/03/msg01174.html
and continuing in April at
http://lists.debian.org/debian-devel/2011/04/msg00210.html

On ma, 2011-04-04 at 21:09 +0100, Lars Wirzenius wrote:
> > The current default is not to delete the user because packages don't
> > generally do so, surely ?
> 
> I ran the attached script (same as the one I attached to my previous
> mail, to the bash thread) to unpack all amd64 sid/main binary packages,
> and then grepped for use of adduser or deluser in maintainer scripts:
> 
>         find pool -name postinst -o -name preinst -o -name postrm -o
>         -name prerm | xargs grep adduser > adduser.list
>         
> And the same, replacing adduser with deluser. The lists are a few tens
> of kilobytes in total, so I won't attach them to the mailing list, but
> I've put them on the web:
> 
> http://files.liw.fi/temp/adduser.list
> http://files.liw.fi/temp/deluser.list
> 
> There seem to be 106 maintainer scripts that mention deluser, in 103
> packages. (I did not manually verify that they're all actually calling
> deluser.)
> 
> I think this would be a good point to have a discussion and set policy
> on how to deal with this. The policy manual seems to currently be silent
> about removing users created by the package at installation time.
> 
>       * We can decide that packages may not remove the accounts they
>         create, ever. In that case, we should amend Policy to say this
>         explicitly, do an MBF on the packages in the deluser.list above,
>         and add a lintian warning against calling deluser in maintainer
>         scripts.

Ian and Tollef and Scott Kitterman are against removal of system users,
and nobody (except, very mildly, me) is for their removal, so I guess
the consensus on -devel is clear: we should not remove system users,
ever, in maintainer scripts. If an admin wants to do it manually, that
is, of course, OK.

Thus, I propose to change 9.2.2 "UID and GID classes", the paragraph on
uids in the range 100-999, to add the following sentence to the end of
the paragraph:

        Packages must not remove system users and groups they have
        created.

Not sure if a mass bug filing is warranted if this policy change is
accepted, but definitely a lintian check would be in order (I'm happy to
write it).

-- 
Blog/wiki/website hosting with ikiwiki (free for free software):
http://www.branchable.com/





Severity set to 'wishlist' from 'normal' Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Sat, 09 Apr 2011 17:03:42 GMT) Full text and rfc822 format available.

Merged 228692 291177 621833. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Sat, 09 Apr 2011 17:03:45 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 10 Apr 2011 02:33:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lars Wirzenius <liw@liw.fi>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 10 Apr 2011 02:33:14 GMT) Full text and rfc822 format available.

Message #14 received at 621833@bugs.debian.org (full text, mbox):

From: Lars Wirzenius <liw@liw.fi>
To: 621833@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: System users: removing them
Date: Sat, 09 Apr 2011 13:21:27 +0100
Adding a copy to the bug report.

Everyone please Cc 621833@bugs.debian.org if replying to this subhtread.
Thanks.

On la, 2011-04-09 at 10:14 +0100, Roger Leigh wrote:
> On Sat, Apr 09, 2011 at 09:44:28AM +0100, Lars Wirzenius wrote:
> > Package: debian-policy
> > Version: 3.9.2.0
> > 
> > thanks
> > 
> > Background for the policy list: see thread starting at
> > http://lists.debian.org/debian-devel/2011/03/msg01174.html
> > and continuing in April at
> > http://lists.debian.org/debian-devel/2011/04/msg00210.html
> > 
> > On ma, 2011-04-04 at 21:09 +0100, Lars Wirzenius wrote:
> > > > The current default is not to delete the user because packages don't
> > > > generally do so, surely ?
> > > 
> > > I ran the attached script (same as the one I attached to my previous
> > > mail, to the bash thread) to unpack all amd64 sid/main binary packages,
> > > and then grepped for use of adduser or deluser in maintainer scripts:
> > > 
> > >         find pool -name postinst -o -name preinst -o -name postrm -o
> > >         -name prerm | xargs grep adduser > adduser.list
> > >         
> > > And the same, replacing adduser with deluser. The lists are a few tens
> > > of kilobytes in total, so I won't attach them to the mailing list, but
> > > I've put them on the web:
> > > 
> > > http://files.liw.fi/temp/adduser.list
> > > http://files.liw.fi/temp/deluser.list
> > > 
> > > There seem to be 106 maintainer scripts that mention deluser, in 103
> > > packages. (I did not manually verify that they're all actually calling
> > > deluser.)
> > > 
> > > I think this would be a good point to have a discussion and set policy
> > > on how to deal with this. The policy manual seems to currently be silent
> > > about removing users created by the package at installation time.
> > > 
> > >       * We can decide that packages may not remove the accounts they
> > >         create, ever. In that case, we should amend Policy to say this
> > >         explicitly, do an MBF on the packages in the deluser.list above,
> > >         and add a lintian warning against calling deluser in maintainer
> > >         scripts.
> > 
> > Ian and Tollef and Scott Kitterman are against removal of system users,
> > and nobody (except, very mildly, me) is for their removal, so I guess
> > the consensus on -devel is clear: we should not remove system users,
> > ever, in maintainer scripts. If an admin wants to do it manually, that
> > is, of course, OK.
> > 
> > Thus, I propose to change 9.2.2 "UID and GID classes", the paragraph on
> > uids in the range 100-999, to add the following sentence to the end of
> > the paragraph:
> > 
> >         Packages must not remove system users and groups they have
> >         created.
> 
> This does sound like a sensible addition.  Will the packages be
> responsible for locking the accounts?
> 
> I've always found the addition and removal of user accounts in
> maintainer scripts difficult, due to the huge difference in
> practice between packages, and the lack of detailed guidance on
> best practice.  Would it be worth adding explicit examples of
> how to add system users and groups in Policy.  Also, would it
> be worth adding support to debhelper or dpkg-maintscript-helper
> to do the user addition--it would unify the process so that
> packages won't have to reinvent the wheel, and make things
> much more simple and reliable.
> 
> 
> Regards,
> Roger
> 

-- 
Blog/wiki/website hosting with ikiwiki (free for free software):
http://www.branchable.com/





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 10 Apr 2011 09:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 10 Apr 2011 09:27:12 GMT) Full text and rfc822 format available.

Message #19 received at 621833@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Roger Leigh <rleigh@codelibre.net>
Cc: 621833@bugs.debian.org
Subject: Re: System users: removing them
Date: Sun, 10 Apr 2011 02:25:36 -0700
[Message part 1 (text/plain, inline)]
On Sat, Apr 09, 2011 at 10:14:54AM +0100, Roger Leigh wrote:
> On Sat, Apr 09, 2011 at 09:44:28AM +0100, Lars Wirzenius wrote:
> > Thus, I propose to change 9.2.2 "UID and GID classes", the paragraph on
> > uids in the range 100-999, to add the following sentence to the end of
> > the paragraph:

> >         Packages must not remove system users and groups they have
> >         created.

> This does sound like a sensible addition.  Will the packages be
> responsible for locking the accounts?

I agree that the accounts should not be deleted, but that the packages
should still be responsible for certain forms of cleanup:

 - removing the user home directory (on purge?)
 - locking the account
 - (optional) scanning the filesystem to clean up any other files owned by
   the user

This is the good kind of cleanup to do.  Deleting the account entirely is
the bad kind of cleanup, because you can never guarantee that you've gotten
*all* the files belonging to that user/group, thanks to removable media; so
if the UID is reused, some other account gets access to files it wasn't
meant to.

> I've always found the addition and removal of user accounts in
> maintainer scripts difficult, due to the huge difference in
> practice between packages, and the lack of detailed guidance on
> best practice.  Would it be worth adding explicit examples of
> how to add system users and groups in Policy.  Also, would it
> be worth adding support to debhelper or dpkg-maintscript-helper
> to do the user addition--it would unify the process so that
> packages won't have to reinvent the wheel, and make things
> much more simple and reliable.

I don't think dpkg-maintscript-helper is the right layer of abstraction for
something like this; we already have an imperative interface for account
creation/deletion, which is adduser/deluser, and if that interface isn't
sufficiently straightforward we should remedy that directly.

I'm not sure if debhelper can help here.  I guess we would need a new config
file (debian/users?), but I'm not sure it could be done with a very
debhelper-like syntax.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 10 Apr 2011 10:24:50 GMT) Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@seanius.net>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 10 Apr 2011 10:24:57 GMT) Full text and rfc822 format available.

Message #24 received at 621833@bugs.debian.org (full text, mbox):

From: sean finney <seanius@seanius.net>
To: Steve Langasek <vorlon@debian.org>, 621833@bugs.debian.org
Cc: Roger Leigh <rleigh@codelibre.net>
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 10 Apr 2011 12:12:24 +0200
Hi all,

On Sun, Apr 10, 2011 at 02:25:36AM -0700, Steve Langasek wrote:
> I agree that the accounts should not be deleted, but that the packages
> should still be responsible for certain forms of cleanup:
> 
>  - removing the user home directory (on purge?)
>  - locking the account
>  - (optional) scanning the filesystem to clean up any other files owned by
>    the user

For locking the account, I think it could be problematic if you have some
kind of central account management system (i.e. LDAP/AD), and you don't
want to lock it globally.


	sean





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 10 Apr 2011 18:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 10 Apr 2011 18:06:07 GMT) Full text and rfc822 format available.

Message #29 received at 621833@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: sean finney <seanius@seanius.net>
Cc: 621833@bugs.debian.org, Steve Langasek <vorlon@debian.org>, Roger Leigh <rleigh@codelibre.net>
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 10 Apr 2011 11:03:34 -0700
sean finney <seanius@seanius.net> writes:

> For locking the account, I think it could be problematic if you have
> some kind of central account management system (i.e. LDAP/AD), and you
> don't want to lock it globally.

Yeah, but adduser doesn't ever do anything with central account management
systems anyway, so far as I know, so you could tell adduser to lock it and
if adduser can't find it in the local /etc/passwd or /etc/shadow, it would
just give up.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 10 Apr 2011 19:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@seanius.net>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 10 Apr 2011 19:45:06 GMT) Full text and rfc822 format available.

Message #34 received at 621833@bugs.debian.org (full text, mbox):

From: sean finney <seanius@seanius.net>
To: Russ Allbery <rra@debian.org>, 621833@bugs.debian.org
Cc: Steve Langasek <vorlon@debian.org>, Roger Leigh <rleigh@codelibre.net>
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 10 Apr 2011 21:41:03 +0200
On Sun, Apr 10, 2011 at 11:03:34AM -0700, Russ Allbery wrote:
> sean finney <seanius@seanius.net> writes:
> 
> > For locking the account, I think it could be problematic if you have
> > some kind of central account management system (i.e. LDAP/AD), and you
> > don't want to lock it globally.
> 
> Yeah, but adduser doesn't ever do anything with central account management
> systems anyway, so far as I know, so you could tell adduser to lock it and
> if adduser can't find it in the local /etc/passwd or /etc/shadow, it would
> just give up.

I was always given the impression that adduser and friends "wanted" to be
able to handle non-local accounts, but nobody had ever extended it to do
so?  So I think it's a bit shaky to make that assumption.

But if we specifically limit the scope for users/groups being locked to
"only if they're in /etc/passwd,/etc/group" then yes I think that the
recommendation makes sense.  But then we probably ought to also have
some boilerplate examples of exactly how it should be done.

On that note, I just read over 9.2 and see we don't have anything about
the right behavior for adding users/groups there either, and you have
similar problems along those lines.  Actually it seems that 9.2 as a
whole could use a bit of a facelift :)



	sean




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 10 Apr 2011 19:57:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 10 Apr 2011 19:57:05 GMT) Full text and rfc822 format available.

Message #39 received at 621833@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: sean finney <seanius@seanius.net>
Cc: 621833@bugs.debian.org, Steve Langasek <vorlon@debian.org>, Roger Leigh <rleigh@codelibre.net>
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 10 Apr 2011 12:53:14 -0700
sean finney <seanius@seanius.net> writes:

> I was always given the impression that adduser and friends "wanted" to
> be able to handle non-local accounts, but nobody had ever extended it to
> do so?  So I think it's a bit shaky to make that assumption.

> But if we specifically limit the scope for users/groups being locked to
> "only if they're in /etc/passwd,/etc/group" then yes I think that the
> recommendation makes sense.  But then we probably ought to also have
> some boilerplate examples of exactly how it should be done.

If that's really a future intention, maybe add a no-op --local flag to
adduser that says not to do that, should it ever have been added?

> On that note, I just read over 9.2 and see we don't have anything about
> the right behavior for adding users/groups there either, and you have
> similar problems along those lines.  Actually it seems that 9.2 as a
> whole could use a bit of a facelift :)

Yes.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Tue, 12 Apr 2011 17:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lars Wirzenius <liw@liw.fi>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Tue, 12 Apr 2011 17:45:03 GMT) Full text and rfc822 format available.

Message #44 received at 621833@bugs.debian.org (full text, mbox):

From: Lars Wirzenius <liw@liw.fi>
To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: debian-devel@lists.debian.org, 621833@bugs.debian.org
Subject: Re: System users: removing them
Date: Tue, 12 Apr 2011 18:41:10 +0100
(Cc to the relevant bug added.)

On ma, 2011-04-11 at 14:05 +0100, Ian Jackson wrote:
> Lars Wirzenius writes ("Re: System users: removing them"):
> > Thus, I propose to change 9.2.2 "UID and GID classes", the paragraph on
> > uids in the range 100-999, to add the following sentence to the end of
> > the paragraph:
> > 
> >         Packages must not remove system users and groups they have
> >         created.
> 
> But shouldn't we say they _must_ lock package-specific system users
> and groups when the package is removed ?

I think that's a good idea. Steve Langasek in the bug (#621833) and
others agree, so I think there's a strong consensus on that.


-- 
Blog/wiki/website hosting with ikiwiki (free for free software):
http://www.branchable.com/





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Tue, 12 Apr 2011 19:34:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@seanius.net>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Tue, 12 Apr 2011 19:34:17 GMT) Full text and rfc822 format available.

Message #49 received at 621833@bugs.debian.org (full text, mbox):

From: sean finney <seanius@seanius.net>
To: Lars Wirzenius <liw@liw.fi>, 621833@bugs.debian.org
Cc: Ian Jackson <ijackson@chiark.greenend.org.uk>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Tue, 12 Apr 2011 21:31:47 +0200
Hi Lars,

On Tue, Apr 12, 2011 at 06:41:10PM +0100, Lars Wirzenius wrote:
> > But shouldn't we say they _must_ lock package-specific system users
> > and groups when the package is removed ?
> 
> I think that's a good idea. Steve Langasek in the bug (#621833) and
> others agree, so I think there's a strong consensus on that.

I don't think I'd agree there, at least without also addressing:

 * It also needs to limit the scope to locally defined users (i.e. not
   fail when it is unable to lock an NIS/LDAP/etc account).
 * There needs to be a way to explicitly do that with adduser or a similar
   tool[1][2][3][4].

Also, we haven't discussed what should be done in the case of a user
account possibly shared between different packages, where any one of
them may create it and 1..N of them might be installed.  For example,
nagios/nrpe comes to mind, or maybe parallel installed postgres versions
and related tools.  Alternatively, if we strictly interpret what
Ian suggested to not include such packages, we should state that and/or
give alternate instructions for this case.


I second your original proposal though, that packages must not delete
system users that they have created.  I don't think anyone had objections
to that, and the question is whether things should be taken further.


	sean

[1] Assuming it must be done with one tool, it should also state "lock
    users with $thiscommand $theseoptions", and depend on "$thisversion"
	of the tool in question if the tool needs to be updated.
[2] And if "$theseoptions" are not specifically for the "local only case",
    we need a way to tell the difference between a "locking failed" error and
	a "user is remote" error.
[3] Or maybe instead of using a tool we have something like declarative
    users, where we state policy and farm it off to dpkg to implement?
[4] Whoa, footnotespam ftw, sorry.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Tue, 12 Apr 2011 20:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Tue, 12 Apr 2011 20:06:03 GMT) Full text and rfc822 format available.

Message #54 received at 621833@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Lars Wirzenius <liw@liw.fi>, 621833@bugs.debian.org
Cc: Ian Jackson <ijackson@chiark.greenend.org.uk>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Tue, 12 Apr 2011 22:03:30 +0200
On Tue, Apr 12, 2011 at 06:41:10PM +0100, Lars Wirzenius wrote:
> (Cc to the relevant bug added.)
> 
> On ma, 2011-04-11 at 14:05 +0100, Ian Jackson wrote:
> > Lars Wirzenius writes ("Re: System users: removing them"):
> > > Thus, I propose to change 9.2.2 "UID and GID classes", the paragraph on
> > > uids in the range 100-999, to add the following sentence to the end of
> > > the paragraph:
> > > 
> > >         Packages must not remove system users and groups they have
> > >         created.
> > 
> > But shouldn't we say they _must_ lock package-specific system users
> > and groups when the package is removed ?
> 
> I think that's a good idea. Steve Langasek in the bug (#621833) and
> others agree, so I think there's a strong consensus on that.

Also, we need to provide a way for sysadmin to know they can safely remove a stale
system user.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Tue, 12 Apr 2011 21:16:33 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Scott Kitterman" <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Tue, 12 Apr 2011 21:16:33 GMT) Full text and rfc822 format available.

Message #59 received at 621833@bugs.debian.org (full text, mbox):

From: "Scott Kitterman" <debian@kitterman.com>
To: debian-devel@lists.debian.org
Cc: 621833@bugs.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Tue, 12 Apr 2011 16:43:51 -0400
> On Tue, Apr 12, 2011 at 06:41:10PM +0100, Lars Wirzenius wrote:
>> (Cc to the relevant bug added.)
>>
>> On ma, 2011-04-11 at 14:05 +0100, Ian Jackson wrote:
>> > Lars Wirzenius writes ("Re: System users: removing them"):
>> > > Thus, I propose to change 9.2.2 "UID and GID classes", the paragraph
>> on
>> > > uids in the range 100-999, to add the following sentence to the end
>> of
>> > > the paragraph:
>> > >
>> > >         Packages must not remove system users and groups they have
>> > >         created.
>> >
>> > But shouldn't we say they _must_ lock package-specific system users
>> > and groups when the package is removed ?
>>
>> I think that's a good idea. Steve Langasek in the bug (#621833) and
>> others agree, so I think there's a strong consensus on that.
>
> Also, we need to provide a way for sysadmin to know they can safely remove
> a stale
> system user.

If we could do that, we could just remove them automatically and not
bother the sysadmin.

Scott K




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Wed, 13 Apr 2011 19:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lars Wirzenius <liw@liw.fi>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Wed, 13 Apr 2011 19:42:03 GMT) Full text and rfc822 format available.

Message #64 received at 621833@bugs.debian.org (full text, mbox):

From: Lars Wirzenius <liw@liw.fi>
To: 621833@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Wed, 13 Apr 2011 20:39:28 +0100
On ti, 2011-04-12 at 21:31 +0200, sean finney wrote:
> Hi Lars,
> 
> On Tue, Apr 12, 2011 at 06:41:10PM +0100, Lars Wirzenius wrote:
> > > But shouldn't we say they _must_ lock package-specific system users
> > > and groups when the package is removed ?
> > 
> > I think that's a good idea. Steve Langasek in the bug (#621833) and
> > others agree, so I think there's a strong consensus on that.
> 
> I don't think I'd agree there, at least without also addressing:
> 
>  * It also needs to limit the scope to locally defined users (i.e. not
>    fail when it is unable to lock an NIS/LDAP/etc account).
>  * There needs to be a way to explicitly do that with adduser or a similar
>    tool[1][2][3][4].

Yes, and these were already suggested in the bug log, if I've undertood
everyone correctly (not all those mails were on -devel, though).

> Also, we haven't discussed what should be done in the case of a user
> account possibly shared between different packages, where any one of
> them may create it and 1..N of them might be installed.

In my opinion, those packages should arrange for things to work right
amongst themselves. The typical case would be to have a -common package,
which creates and locks down the user, and everything else depends on
it. But other options are also possible; I guess anything that achieves
the same effect should be OK by the policy manual.

-- 
Blog/wiki/website hosting with ikiwiki (free for free software):
http://www.branchable.com/





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Wed, 13 Apr 2011 21:18:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo 'costela' Antunes <costela@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Wed, 13 Apr 2011 21:18:08 GMT) Full text and rfc822 format available.

Message #69 received at 621833@bugs.debian.org (full text, mbox):

From: Leo 'costela' Antunes <costela@debian.org>
Cc: debian-devel@lists.debian.org, 621833@bugs.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Wed, 13 Apr 2011 23:06:48 +0200
On 12/04/11 22:43, Scott Kitterman wrote:
>> Also, we need to provide a way for sysadmin to know they can safely remove
>> a stale
>> system user.
> 
> If we could do that, we could just remove them automatically and not
> bother the sysadmin.

Not necessarily. We can't be sure there aren't any files lying around
(at least not efficiently enough) to cause problems with UID reuse etc,
but we may inform the admin that at least from the packaging point of
view, the user/group isn't needed anymore. He can then decide to take
appropriate action if he feels the house-keeping is necessary.
It could simply be a matter of using the "User Name/Comment" field to
write something like "formerly used by package X; may be removed".
Admittedly not strictly necessary, but nice for those cases where you
check your /etc/passwd a few years later and ask yourself where that
user came from.


Cheers

-- 
Leo "costela" Antunes
[insert a witty retort here]




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 May 2011 07:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 May 2011 07:51:05 GMT) Full text and rfc822 format available.

Message #74 received at 621833@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: sean finney <seanius@seanius.net>, 621833@bugs.debian.org
Cc: Lars Wirzenius <liw@liw.fi>, Ian Jackson <ijackson@chiark.greenend.org.uk>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 1 May 2011 00:49:03 -0700
On Tue, Apr 12, 2011 at 09:31:47PM +0200, sean finney wrote:

> I second your original proposal though, that packages must not delete
> system users that they have created.  I don't think anyone had objections
> to that, and the question is whether things should be taken further.

I do object to telling maintainers they must not delete system users,
without also giving guidance on how and when to lock the accounts.

Sorry, no time at the moment to propose verbiage to reconcile this with your
concerns.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 May 2011 14:24:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ian Jackson <ijackson@chiark.greenend.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 May 2011 14:24:10 GMT) Full text and rfc822 format available.

Message #79 received at 621833@bugs.debian.org (full text, mbox):

From: Ian Jackson <ijackson@chiark.greenend.org.uk>
To: Steve Langasek <vorlon@debian.org>
Cc: sean finney <seanius@seanius.net>, 621833@bugs.debian.org, Lars Wirzenius <liw@liw.fi>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 1 May 2011 15:06:00 +0100
Steve Langasek writes ("Re: Bug#621833: System users: removing them"):
> On Tue, Apr 12, 2011 at 09:31:47PM +0200, sean finney wrote:
> > I second your original proposal though, that packages must not delete
> > system users that they have created.  I don't think anyone had objections
> > to that, and the question is whether things should be taken further.
> 
> I do object to telling maintainers they must not delete system users,
> without also giving guidance on how and when to lock the accounts.

Yes, I agree with this.

> Sorry, no time at the moment to propose verbiage to reconcile this with your
> concerns.

I think the right thing to do would be to have deluser lock (rather
than delete) system users when invoked in the way currently used by
maintainer scripts.  Provided that doesn't make interactive use of
deluser break somehow.

Ian.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 May 2011 15:15:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 May 2011 15:15:08 GMT) Full text and rfc822 format available.

Message #84 received at 621833@bugs.debian.org (full text, mbox):

From: Andreas Barth <aba@not.so.argh.org>
To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: Steve Langasek <vorlon@debian.org>, sean finney <seanius@seanius.net>, 621833@bugs.debian.org, Lars Wirzenius <liw@liw.fi>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 1 May 2011 16:42:17 +0200
* Ian Jackson (ijackson@chiark.greenend.org.uk) [110501 16:39]:
> Steve Langasek writes ("Re: Bug#621833: System users: removing them"):
> > On Tue, Apr 12, 2011 at 09:31:47PM +0200, sean finney wrote:
> > > I second your original proposal though, that packages must not delete
> > > system users that they have created.  I don't think anyone had objections
> > > to that, and the question is whether things should be taken further.
> > 
> > I do object to telling maintainers they must not delete system users,
> > without also giving guidance on how and when to lock the accounts.
> 
> Yes, I agree with this.
> 
> > Sorry, no time at the moment to propose verbiage to reconcile this with your
> > concerns.
> 
> I think the right thing to do would be to have deluser lock (rather
> than delete) system users when invoked in the way currently used by
> maintainer scripts.  Provided that doesn't make interactive use of
> deluser break somehow.

Good idea.


I agree that system users should never be removed by maintainer
scripts, but as said: Someone would need to write that down before
starting to behave so.


Andi




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 29 May 2011 10:54:38 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 29 May 2011 10:54:48 GMT) Full text and rfc822 format available.

Message #89 received at 621833@bugs.debian.org (full text, mbox):

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: 621833@bugs.debian.org
Subject: What about userdel?
Date: Sun, 29 May 2011 11:52:40 +0100
[Message part 1 (text/plain, inline)]
I am managing a package that does 'userdel' in a purge. It removes the
home directory as that contains config files. I am a bit concerned about
disabling the account further, because then I will have to add more
logic about reenabling it in certain scenarios.

-- 
Nicholas Bamber | http://www.periapt.co.uk/
PGP key 3BFFE73C from pgp.mit.edu

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 29 May 2011 11:06:37 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 29 May 2011 11:06:44 GMT) Full text and rfc822 format available.

Message #94 received at 621833@bugs.debian.org (full text, mbox):

From: Roger Leigh <rleigh@codelibre.net>
To: Ian Jackson <ijackson@chiark.greenend.org.uk>, 621833@bugs.debian.org
Cc: Steve Langasek <vorlon@debian.org>, sean finney <seanius@seanius.net>, Lars Wirzenius <liw@liw.fi>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 29 May 2011 12:04:35 +0100
[Message part 1 (text/plain, inline)]
On Sun, May 01, 2011 at 03:06:00PM +0100, Ian Jackson wrote:
> Steve Langasek writes ("Re: Bug#621833: System users: removing them"):
> > On Tue, Apr 12, 2011 at 09:31:47PM +0200, sean finney wrote:
> > > I second your original proposal though, that packages must not delete
> > > system users that they have created.  I don't think anyone had objections
> > > to that, and the question is whether things should be taken further.
> > 
> > I do object to telling maintainers they must not delete system users,
> > without also giving guidance on how and when to lock the accounts.
> 
> Yes, I agree with this.
> 
> > Sorry, no time at the moment to propose verbiage to reconcile this with your
> > concerns.
> 
> I think the right thing to do would be to have deluser lock (rather
> than delete) system users when invoked in the way currently used by
> maintainer scripts.  Provided that doesn't make interactive use of
> deluser break somehow.

I've been looking at how this might be accomplished right now, and
have these observations to make.  (These are WRT my addition and
removal of the "sbuild" user in the sbuild package.)

1) Locking on removal.

  This is as simple as doing (in postrm)

    # Lock sbuild account.
    usermod -U -e 1 sbuild

However, one does now need to consider how "unlocking" will occur
if the package is reinstalled, which I don't think has been covered
as yet:

2) Reinstallation.

   I'm currently using this logic (in postinst)

     # Create dedicated sbuild user
     if ! getent passwd sbuild > /dev/null; then
         adduser --system --quiet --home /var/lib/sbuild --no-create-home \
         --shell /bin/bash --ingroup sbuild --gecos "Debian source builder" sbuild
     fi

  However, consider that if the account is locked, the user already
  exists and no unlocking will occur, leaving the reinstalled
  package broken.  This logic is common to many packages.

  I've added this after the above to unlock if locked:

    # Unlock account in case it was locked from previous purge.
    usermod -U -e '' sbuild

  This appears to reverse the locking, via inspection of the
  shadow record.  However, "" isn't documented as a valid
  value for EXPIRE_DATE (it's the default in /etc/default/useradd
  though).

Given the need to consider unlocking as well as locking, I'm not sure
it's worth adding special support to deluser: the typical logic used
to create the user will be insufficient to unlock, so it's no less
the effort to add an explict unlock/lock to the maintainer scripts,
dropping use of deluser entirely.

I do agree that a --local option would be a valuable and useful
addition to the adduser and deluser etc. tools, even if currently
a no-op.  However, due to the above I don't think that adding
special-case user locking to deluser is the correct course of action.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 29 May 2011 11:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 29 May 2011 11:57:03 GMT) Full text and rfc822 format available.

Message #99 received at 621833@bugs.debian.org (full text, mbox):

From: Roger Leigh <rleigh@codelibre.net>
To: Ian Jackson <ijackson@chiark.greenend.org.uk>, 621833@bugs.debian.org
Cc: Steve Langasek <vorlon@debian.org>, sean finney <seanius@seanius.net>, Lars Wirzenius <liw@liw.fi>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 29 May 2011 12:55:10 +0100
[Message part 1 (text/plain, inline)]
On Sun, May 29, 2011 at 12:04:35PM +0100, Roger Leigh wrote:
> On Sun, May 01, 2011 at 03:06:00PM +0100, Ian Jackson wrote:
> > Steve Langasek writes ("Re: Bug#621833: System users: removing them"):
> > > On Tue, Apr 12, 2011 at 09:31:47PM +0200, sean finney wrote:
> > > > I second your original proposal though, that packages must not delete
> > > > system users that they have created.  I don't think anyone had objections
> > > > to that, and the question is whether things should be taken further.
> > > 
> > > I do object to telling maintainers they must not delete system users,
> > > without also giving guidance on how and when to lock the accounts.
> > 
> > Yes, I agree with this.
> > 
> > > Sorry, no time at the moment to propose verbiage to reconcile this with your
> > > concerns.
> > 
> > I think the right thing to do would be to have deluser lock (rather
> > than delete) system users when invoked in the way currently used by
> > maintainer scripts.  Provided that doesn't make interactive use of
> > deluser break somehow.
> 
> I've been looking at how this might be accomplished right now, and
> have these observations to make.  (These are WRT my addition and
> removal of the "sbuild" user in the sbuild package.)
> 
> 1) Locking on removal.
> 
>   This is as simple as doing (in postrm)
> 
>     # Lock sbuild account.
>     usermod -U -e 1 sbuild

Oops, should of course be "usermod -L -e 1 sbuild"

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 29 May 2011 17:25:31 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Nieder <jrnieder@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 29 May 2011 17:25:31 GMT) Full text and rfc822 format available.

Message #104 received at 621833@bugs.debian.org (full text, mbox):

From: Jonathan Nieder <jrnieder@gmail.com>
To: Roger Leigh <rleigh@codelibre.net>, 621833@bugs.debian.org
Cc: sean finney <seanius@seanius.net>, debian-devel@lists.debian.org
Subject: Re: System users: removing them
Date: Sun, 29 May 2011 12:09:40 -0500
(culled cc list of a few people I know read -devel)
Roger Leigh wrote:

> Given the need to consider unlocking as well as locking, I'm not sure
> it's worth adding special support to deluser: the typical logic used
> to create the user will be insufficient to unlock, so it's no less
> the effort to add an explict unlock/lock to the maintainer scripts,
> dropping use of deluser entirely.

The obvious question then would be whether it's worth adding special
support to deluser *and* adduser, no?

I don't have an answer in mind, though the lazy person in me would
like it to work.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 29 May 2011 19:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 29 May 2011 19:33:03 GMT) Full text and rfc822 format available.

Message #109 received at 621833@bugs.debian.org (full text, mbox):

From: Roger Leigh <rleigh@codelibre.net>
To: Jonathan Nieder <jrnieder@gmail.com>, 621833@bugs.debian.org
Cc: sean finney <seanius@seanius.net>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 29 May 2011 20:32:21 +0100
[Message part 1 (text/plain, inline)]
On Sun, May 29, 2011 at 12:09:40PM -0500, Jonathan Nieder wrote:
> (culled cc list of a few people I know read -devel)
> Roger Leigh wrote:
> 
> > Given the need to consider unlocking as well as locking, I'm not sure
> > it's worth adding special support to deluser: the typical logic used
> > to create the user will be insufficient to unlock, so it's no less
> > the effort to add an explict unlock/lock to the maintainer scripts,
> > dropping use of deluser entirely.
> 
> The obvious question then would be whether it's worth adding special
> support to deluser *and* adduser, no?

We could add special behaviour to adduser to unlock the account
if it already exists when run in the postinst.  However, most
postinsts wrap the call to adduser with a check for whether the
account already exists, so it would not be called without an
update to every preinst employing this strategy.  It would also
alter the existing behaviour of adduser, which is to return nonzero
if the user already exists, which could cause breakage.

I dislike the fact that the behaviour of adduser and deluser would,
in effect, /not/ add or delete users as intended, which is rather
counter-intuitive.  Providing that we have consensus on a recommended
strategy for locking and unlocking accounts which can go into policy,
I think all we need are examples for how maintainer scripts are
expected to handle account creation and locking/unlocking.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Mon, 30 May 2011 08:45:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Mon, 30 May 2011 08:45:08 GMT) Full text and rfc822 format available.

Message #114 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Roger Leigh <rleigh@codelibre.net>, 621833@bugs.debian.org
Cc: Ian Jackson <ijackson@chiark.greenend.org.uk>, Steve Langasek <vorlon@debian.org>, sean finney <seanius@seanius.net>, Lars Wirzenius <liw@liw.fi>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Mon, 30 May 2011 10:43:13 +0200
On Sun, May 29, 2011 at 12:04:35PM +0100, Roger Leigh wrote:
> 2) Reinstallation.
> 
>    I'm currently using this logic (in postinst)
> 
>      # Create dedicated sbuild user
>      if ! getent passwd sbuild > /dev/null; then
>          adduser --system --quiet --home /var/lib/sbuild --no-create-home \
>          --shell /bin/bash --ingroup sbuild --gecos "Debian source builder" sbuild
>      fi

Cheking for the account already being present in postinst should not
be necessary. Adduser is designed to do the right thing without
additional logic in maintainer scripts. If it doesn't, please file a
bug.

If people find it desireable to automatically unlock an existing
account on adduser --system <name>, this could easily be implemented
in adduser, doing the right thing to locked accounts. If that may be
necessary, please file a bug against adduser.

> I do agree that a --local option would be a valuable and useful
> addition to the adduser and deluser etc. tools, even if currently
> a no-op.  However, due to the above I don't think that adding
> special-case user locking to deluser is the correct course of action.

What should the --local option do? If you want adduser to grow this
option, please file a bug.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Mon, 30 May 2011 08:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Mon, 30 May 2011 08:51:26 GMT) Full text and rfc822 format available.

Message #119 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Roger Leigh <rleigh@codelibre.net>, 621833@bugs.debian.org
Cc: Jonathan Nieder <jrnieder@gmail.com>, sean finney <seanius@seanius.net>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Mon, 30 May 2011 10:47:08 +0200
On Sun, May 29, 2011 at 08:32:21PM +0100, Roger Leigh wrote:
> We could add special behaviour to adduser to unlock the account
> if it already exists when run in the postinst.

Yes.

>   However, most postinsts wrap the call to adduser with a check for
>   whether the account already exists,

Which would be a bug in the maintainer scripts.

> I dislike the fact that the behaviour of adduser and deluser would,
> in effect, /not/ add or delete users as intended, which is rather
> counter-intuitive.

adduser --system is designed (and, IIRC, documented) to have the
effect of "after the call to adduser --system, the account will exist
and is useable. The only case when adduser --system really errors out
is when the account already exists but is not a system account."

>   Providing that we have consensus on a recommended strategy for
>   locking and unlocking accounts which can go into policy, I think all
>   we need are examples for how maintainer scripts are expected to
>   handle account creation and locking/unlocking.

The would be rather easy. Account creation/unlocking would happen with
an unwrapped call to adduser --system, account locking with a call to
the appropriate back-end command, or we could add an lockuser command
to the adduser package. I think, the latter would be preferable since
we would then be able to add sugar to the locking process. A wishlist
bug against adduser is in order.

Greetings
Marc, with a rather worn and dusty adduser hat on

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Mon, 30 May 2011 15:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Mon, 30 May 2011 15:33:05 GMT) Full text and rfc822 format available.

Message #124 received at 621833@bugs.debian.org (full text, mbox):

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Nicholas Bamber <nicholas@periapt.co.uk>, 621833@bugs.debian.org
Subject: Re: Bug#621833: What about userdel?
Date: Mon, 30 May 2011 12:29:40 -0300
On Sun, 29 May 2011, Nicholas Bamber wrote:
> I am managing a package that does 'userdel' in a purge. It removes the
> home directory as that contains config files. I am a bit concerned about

I've seen that cause data loss.  You must make sure the homedir is
exactly as you set it when you created the system user.  If it isn't,
abort.

If you want to know how bad it can be, we've had once packages that had
/ set as the home dir of system users they created.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Fri, 10 Jun 2011 09:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lars Wirzenius <liw@liw.fi>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Fri, 10 Jun 2011 09:39:08 GMT) Full text and rfc822 format available.

Message #129 received at 621833@bugs.debian.org (full text, mbox):

From: Lars Wirzenius <liw@liw.fi>
To: 621833@bugs.debian.org
Subject: System user handling in packages: status of discussion
Date: Fri, 10 Jun 2011 10:12:20 +0100
I've just reviewed the discussion so far, here's my best attempt
at a summary of the current status:

* To create an user, a maintainer script should call
  "adduser --system foo". It is not necessary to wrap this in
  a check for whether the user exists.
* When the package is removed, the user should be locked:
  "lockuser foo".
* lockuser is a still-hypothetical tool, which needs to be added
  to the adduser package. It is a wrapper around "usermod -L -e 1 foo".
* Similarly, adduser needs to be changed to unlock:
  "usermod -U -e '' foo".
* Policy 9.2.2, the description of the 100-999 UID range for system
  users, should be changed to mention when and how users need to
  be locked. Perhaps by adding the following sentence to the end of
  the paragraph: "When the package is removed, it should lock the
  user it created using 'lockuser'."
* We need a lintian check to verify that packages create and lock
  users properly.
* Once the lintian check is done, bugs on all packages that fail it
  should be filed.

Have I understood the discussion correctly? Any corrections or
objections to the above?

Unclear to me are the following two points:

* Should packages also remove the contents of the system account's
  home directory? Should this be done upon package remove or purge?
  If this is to be done, should we also provide a tool for it, to
  make sure everyone does it the right way? "clearuserhome foo"
  would essentially be "find ~foo -mindepth 1 -exec rm '{}' +",
  except it needs to delete directories as well, and should
  possibly have protection against crossing mount points,
  and perhaps verifying ownership of files before removing, etc.

* Is there consensus that adduser should get a --local option,
  and if so, what should its semantics be, and should packages
  start using it now? Or can this wait until there's an actual
  need for --local, so that the precise semantics can be defined?
  There's a fairly few packages that create users, so we should
  be able to deal with them fairly easily later.

-- 
Freedom-based blog/wiki/web hosting: http://www.branchable.com/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Fri, 10 Jun 2011 10:03:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Fri, 10 Jun 2011 10:03:21 GMT) Full text and rfc822 format available.

Message #134 received at 621833@bugs.debian.org (full text, mbox):

From: Roger Leigh <rleigh@codelibre.net>
To: Lars Wirzenius <liw@liw.fi>, 621833@bugs.debian.org
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Fri, 10 Jun 2011 11:00:14 +0100
[Message part 1 (text/plain, inline)]
On Fri, Jun 10, 2011 at 10:12:20AM +0100, Lars Wirzenius wrote:
> I've just reviewed the discussion so far, here's my best attempt
> at a summary of the current status:
> 
> * To create an user, a maintainer script should call
>   "adduser --system foo". It is not necessary to wrap this in
>   a check for whether the user exists.
> * When the package is removed, the user should be locked:
>   "lockuser foo".
> * lockuser is a still-hypothetical tool, which needs to be added
>   to the adduser package. It is a wrapper around "usermod -L -e 1 foo".
> * Similarly, adduser needs to be changed to unlock:
>   "usermod -U -e '' foo".

Would "lockuser" need to be in the adduser package?  Given that
adduser is only priority:important, it's not guaranteed to be present
when postrm is run, so the operation could fail.  Maybe passwd is a
better place for it, given that it contains useradd etc., and is
priority:required.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Fri, 10 Jun 2011 17:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Fri, 10 Jun 2011 17:27:03 GMT) Full text and rfc822 format available.

Message #139 received at 621833@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Lars Wirzenius <liw@liw.fi>, 621833@bugs.debian.org
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Fri, 10 Jun 2011 19:25:53 +0200
On Fri, Jun 10, 2011 at 10:12:20AM +0100, Lars Wirzenius wrote:
> I've just reviewed the discussion so far, here's my best attempt
> at a summary of the current status:
> 
> * To create an user, a maintainer script should call
>   "adduser --system foo". It is not necessary to wrap this in
>   a check for whether the user exists.
> * When the package is removed, the user should be locked:
>   "lockuser foo".
> * lockuser is a still-hypothetical tool, which needs to be added
>   to the adduser package. It is a wrapper around "usermod -L -e 1 foo".
> * Similarly, adduser needs to be changed to unlock:
>   "usermod -U -e '' foo".
> * Policy 9.2.2, the description of the 100-999 UID range for system
>   users, should be changed to mention when and how users need to
>   be locked. Perhaps by adding the following sentence to the end of
>   the paragraph: "When the package is removed, it should lock the
>   user it created using 'lockuser'."
> * We need a lintian check to verify that packages create and lock
>   users properly.

Maybe also a piuparts check.

> * Once the lintian check is done, bugs on all packages that fail it
>   should be filed.

> Have I understood the discussion correctly? Any corrections or
> objections to the above?
> 
> Unclear to me are the following two points:
> 
> * Should packages also remove the contents of the system account's
>   home directory? Should this be done upon package remove or purge?
>   If this is to be done, should we also provide a tool for it, to
>   make sure everyone does it the right way? "clearuserhome foo"
>   would essentially be "find ~foo -mindepth 1 -exec rm '{}' +",
>   except it needs to delete directories as well, and should
>   possibly have protection against crossing mount points,
>   and perhaps verifying ownership of files before removing, etc.

I think this should be done is the content is exactly the same as when the
package was just installed. But this might be too hard to check.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sat, 11 Jun 2011 09:48:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sat, 11 Jun 2011 09:48:16 GMT) Full text and rfc822 format available.

Message #144 received at 621833@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Roger Leigh <rleigh@codelibre.net>, 621833@bugs.debian.org
Cc: Lars Wirzenius <liw@liw.fi>
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Fri, 10 Jun 2011 18:33:04 +0200
On Fri, Jun 10, 2011 at 11:00:14 +0100, Roger Leigh wrote:

> Would "lockuser" need to be in the adduser package?  Given that
> adduser is only priority:important, it's not guaranteed to be present
> when postrm is run, so the operation could fail.  Maybe passwd is a
> better place for it, given that it contains useradd etc., and is
> priority:required.
> 
Wouldn't lockuser be called on package removal, instead of purge?  In
which case a dependency on adduser would cover it?

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sat, 11 Jun 2011 11:30:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sat, 11 Jun 2011 11:30:21 GMT) Full text and rfc822 format available.

Message #149 received at 621833@bugs.debian.org (full text, mbox):

From: Roger Leigh <rleigh@codelibre.net>
To: Julien Cristau <jcristau@debian.org>
Cc: 621833@bugs.debian.org, Lars Wirzenius <liw@liw.fi>
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Sat, 11 Jun 2011 12:27:07 +0100
[Message part 1 (text/plain, inline)]
On Fri, Jun 10, 2011 at 06:33:04PM +0200, Julien Cristau wrote:
> On Fri, Jun 10, 2011 at 11:00:14 +0100, Roger Leigh wrote:
> 
> > Would "lockuser" need to be in the adduser package?  Given that
> > adduser is only priority:important, it's not guaranteed to be present
> > when postrm is run, so the operation could fail.  Maybe passwd is a
> > better place for it, given that it contains useradd etc., and is
> > priority:required.
> > 
> Wouldn't lockuser be called on package removal, instead of purge?  In
> which case a dependency on adduser would cover it?

I guess since you're not removing the user after any files they owned
are purged (which necessitates doing it in at purge) then doing it in
at remove time is just fine.  If the depends on adduser is still
valid at remove time (I'm certain it is), then I agree it lockuser
could be in the adduser package.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 04 Mar 2012 19:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Beckmann <debian@abeckmann.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 04 Mar 2012 19:03:06 GMT) Full text and rfc822 format available.

Message #154 received at 621833@bugs.debian.org (full text, mbox):

From: Andreas Beckmann <debian@abeckmann.de>
To: Roger Leigh <rleigh@codelibre.net>
Cc: Julien Cristau <jcristau@debian.org>, 621833@bugs.debian.org, Lars Wirzenius <liw@liw.fi>
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Sun, 4 Mar 2012 20:00:28 +0100
Hi all,

the discussion on handling of system users on package removal became silent 
again, let me try to summarize ...:

* To avoid reusing uids, system users created by packages should not be 
removed by the package. There may be still files owned by that user (think 
also about removable media, backups, ...) that a different user (with 
recycled uid) should not get access to. Of course the sysadmin may manually 
remove such obsolete users and groups.
* A 'lockuser' tool should be added to the adduser package to properly disable 
an unused system account, to be called from postrm remove. adduser needs to 
properly unlock a previously locked account.


... and revive the discussion with some new points:

Concerning removing the home directory ... I think there are three groups of 
files:
1) the home directory itself
2) files created by running the daemon
   (or whatever the package was supposed to do)
3) files created by the sysadmin by doing something like 
     su - $pkgsysuser
   in order to debug things, ...

I don't think maintainer scripts should care for group 3 files as they don't 
result from proper operation of the package (and will cause group 1 to be 
left over). These files could be covered by 
  rm -rf $(getent passwd $pkgsysuser | cut -d: -f6)/
which could be harmful if the sysadmin modified $pkgsysuser.
  rm -rf /var/lib/$pkgsysuser/
could be problematic as well.
Group 2 (probably state files) should be taken care of by postrm purge.
For the homedirectory itself (usually /var/lib/$whatever) I would suggest to 
ship this as an empty directory in the package, and let the postinst script 
set proper ownership and permissions after creating the user.
That way dpkg should take care and remove it if it's empty. I don't think 
leaving a (locked) system user with a nonexisting home is a problem.


There may be problems if the user/homedir already exists. These need to be 
addressed by adduser or the maintainer script. Following is a list I could 
think of, but I didn't check the behavior of adduser in these cases:

The user exists
* but is not a system user
* but remotely (nis, ldap, ...) and modification may not be possible
* but the group is different
* but the gecos is different
* but the homedir is different
* but the shell is different

The homedirectory exists
* but is a file
* but is owned by someone else
* but has weird permissions (including 777, 000)
* but is a symbolic link (+ combine with above cases)

The homedirectory cannot be created.

Potentially different handling of these discrepancies is needed during new 
installations and upgrades.


I still think that using dpkg-maintscript-helper may be helpful for adding 
system users. A system_user sub-command that would take arguments like 
adduser (and might add some defaults if not specified, e.g. gecos). Some 
possible extensions could be --home-owner, --home-group, --home-permissions.
A proper dependency on adduser should be added to the misc:Depends substvar 
(at least if debhelper is used, e.g. via debian/package.maintscript)
In postinst configure this would produce in an adduser call (with some 
chown/chmod following).
In postrm remove this would produce a lockuser call (or could even implement a 
lockuser equivalent) and in postrm purge (and remove?) it should try a rmdir 
on the homedir of the system user (unless --no-create-home is given). If this 
fails (and the directory still exists), a diagnostic should be emitted (only 
in purge because any state files etc. in the homedir are expected to be 
removed by the postrm purge first).


Concerning piuparts, we should probably have an install-purge-install test for 
packages that create system users and also an install-purge-mangle-install 
test that mangles the passwd entries of added system users before the package 
gets installed a second time.

Andreas




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sat, 30 Jun 2012 13:15:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sat, 30 Jun 2012 13:15:20 GMT) Full text and rfc822 format available.

Message #159 received at 621833@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: debian-devel@lists.debian.org
Cc: Stephan Springl <debian-sysvrc@springl.homeip.net>, 679642@bugs.debian.org, 621833@bugs.debian.org, Roger Leigh <rleigh@codelibre.net>
Subject: locking system users on package removal
Date: Sat, 30 Jun 2012 14:12:45 +0100
On 30/06/12 13:24, Stephan Springl wrote (on Bug #679642):
> quake-server does neither install nor purge properly on systems
> without shadow password because usermod gives an error for its
> e option in this case.

I took this use of usermod from the discussion on debian-devel regarding
Policy bug #621833 (where it was originally suggested by Roger Leigh),
so this potentially affects quite a few packages.

Stephan's proposed patch (below) makes me think we really need a script
(or dpkg-maintscript-helper subcommand) that locks and unlocks system
users, in which we can make changes like this once and have them affect
every relevant package, rather than individually patching every
maintainer script.

Roger: does the change below look appropriate?

Regards,
    S

[in the preinst]
> -    usermod -U -e '' quake-server
> +    if [ -f /etc/shadow ]; then
> +      usermod -U -e '' quake-server
> +    else
> +      usermod -U quake-server
> +    fi
[in the postrm]
>      # Lock account on purge
> -    usermod -L -e 1 quake-server
> +    if [ -f /etc/shadow ]; then
> +        usermod -L -e 1 quake-server
> +    else
> +        usermod -L quake-server
> +    fi




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sat, 30 Jun 2012 13:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sat, 30 Jun 2012 13:39:06 GMT) Full text and rfc822 format available.

Message #164 received at 621833@bugs.debian.org (full text, mbox):

From: Roger Leigh <rleigh@codelibre.net>
To: Simon McVittie <smcv@debian.org>
Cc: debian-devel@lists.debian.org, Stephan Springl <debian-sysvrc@springl.homeip.net>, 679642@bugs.debian.org, 621833@bugs.debian.org
Subject: Re: locking system users on package removal
Date: Sat, 30 Jun 2012 14:36:47 +0100
On Sat, Jun 30, 2012 at 02:12:45PM +0100, Simon McVittie wrote:
> On 30/06/12 13:24, Stephan Springl wrote (on Bug #679642):
> > quake-server does neither install nor purge properly on systems
> > without shadow password because usermod gives an error for its
> > e option in this case.
> 
> I took this use of usermod from the discussion on debian-devel regarding
> Policy bug #621833 (where it was originally suggested by Roger Leigh),
> so this potentially affects quite a few packages.
> 
> Stephan's proposed patch (below) makes me think we really need a script
> (or dpkg-maintscript-helper subcommand) that locks and unlocks system
> users, in which we can make changes like this once and have them affect
> every relevant package, rather than individually patching every
> maintainer script.
> 
> Roger: does the change below look appropriate?
> 
> [in the preinst]
> > -    usermod -U -e '' quake-server
> > +    if [ -f /etc/shadow ]; then
> > +      usermod -U -e '' quake-server
> > +    else
> > +      usermod -U quake-server
> > +    fi
> [in the postrm]
> >      # Lock account on purge
> > -    usermod -L -e 1 quake-server
> > +    if [ -f /etc/shadow ]; then
> > +        usermod -L -e 1 quake-server
> > +    else
> > +        usermod -L quake-server
> > +    fi

It looks sane to me.  Having a dh_ command or some other dpkg
maintscript helper shell function to do this automatically would
IMO be a very nice improvement.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sat, 30 Jun 2012 15:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-devel@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sat, 30 Jun 2012 15:33:03 GMT) Full text and rfc822 format available.

Message #169 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-devel@zugschlus.de>
To: Roger Leigh <rleigh@codelibre.net>
Cc: debian-devel@lists.debian.org, 679642@bugs.debian.org, 621833@bugs.debian.org
Subject: Re: locking system users on package removal
Date: Sat, 30 Jun 2012 17:29:11 +0200
On Sat, 30 Jun 2012 14:36:47 +0100, Roger Leigh <rleigh@codelibre.net>
wrote:
>On Sat, Jun 30, 2012 at 02:12:45PM +0100, Simon McVittie wrote:
>> [in the preinst]
>> > -    usermod -U -e '' quake-server
>> > +    if [ -f /etc/shadow ]; then
>> > +      usermod -U -e '' quake-server
>> > +    else
>> > +      usermod -U quake-server
>> > +    fi
>> [in the postrm]
>> >      # Lock account on purge
>> > -    usermod -L -e 1 quake-server
>> > +    if [ -f /etc/shadow ]; then
>> > +        usermod -L -e 1 quake-server
>> > +    else
>> > +        usermod -L quake-server
>> > +    fi
>
>It looks sane to me.  Having a dh_ command or some other dpkg
>maintscript helper shell function to do this automatically would
>IMO be a very nice improvement.

Given the amount of code lines that were spent in adduser to allow its
transparent usage in maintainer scripts, I would prefer having that
code in adduser. with adduser --lock locking an account and adduser
--system unlocking a locked user that is present but locked.

Having debhelper code for that is wrong since it means rebuilding
packages to fix bugs in that code.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 09:54:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 09:54:18 GMT) Full text and rfc822 format available.

Message #174 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Roger Leigh <rleigh@codelibre.net>, 621833@bugs.debian.org, 621833-submitter@bugs.debian.org
Cc: Ian Jackson <ijackson@chiark.greenend.org.uk>, Steve Langasek <vorlon@debian.org>, sean finney <seanius@seanius.net>, Lars Wirzenius <liw@liw.fi>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 1 Jul 2012 11:53:11 +0200
On Sun, May 29, 2011 at 12:04:35PM +0100, Roger Leigh wrote:
>    I'm currently using this logic (in postinst)
> 
>      # Create dedicated sbuild user
>      if ! getent passwd sbuild > /dev/null; then
>          adduser --system --quiet --home /var/lib/sbuild --no-create-home \
>          --shell /bin/bash --ingroup sbuild --gecos "Debian source builder" sbuild
>      fi
> 
>   However, consider that if the account is locked, the user already
>   exists and no unlocking will occur, leaving the reinstalled
>   package broken.  This logic is common to many packages.

That's a bug in a lot of packages, yes. adduser has been designed to
allow adduser --system to be called without that logic:

       If  called  with one non-option argument and the --system option, adduser
       will add a system user. If a user with the same name  already  exists  in
       the  system  uid  range (or, if the uid is specified, if a user with that
       uid already exists), adduser will exit with a warning. This  warning  can
       be suppressed by adding "--quiet".

So, just remove the extra getent passwd check and you should be fine.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062




Message sent on to Lars Wirzenius <liw@liw.fi>:
Bug#621833. (Sun, 01 Jul 2012 09:54:23 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 09:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 09:57:09 GMT) Full text and rfc822 format available.

Message #182 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Roger Leigh <rleigh@codelibre.net>, 621833@bugs.debian.org, 621833-submitter@bugs.debian.org
Cc: Jonathan Nieder <jrnieder@gmail.com>, sean finney <seanius@seanius.net>, debian-devel@lists.debian.org
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 1 Jul 2012 11:55:39 +0200
On Sun, May 29, 2011 at 08:32:21PM +0100, Roger Leigh wrote:
> We could add special behaviour to adduser to unlock the account
> if it already exists when run in the postinst.

Yes, that would be the way to go for adduser --system

>   However, most postinsts wrap the call to adduser with a check for
>   whether the account already exists, so it would not be called
>   without an update to every preinst employing this strategy.

Yes, packages having used that approached are buggy in the first place.

>   It would also alter the existing behaviour of adduser, which is to
>   return nonzero if the user already exists, which could cause
>   breakage.

NACK, adduser --system does return zero if the user already exists and
its parameters are sufficiently similiar to the parameters requested
by the maintainer script.

> I dislike the fact that the behaviour of adduser and deluser would,
> in effect, /not/ add or delete users as intended, which is rather
> counter-intuitive.  Providing that we have consensus on a recommended
> strategy for locking and unlocking accounts which can go into policy,
> I think all we need are examples for how maintainer scripts are
> expected to handle account creation and locking/unlocking.

NACK, don't put the same logic into a hundred maintainer scripts where
they'll have two hundred different bugs. Put the logic into a central
place where bugs can be handled centrally.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062




Message sent on to Lars Wirzenius <liw@liw.fi>:
Bug#621833. (Sun, 01 Jul 2012 09:57:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 10:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 10:00:07 GMT) Full text and rfc822 format available.

Message #190 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Nicholas Bamber <nicholas@periapt.co.uk>, 621833@bugs.debian.org
Subject: Re: Bug#621833: What about userdel?
Date: Sun, 1 Jul 2012 11:56:55 +0200
On Sun, May 29, 2011 at 11:52:40AM +0100, Nicholas Bamber wrote:
> I am managing a package that does 'userdel' in a purge.

Don't do that, use deluser, if you insist. And even that is dangerous.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 10:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 10:03:08 GMT) Full text and rfc822 format available.

Message #195 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Lars Wirzenius <liw@liw.fi>, 621833@bugs.debian.org, 621833-submitter@bugs.debian.org
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Sun, 1 Jul 2012 12:00:25 +0200
On Fri, Jun 10, 2011 at 10:12:20AM +0100, Lars Wirzenius wrote:
> * To create an user, a maintainer script should call
>   "adduser --system foo". It is not necessary to wrap this in
>   a check for whether the user exists.

It would be a bug to do so. Add --quiet to the adduser call if you
don't want to show the resulting warning to your users, but I'd
recommend to leave the warning active.

> * When the package is removed, the user should be locked:
>   "lockuser foo".
> * lockuser is a still-hypothetical tool, which needs to be added
>   to the adduser package. It is a wrapper around "usermod -L -e 1 foo".
> * Similarly, adduser needs to be changed to unlock:
>   "usermod -U -e '' foo".

Why not extending deluser to not delete the user if it is a system
account?

> Unclear to me are the following two points:
> 
> * Should packages also remove the contents of the system account's
>   home directory?

No, the local admin might have put important additional data in there.
It may be an idea to remove all files that the _package_ has put
there, but that would be a _significant_ burden IMO.

>  Should this be done upon package remove or purge?

Purge, of course. When you remove and reinstall, you should be exactly
where you were before.

> * Is there consensus that adduser should get a --local option,
>   and if so, what should its semantics be, and should packages
>   start using it now? Or can this wait until there's an actual
>   need for --local, so that the precise semantics can be defined?
>   There's a fairly few packages that create users, so we should
>   be able to deal with them fairly easily later.

Actually --system was meant for that.

Greetings
Marc, who has for quite some time taken care of adduser but has lost
touch to the package recently

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 10:03:19 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 10:03:23 GMT) Full text and rfc822 format available.

Message #200 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Roger Leigh <rleigh@codelibre.net>, 621833@bugs.debian.org, 621833-submitter@bugs.debian.org
Cc: Lars Wirzenius <liw@liw.fi>
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Sun, 1 Jul 2012 12:01:30 +0200
On Fri, Jun 10, 2011 at 11:00:14AM +0100, Roger Leigh wrote:
> Would "lockuser" need to be in the adduser package?  Given that
> adduser is only priority:important, it's not guaranteed to be present
> when postrm is run, so the operation could fail.  Maybe passwd is a
> better place for it, given that it contains useradd etc., and is
> priority:required.

adduser should be elevated to priority:required then. adduser contains
all Debian logic for account handling, while passwd doesn't. adduser
is the logical place for Debianisms.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062




Message sent on to Lars Wirzenius <liw@liw.fi>:
Bug#621833. (Sun, 01 Jul 2012 10:04:04 GMT) Full text and rfc822 format available.

Message sent on to Lars Wirzenius <liw@liw.fi>:
Bug#621833. (Sun, 01 Jul 2012 10:04:15 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 10:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 10:21:05 GMT) Full text and rfc822 format available.

Message #211 received at 621833@bugs.debian.org (full text, mbox):

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 621833@bugs.debian.org
Subject: Re: Bug#621833: What about userdel?
Date: Sun, 01 Jul 2012 11:15:18 +0100
Marc,
	I inherited it. I had the feeling things were going to be clarified so
I was waiting on that clarification.  Also if I recall I was trying to
raise the issue that half the issue was missed.

On 01/07/12 10:56, Marc Haber wrote:
> On Sun, May 29, 2011 at 11:52:40AM +0100, Nicholas Bamber wrote:
>> I am managing a package that does 'userdel' in a purge.
> 
> Don't do that, use deluser, if you insist. And even that is dangerous.
> 
> Greetings
> Marc
> 





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 10:27:19 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 10:27:27 GMT) Full text and rfc822 format available.

Message #216 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Nicholas Bamber <nicholas@periapt.co.uk>
Cc: 621833@bugs.debian.org
Subject: Re: Bug#621833: What about userdel?
Date: Sun, 1 Jul 2012 12:25:52 +0200
On Sun, Jul 01, 2012 at 11:15:18AM +0100, Nicholas Bamber wrote:
> I had the feeling things were going to be clarified so
> I was waiting on that clarification.

That is of course acceptable. Don't break things until Policy forces
you to do so ,-)

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 10:33:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 10:33:20 GMT) Full text and rfc822 format available.

Message #221 received at 621833@bugs.debian.org (full text, mbox):

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 621833@bugs.debian.org
Subject: Re: Bug#621833: What about userdel?
Date: Sun, 01 Jul 2012 11:28:18 +0100
On 01/07/12 11:25, Marc Haber wrote:
> On Sun, Jul 01, 2012 at 11:15:18AM +0100, Nicholas Bamber wrote:
>> I had the feeling things were going to be clarified so
>> I was waiting on that clarification.
> 
> That is of course acceptable. Don't break things until Policy forces
> you to do so ,-)
> 
> Greetings
> Marc
> 

Yeah and next time I'll make sure I really understand policy before
implementing it. ;-)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 10:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicholas Bamber <nicholas@periapt.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 10:36:05 GMT) Full text and rfc822 format available.

Message #226 received at 621833@bugs.debian.org (full text, mbox):

From: Nicholas Bamber <nicholas@periapt.co.uk>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 621833@bugs.debian.org
Subject: Re: Bug#621833: What about userdel?
Date: Sun, 01 Jul 2012 11:31:57 +0100
On 01/07/12 11:25, Marc Haber wrote:
> On Sun, Jul 01, 2012 at 11:15:18AM +0100, Nicholas Bamber wrote:
>> I had the feeling things were going to be clarified so
>> I was waiting on that clarification.
> 
> That is of course acceptable. Don't break things until Policy forces
> you to do so ,-)
> 
> Greetings
> Marc
> 

Actually  surely a good first step, perhaps even before fixing policy,
would be to get some sort of experimental check in lintian for any sort
of attempt to delete a system user in a maintenance script. Then we
could get a handle on how big the problem is.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 19:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 19:39:06 GMT) Full text and rfc822 format available.

Message #231 received at 621833@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Marc Haber <mh+debian-packages@zugschlus.de>, 621833@bugs.debian.org
Cc: Roger Leigh <rleigh@codelibre.net>, Jonathan Nieder <jrnieder@gmail.com>, sean finney <seanius@seanius.net>
Subject: Re: Bug#621833: System users: removing them
Date: Sun, 1 Jul 2012 12:35:26 -0700
[Message part 1 (text/plain, inline)]
On Sun, Jul 01, 2012 at 11:55:39AM +0200, Marc Haber wrote:
> >   It would also alter the existing behaviour of adduser, which is to
> >   return nonzero if the user already exists, which could cause
> >   breakage.

> NACK, adduser --system does return zero if the user already exists and
> its parameters are sufficiently similiar to the parameters requested
> by the maintainer script.

How is "sufficiently similar" defined, and where is it documented?  It's not
in policy, and I don't see anything in the adduser manpage that explains
this.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 19:45:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 19:45:07 GMT) Full text and rfc822 format available.

Message #236 received at 621833@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Marc Haber <mh+debian-packages@zugschlus.de>, 621833@bugs.debian.org
Cc: Lars Wirzenius <liw@liw.fi>, 621833-submitter@bugs.debian.org
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Sun, 1 Jul 2012 12:42:23 -0700
[Message part 1 (text/plain, inline)]
On Sun, Jul 01, 2012 at 12:00:25PM +0200, Marc Haber wrote:
> On Fri, Jun 10, 2011 at 10:12:20AM +0100, Lars Wirzenius wrote:
> > * When the package is removed, the user should be locked:
> >   "lockuser foo".
> > * lockuser is a still-hypothetical tool, which needs to be added
> >   to the adduser package. It is a wrapper around "usermod -L -e 1 foo".
> > * Similarly, adduser needs to be changed to unlock:
> >   "usermod -U -e '' foo".

> Why not extending deluser to not delete the user if it is a system
> account?

Because that's contrary to the obvious meaning of 'deluser' and will be
confusing to maintainers, if it doesn't actually result in the user being
deleted.  It's much better to have an interface that does what it says.

> > Unclear to me are the following two points:

> > * Should packages also remove the contents of the system account's
> >   home directory?

> No, the local admin might have put important additional data in there.
> It may be an idea to remove all files that the _package_ has put
> there, but that would be a _significant_ burden IMO.

This should be configurable by the package maintainer using a --remove-home
flag.  In the general case, admins should not use per-package directories
under /var/lib as a dumping ground for arbitrary files and then expect these
files to be retained when the package is purged.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]

Message sent on to Lars Wirzenius <liw@liw.fi>:
Bug#621833. (Sun, 01 Jul 2012 19:45:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Sun, 01 Jul 2012 19:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Sun, 01 Jul 2012 19:51:03 GMT) Full text and rfc822 format available.

Message #244 received at 621833@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Marc Haber <mh+debian-packages@zugschlus.de>, 621833@bugs.debian.org
Cc: Roger Leigh <rleigh@codelibre.net>, 621833-submitter@bugs.debian.org, Lars Wirzenius <liw@liw.fi>
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Sun, 1 Jul 2012 12:48:14 -0700
[Message part 1 (text/plain, inline)]
On Sun, Jul 01, 2012 at 12:01:30PM +0200, Marc Haber wrote:
> On Fri, Jun 10, 2011 at 11:00:14AM +0100, Roger Leigh wrote:
> > Would "lockuser" need to be in the adduser package?  Given that
> > adduser is only priority:important, it's not guaranteed to be present
> > when postrm is run, so the operation could fail.  Maybe passwd is a
> > better place for it, given that it contains useradd etc., and is
> > priority:required.

> adduser should be elevated to priority:required then. adduser contains
> all Debian logic for account handling, while passwd doesn't. adduser
> is the logical place for Debianisms.

No, this is not a correct use of Priority: required.  The functionality
*should* be in the adduser package, not in the passwd package; but that's
not a sound reason to raise the priority of adduser, and raising the
priority doesn't guarantee usability in the postrm anyway.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]

Message sent on to Lars Wirzenius <liw@liw.fi>:
Bug#621833. (Sun, 01 Jul 2012 19:51:14 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Mon, 02 Jul 2012 07:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Mon, 02 Jul 2012 07:51:03 GMT) Full text and rfc822 format available.

Message #252 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Steve Langasek <vorlon@debian.org>, 621833@bugs.debian.org
Cc: Roger Leigh <rleigh@codelibre.net>, Jonathan Nieder <jrnieder@gmail.com>, sean finney <seanius@seanius.net>
Subject: Re: Bug#621833: System users: removing them
Date: Mon, 2 Jul 2012 09:48:06 +0200
On Sun, Jul 01, 2012 at 12:35:26PM -0700, Steve Langasek wrote:
> On Sun, Jul 01, 2012 at 11:55:39AM +0200, Marc Haber wrote:
> > >   It would also alter the existing behaviour of adduser, which is to
> > >   return nonzero if the user already exists, which could cause
> > >   breakage.
> 
> > NACK, adduser --system does return zero if the user already exists and
> > its parameters are sufficiently similiar to the parameters requested
> > by the maintainer script.
> 
> How is "sufficiently similar" defined, and where is it documented?  It's not
> in policy, and I don't see anything in the adduser manpage that explains
> this.

Add a system user
       If called with one non-option  argument  and  the  --system  option,
       adduser will add a system user. If a user with the same name already
       exists in the system uid range (or, if the uid is  specified,  if  a
       user  with  that uid already exists), adduser will exit with a warn‐
       ing. This warning can be suppressed by adding "--quiet".

If that's not enough, a bug report against adduser is in order.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Mon, 02 Jul 2012 07:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Mon, 02 Jul 2012 07:54:03 GMT) Full text and rfc822 format available.

Message #257 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Steve Langasek <vorlon@debian.org>, 621833@bugs.debian.org
Cc: Lars Wirzenius <liw@liw.fi>, 621833-submitter@bugs.debian.org
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Mon, 2 Jul 2012 09:50:35 +0200
On Sun, Jul 01, 2012 at 12:42:23PM -0700, Steve Langasek wrote:
> On Sun, Jul 01, 2012 at 12:00:25PM +0200, Marc Haber wrote:
> > On Fri, Jun 10, 2011 at 10:12:20AM +0100, Lars Wirzenius wrote:
> > > * When the package is removed, the user should be locked:
> > >   "lockuser foo".
> > > * lockuser is a still-hypothetical tool, which needs to be added
> > >   to the adduser package. It is a wrapper around "usermod -L -e 1 foo".
> > > * Similarly, adduser needs to be changed to unlock:
> > >   "usermod -U -e '' foo".
> 
> > Why not extending deluser to not delete the user if it is a system
> > account?
> 
> Because that's contrary to the obvious meaning of 'deluser' and will be
> confusing to maintainers, if it doesn't actually result in the user being
> deleted.  It's much better to have an interface that does what it says.

That would mean changing probably thousands of packages.

> > No, the local admin might have put important additional data in there.
> > It may be an idea to remove all files that the _package_ has put
> > there, but that would be a _significant_ burden IMO.
> 
> This should be configurable by the package maintainer using a
> --remove-home flag.  In the general case, admins should not use
> per-package directories under /var/lib as a dumping ground for
> arbitrary files and then expect these files to be retained when the
> package is purged.

If that behavior is documented (in Policy?), I am fine with zapping
user data.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062




Message sent on to Lars Wirzenius <liw@liw.fi>:
Bug#621833. (Mon, 02 Jul 2012 07:54:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Mon, 02 Jul 2012 08:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lars Wirzenius <liw@liw.fi>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Mon, 02 Jul 2012 08:15:04 GMT) Full text and rfc822 format available.

Message #265 received at 621833@bugs.debian.org (full text, mbox):

From: Lars Wirzenius <liw@liw.fi>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: Steve Langasek <vorlon@debian.org>, 621833@bugs.debian.org, 621833-submitter@bugs.debian.org
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Mon, 2 Jul 2012 09:12:00 +0100
[Message part 1 (text/plain, inline)]
On Mon, Jul 02, 2012 at 09:50:35AM +0200, Marc Haber wrote:
> On Sun, Jul 01, 2012 at 12:42:23PM -0700, Steve Langasek wrote:
> > Because that's contrary to the obvious meaning of 'deluser' and will be
> > confusing to maintainers, if it doesn't actually result in the user being
> > deleted.  It's much better to have an interface that does what it says.
> 
> That would mean changing probably thousands of packages.

Back in 2011-04-04 (see first mail in the bug report you're cc'ing to)
I did some greps, and found 103 packages that mention deluser in their
maintainer scripts. How did you come to the conclusion of "thousands
of packages"? If you're just guessing wildly, please stop: Debian
development is hard enough, let's try to stick to facts and when they're
not available, investigate rather than assume.

-- 
I wrote a book on personal productivity: http://gtdfh.branchable.com/
[signature.asc (application/pgp-signature, inline)]

Message sent on to Lars Wirzenius <liw@liw.fi>:
Bug#621833. (Mon, 02 Jul 2012 08:15:14 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#621833; Package debian-policy. (Mon, 02 Jul 2012 10:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. (Mon, 02 Jul 2012 10:51:09 GMT) Full text and rfc822 format available.

Message #273 received at 621833@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Lars Wirzenius <liw@liw.fi>
Cc: Steve Langasek <vorlon@debian.org>, 621833@bugs.debian.org, 621833-submitter@bugs.debian.org
Subject: Re: Bug#621833: System user handling in packages: status of discussion
Date: Mon, 2 Jul 2012 12:48:00 +0200
On Mon, Jul 02, 2012 at 09:12:00AM +0100, Lars Wirzenius wrote:
> Back in 2011-04-04 (see first mail in the bug report you're cc'ing to)
> I did some greps, and found 103 packages that mention deluser in their
> maintainer scripts. How did you come to the conclusion of "thousands
> of packages"? If you're just guessing wildly, please stop: Debian
> development is hard enough, let's try to stick to facts and when they're
> not available, investigate rather than assume.

I was extrapolating from my own packages to Debian proper, which was
probably skewed. I apologize.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062




Message sent on to Lars Wirzenius <liw@liw.fi>:
Bug#621833. (Mon, 02 Jul 2012 10:53:00 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:13:03 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.