FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Development

 
 
LinkBack Thread Tools
 
Old 04-12-2011, 07:31 PM
sean finney
 
Default Bug#621833: System users: removing them

Hi Lars,

On Tue, Apr 12, 2011 at 06:41:10PM +0100, Lars Wirzenius wrote:
> > But shouldn't we say they _must_ lock package-specific system users
> > and groups when the package is removed ?
>
> I think that's a good idea. Steve Langasek in the bug (#621833) and
> others agree, so I think there's a strong consensus on that.

I don't think I'd agree there, at least without also addressing:

* It also needs to limit the scope to locally defined users (i.e. not
fail when it is unable to lock an NIS/LDAP/etc account).
* There needs to be a way to explicitly do that with adduser or a similar
tool[1][2][3][4].

Also, we haven't discussed what should be done in the case of a user
account possibly shared between different packages, where any one of
them may create it and 1..N of them might be installed. For example,
nagios/nrpe comes to mind, or maybe parallel installed postgres versions
and related tools. Alternatively, if we strictly interpret what
Ian suggested to not include such packages, we should state that and/or
give alternate instructions for this case.


I second your original proposal though, that packages must not delete
system users that they have created. I don't think anyone had objections
to that, and the question is whether things should be taken further.


sean

[1] Assuming it must be done with one tool, it should also state "lock
users with $thiscommand $theseoptions", and depend on "$thisversion"
of the tool in question if the tool needs to be updated.
[2] And if "$theseoptions" are not specifically for the "local only case",
we need a way to tell the difference between a "locking failed" error and
a "user is remote" error.
[3] Or maybe instead of using a tool we have something like declarative
users, where we state policy and farm it off to dpkg to implement?
[4] Whoa, footnotespam ftw, sorry.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110412193147.GA15850@cobija.connexer.com">http://lists.debian.org/20110412193147.GA15850@cobija.connexer.com
 
Old 04-12-2011, 08:03 PM
Bill Allombert
 
Default Bug#621833: System users: removing them

On Tue, Apr 12, 2011 at 06:41:10PM +0100, Lars Wirzenius wrote:
> (Cc to the relevant bug added.)
>
> On ma, 2011-04-11 at 14:05 +0100, Ian Jackson wrote:
> > Lars Wirzenius writes ("Re: System users: removing them"):
> > > Thus, I propose to change 9.2.2 "UID and GID classes", the paragraph on
> > > uids in the range 100-999, to add the following sentence to the end of
> > > the paragraph:
> > >
> > > Packages must not remove system users and groups they have
> > > created.
> >
> > But shouldn't we say they _must_ lock package-specific system users
> > and groups when the package is removed ?
>
> I think that's a good idea. Steve Langasek in the bug (#621833) and
> others agree, so I think there's a strong consensus on that.

Also, we need to provide a way for sysadmin to know they can safely remove a stale
system user.

Cheers,
--
Bill. <ballombe@debian.org>

Imagine a large red swirl here.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110412200330.GA3817@yellowpig">http://lists.debian.org/20110412200330.GA3817@yellowpig
 

Thread Tools




All times are GMT. The time now is 01:40 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org