
Re: Bits from the release team: the plans for etch



On Wed, Oct 26, 2005 at 05:24:28PM +0200, Frank Küster wrote:
> Javier Fernández-Sanguino Peña <jfs@computer.org> wrote:
> 
> > On Wed, Oct 26, 2005 at 01:53:19PM +0200, Gabor Gombas wrote:
> >> On Wed, Oct 26, 2005 at 11:11:00AM +0200, Javier Fernández-Sanguino Peña wrote:
> >> 
> >> > That really depends on the daemon itself don't you think? There's a number of
> >> > daemons that don't create any file at all or, if they do, are created
> >> > only on a given directory which is removed on purge. In these cases, removing
> >> > the user on postrm's purge might make sense. As I said, that would be an
> >> > option. 
> >> 
> >> It is still possible that those daemons _read_ some files (e.g. config
> >> files), and the admin did a chown/chgrp to the daemon's user. Removing
> >> the user and reusing the UID/GID will suddenly make those files
> >> accessible for a random new package which may not be intended at all.
> >
> > Wrong. That is only true in the chown() case. Which is not a sensible thing
> > to do. Daemons should be able to read their configuration files but they
> > usually *don't* need to *write* them, so they should *not* own them. 
> 
> What about log files with sensitive content?

Non-issue, as I said at the end of my post, those should be removed on purge.
This is mandated by policy:
http://www.debian.org/doc/debian-policy/ch-files.html#s10.8
Thus, they are removed at the same time that the user is removed and would never be orphaned.

Case closed :-)

Javier
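
Added example, not part of the original thread or of any Debian package: a POSIX shell check that a maintainer script could run before deleting a daemon account, listing files still owned by that user or group outside the directories removed on purge. The function names, the `food` account and the paths are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names): decide whether a daemon account
# can be deleted on purge without leaving files behind for a reused UID/GID.

# leftover_files OWNER GROUP ROOT [PURGED_DIR ...]
# Print every path under ROOT owned by OWNER or by group GROUP, skipping the
# directories the package deletes on purge. PURGED_DIR must be spelled the
# way find prints it, i.e. starting with ROOT.
leftover_files() {
    owner=$1 group=$2 root=$3
    shift 3
    # Turn each purged directory into "-path DIR -prune -o", kept in "$@"
    # so that paths containing spaces stay intact.
    count=$#
    while [ "$count" -gt 0 ]; do
        dir=$1
        shift
        set -- "$@" -path "$dir" -prune -o
        count=$((count - 1))
    done
    # -xdev keeps the scan on ROOT's filesystem (and out of /proc, NFS, ...);
    # run the check once per local mount point.
    find "$root" -xdev "$@" \( -user "$owner" -o -group "$group" \) -print
}

# safe_to_remove_user OWNER GROUP ROOT [PURGED_DIR ...]
# Returns 0 when nothing is left, 1 when files remain (listed on stderr),
# 2 when the scan itself failed.
safe_to_remove_user() {
    left=$(leftover_files "$@") || return 2
    if [ -n "$left" ]; then
        printf 'keeping %s:%s, still owns:\n%s\n' "$1" "$2" "$left" >&2
        return 1
    fi
    return 0
}

# Usage in a postrm "purge" branch (account and paths are assumptions):
#   safe_to_remove_user food food / /var/log/food /var/run/food \
#       && deluser --system food
```

A file that the admin chown'ed or chgrp'ed to the daemon's user outside the purged directories makes the check return 1, so the account and its UID/GID stay reserved.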
