
System users: removing them



We have some packages that require a dedicated user to be created, and
calling "adduser --system" in postinst does that. However, it is not
always clear whether such users should be removed when the package is
removed.

      * The user might be administered centrally, via LDAP. (So postinst
        never actually created it, and thus postrm shouldn't remove it.)
      * There might be files owned by the user that the package does not
        know about.
      * There might be other site policies about this.

The easy solution for this would be to never remove the user, but that's
also not so clear.

      * Extra accounts are just wasteful, and may cause some confusion.
      * There is a tiny risk of having unused accounts on the system.
        (We have tens of them anyway, but still.)

Most hosts, however, can safely remove the system user when the package
is removed, if the user is to be removed at all. There may be cases
where a package's system user should not be removed, because some files
that belong to it will not be removed, such as a Usenet spool.

I propose the following:

      * We patch deluser to check for a boolean DELETE_SYSTEM_USERS
        setting in /etc/adduser.conf. If set to false, it does not
        remove the user. Default the setting to true, since that is
        status quo and works for most hosts and sites. Maybe also add a
        --force option to override the config file setting?
      * Review all packages and their use of adduser/deluser. Make sure
        that they don't have unnecessary scaffolding ("if ! getent
        passwd ..."), since it's unnecessary, and also not needed. Make
        sure they have the appropriate call to deluser in postrm. Add a
        versioned dependency to packages to make sure they depend on a
        version of adduser that implements DELETE_SYSTEM_USERS.

Would this be a good thing to do? Comments? Problems I've forgotten
about?

Would a debhelper tool to create/remove system users be useful? I
suspect there are only relatively few packages that do that, so perhaps
not.

I earlier blogged about an "addsysuser" tool[0], but Stephen Gran
pointed out to me that it's mostly unnecessary scaffolding. In my blog
post I also outlined a way for packages to share a system user, without
having to depend on it, but I think that's not so useful, so I don't
include it in this proposal.

[0] http://blog.liw.fi/posts/addsysuser/
[1] http://i.imgur.com/3XuAi.jpg (gratuitous cat picture; NSFW language)

-- 
Blog/wiki/website hosting with ikiwiki (free for free software):
http://www.branchable.com/
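
The decision proposed above (DELETE_SYSTEM_USERS defaulting to true, a --force override, and leaving centrally administered users alone), as an added shell sketch that is not code from the original message or from the adduser package. The function names, the `force` argument, the result strings and the accepted values `false`/`no` are assumptions; the script only reports a decision and never calls deluser.

```shell
#!/bin/sh
# Added example: reports a decision only, never calls deluser.
# DELETE_SYSTEM_USERS is the setting proposed in the message above.

# read_delete_setting CONF: print "true" or "false"; default "true".
read_delete_setting() {
    conf=$1
    value=true
    if [ -r "$conf" ]; then
        # Last uncommented assignment wins; optional quotes are stripped.
        found=$(sed -n 's/^[[:space:]]*DELETE_SYSTEM_USERS[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z]*\)"\{0,1\}.*$/\1/p' "$conf" | tail -n 1)
        case $(printf '%s' "$found" | tr 'A-Z' 'a-z') in
            false|no) value=false ;;   # assumed spellings of "off"
        esac
    fi
    printf '%s\n' "$value"
}

# decide_removal CONF PASSWD USER [force]
# Prints one of: remove, keep:not-local, keep:config
decide_removal() {
    conf=$1 passwd=$2 user=$3 force=${4:-}
    # Not in the local passwd file: managed centrally (e.g. LDAP) or
    # never created by postinst, so postrm must leave it alone.
    if ! awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$passwd"; then
        echo keep:not-local
    elif [ "$force" = force ]; then
        echo remove             # stands in for the proposed --force
    elif [ "$(read_delete_setting "$conf")" = false ]; then
        echo keep:config
    else
        echo remove
    fi
}

# Constructed sample data, not taken from a real host.
tmp=$(mktemp -d)
printf 'news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n' > "$tmp/passwd"
printf '# site policy\nDELETE_SYSTEM_USERS=false\n' > "$tmp/adduser.conf"
for u in news ldapsvc; do
    printf '%s -> %s\n' "$u" "$(decide_removal "$tmp/adduser.conf" "$tmp/passwd" "$u")"
done
rm -rf "$tmp"
```

The sketch does not cover the case of files owned by the user that the package does not know about; that still needs a site or package decision.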

