Re: Running dpkg -r foo from a postinst script?
On Wed, Sep 19, 2001 at 10:56:25PM +0200, Ola Lundqvist wrote:
> Ok. Well what I wanted was a better way (more informative and
> flexible) way to remove packages that are insecure.
>
> It is in the harden-servers (and some other harden) packages I wanted
> this.
>
> How it it done when the base system is istalled? It removes (it the
> user tells so) the pcmcia and ppp packages.
not the same thing, what's happening during install is that the user
is prompted about *marking those packages for removal*. this is done
via 'dpkg --set-selections' (I'm speculating at this point, haven't
analyzed much of that code, but that's the standard method for such
things) and is executed before running apt or dselect to carry out the
users wishes. until the next install run those packages are still
available on the system. and actually I don't think it asks about
removal of ppp, it only asks if you need to use it to finish the
initial install, so that it can be configured before attempting to do
any further package management.
note that since all of this happens outside of dselect the dpkg
lockfile is not an issue.
one way of tackling it would be to generate a text file that can be
piped into 'dpkg --set-selections' afterwards, this gives the admin a
chance to double-check everything before you go and hose the end
user's environment in the name of security. they can also switch
between 'purge' and 'remove' if they have a compelling reason to keep
the config files around without the associated binaries.
just a few random thoughts from the peanut gallery,
Marc
Reply to: