
Policy on Account creation and deletion?



Hi,

some packages dynamically create system accounts during installation.
This has been increasingly popular since nowadays you don't like to
run unrelated subsystems with the same privileges.

I didn't find any policy documentation on how a package should handle
this, and I'd like to have this discussed for future reference.

(1) Account Name
This has been discussed in the past, with no real consensus being
reached. It is clear that we should use a namespace that doesn't clash
with names that our users may use on their systems since we might
remove an account that the local administrator manually created.
Possibilities include _foo, foo_, Debian-foo and foo-Debian, with the
only package I am aware of that already does this being exim4 (using
Debian-exim, and receiving gazillions of bug reports "this account name
is ugly").

(2) Creation
Most packages create their account in postinst. exim4 uses getent to
determine whether the account already exists (this has shown to be
unreliable, see #237657), and bind9 touches a file in /var/run and
tries to chown the file to the account name before creating the
account (with a comment basically saying that there is no other way to
detect account existence).

I am wondering what a package should do if the account already exists:
   * use this account verbatim?
     This might be undesirable as the account might be in use for
     something else.
   * delete and recreate the account using the package's settings?
     This might overwrite a change done by the local admin, and it
     might break unrelated local subsystems using this account.
   * fail
     This is the safest method, but probably undesirable as well.

(3) Deletion
I think that the account should be deleted when the package is
uninstalled. dpkg documentation says that the only difference between
remove and purge is that remove doesn't delete conffiles while purge
does. This can be interpreted as a requirement to remove the account
even on remove, which might lead to files becoming unowned.

So, it might be necessary to chown all files owned by the package
account to root:root when removing, and to chown them back to the
newly created package account on installation. This can create a
significant amount of work in the maintainer scripts.

Other people say that an account should - once created - never be
automatically removed to block the uid from being recycled because of
file ownership purposes. While these people surely have a point, I
think this is a violation since our users depend on leaving the system
in its original state after purge.

For the record: exim4 does remove its user in postrm on purge, bind9
leaves the user on the system.
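As an added illustration (not code from exim4, bind9 or any Debian package), the following maintainer-script helpers implement one possible answer to points (2) and (3): detect the account with getent as exim4 does, reuse it only if it already is a system account, refuse to take over a regular user's account, and on purge hand leftover files to root:root before deleting the account so nothing becomes unowned. The account name Debian-foo, the home directory /var/lib/foo, and the uid floor of 1000 below which an account is treated as a system account are assumptions for the example.

```shell
#!/bin/sh
# Example postinst/postrm helpers for a package-owned system account.
# Assumed names: package "foo", account "Debian-foo", home /var/lib/foo.
set -e

PKG_USER="${PKG_USER:-Debian-foo}"
PKG_HOME="${PKG_HOME:-/var/lib/foo}"

# Return 0 if the account is present in the passwd database (getent, as exim4 does).
account_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Decide what postinst should do about a pre-existing account:
#   create - no such account, create it
#   reuse  - exists and its uid is below the floor, treat it as ours
#   fail   - exists but looks like a regular user; do not take it over
account_action() {
    user="$1"; floor="${2:-1000}"   # 1000 is an assumed first regular uid
    if ! account_exists "$user"; then
        echo create; return 0
    fi
    uid=$(getent passwd "$user" | cut -d: -f3)
    if [ "$uid" -lt "$floor" ]; then echo reuse; else echo fail; fi
}

postinst_configure() {
    case "$(account_action "$PKG_USER")" in
        create)
            adduser --system --group --home "$PKG_HOME" --no-create-home \
                    --disabled-password --quiet "$PKG_USER" ;;
        reuse) : ;;
        fail)
            echo "$PKG_USER exists but is not a system account; refusing to reuse it" >&2
            exit 1 ;;
    esac
}

postrm_purge() {
    # Re-own leftover files before removing the account so they never become unowned.
    if account_exists "$PKG_USER"; then
        find "$PKG_HOME" -user "$PKG_USER" -exec chown root:root {} + 2>/dev/null || true
        deluser --system --quiet "$PKG_USER" || true
    fi
}

# dpkg passes the action as the first argument; do nothing when sourced without one.
case "${1:-}" in
    configure) postinst_configure ;;
    purge)     postrm_purge ;;
esac
```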

Thanks for your opinions.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29


