Re: Policy on Account creation and deletion?
Hi,

Marc Haber wrote:
> Hi,
>
> some packages dynamically create system accounts during installation. This
> has been increasingly popular since nowadays you don't like to run
> unrelated subsystems with the same privileges.
>
> I didn't find any policy documentation how a package should handle this,
> and I'd like to have this discussed for future reference.
>
> (1) Account Name
> This has been discussed in the past, with no real consensus being reached.
> It is clear that we should use a namespace that doesn't clash with names
> that our users may use on their systems since we might remove an account
> that the local administrator manually created. Possibilities include _foo,
> foo_, Debian-foo and foo-Debian, with the only package I am aware of that
> already does this being exim4 (using Debian-exim, and receiving gazillions
> of bug reports "this account name is ugly").
>
> (2) Creation
> Most packages create their account in postinst. exim4 uses getent to
> determine whether the account already exists (this has shown to be
> unreliable, see #237657), and bind9 touches a file in /var/run and tries
> to chown the file to the account name before creating the account (with a
> comment basically saying that there is no other way to detect account
> existence).
>
Sure there is.

# id smurf
uid=501(smurf) gid=501(smurf) groups=501(smurf),40(src),100(users),200(urlichs),230(sbuild)
# id fhzruiqhfiuqw
id: fhzruiqhfiuqw: No such user
# echo $?
1

Q.E.D.
> * use this account verbatim?
> This might be undesirable as the account might be in use for
> something else.
Idea: check the account's home directory; ask if it's "wrong".
> (3) Deletion
> I think that the account should be deleted when the package is
> uninstalled.
I'd do it on purge.
> dpkg documentation says that the only difference between
> remove and purge is that remove doesn't delete conffiles while purge does.
Deleting an /etc/passwd entry would fall under that restriction, I'd say.
> For the record: exim4 does remove its user in postrm on purge, bind9
> leaves the user on the system.
>
IMHO both are valid.
--
Matthias Urlichs
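
The checks discussed in this message (existence by exit status, comparing the home directory of an existing account, deleting only on purge), put together as an added example that is not part of the original mail and not taken from any package's maintainer scripts. The function names, the PASSWD_DB override, and the sample entries and expected home directories are assumptions made for the illustration.

```shell
# Added example. PASSWD_DB is a hypothetical override used only for this demo;
# when it is unset the live account databases are queried.

# Print the passwd entry for account $1; non-zero exit status if there is none.
passwd_entry() {
    if [ -n "${PASSWD_DB:-}" ]; then
        # Exact match on the name field, so "bind" never matches "bind9".
        awk -F: -v u="$1" '$1 == u { print; found = 1; exit }
                           END { exit !found }' "$PASSWD_DB"
    else
        # Existence is decided by id's exit status, as in the reply above;
        # getent is only used to read the entry's fields.
        id "$1" >/dev/null 2>&1 && getent passwd "$1"
    fi
}

# Print absent, ours or foreign for account $1 with expected home directory $2.
classify_account() {
    entry=$(passwd_entry "$1") || { echo absent; return 0; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    if [ "$home" = "$2" ]; then echo ours; else echo foreign; fi
}

# postinst: create a missing account, reuse ours, ask about anything else.
postinst_action() {
    case $(classify_account "$1" "$2") in
        absent) echo create ;;
        ours)   echo reuse ;;
        *)      echo ask ;;
    esac
}

# postrm: delete only on purge ($3) and only an account that looks like ours.
postrm_action() {
    if [ "$3" = purge ] && [ "$(classify_account "$1" "$2")" = ours ]
    then echo delete; else echo keep; fi
}

# Constructed sample database, not taken from a real system.
PASSWD_DB=$(mktemp)
trap 'rm -f "$PASSWD_DB"' EXIT
cat >"$PASSWD_DB" <<'EOF'
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
bind:x:1001:1001:made by the local admin:/home/bind:/bin/bash
EOF
postinst_action Debian-exim /var/spool/exim4      # reuse
postinst_action bind /var/cache/bind              # ask
postrm_action bind /var/cache/bind purge          # keep
```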