On 31/10/2005 Javier Fernández-Sanguino Peña wrote:
> After the feedback of the recent d-d thread, I've adapted the section I wrote
> on the best practices related to system users and groups, it is currently
> available at:
> http://www.debian.org/doc/manuals/developers-reference/ch-best-pkging-practices.en.html#s-bpp-lower-privs
the group deletion currently has a problem. From 6.5.1.3 'Removing system
users':

    # Remove system group if is a system group
    CREATEDGROUP=server_group
    if [ -r /etc/adduser.conf ] ; then
        FIRST_USER_GID=`grep ^USERS_GID /etc/adduser.conf | cut -f2 -d '='`
    else
        FIRST_USER_GID=1000
    fi
    if [ -n "$FIST_USER_GID" ] then
        if GROUPGID=`getent group $CREATEDGROUP | cut -f 3 -d ':'`; then
            if [ -n "$GROUPGID" ]; then
                if [ "$FIST_USER_GID" -gt "$GROUPGID" ]; then
                    echo -n "Removing $CREATEDGROUP group.."
                    delgroup --only-if-empty $CREATEDGROUP || true
                    echo "..done"
                fi
            fi
        fi
    fi

first, the 'if [ -n "$FIST_USER_GID" ] then' should better be
'if [ -n "$FIRST_USER_GID" ]; then' (two small typos).
second, and more important, the default GID for the group 'users' is 100
for adduser, so the check above will always fail. system groups created
via 'addgroup --system' have GIDs between 100 and 199.
in my eyes it would be more sane to check for FIRST_SYSTEM_GID instead
of USERS_GID.
...
jonas
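
An added example, not part of the original message or of the developers-reference: the USERS_GID comparison discussed above next to a range check on FIRST_SYSTEM_GID, run against a constructed adduser.conf excerpt. The function names, the LAST_SYSTEM_GID upper bound and the fallback values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# Print numeric KEY from an adduser.conf-style FILE, else DEFAULT.
conf_value() {
    key=$1 file=$2 default=$3 value=
    if [ -r "$file" ]; then
        value=$(sed -n "s/^${key}=//p" "$file" | tail -n 1 | tr -d "\"' \t")
    fi
    case $value in
        ''|*[!0-9]*) echo "$default" ;;  # missing or non-numeric
        *) echo "$value" ;;
    esac
}

# Check from the quoted snippet (typos corrected): GID below USERS_GID.
below_users_gid() {
    limit=$(conf_value USERS_GID "$2" 1000)
    [ "$1" -lt "$limit" ]
}

# Range check: FIRST_SYSTEM_GID <= GID <= LAST_SYSTEM_GID.
# Fallbacks 100 and 999 are assumptions for a missing config file.
is_system_gid() {
    first=$(conf_value FIRST_SYSTEM_GID "$2" 100)
    last=$(conf_value LAST_SYSTEM_GID "$2" 999)
    [ "$1" -ge "$first" ] && [ "$1" -le "$last" ]
}

# Constructed config excerpt using the values stated in the message.
make_sample_conf() {
    conf=$(mktemp) || return 1
    cat > "$conf" <<'EOF'
FIRST_SYSTEM_GID=100
LAST_SYSTEM_GID=199
USERS_GID=100
EOF
    echo "$conf"
}

sample=$(make_sample_conf)
for gid in 105 1000; do
    if below_users_gid "$gid" "$sample"; then old=candidate; else old=skipped; fi
    if is_system_gid "$gid" "$sample"; then new=candidate; else new=skipped; fi
    echo "gid=$gid USERS_GID check: $old; system-range check: $new"
done
rm -f "$sample"
```

With the sample values, GID 105 is skipped by the USERS_GID comparison and accepted by the range check, so a postrm using the former never reaches `delgroup --only-if-empty`.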