
Re: System users: removing them



On Thursday, March 31, 2011 04:23:33 AM Lars Wirzenius wrote:
> We have some packages that require a dedicated user to be created, and
> calling "adduser --system" in postinst does that. However, it is not
> always clear whether such users should be removed when the package is
> removed.
> 
>       * The user might be administered centrally, via LDAP. (So postinst
>         never actually created it, and thus postrm shouldn't remove it.)
>       * There might be files owned by the user that the package does not
>         know about.
>       * There might be other site policies about this.
> 
> The easy solution for this would be to never remove the user, but that's
> also not so clear.
> 
>       * Extra accounts are just wasteful, and may cause some confusion.
>       * There is a tiny risk of having unused accounts on the system.
>         (We have tens of them anyway, but still.)
> 
> Most hosts, however, can safely remove the system user when the package
> is removed, if the user is to be removed at all. There may be cases
> where a package's system user should not be removed, because some files
> that belong to it will not be removed, such as a Usenet spool.
> 
> I propose the following:
> 
>       * We patch deluser to check for a boolean DELETE_SYSTEM_USERS
>         setting in /etc/adduser.conf. If set to false, it does not
>         remove the user. Default the setting to true, since that is
>         status quo and works for most hosts and sites. Maybe also add a
>         --force option to override the config file setting?
>       * Review all packages and their use of adduser/deluser. Make sure
>         that they don't have unnecessary scaffolding ("if ! getent
>         passwd ..."), since it's unnecessary, and also not needed. Make
>         sure they have the appropriate call to deluser in postrm. Add a
>         versioned dependency to packages to make sure they depend on a
>         version of adduser that implements DELETE_SYSTEM_USERS.
> 
> Would this be a good thing to do? Comments? Problems I've forgotten
> about?
> 
> Would a debhelper tool to create/remove system users be useful? I
> suspect there's only relatively few packages that do that, so perhaps
> not.
> 
> I earlier blogged about an "addsysuser" tool[0], but Stephen Gran
> pointed out to me that it's mostly unnecessary scaffolding. In my blog
> post I also outlined a way for packages to share a system user, without
> having to depend on it, but I think that's not so useful, so I don't
> include it in this proposal.
> 
> [0] http://blog.liw.fi/posts/addsysuser/
> [1] http://i.imgur.com/3XuAi.jpg (gratuitous cat picture; NSFW language)

It seems to me that there is not a clear statement about removing users on 
purge in policy.  I'd prefer we get consensus around the policy before diving 
into implementation on this.

Personally I think the risks associated with removal are greater than the 
potential benefits and, except in unusual cases, they should be left.  I've 
got one bug open against one of my packages that I'd love to be able to close 
with "No, policy says X and so the current behavior is correct."  I'm willing 
to accept it if the project decides I'm wrong, but I'd like to see a clear 
statement on what the right thing to do is.

Scott K
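
The decision proposed in the quoted message, as an added example that is not part of the thread and is not adduser's or deluser's own code. DELETE_SYSTEM_USERS is the setting proposed above (not an existing adduser.conf option), the function names are hypothetical, and only the config setting and the centrally administered (LDAP) case are covered, not the check for leftover files.

```shell
#!/bin/sh
# Added illustration. DELETE_SYSTEM_USERS is the setting proposed in the
# thread; the function names below are hypothetical.

# Print the effective DELETE_SYSTEM_USERS value ("true" or "false").
# Defaults to "true", the status quo described in the proposal.
delete_system_users_setting() {
    conf=$1
    value=true
    if [ -r "$conf" ]; then
        # Commented-out lines do not match; the last assignment wins.
        found=$(sed -n 's/^[[:space:]]*DELETE_SYSTEM_USERS[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z]*\)"\{0,1\}[[:space:]]*$/\1/p' "$conf" | tail -n 1)
        if [ -n "$found" ]; then
            value=$found
        fi
    fi
    case $value in
        [Ff][Aa][Ll][Ss][Ee]) echo false ;;
        *) echo true ;;
    esac
}

# Succeed only if the account has an entry in the local passwd file, i.e.
# it is not supplied solely by a central directory such as LDAP.
is_local_user() {
    user=$1
    passwd_file=$2
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$passwd_file"
}

# Decide what a postrm purge step should do with the package's system user.
# Prints "remove" or "keep: <reason>".
purge_decision() {
    user=$1
    conf=$2
    passwd_file=$3
    if [ "$(delete_system_users_setting "$conf")" = false ]; then
        echo "keep: DELETE_SYSTEM_USERS=false"
    elif ! is_local_user "$user" "$passwd_file"; then
        echo "keep: not a local account"
    else
        echo "remove"
    fi
}
```

On a real host the arguments would be /etc/adduser.conf and /etc/passwd; they are parameters here so the logic can be exercised against constructed files.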

