Re: Bug#621833: System users: removing them
On ti, 2011-04-12 at 21:31 +0200, sean finney wrote:
> Hi Lars,
> On Tue, Apr 12, 2011 at 06:41:10PM +0100, Lars Wirzenius wrote:
> > > But shouldn't we say they _must_ lock package-specific system users
> > > and groups when the package is removed ?
> > I think that's a good idea. Steve Langasek in the bug (#621833) and
> > others agree, so I think there's a strong consensus on that.
> I don't think I'd agree there, at least without also addressing:
> * It also needs to limit the scope to locally defined users (i.e. not
> fail when it is unable to lock an NIS/LDAP/etc account).
> * There needs to be a way to explicitly do that with adduser or a similar
Yes, and these were already suggested in the bug log, if I've understood
everyone correctly (not all those mails were on -devel, though).
> Also, we haven't discussed what should be done in the case of a user
> account possibly shared between different packages, where any one of
> them may create it and 1..N of them might be installed.
In my opinion, those packages should arrange for things to work right
amongst themselves. The typical case would be to have a -common package,
which creates and locks down the user, and everything else depends on
it. But other options are also possible; I guess anything that achieves
the same effect should be OK by the policy manual.
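The two constraints raised in the thread (lock the package's system user on removal, but only when it is locally defined, and do not fail for an NIS/LDAP account) can be sketched as a removal-time shell helper. This is an added example, not part of the original message or of any Debian package; the function names and the `PASSWD_FILE` and `LOCK_CMD` variables are hypothetical.

```shell
#!/bin/sh
# Added illustration: lock a package-specific system user at removal time,
# limited to accounts defined in the local passwd file.
# PASSWD_FILE and LOCK_CMD are hypothetical knobs so the logic can be
# exercised without root; the defaults are the real file and tool.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
LOCK_CMD="${LOCK_CMD:-usermod}"

# Return 0 only if the name has an entry in the local passwd file.
# The file is read directly rather than through "getent passwd", because
# getent also returns accounts served by NIS/LDAP via NSS.
is_local_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' \
        "$PASSWD_FILE"
}

# Lock the account if it is local. Prints one of:
#   locked            local account, lock succeeded
#   skipped-nonlocal  no local entry (absent, or defined in NIS/LDAP);
#                     not an error, so package removal does not fail
#   failed            local account, but the lock command failed
lock_package_user() {
    user="$1"
    if ! is_local_user "$user"; then
        echo "skipped-nonlocal"
        return 0
    fi
    # --lock disables the password; --expiredate 1 also expires the
    # account, so logins that do not use the password are refused too.
    if $LOCK_CMD --lock --expiredate 1 "$user"; then
        echo "locked"
    else
        echo "failed"
        return 1
    fi
}
```

For a user shared between several packages, the reply above suggests a -common package owning the account, in which case only that package's removal script would call such a helper.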