
Re: Remove User on Remove, or Purge?



On Oct 28, 2004, at 9:06 AM, Sven Mueller wrote:

Adrian 'Dagurashibanipal' von Bidder [u] wrote on 28/10/2004 11:02:

ms419@freezone.co.uk:

If a package creates a user when it is installed, should it remove this
user when it is removed, or only when it is purged?

I think not removing the user is the safe option: If ever some files (potentially containing sensitive information) are owned by the package's user and left behind after purge (perhaps because the admin moved them to some other place), removing the user would allow some other package to inherit the files - and possibly would let the world access these files.

Completely right. However, I have seen packages (I think it was back in my slackware days) which searched the disc for non-packaged files owned by that user. If they found none, they removed the user. If they found any, they asked whether to
1) remove those files and the corresponding user
2) remove the user but keep the files orphaned
3) remove the user and chown the files to root
4) keep user and files
Though the search took quite some time on large systems (even when excluding /home from the search), I always thought this behaviour was nice and secure.

I support every effort not to clutter the system with left-overs of old packages, but security is more important here.

Right again.

I wish though that there was some way to achieve the behaviour outlined above without the performance issue attached to it. One way could be to teach dpkg to do a search of the system (excluding /home and potentially other user homedirs) and fill a database of user/group -> file relations which the packages may read during (de) installation. I haven't thought about it much though.

Thank you very much for the awesome information, everyone!

Jack
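
The check described in the thread (look for non-packaged files owned by the package's user and remove the user only if there are none), as an added example that is not part of the original messages or of any Debian package. The function names, the `packaged.list` file and the sample tree are assumptions made for illustration; instead of prompting the admin it falls back to keeping the user and files.

```shell
#!/bin/sh
# Added example: check for leftover files before a maintainer script
# deletes the package's system user. All names here are hypothetical.

# orphans_of OWNER PKGLIST ROOT EXCLUDE
# Lists non-directory files under ROOT owned by OWNER (name or numeric uid)
# that are not named in PKGLIST, a file with one packaged path per line
# (for example saved `dpkg -L <package>` output). EXCLUDE is one directory
# to skip, such as /home. Paths containing newlines are not handled.
orphans_of() {
    find "$3" -xdev -path "$4" -prune -o ! -type d -user "$1" -print \
        2>/dev/null | grep -vxF -f "$2" || true
}

# user_removal_verdict OWNER PKGLIST ROOT EXCLUDE
# Prints "remove" only when nothing would be orphaned, otherwise "keep".
user_removal_verdict() {
    # Fail closed: an unreadable list or missing root must not look clean.
    if [ -r "$2" ] && [ -d "$3" ] && [ -z "$(orphans_of "$@")" ]; then
        echo remove
    else
        echo keep
    fi
}

# make_sample_tree: constructed sample data owned by the calling user.
# Prints the temp dir; the tree is in root/, the list in packaged.list.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/root/etc" "$t/root/var/lib/demo" "$t/root/home/alice"
    : > "$t/root/etc/demo.conf"            # shipped by the package
    : > "$t/root/var/lib/demo/secrets.db"  # runtime data, not packaged
    : > "$t/root/home/alice/notes"         # below the excluded directory
    printf '%s\n' "$t/root/etc/demo.conf" > "$t/packaged.list"
    echo "$t"
}
```
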


