
Re: should postrm script purge system-users?



Hello,

[ I'm not a DD nor an expert, so you may want to wait for others' opinions
too ]

On Fri, 23 Dec 2022 21:18:48 +0000
Peymaneh <peymaneh@posteo.net> wrote:

> Dear mentors list,
> 
> a package that I maintain[1] creates a new system-user and -group 
> ("caddy") and creates a home directory in /var/lib/caddy upon 
> installation[2] intended for the systemd service file.
> 
> When purging the package, all of these are currently left on the
> system.
> 
> It was suggested to me that not only the directories, but also
> user and group should be removed.[3] But I am unsure if purging even
> users from the system could maybe be a bad idea, because they still
> might be owners of other files on the system?

I don't think there is a fixed rule to follow on this: the safest thing
(for the reasons you mentioned above and others too) is to leave everything
on the system and lock the user.
On the other hand, leaving files around and not freeing the UID has a
cost, so if you know that the user doesn't leave files around or that it
writes only to some predictable location, it might be worth searching for and
removing all files owned by the user and then removing the user on purge.
Removing a non-empty home and files around requires some extra checks, see
the links at the bottom.

> 
> The Debian wiki and policy only cover removal of files/dirs and do 
> not seem to mention the handling of system users.
> 
> Peymaneh
> 
> PS: please keep me in CC, I am not a member of the list
> 
> ---
> [1] https://salsa.debian.org/go-team/packages/caddy/
> [2] 
> https://salsa.debian.org/go-team/packages/caddy/-/blob/debian/sid/dist/scripts/postinstall.sh

The user is created with 'nologin', so only the caddy service should create
files with that user?
But I see that you also add the www-data supplementary group, so I
guess your service also writes/reads somewhere else under /var?
You should know this as maintainer, or you can ask upstream.

> [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022260

Lorenzo

For reference, see also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981918
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23848239
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848240
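
The trade-off discussed in this message, as an added example (not code from the thread or from the caddy package): a postrm fragment that frees the UID on purge only when the account owns nothing outside its home directory, and otherwise locks it so a later account that reuses the UID cannot inherit orphaned files. The function names, the /var search root and the "remove only when nothing stray exists" policy are assumptions; the user name and home directory are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example: purge-time handling of a package's system user.
# Defaults below are assumptions based on the thread (user "caddy", home /var/lib/caddy).
SVC_USER="${SVC_USER:-caddy}"
SVC_HOME="${SVC_HOME:-/var/lib/caddy}"
SEARCH_ROOT="${SEARCH_ROOT:-/var}"

# Print the first path under $3 owned by user/UID $1 that is neither $2 nor below it.
# Empty output means the account owns nothing outside its home directory.
# Note: -path takes a pattern, so paths containing glob characters need escaping.
stray_files() {
    find "$3" -xdev -user "$1" ! -path "$3" ! -path "$2" ! -path "$2/*" \
        2>/dev/null | head -n 1
}

# Print "remove" when freeing the UID orphans nothing, "lock" otherwise.
purge_decision() {
    if [ -n "$(stray_files "$1" "$2" "$3")" ]; then
        echo lock
    else
        echo remove
    fi
}

purge_account() {
    # Nothing to do if the account is already gone.
    getent passwd "$SVC_USER" >/dev/null || return 0
    case "$(purge_decision "$SVC_USER" "$SVC_HOME" "$SEARCH_ROOT")" in
    remove)
        rm -rf -- "$SVC_HOME"
        # deluser (from adduser) may itself be removed by the time postrm purge runs.
        if command -v deluser >/dev/null 2>&1; then
            deluser --quiet --system "$SVC_USER" || true
        fi
        ;;
    lock)
        # Keep the UID reserved but make the account unusable.
        usermod --lock --expiredate 1 "$SVC_USER" || true
        ;;
    esac
}

# dpkg calls postrm with the action as the first argument.
case "${1:-}" in
purge) purge_account ;;
esac
```

The search is limited to one filesystem by -xdev, so a service that writes to other mount points needs each of them checked as well.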



