
Bug#291177: [PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts



Package: debian-policy
Version: 3.6.1.1
Priority: wishlist

There is currently no policy on how per-package users should be created and 
removed. Even though the 'UID and GID classes' section determines that 
packages _should_ use adduser --system on some occasions, it doesn't 
describe why a package would want to do that.

IMHO it would be worthwhile writing in the policy that:

- maintainers should strive to make daemons run as non-root users
(this helps reduce the severity of many security bugs)

- maintainer scripts should create a system user for their daemon in
postinst.  User creation should not fail if the user already exists
(example code should be provided here, since this is sometimes not done
properly in maintainer scripts). Maintainer scripts can ask the admin if 
the user already exists.

- maintainer scripts can remove users on purge of the package. 
This should only be done if the files created by the user are being
removed in purge too.

- package configuration files (under /etc) should not be owned by the 
package user (this is to prevent attacks on daemons that might introduce a 
way to modify their own configuration). On some occasions access to a file 
(since it includes sensitive information) needs to be restricted; for this, 
a group should be created and the files should be chowned root:group.
(note that there is some *buggy* software in which the daemon needs to 
write to its configuration files)

For reference here are some relevant discussions:
(there are probably many more)

http://lists.debian.org/debian-policy/2003/05/msg00022.html
http://lists.debian.org/debian-devel/2001/09/msg01960.html
http://lists.debian.org/debian-devel/2004/08/msg01798.html
http://lists.debian.org/debian-devel/2004/05/msg01156.html
http://lists.debian.org/debian-devel/2003/11/msg02231.html
http://lists.debian.org/debian-devel/1996/05/msg00159.html
http://lists.debian.org/debian-user/1996/05/msg00106.html
http://lists.debian.org/debian-mentors/2004/10/msg00338.html

If others agree I can go forward, write a proposal text for this and 
provide a patch.

Regards

Javier
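
A sketch of the maintainer-script logic the proposal describes, added here as an illustration and not part of the original message or of Debian Policy. The daemon name `exampled`, its paths, and the `RUN` dry-run hook are hypothetical.

```shell
#!/bin/sh
# Added example: postinst/postrm logic for a hypothetical daemon "exampled".
set -e

DAEMON_USER="${DAEMON_USER:-exampled}"              # hypothetical name
CONF_FILE="${CONF_FILE:-/etc/exampled/exampled.conf}"  # hypothetical path
DATA_DIR="${DATA_DIR:-/var/lib/exampled}"           # hypothetical path
RUN="${RUN:-}"   # set RUN=echo to print commands instead of executing them

user_exists() { id -u "$1" >/dev/null 2>&1; }

# postinst configure: creating the user must not fail if it already exists.
create_daemon_user() {
    if user_exists "$DAEMON_USER"; then
        return 0
    fi
    $RUN adduser --system --group --no-create-home \
        --home "$DATA_DIR" "$DAEMON_USER"
}

# Configuration stays owned by root; the daemon's group may read it,
# so a compromised daemon cannot rewrite its own configuration.
secure_config() {
    $RUN chown "root:$DAEMON_USER" "$CONF_FILE"
    $RUN chmod 0640 "$CONF_FILE"
}

# postrm purge: remove the user's files first, then the user itself,
# so no files are left behind owned by a UID that may be reused.
purge_daemon_user() {
    $RUN rm -rf "$DATA_DIR"
    if user_exists "$DAEMON_USER"; then
        $RUN deluser --system "$DAEMON_USER"
    fi
}

case "${1:-}" in
    configure) create_daemon_user; secure_config ;;
    purge)     purge_daemon_user ;;
esac
```

With `RUN=echo` the functions print the commands they would run, which allows the logic to be checked without root.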
