
Bug#228692: User/group creation/removal in package maintainer scripts



Hi,

This is my attempt to unlock the progress on this issue.

I'm going to attempt to first collect what I've picked up both from the
previously mentioned mailing list thread (and other similar ones) and
what I've seen when reviewing maintainer scripts of packages in the
archive. Hopefully others can speak up if they disagree or think I've
missed a common convention. Later we can attempt to formulate a specific
wording for policy.

## common conventions

users/groups should have an "invalid" prefix to avoid clashes with local
users
- sometimes inconvenient to change username and lots of packages don't
  do this so should only be recommended when possible, not mandatory.
- Debian- (common, see e.g. exim4), D (very rarely used?), and _ (also
  used) are suggested prefixes.

previously created users should *not* (ever) be removed
- it's much less rare these days but still some packages remove
  users/groups they created once the package is purged.
- the problem with removing users/groups (reusing uid/gid) is that files
  on filesystem can be owned by them which could lead to a possible
  security issue.

packages generally rely on adduser to do the work, which is basically
a wrapper to implement common Debian conventions around useradd, but it
might not be policy's place to explicitly require using a specific tool
like adduser.

Packages commonly check if user/group already exists before calling
adduser to create them. Reason being quiet switch to adduser makes it
'too quiet'. Might be better if adduser just gets fixed with eg.
implementing a '--exists-ok' argument, than documenting the current
convention in policy so should leave some room open for this.

Possibly policy should document some of the things adduser does, just in
case someone attempts to /not/ use adduser (why?).

Writing manual maintainer script code should always be avoided, because
it's a common source of bugs. There are also other issues like sharing
the same namespace and now being able to remove them. Thus adding users
and groups should be avoided. Sometimes there are mechanisms that allow
that which can be used in more cases than is currently well known, so it
might be good if Debian policy explicitly states that people should
avoid adding users/groups when possible. An example of a mechanism that
allows not creating static system users/groups is unit file option
DynamicUser=yes from systemd (and likely many others that I'm not aware
of). For further information see:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#DynamicUser=
http://0pointer.net/blog/dynamic-users-with-systemd.html


## example postinst snippet

### Note that packages also need to depend on adduser!

NEWUSER="_foo"
NEWGROUP="_bar"

if ! getent group "$NEWGROUP" >/dev/null; then
	addgroup --force-badname \
		--system "$NEWGROUP"
fi

if ! getent passwd "$NEWUSER" >/dev/null; then
	adduser --force-badname \
		--system --ingroup "$NEWGROUP" \
		--home /nonexistent --no-create-home \
		"$NEWUSER"
fi


### if username == groupname it can be simplified

NEWUSERGROUP="_foobar"

if ! getent passwd "$NEWUSERGROUP" >/dev/null && ! getent group "$NEWUSERGROUP" >/dev/null; then
	adduser --force-badname \
		--system --group \
		--home /nonexistent --no-create-home \
		"$NEWUSERGROUP"
fi


--
Regards,
Andreas Henriksson
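
The reason given in the message for never removing a package's user or group, that files left on disk pass to whichever account is later assigned the recycled uid/gid, can be checked before an account is touched. This is an added example, not part of the original message and not code from adduser or any package; the function names `resolve_id` and `inherited_paths` are hypothetical, and the directories to scan are chosen by the caller.

```sh
#!/bin/sh
# Added example: list what a recycled uid/gid would inherit.
# Function names are hypothetical; nothing here is taken from adduser.

# resolve_id DATABASE NAME_OR_NUMBER
# Print the numeric id for a passwd/group entry. A purely numeric
# argument is passed through, so ids whose account is already gone
# can still be checked.
resolve_id() {
	case "$2" in
		''|*[!0-9]*) getent "$1" "$2" | cut -d: -f3 ;;
		*) printf '%s\n' "$2" ;;
	esac
}

# inherited_paths USER_OR_UID GROUP_OR_GID DIR...
# Print every path under DIR... still owned by that uid or gid.
# These are the files a future account would silently take over
# if the ids were freed and handed out again.
inherited_paths() {
	uid=$(resolve_id passwd "$1")
	gid=$(resolve_id group "$2")
	if [ -z "$uid" ] || [ -z "$gid" ]; then
		echo "inherited_paths: unknown user or group" >&2
		return 2
	fi
	shift 2
	# -xdev: stay on the given filesystems (skip /proc, network mounts).
	# find treats a numeric -user/-group argument as an id when no
	# account of that name exists.
	find "$@" -xdev \( -user "$uid" -o -group "$gid" \) -print
}

# Stand-alone use: sh thisfile _foo _bar /var /etc /srv
if [ "$#" -ge 3 ]; then
	inherited_paths "$@"
fi
```

Any output means the ids are still referenced on disk; an empty result only covers the directories that were scanned, not backups or removable media.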

