
Bug#228692: User/group creation/removal in package maintainer scripts
On Tue, 31 Jul 2018 at 17:53:50 +0200, Andreas Henriksson wrote:
> previously created users should *not* (ever) be removed

There has been a suggestion in the past that these users should be locked
on package removal and unlocked on reinstallation, as implemented in
(for example) openarena-server. It is not entirely clear to me what
technical benefit this has, given that these users normally have a
disabled password anyway.

> Packages commonly check if user/group already exists before calling
> adduser to create them.

I have seen it suggested elsewhere that this is a bug or misunderstanding,
because adduser --system is already meant to exit successfully if the
requested user or group already exists in the system range. Calling
adduser conditionally prevents adduser from detecting whether the user
or group exists but is outside the system range.

> Writing manual maintainer script code should always be avoided, because
> it's a common source of bugs.

Some alternatives to open-coding this:

systemd-sysusers(8) creates system users from declarative text files,
either at package installation or during early boot (part of a wider goal
for it to be feasible to boot a stateless or generic system after emptying
/etc and /var), in a way that is feasible to reimplement outside systemd
if people want to (but has not been reimplemented, as far as I'm aware).

dh-sysuser encapsulates maintainer script code into a single command,
although imperative rather than declarative. It uses useradd directly,
so it might be NIHing adduser(8).

> An example of a mechanism that
> allows not creating static system users/groups is unit file option
> DynamicUser=yes from systemd (and likely many others that I'm not aware
> of). For further information see:
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#DynamicUser=
> http://0pointer.net/blog/dynamic-users-with-systemd.html

But note that:

- this doesn't work if some other daemon needs to know about your
  system user ahead of time: in particular, dbus-daemon system.d snippets
  cannot currently refer to dynamic users

- this is systemd-specific (suitable for systemd-systems-only software like
  systemd-cron, but not suitable for general daemons, unless Debian drops
  support for non-systemd init systems and non-Linux kernels)

Regards,
    smcv
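An added illustration of the point made above about guarding adduser (example code, not from the bug thread or from any Debian package): a "getent || adduser --system" guard skips adduser whenever the name exists at all, while an unconditional adduser --system still gets to notice a same-named user whose UID lies outside the system range. The passwd data is a constructed sample, the range 100-999 is assumed from adduser.conf's default FIRST_SYSTEM_UID/LAST_SYSTEM_UID, and the result labels are this example's own rather than adduser's actual messages or exit codes.

```shell
#!/bin/sh
# Added example, not from the thread. Compares what a guarded maintainer
# script decides with what an unconditional "adduser --system" can see.
# Passwd content is a constructed string so this runs without root.
FIRST_SYSTEM_UID=100   # assumption: Debian adduser.conf defaults
LAST_SYSTEM_UID=999

# Constructed sample of /etc/passwd lines (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
openarena-server:x:112:118::/var/lib/openarena-server:/usr/sbin/nologin
gitdaemon:x:1001:1001::/var/lib/git:/usr/sbin/nologin'

# Print the UID of user $1 found in passwd data $2, or nothing if absent.
uid_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3 }'
}

# The guarded pattern "getent passwd NAME || adduser --system NAME":
# any existing entry with that name means adduser is never called.
guarded_action() {
    if [ -n "$(uid_of "$1" "$2")" ]; then
        echo skip
    else
        echo create
    fi
}

# What an unconditional adduser --system is in a position to distinguish:
# absent (create), present in the system range (ok), or present with a
# UID outside that range (outside-range), which the guard above hides.
system_action() {
    uid=$(uid_of "$1" "$2")
    if [ -z "$uid" ]; then
        echo create
    elif [ "$uid" -ge "$FIRST_SYSTEM_UID" ] && [ "$uid" -le "$LAST_SYSTEM_UID" ]; then
        echo ok
    else
        echo outside-range
    fi
}
```

Running both functions over the sample shows the guarded form reporting "skip" for gitdaemon (UID 1001) where the unconditional form reports "outside-range".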