
Re: Bug#72738: Unnecessary changes to /etc/passwd



Lindsay Haisley wrote:
> > If you didn't see that, it wasn't base-passwd that did this. If you did see
> > it, it should be in your log file, right? 
> 
> Don't I wish!  I went through the system logs and there was nothing, and
> update-passwd doesn't mention anything about logging on its man page.  As
> best I can tell there was no way to back out any changes - no backup, no
> diff, no log.

I was referring to this log file:

> I took care of it immediately on another vt and where appropriate
> I copied the screen data to a review file.


> As I said elsewhere, prudent Unix system administration
> dictates that any changes made by a program or script to a vital system
> config file such as /etc/passwd or /etc/group ought to provide a way to back
> out of any changes, even if it's only an audit trail in a log file.

Perhaps you should file a wishlist bug on base-passwd requesting that
it back up the passwd file to /etc/passwd- before modifying it.

> Project then what's left?  99% of the time it's a no-nevermind, and
> functionally most such subsystems don't care what UID space they operate in,
> but there are some that do care, and discriminate, such as Debian's
> update-passwd.  Same arguments apply to GID space.

I'm not aware of any general purpose unix program that requires a
particular uid/gid number (leaving out root of course). Such a program
would not be very portable at all, especially since whatever number it
demands could well be taken. Qmail, majordomo, and so on, can use any
uid, although the number may need to be compiled in to them in some
cases (qmail).

> So what's appropriate here?  Do we say 0 -> 99 belongs to Debian, 100 -> 199
> belongs to non-Debian system accounts, and the rest is user UID space, or
> should the 0 -> 99 space be divided along this line, or what?  Has this been
> given any thought, or addressed by policy?

In general we leave this up to the individual admin to deal with however
they need to to make it work with the rest of their systems. We do
reserve ids from 30000 up for Debian as well (this is probably
excessive, but those with systems with 30 thousand users can probably
deal).

> > This is complicated by the fact that majordom was distributed along with
> > Debian in non-free until it was yanked during the freeze of potato[2].
> 
> Security and license problems combined!

Yes, see http://lists.debian.org/debian-security-announce-00/msg00007.html

> The use of majordomo with qmail
> (not an entirely trivial integration) fixes some of the security problems, I
> believe.

I can't see how unless you don't have to make the wrapper script
suid/sgid anymore.

> I can submit this as a bug report, but I hope I've brought the issue
> sufficiently to enough people's attention that y'all can carry the ball on
> it.

Your bug report is already assigned to the base-passwd package so I
suppose it will be dealt with in due course.

-- 
see shy jo
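The backup-and-audit-trail behaviour discussed in this thread (a passwd- copy before modification, a logged diff, a way to back out), as an added example that is not part of the thread or of base-passwd: a POSIX sh wrapper that snapshots passwd and group before running a command, appends a unified diff to a log when either file changed, and can restore the snapshot. The directory, log path and the `passwd-`/`group-` naming are assumptions so it can be tried on a scratch directory rather than /etc.

```shell
#!/bin/sh
# Added example (not base-passwd code): wrap a command that may rewrite the
# passwd and group files so that an admin can see exactly what changed and
# back the change out. DIR and LOG are parameters so this can be exercised on
# a scratch directory; the real files would live under /etc.

# snapshot_and_run DIR LOG CMD [ARGS...]
#   Copies DIR/passwd and DIR/group to DIR/passwd- and DIR/group- (preserving
#   mode and timestamps), runs CMD, then appends a unified diff of every file
#   that changed to LOG. Exit status: 0 if nothing changed, 1 if something did.
snapshot_and_run() {
    dir=$1; log=$2; shift 2
    for f in passwd group; do
        [ -f "$dir/$f" ] && cp -p "$dir/$f" "$dir/$f-"
    done
    "$@"
    changed=0
    for f in passwd group; do
        [ -f "$dir/$f-" ] || continue
        if ! cmp -s "$dir/$f-" "$dir/$f"; then
            changed=1
            {
                echo "=== $(date -u '+%Y-%m-%dT%H:%M:%SZ') $f changed by: $*"
                diff -u "$dir/$f-" "$dir/$f"
            } >> "$log"
        fi
    done
    return $changed
}

# restore_snapshot DIR
#   Backs out the last change by copying DIR/passwd- and DIR/group- back over
#   the live files.
restore_snapshot() {
    dir=$1
    for f in passwd group; do
        [ -f "$dir/$f-" ] && cp -p "$dir/$f-" "$dir/$f"
    done
    return 0
}

# Usage on a real system (as root), assuming the log path shown:
#   snapshot_and_run /etc /var/log/passwd-changes.log update-passwd
#   restore_snapshot /etc   # if the logged diff is not what you wanted
```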


