
Bug#988216: unblock: lacme/0.8.0-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package lacme/0.8.0-2:

[ Reason ]

As of lacme 0.8.0-1 dedicated system users _lacme-* are created at
install time and removed on purge.  The latter was done under the
assumption that no file owned by these users is ever created on disk.
While that is true with the default configuration, it's possible to
configure lacme in a way that requires manual creation of a directory
owned by one of these system users.  The user in question (_lacme-client)
should therefore *not* be deleted on purge.  Cf. #988032.

[ Impact ]

In a non-default configuration, a directory owned by _lacme-client might
be left after package removal.  That system user is removed on purge,
which could have security implications should its ID be recycled later.

[ Tests ]

Ensured _lacme-client remained after purging 0.8.0-2.

[ Risks ]

The fix is trivial with modifications in postrm only.  Only _lacme-client
needs to remain after package purge, but for symmetry I decided to keep
_lacme-www as well.

[ Checklist ]

  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock lacme/0.8.0-2

-- 
Guilhem.
diffstat for lacme-0.8.0 lacme-0.8.0

 changelog    |    8 ++++++++
 lacme.postrm |   15 ---------------
 2 files changed, 8 insertions(+), 15 deletions(-)

diff -Nru lacme-0.8.0/debian/changelog lacme-0.8.0/debian/changelog
--- lacme-0.8.0/debian/changelog	2021-02-22 03:31:23.000000000 +0100
+++ lacme-0.8.0/debian/changelog	2021-05-04 01:37:13.000000000 +0200
@@ -1,3 +1,11 @@
+lacme (0.8.0-2) unstable; urgency=medium
+
+  * d/lacme.postrm: Don't delete system users on purge.  There might be files
+    on disk owned by _lacme-client when 'challenge-directory' is set in the
+    configuration (closes: #988032).
+
+ -- Guilhem Moulin <guilhem@debian.org>  Tue, 04 May 2021 01:37:13 +0200
+
 lacme (0.8.0-1) unstable; urgency=low
 
   * New upstream release (closes: #970458, #970800, #972456).
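Review bot: The new 0.8.0-2 entry says "Don't delete system users on purge" in the plural but justifies it only for _lacme-client and 'challenge-directory'. Since the accompanying postrm change stops removing _lacme-www as well, the entry should say so explicitly, and it should mention that d/lacme.postrm is removed outright rather than edited, so that someone reading the changelog alone understands why both accounts now survive a purge.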
diff -Nru lacme-0.8.0/debian/lacme.postrm lacme-0.8.0/debian/lacme.postrm
--- lacme-0.8.0/debian/lacme.postrm	2021-02-22 03:31:23.000000000 +0100
+++ lacme-0.8.0/debian/lacme.postrm	1970-01-01 01:00:00.000000000 +0100
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-set -e
-
-if [ "$1" = "purge" ]; then
-    if getent passwd _lacme-www >/dev/null; then
-        deluser --quiet --system _lacme-www
-    fi
-    if getent passwd _lacme-client >/dev/null; then
-        deluser --quiet --system _lacme-client
-    fi
-fi
-
-#DEBHELPER#
-exit 0
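Review bot: Dropping the whole "purge" branch means nothing ever cleans up _lacme-www and _lacme-client, so both accounts persist indefinitely after the package is purged. That is the safer choice with respect to UID reuse, but it deserves a note in the package documentation (for example README.Debian) telling administrators that the accounts are left behind on purpose and that they should check for files still owned by _lacme-client before removing it by hand. Also, because the file is deleted together with its #DEBHELPER# token, confirm that the built package still gets a debhelper-generated postrm where one is needed.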
