Re: how to forbid debhelper to modify /home ?

To: debian-user@lists.debian.org
Subject: Re: how to forbid debhelper to modify /home ?
From: Roberto C. Sánchez <roberto@debian.org>
Date: Fri, 3 Sep 2021 10:14:56 -0400
Message-id: <[🔎] 20210903141456.GJ19926@connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-user@lists.debian.org
In-reply-to: <[🔎] f7444f39-7e4c-6cd2-871e-9674981c40c5@aixigo.com>
References: <[🔎] e167fdde-55bd-5bfa-8c94-2fea12683671@aixigo.com> <[🔎] 20210903115744.GG19926@connexer.com> <[🔎] f7444f39-7e4c-6cd2-871e-9674981c40c5@aixigo.com>

On Fri, Sep 03, 2021 at 03:41:00PM +0200, Harald Dunkel wrote:
> On 9/3/21 13:57, Roberto C. Sánchez wrote:
> > That sounds like potentially buggy behavior.  Can you give a specific
> > example?
> > 
> 
> 	ntp (Debian)
> 	sane (Debian)
> 	gitlab-runner (not Debian)
> 	zabbix-agent (not Debian)
> 
> Apparently the postinst scripts of ntp and sane have been fixed.
> I don't want to blame anybody, anyway.
> 

No worries.  It's not a question of blame.  Rather, maintainers
sometimes overlook what to them are trivial things but which impact
different use cases which they might not have considered.

As far as ntp, as Greg pointed out, it did at one time not specify a
directory in the postinst script's adduser command, which would have
resulted in the directory /home/ntp being specified.  However, as far
back as I was able to conveniently look, the --no-create-home option was
passed to adduser.  Based on that, it seems very unlikely that the
postinst script would ever create that directory.  Of course, in more
recent versions, the home directory is explicitly listed as
/nonexistent.  I can't find a good explanation for how you might have
ended up with /home/ntp being present on your system.

On the other hand, sane has logic from around version 1.0.24-6 (December
2014) that changes the saned user home directory from /home/saned to
/var/lib/saned.  It would seem, however, that if /home/saned was
present, that it does not actually get relocated, so that directory
might remain on a system that had saned installed long enough ago to
have been using the former home directory location.

As far as the others, I don't know about their scripts.

As to your initial question, is it possible to somehow prevent or
redirect dpkg from making modifications under /home?  The answer is,
probably not easily.

The maintainer scripts executed by dpkg are mostly shell scripts (though
I think some packages use Perl scripts).  They can execute arbitrary
commands and are run as root.  The ability to prevent modifications to
/home depends on the functioning of the commands invoked from the
maintainer scripts, which as you've noted, can include adduser, deluser,
rm, cp, mv, and any of a number of other commands along with
dpkg-specific helper commands.

If you have /home in a good state, and you want to at least be made
aware of future directory creation operations, I recommend a tool like
incron.  You can set it to specifically look for new directory creations
under /home, which you could either have logged or execute an arbitrary
command in response.  You can certainly get much fancier with it, but I
have found it to be rather of annoyance if I make it too sensitive or
have it monitoring too many things, just because of the noise in the
logs.

Regards,

-Roberto
-- 
Roberto C. Sánchez

Reply to:

References:
- how to forbid debhelper to modify /home ?
  - From: Harald Dunkel <harald.dunkel@aixigo.com>
- Re: how to forbid debhelper to modify /home ?
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: how to forbid debhelper to modify /home ?
  - From: Harald Dunkel <harald.dunkel@aixigo.com>

Prev by Date: How to update Debian 11 source.list to testing?
Next by Date: Re: How to update Debian 11 source.list to testing?
Previous by thread: Re: how to forbid debhelper to modify /home ?
Next by thread: gcc-10: options order important?
Index(es):
- Date
- Thread