On Sat, Apr 09, 2011 at 10:14:54AM +0100, Roger Leigh wrote: > On Sat, Apr 09, 2011 at 09:44:28AM +0100, Lars Wirzenius wrote: > > Thus, I propose to change 9.2.2 "UID and GID classes", the paragraph on > > uids in the range 100-999, to add the following sentence to the end of > > the paragraph:
> > Packages must not remove system users and groups they have > > created. > This does sound like a sensible addition. Will the packages be > responsible for locking the accounts? I agree that the accounts should not be deleted, but that the packages should still be responsible for certain forms of cleanup: - removing the user home directory (on purge?) - locking the account - (optional) scanning the filesystem to clean up any other files owned by the user This is the good kind of cleanup to do. Deleting the account entirely is the bad kind of cleanup, because you can never guarantee that you've gotten *all* the files belonging to that user/group, thanks to removable media; so if the UID is reused, some other account gets access to files it wasn't meant to. > I've always found the addition and removal of user accounts in > maintainer scripts difficult, due to the huge difference in > practice between packages, and the lack of detailed guidance on > best practice. Would it be worth adding explicit examples of > how to add system users and groups in Policy. Also, would it > be worth adding support to debhelper or dpkg-maintscript-helper > to do the user addition--it would unify the process so that > packages won't have to reinvent the wheel, and make things > much more simple and reliable. I don't think dpkg-maintscript-helper is the right layer of abstraction for something like this; we already have an imperative interface for account creation/deletion, which is adduser/deluser, and if that interface isn't sufficiently straightforward we should remedy that directly. I'm not sure if debhelper can help here. I guess we would need a new config file (debian/users?), but I'm not sure it could be done with a very debhelper-like syntax. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slanga...@ubuntu.com vor...@debian.org
signature.asc
Description: Digital signature
