On Tue, 31 Jul 2018 at 17:53:50 +0200, Andreas Henriksson wrote:
> previously created users should *not* (ever) be removed

There has been a suggestion in the past that these users should be locked
on package removal and unlocked on reinstallation, as implemented in (for
example) openarena-server. It is not entirely clear to me what technical
benefit this has, given that these users normally have a disabled password
anyway.

> Packages commonly check if user/group already exists before calling
> adduser to create them.

I have seen it suggested elsewhere that this is a bug or misunderstanding,
because adduser --system is already meant to exit successfully if the
requested user or group already exists in the system range. Calling adduser
conditionally prevents adduser from detecting whether the user or group
exists but is outside the system range.

> Writing manual maintainer script code should always be avoided, because
> it's a common source of bugs.

Some alternatives to open-coding this:

systemd-sysusers(8) creates system users from declarative text files,
either at package installation or during early boot (part of a wider goal
for it to be feasible to boot a stateless or generic system after emptying
/etc and /var), in a way that is feasible to reimplement outside systemd if
people want to (but has not been reimplemented, as far as I'm aware).

dh-sysuser encapsulates maintainer script code into a single command,
although imperative rather than declarative. It uses useradd directly, so
it might be NIHing adduser(8).

> An example of a mechanism that
> allows not creating static system users/groups is unit file option
> DynamicUser=yes from systemd (and likely many others that I'm not aware
> of).
>
> For further information see:
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#DynamicUser=
> http://0pointer.net/blog/dynamic-users-with-systemd.html

But note that:

- this doesn't work if some other daemon needs to know about your system
  user ahead of time: in particular, dbus-daemon system.d snippets cannot
  currently refer to dynamic users

- this is systemd-specific (suitable for systemd-systems-only software like
  systemd-cron, but not suitable for general daemons, unless Debian drops
  support for non-systemd init systems and non-Linux kernels)

Regards,
    smcv
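As an added illustration of the point about conditional adduser calls (example code, not from the thread above or from any Debian package): the helper below classifies an existing account against the system UID range, which is exactly the information a `getent`-guarded `adduser` call discards, and `ensure_system_user` shows the unconditional `adduser --system` call the message recommends instead. The account name `exampled` and the range bounds (taken from the Debian adduser.conf defaults of 100 and 999, overridable through the environment) are assumptions; the passwd lines fed to it in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original message or of any package.
# Classifies an account against Debian's system-UID range and shows the
# unconditional adduser call. Account names here are hypothetical.

# Defaults as in Debian's /etc/adduser.conf; override via the environment.
FIRST_SYSTEM_UID="${FIRST_SYSTEM_UID:-100}"
LAST_SYSTEM_UID="${LAST_SYSTEM_UID:-999}"

# classify_passwd_entry LINE
#   LINE is a passwd(5) record "name:x:uid:gid:gecos:home:shell".
#   Prints "system" if the uid lies in [FIRST_SYSTEM_UID, LAST_SYSTEM_UID],
#   "outside-range" otherwise; returns 1 if the line has no numeric uid.
classify_passwd_entry() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$uid" -ge "$FIRST_SYSTEM_UID" ] && [ "$uid" -le "$LAST_SYSTEM_UID" ]; then
        echo system
    else
        echo outside-range
    fi
}

# sysuser_status NAME
#   Looks NAME up with getent(1) and prints "missing", "system" or
#   "outside-range". A guard of the form
#       if ! getent passwd NAME >/dev/null; then adduser ...; fi
#   only distinguishes "missing" from "present", so a NAME that already
#   exists as an ordinary user (e.g. uid 1000) silently passes the guard.
sysuser_status() {
    entry=$(getent passwd "$1" 2>/dev/null) || { echo missing; return 0; }
    classify_passwd_entry "$entry"
}

# ensure_system_user NAME
#   The pattern the message recommends for postinst: call adduser --system
#   unconditionally. Per the message, adduser exits successfully when the
#   user already exists in the system range, and otherwise gets the chance
#   to report a NAME that exists outside that range. Needs root to do
#   anything, so it is only meant to be run from a maintainer script.
ensure_system_user() {
    adduser --system --group --quiet --no-create-home \
        --home "/var/lib/$1" "$1"
}

# Constructed passwd lines for a quick manual check:
#   classify_passwd_entry 'exampled:x:105:105::/var/lib/exampled:/usr/sbin/nologin'
#   classify_passwd_entry 'alice:x:1000:1000::/home/alice:/bin/sh'
```

The declarative equivalent, for the systemd-sysusers route mentioned in the message, is a single line such as `u exampled - "Example daemon" /var/lib/exampled` in a sysusers.d(5) file; the `DynamicUser=yes` route is a `[Service]` setting in the unit and, as the message notes, leaves nothing for `getent` or a dbus-daemon system.d policy to refer to ahead of time.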