On 03/02/15 06:05 PM, Allan McRae wrote:
> On 03/02/15 22:01, Jerome Leclanche wrote:
>> 2015-02-03 12:46 GMT+01:00 Allan McRae <allan@archlinux.org>:
>>> 1) We should not remove users/groups when packages are uninstalled. This is a potential security issue if any files are left owned by the non-existent user/group.
>>
>> When should the cleanup be done? Installing and immediately uninstalling a package should really not do permanent changes to the system; iow, ideally, users shouldn't have to do regular cleanups on their system like that.
>
> Never - what does one extra line in a file matter?
There are a few cases where the user/group isn't actually used for any files, like these ones:

https://projects.archlinux.org/svntogit/community.git/tree/trunk/grsec-commo...

I wouldn't mind leaving them around, but deleting them isn't really problematic.

It's definitely a security issue when it comes to the dynamically assigned range (500..999) since files may be left behind and the user/group could be reused. It doesn't seem like it could be an issue with the reserved static ids though.
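An added example, not part of the original message: a Python audit that lists files whose owning uid or gid has no passwd/group entry and marks the ids that fall in the dynamically assigned range (500..999) mentioned above, since those are the ones a later account could inherit. The function names and the constructed temporary tree in `demo()` are assumptions made for illustration.

```python
import grp
import os
import pwd
import tempfile

DYNAMIC_IDS = range(500, 1000)  # dynamically assigned range named in the thread (500..999)

def classify(owner_id):
    """Reuse risk of an id that no longer has a passwd/group entry."""
    return "dynamic-reusable" if owner_id in DYNAMIC_IDS else "outside-dynamic-range"

def find_orphans(root, known_uids=None, known_gids=None):
    """Return sorted (path, kind, id, risk) for entries whose uid or gid is unknown."""
    if known_uids is None:
        known_uids = {p.pw_uid for p in pwd.getpwall()}
    if known_gids is None:
        known_gids = {g.gr_gid for g in grp.getgrall()}
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report a symlink itself, never follow it
            except OSError:
                continue  # entry vanished or is unreadable
            if st.st_uid not in known_uids:
                hits.append((path, "uid", st.st_uid, classify(st.st_uid)))
            if st.st_gid not in known_gids:
                hits.append((path, "gid", st.st_gid, classify(st.st_gid)))
    return sorted(hits)

def demo():
    """Constructed sample: a temp tree checked against an empty account database,
    which stands in for the state after a package's user has been deleted."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "var"))
        open(os.path.join(root, "var", "leftover.db"), "w").close()
        hits = find_orphans(root, known_uids=set(), known_gids=set())
        return [os.path.relpath(p, root) for p, kind, _, _ in hits if kind == "uid"]

if __name__ == "__main__":
    for path, kind, owner_id, risk in find_orphans("/var"):
        print(f"{risk:22} {kind}={owner_id:<6} {path}")
```
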