On Thu, 2009-05-28 at 18:47 +0200, ludovic coues wrote:
That
2009/5/28, Jan Spakula <jan.spakula@gmx.com>:
Excerpts from ludovic coues's message of Do Mai 28 17:09:52 +0200 2009:
A solution in pacman, getting rid of user adding in .install script, can allow security like asking user to confirm creation of group and user.
This would be a secure way of doing thing, and users/admin would be aware of new user/group.
I don't get how is adding/removing users/groups from pacman directly safer then doing the same from the install script.
How about just *informing* the user what's happening in the install script? Then there would be no 'unexpected behavior'.
That's what I want to when I suggest to confirm the creation. And pacman can have some internal security that can be by-pass if some PKGBUILD field are used. For example, pacman could have a database with which app have add which user, and will not remove a user which is needed by an app when another app want remove it on uninstall.
Packages shouldn't share user accounts usually, and in case they do, they should be in the filesystem package. As for (re)starting daemons: don't. It's up to the user to do that. Usually these things need configuration, it's a no-go to add them to rc.conf by default.