[arch-dev-public] user/group management in packages

Allan McRae allan at archlinux.org
Tue Feb 3 11:46:42 UTC 2015


Hi all,

While looking into how best to handle those directory permission warnings
with pacman-4.2, I have noticed a couple of things about user/group
management in our packages.

1) We should not remove users/groups when packages are uninstalled. This
is a potential security issue if any files are left owned by the
non-existent user/group.

2) Most packages that chown files in the install file could do it using
the user/group number in the PKGBUILD.  This works on any package with a
reserved user/group ID.  The advantage of doing this is that pacman can
track the permissions.  (A solution is being worked on for dynamically
created user/groups whose id number can vary.)

Should I create a rebuild list?

Cheers,
Allan
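
The risk in point 1 can be checked on an installed system. The following is an added example, not part of the original message or of pacman: it lists files whose numeric owner or group no longer maps to an account, which a later account allocated the same ID would inherit. The function names and the /etc, /var, /srv scan roots are assumptions chosen for illustration.

```python
import grp
import os
import pwd


def known_ids():
    """Return (uids, gids) defined in the passwd and group databases.

    Assumption: all accounts are enumerable through NSS; directory
    services that disable enumeration would show up as false positives.
    """
    uids = {p.pw_uid for p in pwd.getpwall()}
    gids = {g.gr_gid for g in grp.getgrall()}
    return uids, gids


def find_orphans(root, uids, gids):
    """Return [(path, uid, gid, missing)] for entries under root whose
    numeric owner and/or group is absent from uids / gids."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    orphans = []
    for path in paths:
        try:
            st = os.lstat(path)  # lstat: inspect a symlink itself, not its target
        except OSError:
            continue  # entry vanished or is unreadable; skip it
        missing = []
        if st.st_uid not in uids:
            missing.append("user")
        if st.st_gid not in gids:
            missing.append("group")
        if missing:
            orphans.append((path, st.st_uid, st.st_gid, missing))
    return orphans


if __name__ == "__main__":
    uids, gids = known_ids()
    # Hypothetical scan roots: typical locations for package-owned state.
    for root in ("/etc", "/var", "/srv"):
        for path, uid, gid, missing in find_orphans(root, uids, gids):
            print(f"{path}: uid={uid} gid={gid} missing={'/'.join(missing)}")
```

Run it as root so unreadable directories are not skipped silently.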

