[arch-dev-public] user/group management in packages
Evangelos Foutras
evangelos at foutrelis.com
Tue Feb 3 12:27:14 UTC 2015
On 03/02/15 13:46, Allan McRae wrote:
> Hi all,
>
> While looking into how best to handle those directory permission warnings
> with pacman-4.2, I have noticed a couple of things about user/group
> management in our packages.
>
> 1) We should not remove users/groups when packages are uninstalled. This
> is a potential security issue if any files are left owned by the
> non-existent user/group.
>
> 2) Most packages that chown files in the install file could do it using
> the user/group number in the PKGBUILD. This works on any package with a
> reserved user/group ID. The advantage of doing this is that pacman can
> track the permissions. (A solution is being worked on for dynamically
> created user/groups whose id number can vary.)
>
> Should I create a rebuild list?

I'd say yes and I agree on both points.

This is also a perfect opportunity to mention systemd-sysusers(8) which,
along with sysusers.d(5) entries, can greatly simplify the creation of
system users.

For an example, check out the openldap package:

https://projects.archlinux.org/svntogit/packages.git/tree/trunk/slapd.sysusers?h=packages/openldap
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/openldap.install?h=packages/openldap
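
Added example, not part of the original message or of any Arch package: a check for point 1 in the quoted mail, listing files whose owning UID/GID no longer resolves to an account, which is the state a package leaves behind if it deletes its user on uninstall. The function names and the temporary-directory scenario are constructed for illustration.

```python
import os
import pwd
import grp
import tempfile


def system_ids():
    """UIDs/GIDs the local account databases can enumerate (may miss LDAP/SSSD accounts)."""
    return ({p.pw_uid for p in pwd.getpwall()},
            {g.gr_gid for g in grp.getgrall()})


def find_orphans(root, uids, gids):
    """Return sorted (path, uid, gid, missing) for entries whose owner no longer resolves."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    orphans = []
    for path in paths:
        st = os.lstat(path)  # lstat: report a symlink itself, never its target
        missing = [kind for kind, owner, known in
                   (("uid", st.st_uid, uids), ("gid", st.st_gid, gids))
                   if owner not in known]
        if missing:
            orphans.append((path, st.st_uid, st.st_gid, "+".join(missing)))
    return sorted(orphans)


def simulate_user_removal():
    """Constructed scenario: a package's data dir before and after its user is deleted."""
    with tempfile.TemporaryDirectory() as data_dir:
        open(os.path.join(data_dir, "db.dat"), "w").close()
        st = os.lstat(data_dir)
        uids, gids = system_ids()
        uids.add(st.st_uid); gids.add(st.st_gid)
        before = find_orphans(data_dir, uids, gids)
        # Stand-in for a post_remove() hook that deletes the package's user.
        after = find_orphans(data_dir, uids - {st.st_uid}, gids)
    return before, after


if __name__ == "__main__":
    before, after = simulate_user_removal()
    print("orphans before removal:", before)
    for path, uid, gid, missing in after:
        print(f"orphaned ({missing}): {path} uid={uid} gid={gid}")
```

To audit a real tree, call `find_orphans("/var", *system_ids())`; any path it reports would become owned by whichever account is next assigned that numeric ID.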