[arch-dev-public] user/group management in packages

Andrew Gregory andrew.gregory.8 at gmail.com
Tue Feb 3 15:58:58 UTC 2015


On 02/03/15 at 02:27pm, Evangelos Foutras wrote:
> On 03/02/15 13:46, Allan McRae wrote:
> > Hi all,
> > 
> > While looking into how best handle those directory permission warnings
> > with pacman-4.2, I have noticed a couple of things about user/group
> > management in our packages.
> > 
> > 1) We should not remove users/groups when packages are uninstalled. This
> > is a potential security issue if any files are left owned by the
> > non-existent user/group.
> > 
> > 2) Most packages that chown files in the install file could do it use
> > the user/group number in the PKGBUILD.  This works on any package with a
> > reserved user/group ID.  The advantage of doing this is that pacman can
> > track the permissions.  (A solution is being worked on for dynamically
> > created user/groups whose id number can vary.)
> > 
> > Should I create a rebuild list?
> 
> I'd say yes and I agree on both points.
> 
> This is also a perfect opportunity to mention systemd-sysusers(8) which,
> along with sysusers.d(5) entries, can greatly simplify the creation of
> system users.
> 
> For an example, check out the openldap package:
> 
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/slapd.sysusers?h=packages/openldap
> 
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/openldap.install?h=packages/openldap

-1 for systemd-sysusers unless you can figure out a way to use it in
pre_install.  In order for the dynamic user creation Allan mentioned
to work, pacman will have to be changed to use symbolic user names for
file ownership which requires the user to exist *before* the package
is extracted.

apg


More information about the arch-dev-public mailing list