[arch-dev-public] user/group management in packages
danielmicay at gmail.com
Wed Feb 4 03:10:26 UTC 2015
On 03/02/15 06:05 PM, Allan McRae wrote:
> On 03/02/15 22:01, Jerome Leclanche wrote:
>> 2015-02-03 12:46 GMT+01:00 Allan McRae <allan at archlinux.org>:
>>> 1) We should not remove users/groups when packages are uninstalled. This
>>> is a potential security issue if any files are left owned by the
>>> non-existent user/group.
>> When should the cleanup be done? Installing and immediately
>> uninstalling a package should really not do permanent changes to the
>> system; iow, ideally, users shouldn't have to do regular cleanups on
>> their system like that.
> Never - what does one extra line in a file matter?
There are a few cases where the user/group isn't actually used for any
files, like these ones:
I wouldn't mind leaving them around, but deleting them isn't really
It's definitely a security issue when it comes to the dynamically
assigned range (500..999) since files may be left behind and the
user/group could be reused. It doesn't seem like it could be an issue
with the reserved static ids though.
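
A way to audit for the situation described above, as an added example that is not part of the original message: the Python sketch below walks a tree and reports files whose owning uid or gid has no account, flagging ids in the 500..999 range as candidates for reuse. The function names, the injectable `known_uids`/`known_gids` parameters and the `/var` starting point are assumptions made for the example.

```python
import grp
import os
import pwd

# Dynamically assigned id range quoted in the message (500..999).
DYNAMIC_IDS = range(500, 1000)


def classify(uid, gid, known_uids, known_gids):
    """Return None if both owners exist, else a finding dict (hypothetical helper)."""
    no_user = uid not in known_uids
    no_group = gid not in known_gids
    if not (no_user or no_group):
        return None
    # An orphaned id in the dynamic range can be handed to the next account
    # that is created, which would then silently own the leftover file.
    reusable = (no_user and uid in DYNAMIC_IDS) or (no_group and gid in DYNAMIC_IDS)
    return {"uid": uid, "gid": gid, "no_user": no_user,
            "no_group": no_group, "reusable": reusable}


def orphaned_files(root, known_uids=None, known_gids=None):
    """Walk root and list entries owned by a uid/gid with no account."""
    # Default to the local account databases; getpwall()/getgrall() may omit
    # accounts from directory services that disable enumeration.
    if known_uids is None:
        known_uids = {p.pw_uid for p in pwd.getpwall()}
    if known_gids is None:
        known_gids = {g.gr_gid for g in grp.getgrall()}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the symlink itself, not its target
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            finding = classify(st.st_uid, st.st_gid, known_uids, known_gids)
            if finding:
                findings.append({"path": path, **finding})
    return findings


if __name__ == "__main__":
    for f in orphaned_files("/var"):
        tag = "REUSABLE-ID" if f["reusable"] else "orphaned"
        print(f"{tag}\t{f['uid']}:{f['gid']}\t{f['path']}")
```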