[arch-dev-public] user/group management in packages

Daniel Micay danielmicay at gmail.com
Wed Feb 4 03:10:26 UTC 2015


On 03/02/15 06:05 PM, Allan McRae wrote:
> On 03/02/15 22:01, Jerome Leclanche wrote:
>> 2015-02-03 12:46 GMT+01:00 Allan McRae <allan at archlinux.org>:
>>>
>>> 1) We should not remove users/groups when packages are uninstalled. This
>>> is a potential security issue if any files are left owned by the
>>> non-existent user/group.
>>
>> When should the cleanup be done? Installing and immediately
>> uninstalling a package should really not do permanent changes to the
>> system; iow, ideally, users shouldn't have to do regular cleanups on
>> their system like that.
>>
> 
> Never - what does on extra line in a file matter?

There are a few cases where the user/group isn't actually used for any
files, like these ones:

https://projects.archlinux.org/svntogit/community.git/tree/trunk/grsec-common.install?h=packages/grsec-common

I wouldn't mind leaving them around, but deleting them isn't really
problematic.

It's definitely a security issue when it comes to the dynamically
assigned range (500..999) since files may be left behind and the
user/group could be reused. It doesn't seem like it could be an issue
with the reserved static ids though.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20150203/8be6f75e/attachment.asc>


More information about the arch-dev-public mailing list