[arch-dev-public] user/group management in packages

Gaetan Bisson bisson at archlinux.org
Wed Feb 4 06:11:56 UTC 2015


[2015-02-03 22:10:26 -0500] Daniel Micay:
> It's definitely a security issue when it comes to the dynamically
> assigned range (500..999) since files may be left behind and the
> user/group could be reused. It doesn't seem like it could be an issue
> with the reserved static ids though.

I concur.

Besides, if we're not going to remove users/groups in post_remove, we
might as well ship a default /etc/passwd in the filesystem package with
every single user/group in it.

There's also the issue of packages like postfix that use an upstream
script to set permissions right after the package is installed.

Well... I'll wait to see all this issues addressed before looking at the
new todo list.

Cheers.

-- 
Gaetan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20150203/058f207a/attachment.asc>


More information about the arch-dev-public mailing list