[arch-dev-public] user/group management in packages

Rashif Ray Rahman schiv at archlinux.org
Thu Feb 5 13:05:38 UTC 2015


On 4 February 2015 at 12:11, Gaetan Bisson <bisson at archlinux.org> wrote:
> [2015-02-03 22:10:26 -0500] Daniel Micay:
>> It's definitely a security issue when it comes to the dynamically
>> assigned range (500..999) since files may be left behind and the
>> user/group could be reused. It doesn't seem like it could be an issue
>> with the reserved static ids though.
>
> I concur.
>
> Besides, if we're not going to remove users/groups in post_remove, we
> might as well ship a default /etc/passwd in the filesystem package with
> every single user/group in it.

Agreed -- I'd like for static id groups to be removed with the
corresponding package. However, that would leave users dangling if
they use the group actively for anything beyond the package's domain.
One argument there is that they should know the consequences of
removing the package associated with the group, but that's not a very
strong argument. Either way works for me personally, so +0.


--
GPG/PGP ID: C0711BF1
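
The leftover-file concern raised in the thread can be checked before an id in the dynamic range is handed out again. This is an added example, not part of the original message or of any Arch tooling; the sample paths and ids are constructed, and the function names are hypothetical.

```python
import os
import pwd
import grp

# Dynamically assigned id range as given in the thread (500..999).
DYNAMIC_IDS = range(500, 1000)

def scan(root):
    """Yield (path, uid, gid) for every entry under root, not following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            yield path, st.st_uid, st.st_gid

def system_ids():
    """Return (uids, gids) currently present in the account databases."""
    return ({p.pw_uid for p in pwd.getpwall()},
            {g.gr_gid for g in grp.getgrall()})

def orphaned(entries, known_uids, known_gids, ids=DYNAMIC_IDS):
    """Return [(path, [reasons])] for entries owned by an id in `ids` with no account."""
    hits = []
    for path, uid, gid in entries:
        reasons = []
        if uid in ids and uid not in known_uids:
            reasons.append(f"uid {uid}")
        if gid in ids and gid not in known_gids:
            reasons.append(f"gid {gid}")
        if reasons:
            hits.append((path, reasons))
    return hits

# Constructed sample: paths and ids are made up for illustration.
SAMPLE = [
    ("/var/lib/exampled/state.db", 612, 612),  # account removed, files left behind
    ("/var/log/exampled.log", 0, 612),         # only the group is gone
    ("/srv/http/index.html", 33, 33),          # static id, outside the range
    ("/var/lib/other/cache", 701, 701),        # account still exists
]

if __name__ == "__main__":
    uids, gids = system_ids()
    for path, why in orphaned(scan("/var"), uids, gids):
        print(path, ", ".join(why))
```

Any path it reports would silently become the property of the next user or group assigned that id, so it should be re-owned or removed first.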

