[arch-dev-public] user/group management in packages

Allan McRae allan at archlinux.org
Thu Feb 5 13:30:04 UTC 2015


On 05/02/15 23:05, Rashif Ray Rahman wrote:
> On 4 February 2015 at 12:11, Gaetan Bisson <bisson at archlinux.org> wrote:
>> [2015-02-03 22:10:26 -0500] Daniel Micay:
>>> It's definitely a security issue when it comes to the dynamically
>>> assigned range (500..999) since files may be left behind and the
>>> user/group could be reused. It doesn't seem like it could be an issue
>>> with the reserved static ids though.
>>
>> I concur.
>>
>> Besides, if we're not going to remove users/groups in post_remove, we
>> might as well ship a default /etc/passwd in the filesystem package with
>> every single user/group in it.
> 
> Agreed -- I'd like for static id groups to be removed with the
> corresponding package. However, that would leave users dangling if
> they use the group actively for anything beyond the package's domain.
> One argument there is that they should know the consequences of
> removing the package associated with the group, but that's not a very
> strong argument. Either way works for me personally, so +0.
> 

There is no good argument for removing any user/group IDs.  Potentially
leaving files that are owned by a non-existent user/group is still an
issue, even if these are static IDs that can "never" be used by anything
else.

A
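The reuse hazard the thread describes, as an added example that is not part of the mailing-list discussion or of any Arch tooling: a user in the dynamically assigned range is removed in post_remove, files it owned stay behind, and the next system user allocated gets the same id and therefore those files. The passwd table, the file list and the allocation policy (lowest free id in the range) are constructed assumptions for the demonstration, not a description of how useradd or pacman behave; `scan_tree` is the real check a practitioner runs against a live system.

```python
"""Orphaned-file check and uid-reuse demonstration.

Added example, not code from the arch-dev-public thread.  The PASSWD table,
FILES list and the "lowest free id" allocation rule are constructed
assumptions for the demo; only uids are modelled, gids behave the same way.
"""
import os
import pwd
import grp
import sys

SYS_ID_MIN, SYS_ID_MAX = 500, 999   # dynamic range as quoted in the thread

# Constructed sample data (assumption): a passwd table and a few files with
# their owning uid/gid, as a packaged service might leave them on disk.
PASSWD = {"root": 0, "http": 33, "svc-a": 500, "svc-b": 501, "svc-c": 502}
FILES = [
    ("/var/lib/svc-b/state.db", 501, 501),
    ("/etc/svc-b.conf", 0, 0),
    ("/var/log/svc-b.log", 501, 0),
]


def find_orphans(files, uids, gids):
    """Return (path, uid, gid) entries whose owner or group is unknown.

    files: iterable of (path, uid, gid); uids/gids: sets of ids that still
    exist in passwd/group.
    """
    return [(p, u, g) for p, u, g in files if u not in uids or g not in gids]


def next_free_id(used, lo=SYS_ID_MIN, hi=SYS_ID_MAX):
    """Lowest unused id in [lo, hi]; the assumed allocation policy."""
    for cand in range(lo, hi + 1):
        if cand not in used:
            return cand
    raise RuntimeError("dynamic id range exhausted")


def simulate_reuse(passwd, files, removed_user, new_user):
    """Remove removed_user, allocate new_user, report files the newcomer
    now owns without anyone having chowned them.

    Returns (uid that was freed, uid the new user got, inherited paths).
    """
    table = dict(passwd)            # name -> uid, copied so the input is untouched
    freed_uid = table.pop(removed_user)
    live = set(table.values())
    orphans = find_orphans(files, live, live)
    new_uid = next_free_id(live)
    table[new_user] = new_uid
    inherited = [p for p, u, _ in orphans if u == new_uid]
    return freed_uid, new_uid, inherited


def scan_tree(root):
    """Walk a real directory and list files whose uid or gid no longer
    resolves; the same check `find ROOT -nouser -o -nogroup` performs."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                pwd.getpwuid(st.st_uid)
                grp.getgrgid(st.st_gid)
            except OSError:
                continue               # unreadable or vanished entry
            except KeyError:
                found.append((path, st.st_uid, st.st_gid))
    return found


if __name__ == "__main__":
    freed, got, paths = simulate_reuse(PASSWD, FILES, "svc-b", "svc-d")
    print(f"removed uid {freed}; new user got uid {got}; inherits {paths}")
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, uid, gid in scan_tree(root):
        print(f"orphan: {path} uid={uid} gid={gid}")
```

With the constructed data, removing svc-b frees 501, the next allocation hands 501 to svc-d, and svc-d silently owns svc-b's state database and log. The same scan on a live box is `find / -xdev \( -nouser -o -nogroup \)`; it is the check worth running after any package removal that drops an account, whichever side of the static-versus-dynamic argument one takes.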

