[arch-general] Fix or not fix? install scriptlets with user handling.

ludovic coues couesl at gmail.com
Thu May 28 12:47:23 EDT 2009


That

2009/5/28, Jan Spakula <jan.spakula at gmx.com>:
> Excerpts from ludovic coues's message of Do Mai 28 17:09:52 +0200 2009:
>> A solution in pacman, getting rid of user adding in .install script,
>> can allow security like asking user to confirm creation of group and
>> user.
>>
>> This would be a secure way of doing thing, and users/admin would be
>> aware of new user/group.
>
> I don't get how is adding/removing users/groups from pacman directly safer
> then
> doing the same from the install script.
>
> How about just *informing* the user what's happening in the install script?
> Then there would be no 'unexpected behavior'.
>

That's what I want to when I suggest to confirm the creation.
And pacman can have some internal security that can be by-pass if some
PKGBUILD field are used.
For example, pacman could have a database with which app have add
which user, and will not remove a user which is needed by an app when
another app want remove it on uninstall.


More information about the arch-general mailing list