[arch-general] Fix or not fix? install scriptlets with user handling.
Jan de Groot
jan at jgc.homeip.net
Thu May 28 12:53:19 EDT 2009
On Thu, 2009-05-28 at 18:47 +0200, ludovic coues wrote:
> 2009/5/28, Jan Spakula <jan.spakula at gmx.com>:
> > Excerpts from ludovic coues's message of Do Mai 28 17:09:52 +0200 2009:
> >> A solution in pacman, getting rid of user adding in .install script,
> >> can allow security like asking user to confirm creation of group and
> >> user.
> >> This would be a secure way of doing thing, and users/admin would be
> >> aware of new user/group.
> > I don't get how is adding/removing users/groups from pacman directly safer
> > then
> > doing the same from the install script.
> > How about just *informing* the user what's happening in the install script?
> > Then there would be no 'unexpected behavior'.
> That's what I want to when I suggest to confirm the creation.
> And pacman can have some internal security that can be by-pass if some
> PKGBUILD field are used.
> For example, pacman could have a database with which app have add
> which user, and will not remove a user which is needed by an app when
> another app want remove it on uninstall.
Packages shouldn't share user accounts usually, and in case they do,
they should be in the filesystem package.
As for (re)starting daemons: don't. It's up to the user to do that.
Usually these things need configuration, it's a no-go to add them to
rc.conf by default.
More information about the arch-general