[arch-general] Fix or not fix? install scriptlets with user handling.
couesl at gmail.com
Thu May 28 13:01:28 EDT 2009
I'm agree with that. Bug report should be filed for operation on
daemon in .install script.
2009/5/28, Jan de Groot <jan at jgc.homeip.net>:
> On Thu, 2009-05-28 at 18:47 +0200, ludovic coues wrote:
>> 2009/5/28, Jan Spakula <jan.spakula at gmx.com>:
>> > Excerpts from ludovic coues's message of Do Mai 28 17:09:52 +0200 2009:
>> >> A solution in pacman, getting rid of user adding in .install script,
>> >> can allow security like asking user to confirm creation of group and
>> >> user.
>> >> This would be a secure way of doing thing, and users/admin would be
>> >> aware of new user/group.
>> > I don't get how is adding/removing users/groups from pacman directly
>> > safer
>> > then
>> > doing the same from the install script.
>> > How about just *informing* the user what's happening in the install
>> > script?
>> > Then there would be no 'unexpected behavior'.
>> That's what I want to when I suggest to confirm the creation.
>> And pacman can have some internal security that can be by-pass if some
>> PKGBUILD field are used.
>> For example, pacman could have a database with which app have add
>> which user, and will not remove a user which is needed by an app when
>> another app want remove it on uninstall.
> Packages shouldn't share user accounts usually, and in case they do,
> they should be in the filesystem package.
> As for (re)starting daemons: don't. It's up to the user to do that.
> Usually these things need configuration, it's a no-go to add them to
> rc.conf by default.
More information about the arch-general