Hi, This is my attempt to unlock the progress on this issue.
I'm going to attempt to first collect what I've picked up both from the previously mentioned mailinglist thread (and other similar ones) and what I've seen when reviewing maintainerscripts of packages in the archive. Hopefully others can speak up if they disagree or think I've missed a common convention. Later we can attempt to formulate a specific wording for policy. ## common conventions users/groups should have an "invalid" prefix to avoid clashes with local users - sometimes inconvenient to change username and lots of packages doesn't do this so should only be recommended when possible, not mandatory. - Debian- (common, see eg. exim4), D (very rarely used?), and _ (also used) are suggested prefix. previously created users should *not* (ever) be removed - it's much less rare these days but still some packages removes users/groups they created once the package is purged. - the problem with removing users/groups (reusing uid/gid) is that files on filesystem can be owned by them which could lead to possible security issue. packages generally relies on adduser to do the work, which is basically a wrapper to implement common debian conventions around useradd, but it might not be policys place to explicitly require using a specific tool like adduser. Packages commonly check if user/group already exists before calling adduser to create them. Reason being quiet switch to adduser makes it 'too quiet'. Might be better if adduser just gets fixed with eg. implementing a '--exists-ok' argument, than documenting the current convention in policy so should leave some room open for this. Possibly policy should document some of the things adduser does, just in case someone attempts to /not/ use adduser (why?). Writing manual mantainerscript code should always be avoided, because it's a common source of bugs. There are also other issues like sharing the same namespace and now being able to remove them. Thus adding users and group should be avoided. Sometimes there are mechanisms that allow that which can be used in more cases than is currently well known, so it might be good if debian policy explicitly states that people should avoid adding users/groups when possible. An example of a mechanism that allows not creating static system users/groups is unit file option DynamicUser=yes from systemd (and likely many others that I'm not aware of). For further information see: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#DynamicUser= http://0pointer.net/blog/dynamic-users-with-systemd.html ## example postinst snippet ### Note that packages also needs to depend on adduser! NEWUSER="_foo" NEWGROUP="_bar" if ! getent group "$NEWGROUP" >/dev/null; then addgroup --force-badname \ --system "$NEWGROUP" fi if ! getent passwd "$NEWUSER" >/dev/null; then adduser --force-badname \ --system --ingroup "$NEWGROUP" \ --home /nonexistent --no-create-home \ "$NEWUSER" fi ### if username == groupname it can be simplified NEWUSERGROUP="_foobar" if ! getent passwd "$NEWUSERGROUP" && ! getent group "$NEWUSERGROUP" >/dev/null>/dev/null; then adduser --force-badname \ --system --group \ --home /nonexistent --no-create-home \ "$NEWUSERGROUP" fi -- Regards, Andreas Henriksson