On Tue, Jun 30, 2020 at 07:07:50PM +0200, Michael Biebl wrote:
> Am 30.06.20 um 11:20 schrieb Niels Thykier:
> > What about removal; is there any
> > action to be done for locking the users?
> 
> Good question. Afaics there are no provisions in systemd-sysusers to
> remove users again.

Indeed.

> It's my understanding, that there is no clear consensus what should
> happen on package purge. Some packages do manually remove system users
> and go to some length to find files/directories owned by a system
> user/group and remove them.
> Some maintainers are of the opinion, that a system user once created
> should not be removed again.
> I think both viewpoints are valid, but the never-remove-a-system-user is
> probably the safer approach.

Agreed. System users are essentially "free", and if system users are removed,
there's always a risk of UID reuse: if a service owns a file, then the service
is removed and the UID reclaimed by a different service. So retaining the
UID of a gone service (until the server is reinstalled or decommissioned) is
definitely the safer route.

Also, given that systemd-sysusers relies on declarative configuration of
system users, at a future time when all system users are created with it,
this also allows tooling to detect unused system users.

Cheers,
        Moritz
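The kind of tooling the last paragraph of Moritz's mail anticipates, as an added example that is not part of this thread or of systemd: it parses the `u` lines of sysusers.d fragments (the real `type name id gecos home shell` line format) and reports system-range accounts in a passwd database that no fragment declares, i.e. candidates left behind by a purged package. The sample sysusers.d and passwd contents are constructed for the example; `SYS_UID_MAX = 999` assumes the Debian convention for the system UID range, and `undeclared_on_host()` assumes the standard sysusers.d search directories.

```python
"""Find system users in passwd that no sysusers.d fragment declares.

Added example, not code from the mailing-list thread or from systemd.
Sample inputs below are constructed for the demonstration.
"""
import shlex
from pathlib import Path

# Assumption: Debian convention, system accounts occupy UIDs 0..999.
SYS_UID_MAX = 999

# Constructed sysusers.d fragment in the systemd-sysusers line format:
#   Type Name ID GECOS Home Shell  (u = user, g = group, m = membership, r = range)
SAMPLE_SYSUSERS = """\
# Type Name    ID      GECOS            Home            Shell
u      nginx   -       "nginx daemon"   /var/lib/nginx
u      dnsmasq 102     "dnsmasq"        -               /usr/sbin/nologin
g      render  -
m      nginx   render
r      -       201-499
"""

# Constructed passwd database: "oldsvc" is a leftover from a purged package.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nginx:x:101:101:nginx daemon:/var/lib/nginx:/usr/sbin/nologin
dnsmasq:x:102:65534:dnsmasq:/nonexistent:/usr/sbin/nologin
oldsvc:x:103:103:removed service:/var/lib/oldsvc:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def declared_users(sysusers_text):
    """Return the set of user names declared by 'u' lines in a sysusers.d fragment."""
    users = set()
    for raw in sysusers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # shlex honours the quoted GECOS field
        if fields[0] == "u" and len(fields) >= 2:
            users.add(fields[1])
    return users


def system_users(passwd_text, uid_max=SYS_UID_MAX):
    """Return {name: uid} for passwd entries in 1..uid_max (root is excluded)."""
    result = {}
    for raw in passwd_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash
        name, uid = fields[0], int(fields[2])
        if 0 < uid <= uid_max:
            result[name] = uid
    return result


def undeclared_system_users(passwd_text, sysusers_text):
    """System-range users present in passwd but not declared by any 'u' line."""
    return sorted(set(system_users(passwd_text)) - declared_users(sysusers_text))


def undeclared_on_host(passwd_path="/etc/passwd"):
    """Run the same check against the live host (assumes the standard
    sysusers.d search directories; later directories do not override here,
    all fragments are simply merged)."""
    dirs = ("/etc/sysusers.d", "/run/sysusers.d", "/usr/lib/sysusers.d")
    fragments = "\n".join(
        p.read_text() for d in dirs for p in sorted(Path(d).glob("*.conf"))
        if Path(d).is_dir()
    )
    return undeclared_system_users(Path(passwd_path).read_text(), fragments)


if __name__ == "__main__":
    print("undeclared (sample):", undeclared_system_users(SAMPLE_PASSWD, SAMPLE_SYSUSERS))
```

The report is advisory only: an undeclared account is a candidate for review, not for deletion, for exactly the UID-reuse reason given above, and distributions still carry packages that create users via `adduser` rather than sysusers.d, which this check would also flag.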
