Source: dnsmasq
Severity: wishlist
Tags: patch

Dear Maintainer(s),

Please find attached patches to install a sysusers.d config file for the system user, and to further clean up (in fact remove) the dnsmasq-base* manually written maintainer scripts.

sysusers.d config files allow a package to use declarative configuration instead of manually written maintainer scripts. This also allows image-based systems to be created with /usr/ only, and also allows for factory resetting a system and recreating /etc/ on boot.

https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html

From b692c7fe4897c28f03600869ab8e9a4121bb0551 Mon Sep 17 00:00:00 2001 From: Luca Boccassi <[email protected]> Date: Sun, 15 Feb 2026 23:05:50 +0000 Subject: [PATCH 3/3] Install and use sysusers.d config file sysusers.d config files allow a package to use declarative configuration instead of manually written maintainer scripts. This also allows image-based systems to be created with /usr/ only, and also allows for factory resetting a system and recreating /etc/ on boot. https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html --- debian/control | 6 +++--- debian/dnsmasq-base-lua.postinst | 1 - debian/dnsmasq-base-lua.sysusers | 1 + debian/dnsmasq-base.postinst | 19 ------------------- debian/dnsmasq-base.sysusers | 1 + 5 files changed, 5 insertions(+), 23 deletions(-) delete mode 120000 debian/dnsmasq-base-lua.postinst create mode 120000 debian/dnsmasq-base-lua.sysusers delete mode 100644 debian/dnsmasq-base.postinst create mode 100644 debian/dnsmasq-base.sysusers diff --git a/debian/control b/debian/control index 90dbab0..87254cd 100644 --- a/debian/control +++ b/debian/control @@ -1,7 +1,7 @@ Source: dnsmasq Section: net Priority: optional -Build-Depends: dh-exec, gettext, libnetfilter-conntrack-dev [linux-any], +Build-Depends: dh-exec, dh-sequence-installsysusers, gettext, libnetfilter-conntrack-dev [linux-any], libidn2-dev, libdbus-1-dev (>=0.61), libgmp-dev, nettle-dev (>=2.4-3), libbsd-dev [kfreebsd-any], liblua5.4-dev, dh-runit, debhelper-compat (= 13), @@ -35,7 +35,7 @@ Description: Small caching DNS proxy and DHCP/TFTP server - system daemon Package: dnsmasq-base Architecture: any Multi-Arch: foreign -Depends: passwd, ${misc:Depends}, ${shlibs:Depends} +Depends: ${misc:Depends}, ${shlibs:Depends} Breaks: dnsmasq (<< 2.63-1~) Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base Recommends: dns-root-data 
@@ -49,7 +49,7 @@ Description: Small caching DNS proxy and DHCP/TFTP server - executable Package: dnsmasq-base-lua Architecture: any Multi-Arch: foreign -Depends: passwd, ${misc:Depends}, ${shlibs:Depends} +Depends: ${misc:Depends}, ${shlibs:Depends} Breaks: dnsmasq (<< 2.63-1~) Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base Recommends: dns-root-data diff --git a/debian/dnsmasq-base-lua.postinst b/debian/dnsmasq-base-lua.postinst deleted file mode 120000 index 20bc4e0..0000000 --- a/debian/dnsmasq-base-lua.postinst +++ /dev/null @@ -1 +0,0 @@ -dnsmasq-base.postinst \ No newline at end of file diff --git a/debian/dnsmasq-base-lua.sysusers b/debian/dnsmasq-base-lua.sysusers new file mode 120000 index 0000000..9f8fa43 --- /dev/null +++ b/debian/dnsmasq-base-lua.sysusers @@ -0,0 +1 @@ +dnsmasq-base.sysusers \ No newline at end of file diff --git a/debian/dnsmasq-base.postinst b/debian/dnsmasq-base.postinst deleted file mode 100644 index 1733259..0000000 --- a/debian/dnsmasq-base.postinst +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh -set -e - -# Create the dnsmasq user in dnsmasq-base, so that Dbus doesn't complain. - -if [ "$1" = "configure" ]; then - # Create the user to run as. - if [ -z "`id -u dnsmasq 2> /dev/null`" ]; then - useradd --system \ - --gid nogroup \ - --comment dnsmasq \ - --home-dir /var/lib/misc --no-create-home \ - --shell /usr/sbin/nologin \ - dnsmasq - fi -fi - -#DEBHELPER# - diff --git a/debian/dnsmasq-base.sysusers b/debian/dnsmasq-base.sysusers new file mode 100644 index 0000000..ceb7aa4 --- /dev/null +++ b/debian/dnsmasq-base.sysusers @@ -0,0 +1 @@ +u! dnsmasq -:nogroup - /var/lib/misc -- 2.47.3
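
Review bot: In debian/dnsmasq-base.sysusers the GECOS field is `-` and no shell field is given, while the removed postinst passed `--comment dnsmasq` and `--shell /usr/sbin/nologin` to useradd, so the declared account is not visibly equivalent to the one the script used to create. Consider writing the comment explicitly (`u! dnsmasq -:nogroup "dnsmasq" /var/lib/misc`) and either adding the shell field or stating in the commit message that the sysusers default is relied on. The message also does not explain why `passwd` is dropped from the Depends of dnsmasq-base and dnsmasq-base-lua; one sentence saying that nothing in the maintainer scripts calls useradd any more would cover it.
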
From ee1cd5d390bd34456595240b8c9b04952c218d2a Mon Sep 17 00:00:00 2001 From: Luca Boccassi <[email protected]> Date: Sun, 15 Feb 2026 23:04:49 +0000 Subject: [PATCH 2/3] postinst/postrm: do not manage directory in /run/ /run/ is completely ephemeral, as it's a tmpfs and has been for a very long time now. Packages must not rely on maintainer scripts creating/removing directories/files in /run/, as it is runtime managed, while packages can be installed in chroots, images, etc, and systems can be rebooted. --- debian/dnsmasq-base-lua.postrm | 1 - debian/dnsmasq-base.postinst | 11 ----------- debian/dnsmasq-base.postrm | 9 --------- 3 files changed, 21 deletions(-) delete mode 120000 debian/dnsmasq-base-lua.postrm delete mode 100644 debian/dnsmasq-base.postrm diff --git a/debian/dnsmasq-base-lua.postrm b/debian/dnsmasq-base-lua.postrm deleted file mode 120000 index ecdb249..0000000 --- a/debian/dnsmasq-base-lua.postrm +++ /dev/null @@ -1 +0,0 @@ -dnsmasq-base.postrm \ No newline at end of file diff --git a/debian/dnsmasq-base.postinst b/debian/dnsmasq-base.postinst index e992a36..1733259 100644 --- a/debian/dnsmasq-base.postinst +++ b/debian/dnsmasq-base.postinst @@ -13,17 +13,6 @@ if [ "$1" = "configure" ]; then --shell /usr/sbin/nologin \ dnsmasq fi - - # Make the directory where we keep the pid file - this - # has to be owned by "dnsmasq" so that the file can be unlinked. - # This is only actually used by the dnsmasq binary package, not - # dnsmasq-base, but it's much easier to create it here so that - # we don't have synchronisation issues with the creation of the - # dnsmasq user. - if [ ! -d /run/dnsmasq ]; then - mkdir /run/dnsmasq - chown dnsmasq:nogroup /run/dnsmasq - fi fi #DEBHELPER# diff --git a/debian/dnsmasq-base.postrm b/debian/dnsmasq-base.postrm deleted file mode 100644 index fea7ac7..0000000 --- a/debian/dnsmasq-base.postrm +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -set -e - -if [ purge = "$1" ]; then - rm -rf /run/dnsmasq -fi - -#DEBHELPER# - -- 2.47.3
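
Review bot: The removed postinst block is the only visible place that creates /run/dnsmasq and chowns it to dnsmasq:nogroup, and its own comment says the pid file cannot be unlinked unless the directory has that owner; nothing in this patch adds a replacement. Please name in the commit message what now creates the directory at runtime with that ownership (a tmpfiles.d snippet, the service unit, or the init script), or add it in this series, so the pid-file path keeps working after a reboot or in a freshly built image.
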
From 137fe82b734bd43016f491c2d2bc59f44ec083b0 Mon Sep 17 00:00:00 2001 From: Luca Boccassi <[email protected]> Date: Sun, 15 Feb 2026 23:02:50 +0000 Subject: [PATCH 1/3] postrm: do not delete dnsmasq user Deleting system users/groups is widely considered bad practice, as it is not possible to be reasonably sure there are no files left on persistent storage owned by such users/groups. Given UIDs/GIDs are recycled, this means it is theoretically possible for existing files to end up owned by entirely different users/groups as intended. --- debian/dnsmasq-base.postrm | 4 ---- 1 file changed, 4 deletions(-) diff --git a/debian/dnsmasq-base.postrm b/debian/dnsmasq-base.postrm index 4fa2538..fea7ac7 100644 --- a/debian/dnsmasq-base.postrm +++ b/debian/dnsmasq-base.postrm @@ -2,10 +2,6 @@ set -e if [ purge = "$1" ]; then - # Handle the rare case "userdel" not being available, see bug #1071142. - if [ command -v userdel 1>dev/null 2>&1 ]; then - userdel dnsmasq - fi rm -rf /run/dnsmasq fi -- 2.47.3
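
Review bot: The removed condition `[ command -v userdel 1>dev/null 2>&1 ]` hands `command -v userdel` to `[` as test operands instead of running it, and redirects to a relative `dev/null`, so the `userdel dnsmasq` branch was probably never taken. The commit message should say so, since it means this change removes dead code rather than altering purge behaviour on existing installs. It would also help to state that the dnsmasq account is now deliberately left in place on purge, so administrators know to expect it.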

