On Mon, Mar 12, 2007 at 14:27:13 +0800, Thomas Goirand wrote:

> Julien Cristau wrote:
> > Package: dtc-xen
> > Version: 0.2.6-5
> > Severity: serious
> > 
> > Hi,
> > 
> > dtc-xen's postinst creates (19!!) users with home directories under
> > /home, and will break if /home is on NFS (which is a pretty common
> > setup).  If the users already exist (not necessarily created by this
> > package), it will override their settings.
> > 
> > Cheers,
> > Julien
> 
> Hi!
> 
> Thanks for reporting this one.
> 
> Even if what you say is right, when using this package, in no way do you
> want to use things like NFS, set up some users to have accounts on the
> server or other things like that. This is supposed to be the dom0 where
> the minimum number of things are set up, especially dangerous things like
> NFS !!! I think using /home on an NFS server in the dom0 of a Xen server
> is a pretty UNCOMMON and DANGEROUS setup... :)
> 
It may be, but that doesn't mean your package is allowed to break in
such a case.

> Did you understand that if the shell of the user is NOT
> /bin/dtc-xen_userconsole (the virtual machine console), then this is a
> very important security concern as the user will have a user account on
> the server rather than an access to the physical console of its virtual
> machine? What do you suggest?
> 
> Do you still think this should be filed as a bug, and if so, what
> correction do you think I should do (keep in mind that these users are
> needed)?
> 
Yes, I do.  The first thing to do would probably be to use system users,
and stay the hell away from /home.

> Finally, can't we expect the user to know what he is doing, and expect
> that nothing else than dtc-xen and its dependencies will be installed
> on the dom0 if it's a production server?
> 
No, we can't.  Not every Debian installation is a production server.

Cheers,
Julien
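A postinst-style sketch of what Julien suggests (system users, homes outside /home, and no silent override of accounts that already exist), as an added example that is not dtc-xen's own maintainer script; the home root /var/lib/dtc-xen, the ADDUSER override and the constructed user names are assumptions:

```shell
#!/bin/sh
# Added example, not dtc-xen's own postinst: create the console users
# idempotently, as system accounts, with home directories outside /home.
set -e

# Assumed locations (placeholders, not taken from the package):
DTC_XEN_HOME=${DTC_XEN_HOME:-/var/lib/dtc-xen}           # home root outside /home
CONSOLE_SHELL=${CONSOLE_SHELL:-/bin/dtc-xen_userconsole} # shell named in the thread
ADDUSER=${ADDUSER:-adduser}                              # set to ':' for a dry run

# Look up one account. getent goes through NSS, so accounts served by
# NIS/LDAP are seen too; fall back to /etc/passwd where getent is absent.
passwd_entry() {
    if command -v getent >/dev/null 2>&1; then getent passwd "$1"
    else grep "^$1:" /etc/passwd; fi
}
user_exists() { passwd_entry "$1" >/dev/null 2>&1; }
user_shell()  { passwd_entry "$1" | cut -d: -f7; }

# Create one console user, or leave an existing one alone.
# Returns 0 when the account is usable, 2 when an existing account has a
# different shell (a real login, not a console-only account): that is for
# the admin to resolve, not for postinst to silently override.
ensure_console_user() {
    name=$1
    if user_exists "$name"; then
        shell=$(user_shell "$name")
        if [ "$shell" != "$CONSOLE_SHELL" ]; then
            echo "dtc-xen: user $name exists with shell $shell; not touching it" >&2
            return 2
        fi
        return 0
    fi
    # --system: uid from the system range; --no-create-home: nothing is
    # written under /home (which may be on NFS) or anywhere else yet.
    "$ADDUSER" --system --group --no-create-home \
        --home "$DTC_XEN_HOME/$name" --shell "$CONSOLE_SHELL" "$name"
}

# Walk the whole user list, reporting conflicts but not stopping on them.
ensure_all_console_users() {
    failed=0
    for name in "$@"; do
        ensure_console_user "$name" || failed=$((failed + 1))
    done
    return "$failed"
}
```

Run with ADDUSER=: to see which of the planned accounts would conflict with existing logins before anything is created.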

