Bug#987803: geoclue-2.0: package doesn't purge cleanly
On Fri, 2021-04-30 at 20:50 +0200, Chris Hofstaedtler wrote:
> Cleanup works only in trivial cases. For everything else, you will
> end up with a free uid and existing files or existing running
> processes owned by this uid. A following useradd by the local admin
> or a package install will "reassign" ownership of these files to a
> user who was never supposed to have access to them, creating a
> security problem.
>
> It could be argued that most packages trying to cleanup users have a
> security hole.

Indeed... and typically I'm always on the security-hardening side ;-)
... but does geoclue create any files with its UID or GID, which are
not also deleted upon purge?

Cause if not,... it might be justifiable to do such a cleanup.

Anyway... it's up to you :-)

Cheers,
Chris.

Bug#987803: geoclue-2.0: package doesn't purge cleanly
* Christoph Anton Mitterer [210430 18:47]:
> On Fri, 2021-04-30 at 18:02 +0200, Chris Hofstaedtler wrote:
> > > 1) The user/group geoclue aren't removed at all.
> >
> > This is correct behaviour for Debian packages.
>
> Is this anywhere in the policy?

Nothing in policy says the users are supposed to be removed once created.

> There seem to be quite a number of
> packages which do clean up properly:
> /var/lib/dpkg/info$ grep "deluser " *.*rm -l
> davfs2.postrm
> dnsmasq-base.postrm
> libvirt-daemon-system.postrm
> lightdm.postrm
> logcheck.postrm
> ntp.postrm
> openssh-server.postrm
> privoxy.postrm
> pulseaudio.postrm
> strongswan-starter.postrm
>
> And what sense would it make to leave it behind?

Cleanup works only in trivial cases. For everything else, you will
end up with a free uid and existing files or existing running
processes owned by this uid. A following useradd by the local admin
or a package install will "reassign" ownership of these files to a
user who was never supposed to have access to them, creating a
security problem.

It could be argued that most packages trying to cleanup users have a
security hole.

Policy however says that dynamic UIDs are to be used if possible.

Chris

Bug#987803: geoclue-2.0: package doesn't purge cleanly
On Fri, 2021-04-30 at 18:02 +0200, Chris Hofstaedtler wrote:
> > 1) The user/group geoclue aren't removed at all.
>
> This is correct behaviour for Debian packages.

Is this anywhere in the policy?

There seem to be quite a number of packages which do clean up properly:
/var/lib/dpkg/info$ grep "deluser " *.*rm -l
davfs2.postrm
dnsmasq-base.postrm
libvirt-daemon-system.postrm
lightdm.postrm
logcheck.postrm
ntp.postrm
openssh-server.postrm
privoxy.postrm
pulseaudio.postrm
strongswan-starter.postrm

And what sense would it make to leave it behind?

Cheers,
Chris.

Bug#987803: geoclue-2.0: package doesn't purge cleanly
* Christoph Anton Mitterer [210430 16:02]:
> On purging the package there are leftovers:
>
> 1) The user/group geoclue aren't removed at all.

This is correct behaviour for Debian packages.

Chris

Bug#987803: geoclue-2.0: package doesn't purge cleanly
Package: geoclue-2.0
Version: 2.5.7-3
Severity: normal

Hi.

On purging the package there are leftovers:

1) The user/group geoclue aren't removed at all.

2) Files
Purging configuration files for geoclue-2.0 (2.5.7-3) ...
dpkg: warning: while removing geoclue-2.0, directory '/var/lib/geoclue' not empty so not removed

# l /var/lib/geoclue/
total 0
drwxr-xr-x 1 geoclue geoclue   12 Feb 17  2014 .
drwxr-xr-x 1 root    root    1,3k Apr 30 00:46 ..
drwx------ 1 geoclue geoclue   10 Feb 17  2014 .cache

Cheers,
Chris.

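Added example, not part of the thread and not geoclue's packaging: a check for the condition the replies above turn on, namely whether a UID still owns files or running processes at the moment it would be freed. The function names are hypothetical, only the directories passed as arguments are scanned, and the process check assumes Linux /proc with a stat(1) that supports -c.

```sh
#!/bin/sh
# Added example, not geoclue's maintainer script. Function names are
# hypothetical. Checks whether a UID still owns files or processes, i.e.
# whether freeing it would hand those objects to the next account that
# is assigned the same number.

# Print every path under the given roots that is owned by numeric UID $1.
files_owned_by_uid() {
    uid=$1; shift
    for root in "$@"; do
        [ -e "$root" ] || continue
        # find treats a numeric -user argument as a UID unless an account
        # is literally named that number.
        find "$root" -xdev -user "$uid" -print 2>/dev/null || true
    done
}

# Print the PID of every process whose /proc/PID directory is owned by
# UID $1. Assumes Linux /proc and a stat(1) with -c (coreutils, busybox).
procs_owned_by_uid() {
    for p in /proc/[0-9]*; do
        [ -d "$p" ] || continue
        owner=$(stat -c %u "$p" 2>/dev/null) || continue
        if [ "$owner" = "$1" ]; then echo "${p#/proc/}"; fi
    done
    return 0
}

# Status 0 only if no file under the roots and no process uses UID $1.
uid_is_releasable() {
    [ -z "$(files_owned_by_uid "$@")" ] || return 1
    [ -z "$(procs_owned_by_uid "$1")" ] || return 1
    return 0
}

# Direct use: sh this-script ACCOUNT ROOT...   (e.g. geoclue /var /tmp)
if [ "$#" -ge 2 ]; then
    account=$1; shift
    uid=$(id -u "$account") || exit 2
    if uid_is_releasable "$uid" "$@"; then
        echo "uid $uid ($account): nothing found, deletion would orphan nothing here"
    else
        echo "uid $uid ($account) is still in use, keep the account:"
        files_owned_by_uid "$uid" "$@"
        procs_owned_by_uid "$uid" | sed 's/^/pid /'
        exit 1
    fi
fi
```

A clean result covers only the roots that were scanned; files on unmounted or remote filesystems and in backups are not seen.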