Bug#291177: [PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts

2005-01-19 Thread Javier Fernández-Sanguino Peña
Package: debian-policy
Version: 3.6.1.1
Priority: wishlist

There is currently no policy on how per-package users should be created and 
removed. Even though the 'UID and GID classes' section determines that 
packages _should_ use adduser --system on some occasions, it doesn't 
describe why a package would want to do that.

IMHO it would be worthwhile writing in the policy that:

- maintainers should strive to make daemons run as non-root users
(this helps reduce the severity of many security bugs)

- maintainer scripts should create a system user for their daemon in
postinst.  User creation should not fail if the user already exists
(example code should be provided here, since this is sometimes not done
properly in maintainer scripts). Maintainer scripts can ask the admin if 
the user already exists.

- maintainer scripts can remove users on purge of the package. 
This should only be done if the files created by the user are being
removed in purge too.

- package configuration files (under /etc) should not be owned by the 
package user (this is to prevent attacks on daemons that might introduce a 
way to modify their own configuration). On some occasions access to a file 
(since it includes sensitive information) needs to be restricted; for this, 
a group should be created and the files should be chowned root:group.
(note that there is some *buggy* software in which the daemon needs to 
write to its configuration files)

For reference here are some relevant discussions:
(there are probably many more)

http://lists.debian.org/debian-policy/2003/05/msg00022.html
http://lists.debian.org/debian-devel/2001/09/msg01960.html
http://lists.debian.org/debian-devel/2004/08/msg01798.html
http://lists.debian.org/debian-devel/2004/05/msg01156.html
http://lists.debian.org/debian-devel/2003/11/msg02231.html
http://lists.debian.org/debian-devel/1996/05/msg00159.html
http://lists.debian.org/debian-user/1996/05/msg00106.html
http://lists.debian.org/debian-mentors/2004/10/msg00338.html

If others agree I can go forward, write a proposal text for this and 
provide a patch.

Regards

Javier



Bug#291177: [PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts

2005-01-19 Thread Henrique de Moraes Holschuh
On Wed, 19 Jan 2005, Javier Fernández-Sanguino Peña wrote:
> There is currently no policy on how per-package users should be created and 
> removed. Even though the 'UID and GID classes' section determines that 
> packages _should_ use adduser --system on some occasions it doesn't 

Make it *must* use adduser --system, *if* they add a user at all.

> - maintainer scripts should create a system user for their daemon in
> postinst.  User creation should not fail if the user already exists
> (example code should be provided here, since this is sometimes not done
> properly in maintainer scripts). Maintainer scripts can ask the admin if 
> the user already exists.

Maintainer scripts can ask about an already existing user *if and only if*
it is not a system user...  no more useless, aggravating postinst prompts,
please.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh



Bug#291177: [PROPOSAL] Policy for user/groups creation/removal in package maintainer scripts

2005-01-19 Thread Henrique de Moraes Holschuh
On Wed, 19 Jan 2005, Javier Fernández-Sanguino Peña wrote:
> On Wed, Jan 19, 2005 at 09:54:50AM -0200, Henrique de Moraes Holschuh wrote:
> > On Wed, 19 Jan 2005, Javier Fernández-Sanguino Peña wrote:
> > > There is currently no policy on how per-package users should be created 
> > > and removed. Even though the 'UID and GID classes' section determines that 
> > > packages _should_ use adduser --system on some occasions it doesn't 
> > 
> > Make it *must* use adduser --system, *if* they add a user at all.
> 
> Some packages might need to use a hardcoded UID (and there's a UID range
> for those); those don't use 'adduser --system'.

Then they *must* request that UID to be statically allocated to them, and
add a proper versioned dep to the base-passwd package providing it.  This is
an old, old rule, if it is not a must yet, it is about time it becomes
one...

> > Maintainer scripts can ask about an already existing user *if and only if*
> > it is not a system user...  no more useless, aggravating postinst prompts,
> > please.
> 
> True. I would love to see a sample for that so that postinst scripts would 
> reuse that. Actually, it could even be integrated into a dh_adduser script, 
> couldn't it?

Yes, it could.  For a sample, please see the amavisd-new or cyrus21-imapd
packages.  Both do it.  I do not claim they do it in the best possible way,
but it works.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
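As an added example covering both Javier's proposal (create the account in postinst without failing when it already exists, drop it on purge only together with its files, keep /etc files owned root:group) and Henrique's point that only a pre-existing *non-system* account deserves the admin's attention, here are POSIX sh helpers of the kind a postinst/postrm could source. They are not taken from any Debian package, nor from the amavisd-new or cyrus21-imapd scripts mentioned above; the daemon name "exampled", the state directory, and the ADDUSER/DELUSER command overrides are assumptions made so the logic can be exercised without root. A warning on stderr stands in for whatever debconf prompt a package might choose to show in the "regular account" case.

```shell
#!/bin/sh
# Added example (not from any Debian package): maintainer-script helpers for
# a hypothetical daemon "exampled".  postinst would call ensure_system_user
# and config_not_writable_by; postrm would call purge_daemon_user on "purge".
set -e

# Commands are overridable so the decision logic can be tested without root.
ADDUSER=${ADDUSER:-adduser}
DELUSER=${DELUSER:-deluser}

# Debian's adduser.conf defaults for dynamically allocated system accounts;
# UIDs 0-99 are statically allocated by base-passwd and never touched here.
FIRST_SYSTEM_UID=${FIRST_SYSTEM_UID:-100}
LAST_SYSTEM_UID=${LAST_SYSTEM_UID:-999}

# Pick up a locally changed system range from adduser.conf, if present.
load_adduser_ranges() {
    conf=${1:-/etc/adduser.conf}
    [ -r "$conf" ] || return 0
    v=$(sed -n 's/^FIRST_SYSTEM_UID=\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -n "$v" ]; then FIRST_SYSTEM_UID=$v; fi
    v=$(sed -n 's/^LAST_SYSTEM_UID=\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -n "$v" ]; then LAST_SYSTEM_UID=$v; fi
}

# Classify a UID: static (0-99), system (adduser's range) or regular.
uid_class() {
    if [ "$1" -lt 100 ]; then echo static
    elif [ "$1" -ge "$FIRST_SYSTEM_UID" ] && [ "$1" -le "$LAST_SYSTEM_UID" ]; then echo system
    else echo regular
    fi
}

# Classify an account by name; "absent" if it does not exist.
user_class() {
    entry=$(getent passwd "$1" || true)
    if [ -z "$entry" ]; then echo absent; return 0; fi
    uid_class "$(printf '%s\n' "$entry" | cut -d: -f3)"
}

# postinst: create the daemon account.  Must not fail when it already exists
# (reinstall, upgrade, or the admin pre-created it).  Only an existing
# *regular* account is worth telling the admin about; a system account is
# reused silently.  Prints the decision so a caller (or test) can check it.
ensure_system_user() {
    name=$1; home=$2
    case $(user_class "$name") in
        absent)
            "$ADDUSER" --system --quiet --group --home "$home" \
                --no-create-home "$name"
            echo created ;;
        regular)
            echo "warning: $name exists as a regular account; reusing it" >&2
            echo reused-regular ;;
        *)
            echo reused ;;
    esac
}

# Check that a configuration file cannot be modified by the daemon account:
# not owned by it, and no group/other write bit.  The intended layout is
# root:<daemon group> with mode 0640.  Uses GNU stat, as on Debian.
config_not_writable_by() {
    file=$1; name=$2
    if [ "$(stat -c '%U' "$file")" = "$name" ]; then
        echo "$file is owned by $name" >&2; return 1
    fi
    case $(stat -c '%A' "$file") in
        ?????w*|????????w*)
            echo "$file is group- or world-writable" >&2; return 1 ;;
    esac
    return 0
}

# postrm purge: remove the account only together with the files it owned,
# and only if it really is a system account.  deluser may be missing
# (adduser is not Essential), so the call is guarded.
purge_daemon_user() {
    name=$1; home=$2
    if [ -n "$home" ] && [ "$home" != / ] && [ -d "$home" ]; then
        rm -rf "$home"
    fi
    if [ "$(user_class "$name")" = system ] && command -v "$DELUSER" >/dev/null 2>&1; then
        "$DELUSER" --system --quiet "$name" || true
    fi
}
```

In a real postinst the calls would be `ensure_system_user exampled /var/lib/exampled` followed by `config_not_writable_by /etc/exampled/exampled.conf exampled`, and in postrm, under `purge)`, `purge_daemon_user exampled /var/lib/exampled`. The classification step is what makes the "no prompts for system users" rule enforceable: a system UID is simply reused, a static UID means the package should instead depend on the base-passwd version that allocates it, and only a regular UID is surfaced to the admin.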