[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: mock mock.spec,1.5,1.6



On Sun, 2005-06-05 at 16:27 +0200, Matthias Saou wrote:
> seth vidal wrote :
> 
> > > groupdel and userdel are always bad ideas in packages.  Just remove the
> > > %postun scriptlet altogether.
> > 
> > so it's okay to just leave a created group/user? That seems ugly and
> > messy to me. We're always saying packages should clean up all of their
> > directories - why not have them clean up all of their groups, too.
> 
> Quite simple : Install the package, the user/group gets created. Remove
> it, if files are left behind that still belong to the user/group, then
> when the new user/group is created later on if the same package is
> reinstalled, the uid/gid will be different and those files won't have the
> proper owner.
> 
> Say that /etc/program.d/ is mode 700 with a non root owner. If you
> modified a file in there, the directory won't get removed because
> some .rpmsave files will be there when you remove the package that owned
> all the files. This is an example of where side-effects begin.

One more example: as said above when these files with the original
user/group removed are left behind, the permissions for the leftover
files will be uid/gid based.  Now, a completely different package
installed later may get its unrelated user/group created with the
uid/gid earlier used by the erased package; depending on the nature of
the leftover files, this may be a security issue.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]