On Fri, Sep 03, 2021 at 03:41:00PM +0200, Harald Dunkel wrote:
> On 9/3/21 13:57, Roberto C. Sánchez wrote:
> > That sounds like potentially buggy behavior. Can you give a specific
> > example?
> >
>
> ntp (Debian)
> sane (Debian)
> gitlab-runner (not Debian)
> zabbix-agent (not Debian)
>
> Apparently the postinst scripts of ntp and sane have been fixed.
> I don't want to blame anybody, anyway.
>
No worries. It's not a question of blame. Rather, maintainers sometimes
overlook what to them are trivial things but which impact different use
cases which they might not have considered.

As far as ntp, as Greg pointed out, it did at one time not specify a
directory in the postinst script's adduser command, which would have
resulted in the directory /home/ntp being specified. However, as far
back as I was able to conveniently look, the --no-create-home option was
passed to adduser. Based on that, it seems very unlikely that the
postinst script would ever create that directory. Of course, in more
recent versions, the home directory is explicitly listed as
/nonexistent. I can't find a good explanation for how you might have
ended up with /home/ntp being present on your system.

On the other hand, sane has logic from around version 1.0.24-6 (December
2014) that changes the saned user home directory from /home/saned to
/var/lib/saned. It would seem, however, that if /home/saned was present,
that it does not actually get relocated, so that directory might remain
on a system that had saned installed long enough ago to have been using
the former home directory location.

As far as the others, I don't know about their scripts.

As to your initial question, is it possible to somehow prevent or
redirect dpkg from making modifications under /home? The answer is,
probably not easily. The maintainer scripts executed by dpkg are mostly
shell scripts (though I think some packages use Perl scripts). They can
execute arbitrary commands and are run as root. The ability to prevent
modifications to /home depends on the functioning of the commands
invoked from the maintainer scripts, which as you've noted, can include
adduser, deluser, rm, cp, mv, and any of a number of other commands
along with dpkg-specific helper commands.

If you have /home in a good state, and you want to at least be made
aware of future directory creation operations, I recommend a tool like
incron.
You can set it to specifically look for new directory creations under
/home, which you could either have logged or execute an arbitrary
command in response. You can certainly get much fancier with it, but I
have found it to be rather an annoyance if I make it too sensitive or
have it monitoring too many things, just because of the noise in the
logs.

Regards,

-Roberto

-- 
Roberto C. Sánchez
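
Added example, not part of the original message: since the maintainer scripts run as root and the adduser options decide whether /home/<name> is created, one way to find candidates ahead of time is to scan the installed scripts for adduser calls that name a path under /home or pass neither --home nor --no-create-home. The function name is hypothetical and the check is a heuristic that only looks at adduser calls, not at rm, cp, mv or other commands.

```shell
#!/bin/sh
# Added example (not from the original thread): heuristic audit of dpkg
# maintainer scripts for adduser calls that may create /home/<name>.
#
# audit_maintainer_scripts DIR   (hypothetical helper name)
# Scans DIR/*.postinst and DIR/*.preinst and prints one line per finding:
#   <file>: <reason>: <command>
# On a Debian system DIR is normally /var/lib/dpkg/info.
audit_maintainer_scripts() {
    dir=$1
    for f in "$dir"/*.postinst "$dir"/*.preinst; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            # Join backslash-continued lines so that options split
            # across several lines are seen as one command.
            /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
            { line = buf $0; buf = "" }
            line ~ /^[ \t]*#/ { next }    # skip comment lines
            line !~ /(^|[^A-Za-z0-9_-])adduser[ \t]/ { next }
            {
                gsub(/[ \t]+/, " ", line); sub(/^ /, "", line)
                # Case 1: a path under /home is named on the command.
                if (line ~ "[^A-Za-z0-9_./-]/home(/|[^A-Za-z0-9_.-]|$)")
                    print file ": explicit /home path: " line
                # Case 2: a system user is created with neither --home
                # nor --no-create-home (the old ntp situation described
                # in the message). Limited to --system to avoid flagging
                # "adduser USER GROUP" membership changes.
                else if (line ~ /--system/ && line !~ /--home[ =]/ &&
                         line !~ /--no-create-home/)
                    print file ": no home option: " line
            }
        ' "$f"
    done
}
```

Running `audit_maintainer_scripts /var/lib/dpkg/info` lists the packages whose scripts deserve a manual read; third-party packages such as the ones named in the quoted message are covered as long as their scripts are installed there.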