Re: how to forbid debhelper to modify /home ?
On Fri, Sep 03, 2021 at 08:23:07AM -0400, Roberto C. Sánchez wrote: As a Debian Developer, I would consider it bad form to go creating things under /home from a package's maintainer script, though that does not appear to be a specific policy violation. I idly wonder whether it should be, although, the cost would be a Policy ever-increasing in size, and a lean Policy is also attractive to me. -- Please do not CC me for listmail. Jonathan Dowland ✎j...@debian.org https://jmtd.net
Re: how to forbid debhelper to modify /home ?
On Fri, Sep 03, 2021 at 03:41:00PM +0200, Harald Dunkel wrote: > On 9/3/21 13:57, Roberto C. Sánchez wrote: > > That sounds like potentially buggy behavior. Can you give a specific > > example? > > > > ntp (Debian) > sane (Debian) > gitlab-runner (not Debian) > zabbix-agent (not Debian) > > Apparently the postinst scripts of ntp and sane have been fixed. > I don't want to blame anybody, anyway. > No worries. It's not a question of blame. Rather, maintainers sometimes overlook what to them are trivial things but which impact different use cases which they might not have considered. As far as ntp, as Greg pointed out, it did at one time not specify a directory in the postinst script's adduser command, which would have resulted in the directory /home/ntp being specified. However, as far back as I was able to conveniently look, the --no-create-home option was passed to adduser. Based on that, it seems very unlikely that the postinst script would ever create that directory. Of course, in more recent versions, the home directory is explicitly listed as /nonexistent. I can't find a good explanation for how you might have ended up with /home/ntp being present on your system. On the other hand, sane has logic from around version 1.0.24-6 (December 2014) that changes the saned user home directory from /home/saned to /var/lib/saned. It would seem, however, that if /home/saned was present, that it does not actually get relocated, so that directory might remain on a system that had saned installed long enough ago to have been using the former home directory location. As far as the others, I don't know about their scripts. As to your initial question, is it possible to somehow prevent or redirect dpkg from making modifications under /home? The answer is, probably not easily. The maintainer scripts executed by dpkg are mostly shell scripts (though I think some packages use Perl scripts). They can execute arbitrary commands and are run as root. The ability to prevent modifications to /home depends on the functioning of the commands invoked from the maintainer scripts, which as you've noted, can include adduser, deluser, rm, cp, mv, and any of a number of other commands along with dpkg-specific helper commands. If you have /home in a good state, and you want to at least be made aware of future directory creation operations, I recommend a tool like incron. You can set it to specifically look for new directory creations under /home, which you could either have logged or execute an arbitrary command in response. You can certainly get much fancier with it, but I have found it to be rather of annoyance if I make it too sensitive or have it monitoring too many things, just because of the noise in the logs. Regards, -Roberto -- Roberto C. Sánchez
Re: how to forbid debhelper to modify /home ?
On 9/3/21 13:57, Roberto C. Sánchez wrote: That sounds like potentially buggy behavior. Can you give a specific example? ntp (Debian) sane (Debian) gitlab-runner (not Debian) zabbix-agent (not Debian) Apparently the postinst scripts of ntp and sane have been fixed. I don't want to blame anybody, anyway.
Re: how to forbid debhelper to modify /home ?
On 9/3/21 11:40, Erwan David wrote: I would do this the other way (but not eay tpo migrate) : add your users in another directory (/srv/home or something else) where you mpount your remote home directory, and keep system using /home. I agree, but unfortunately this is not an option.
Re: how to forbid debhelper to modify /home ?
Roberto C. Sánchez wrote: > On Fri, Sep 03, 2021 at 08:03:23AM -0400, Greg Wooledge wrote: >> Out of curiosity, I checked my system to see if there were any system >> users with home directories under /home. The only one I found is "ntp". >> >> Then I looked at the ntp.postinst script, and it has this: >> >> adduser --system --quiet --ingroup ntp --no-create-home --home /nonexistent >> ntp >> >> So presumably my ntp user with /home/ntp as its home directory is from >> an older Debian release, and if it had been created under bullseye, it >> would look different. > How old is your system? I just checked a machine that I initially as a > Woody (3.0) system in 2001 and there is no ntp user directory under > /home. I have a system that was installed as either Slink (2.1) or Potato (2.2) and then kept on Unstable ever since. I *do* have sshd:x:104:65534::/home/sshd:/usr/sbin/nologin ntp:x:106:117::/home/ntp:/bin/false cupsys:x:130:106::/home/cupsys:/bin/false I don't have the directories, though. (Might have gotten lost over the years, though.) So there was a time in the past when system users home dirs were created in /home. Grüße, S° -- Sigmentation fault. Core dumped.
Re: how to forbid debhelper to modify /home ?
On Fri, Sep 03, 2021 at 08:39:09AM -0400, Roberto C. Sánchez wrote: > So, the existence of /home/ntp on the OP's system, or any system > installed from a Debian release prior to the last 4-ish years, could be > attributed to some process or series of actions that decides, "hey, this > ntp user's home directory is missing, I should create it". Whether > those actions be manual or the result of some script or service, that > seems the most likely way for that directory to appear on a system. We haven't heard back from the OP yet. We don't know what packages and/or directories they're talking about. In my case, there *isn't* an actual /home/ntp directory. It's just specified in /etc/passwd as the user's home directory.
Re: how to forbid debhelper to modify /home ?
On Fri, Sep 03, 2021 at 08:33:25AM -0400, Greg Wooledge wrote: > On Fri, Sep 03, 2021 at 08:23:07AM -0400, Roberto C. Sánchez wrote: > > On Fri, Sep 03, 2021 at 08:03:23AM -0400, Greg Wooledge wrote: > > > Out of curiosity, I checked my system to see if there were any system > > > users with home directories under /home. The only one I found is "ntp". > > > How old is your system? I just checked a machine that I initially as a > > Woody (3.0) system in 2001 and there is no ntp user directory under > > /home. > > Well, you probably didn't install the ntp pacakge. ;-) > > I *think* this system was installed as stretch, so I downloaded a stretch > package of ntp: > > unicorn:~/tmp/x$ dpkg-deb -R ../ntp_4.2.8p10+dfsg-3+deb9u2_amd64.deb . > unicorn:~/tmp/x$ grep adduser DEBIAN/postinst > adduser --system --quiet --ingroup ntp --no-create-home ntp > > I'm not 100% sure, but I think that creates a user with a home directory > under /home, even though it doesn't actually create that directory. > > I also just fired up a fresh wheezy chroot and the ntp postinst > > has this: > > > > adduser --system --quiet --ingroup ntp --no-create-home ntp > > > > Did you perhaps modify your ntp config at a time when you might have > > been limited on space under /var? > > ... uh, I don't think so? > > Let's test this sucker and find out: > > unicorn:~/tmp/x$ sudo adduser --system --quiet --ingroup ntp --no-create-home > zzntp > unicorn:~/tmp/x$ grep zzntp /etc/passwd > zzntp:x:115:112::/home/zzntp:/usr/sbin/nologin > > As I guessed. That's what it did. Quite right. That explains the motivation a few years ago to begin explicitly specifying the home directory as /nonexistent for system users not meant to have an actual home directory. So, the existence of /home/ntp on the OP's system, or any system installed from a Debian release prior to the last 4-ish years, could be attributed to some process or series of actions that decides, "hey, this ntp user's home directory is missing, I should create it". Whether those actions be manual or the result of some script or service, that seems the most likely way for that directory to appear on a system. Regards, -Roberto -- Roberto C. Sánchez
Re: how to forbid debhelper to modify /home ?
On Fri, Sep 03, 2021 at 08:23:07AM -0400, Roberto C. Sánchez wrote: > On Fri, Sep 03, 2021 at 08:03:23AM -0400, Greg Wooledge wrote: > > Out of curiosity, I checked my system to see if there were any system > > users with home directories under /home. The only one I found is "ntp". > How old is your system? I just checked a machine that I initially as a > Woody (3.0) system in 2001 and there is no ntp user directory under > /home. Well, you probably didn't install the ntp pacakge. ;-) I *think* this system was installed as stretch, so I downloaded a stretch package of ntp: unicorn:~/tmp/x$ dpkg-deb -R ../ntp_4.2.8p10+dfsg-3+deb9u2_amd64.deb . unicorn:~/tmp/x$ grep adduser DEBIAN/postinst adduser --system --quiet --ingroup ntp --no-create-home ntp I'm not 100% sure, but I think that creates a user with a home directory under /home, even though it doesn't actually create that directory. I also just fired up a fresh wheezy chroot and the ntp postinst > has this: > > adduser --system --quiet --ingroup ntp --no-create-home ntp > > Did you perhaps modify your ntp config at a time when you might have > been limited on space under /var? ... uh, I don't think so? Let's test this sucker and find out: unicorn:~/tmp/x$ sudo adduser --system --quiet --ingroup ntp --no-create-home zzntp unicorn:~/tmp/x$ grep zzntp /etc/passwd zzntp:x:115:112::/home/zzntp:/usr/sbin/nologin As I guessed. That's what it did.
Re: how to forbid debhelper to modify /home ?
On Fri, Sep 03, 2021 at 08:03:23AM -0400, Greg Wooledge wrote: > On Fri, Sep 03, 2021 at 07:57:44AM -0400, Roberto C. Sánchez wrote: > > On Fri, Sep 03, 2021 at 11:14:45AM +0200, Harald Dunkel wrote: > > > Hi folks, > > > > > > how can I tell the debhelper scripts to not install home directories > > > for system services in /home (managed on a remote host in my environment), > > > but to use /var/lib instead? > > > > > That sounds like potentially buggy behavior. Can you give a specific > > example? > > Out of curiosity, I checked my system to see if there were any system > users with home directories under /home. The only one I found is "ntp". > > Then I looked at the ntp.postinst script, and it has this: > > adduser --system --quiet --ingroup ntp --no-create-home --home /nonexistent > ntp > > So presumably my ntp user with /home/ntp as its home directory is from > an older Debian release, and if it had been created under bullseye, it > would look different. > How old is your system? I just checked a machine that I initially as a Woody (3.0) system in 2001 and there is no ntp user directory under /home. I also just fired up a fresh wheezy chroot and the ntp postinst has this: adduser --system --quiet --ingroup ntp --no-create-home ntp Did you perhaps modify your ntp config at a time when you might have been limited on space under /var? > Granted, I have only my specific subset of Debian packages installed, > and there could be others that still make system user home directories > in /home. We'll have to await further details from the OP. > As a Debian Developer, I would consider it bad form to go creating things under /home from a package's maintainer script, though that does not appear to be a specific policy violation. In my own case, I don't locate user home directories under /home for most users, so this sort of behavior would very likely have triggered jumped out at me. I have not in my recollection encountered a Debian package that has done this. I too would be interested to know more details from the OP. Regards, -Roberto -- Roberto C. Sánchez
Re: how to forbid debhelper to modify /home ?
On Fri, Sep 03, 2021 at 08:03:23AM -0400, Greg Wooledge wrote: > On Fri, Sep 03, 2021 at 07:57:44AM -0400, Roberto C. Sánchez wrote: > > On Fri, Sep 03, 2021 at 11:14:45AM +0200, Harald Dunkel wrote: > > > Hi folks, > > > > > > how can I tell the debhelper scripts to not install home directories > > > for system services in /home (managed on a remote host in my environment), > > > but to use /var/lib instead? > > > > > That sounds like potentially buggy behavior. Can you give a specific > > example? > > Out of curiosity, I checked my system to see if there were any system > users with home directories under /home. The only one I found is "ntp". > > Then I looked at the ntp.postinst script, and it has this: > > adduser --system --quiet --ingroup ntp --no-create-home --home /nonexistent > ntp > > So presumably my ntp user with /home/ntp as its home directory is from > an older Debian release, and if it had been created under bullseye, it > would look different. > > Granted, I have only my specific subset of Debian packages installed, > and there could be others that still make system user home directories > in /home. We'll have to await further details from the OP. > As another datum point, this is a fairly newly installed Debian 11 system, the only user in /home is the single human user on this system. This is a full GNOME desktop so has services running. I'd anticipate that everything service related would now be under /etc or /etc/default/ All best, as ever, Andy Cater
Re: how to forbid debhelper to modify /home ?
On Friday, September 03, 2021 05:40:18 AM Erwan David wrote: > Le 03/09/2021 à 11:14, Harald Dunkel a écrit : > > how can I tell the debhelper scripts to not install home directories > > for system services in /home (managed on a remote host in my > > environment), but to use /var/lib instead? > I would do this the other way (but not eay tpo migrate) : add your users > in another directory (/srv/home or something else) where you mpount your > remote home directory, and keep system using /home. Especially if you have only one user, I would mount your remote home directory (presumably containing your "real user data" documents, photos, etc) as a top level directory, /.
Re: how to forbid debhelper to modify /home ?
On Fri, Sep 03, 2021 at 07:57:44AM -0400, Roberto C. Sánchez wrote: > On Fri, Sep 03, 2021 at 11:14:45AM +0200, Harald Dunkel wrote: > > Hi folks, > > > > how can I tell the debhelper scripts to not install home directories > > for system services in /home (managed on a remote host in my environment), > > but to use /var/lib instead? > > > That sounds like potentially buggy behavior. Can you give a specific > example? Out of curiosity, I checked my system to see if there were any system users with home directories under /home. The only one I found is "ntp". Then I looked at the ntp.postinst script, and it has this: adduser --system --quiet --ingroup ntp --no-create-home --home /nonexistent ntp So presumably my ntp user with /home/ntp as its home directory is from an older Debian release, and if it had been created under bullseye, it would look different. Granted, I have only my specific subset of Debian packages installed, and there could be others that still make system user home directories in /home. We'll have to await further details from the OP.
Re: how to forbid debhelper to modify /home ?
On Fri, Sep 03, 2021 at 11:14:45AM +0200, Harald Dunkel wrote: > Hi folks, > > how can I tell the debhelper scripts to not install home directories > for system services in /home (managed on a remote host in my environment), > but to use /var/lib instead? > That sounds like potentially buggy behavior. Can you give a specific example? Regards, -Roberto -- Roberto C. Sánchez
Re: how to forbid debhelper to modify /home ?
Le 03/09/2021 à 11:14, Harald Dunkel a écrit : Hi folks, how can I tell the debhelper scripts to not install home directories for system services in /home (managed on a remote host in my environment), but to use /var/lib instead? I know I can block dpkg using apparmor, but this would break many postinst scripts, at least for 3rd-party packages. Some kind of redirect would be helpful. Regards Harri I would do this the other way (but not eay tpo migrate) : add your users in another directory (/srv/home or something else) where you mpount your remote home directory, and keep system using /home.
how to forbid debhelper to modify /home ?
Hi folks, how can I tell the debhelper scripts to not install home directories for system services in /home (managed on a remote host in my environment), but to use /var/lib instead? I know I can block dpkg using apparmor, but this would break many postinst scripts, at least for 3rd-party packages. Some kind of redirect would be helpful. Regards Harri
