On Tue, Jun 30, 2020 at 07:07:50PM +0200, Michael Biebl wrote:
> On 30.06.20 at 11:20, Niels Thykier wrote:
> > What about removal; is there any
> > action to be done for locking the users?
>
> Good question. Afaics there are no provisions in systemd-sysusers to
> remove users again.

Indeed.

> It's my understanding, that there is no clear consensus what should
> happen on package purge. Some packages do manually remove system users
> and go to some length to find files/directories owned by a system
> user/group and remove them.
> Some maintainers are of the opinion, that a system user once created
> should not be removed again.
> I think both viewpoints are valid, but the never-remove-a-system-user is
> probably the safer approach.

Agreed. System users are essentially "free" and if system users are
removed, there's always a risk of UID reuse if a service owns a file,
then the service is removed and the UID reclaimed by a different
service, so retaining the UID of a gone service (until the server is
reinstalled or decommissioned) is definitely the safer route.

Also, given that systemd-sysusers relies on declarative configuration
of system users, at a future time where all system users are created
with it, this also allows tooling to detect unused system users.

Cheers,
Moritz
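
The kind of tooling mentioned at the end of the message could look like the following sketch, which is an added example and not part of the original thread or of systemd. It assumes every system user is declared by a `u` line in sysusers.d and that system UIDs fall in 100-999; the function names and the sample data are constructed for illustration.

```python
import shlex

# Constructed sample input. On a real host, read /etc/passwd and the *.conf
# files from the sysusers.d directories (e.g. /usr/lib/sysusers.d, /etc/sysusers.d).
SAMPLE_SYSUSERS = '''\
# Type Name      ID  GECOS               Home
u     exampled   -   "Example daemon"    /var/lib/exampled
u     mydaemon   -   "Constructed demo"  -
g     render     -
'''
SAMPLE_PASSWD = '''\
root:x:0:0:root:/root:/bin/bash
exampled:x:101:104:Example daemon:/var/lib/exampled:/usr/sbin/nologin
oldsvc:x:102:105:Purged service:/var/lib/oldsvc:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
'''

def declared_users(sysusers_text):
    """Names declared by 'u' lines (fields: Type Name ID GECOS Home Shell)."""
    names = set()
    for line in sysusers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # GECOS may be a quoted string with spaces
        if len(fields) >= 2 and fields[0] == "u":
            names.add(fields[1])
    return names

def undeclared_system_users(passwd_text, declared, uid_min=100, uid_max=999):
    """System accounts in [uid_min, uid_max] that no sysusers.d line declares.

    The default range is an assumption, not something stated in the thread.
    """
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or not parts[2].isdigit():
            continue  # skip malformed passwd entries
        name, uid = parts[0], int(parts[2])
        if uid_min <= uid <= uid_max and name not in declared:
            found.append((name, uid))
    return sorted(found, key=lambda item: item[1])

if __name__ == "__main__":
    declared = declared_users(SAMPLE_SYSUSERS)
    for name, uid in undeclared_system_users(SAMPLE_PASSWD, declared):
        # Report only: the UID stays reserved, so files it owns are never inherited.
        print(f"UID {uid} ({name}): no sysusers.d declaration; review files it owns")
```

The script only reports leftover accounts and never deletes them, matching the never-remove approach: the UID stays allocated, so a later service cannot pick it up along with the old service's files.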