On Mon, Oct 02, 2006 at 08:43:26PM +0100, Stephen Gran wrote:
> This one time, at band camp, Marc Haber said:
> > I'd like to see deluser --system having a configuration option which
> > would prevent an account from actually being deleted. That way, a
> > local administrator could make sure that UIDs are not being re-used.
> >
> > If this option is enabled, deluser --system would set the shell to
> > /bin/false and invalidate the password (I am not sure whether the
> > password should be destroyed or invalidated in a reversible way).
> >
> > The default would, of course, be current behavior with actually
> > deleting the account.
>
> This is repeating logic already available (chsh and passwd -l) that
> don't really buy all that much security.

deluser would do its work by invoking chsh and password -l.

> Add a --permanent flag to adduser, which writes the uid to a state file.
> Make deluser exit 0 (or some specific non-zero) if called for a uid in that
> file.
> Add --force to deluser to override it.

That would mean touching a lot of packages.

> Maintainers could then individually decide if they think the accounts
> they set up are sensitive enough to be worth preserving, and call chsh
> and passwd -l themselves in postrm, or, maybe better:
>
> if deluser $user; then
>   if [ $? = 6 ]; then
>     chsh -s /bin/false $user
>     passwd -l $user
>   else
>     ...
>   fi
> fi

The idea of adduser and deluser is to move complexity needed in
maintainer scripts to adduser and deluser. What you are suggesting is
adding eight lines of code to a lot of maintainer scripts. I do not like
that idea as bugs in that code are going to show up and need to be fixed
in a gazillion of packages.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
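
The behaviour discussed in this message, kept in one helper rather than in each maintainer script, as an added sketch that is not part of the original message and not adduser/deluser code. It only prints the commands a `deluser --system` style wrapper would run; `PRESERVE_SYSTEM_ACCOUNTS`, the function names and the sample accounts are assumptions, and the UID check is a simplified stand-in for the `--system` test.

```shell
#!/bin/sh
# Added illustration, not adduser/deluser code. PRESERVE_SYSTEM_ACCOUNTS is a
# hypothetical option name; LAST_SYSTEM_UID is an existing adduser.conf key.

# conf_get FILE KEY DEFAULT: print the last KEY=value in FILE, else DEFAULT.
conf_get() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
          tail -n 1 | tr -d "\"'")
    printf '%s\n' "${val:-$3}"
}

# uid_of PASSWD_FILE NAME: print NAME's UID, fail if NAME is absent.
uid_of() {
    awk -F: -v u="$2" '$1 == u { print $3; f = 1 } END { exit !f }' "$1"
}

# plan_removal CONF PASSWD NAME: print the commands a "deluser --system"
# style wrapper would run. Returns 1 for unknown or non-system accounts.
plan_removal() {
    uid=$(uid_of "$2" "$3") || { echo "no such user: $3" >&2; return 1; }
    max=$(conf_get "$1" LAST_SYSTEM_UID 999)
    if [ "$uid" -gt "$max" ]; then
        echo "$3 (uid $uid) is not a system account" >&2
        return 1
    fi
    if [ "$(conf_get "$1" PRESERVE_SYSTEM_ACCOUNTS no)" = yes ]; then
        # Keep the passwd entry so the UID stays allocated and is never
        # handed to a new account that would inherit leftover files.
        echo "chsh -s /bin/false $3"
        echo "passwd -l $3"
    else
        echo "userdel $3"   # default: current behaviour, account is deleted
    fi
}

# Constructed sample data for a dry run.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'svc:x:105:110::/var/lib/svc:/bin/sh' \
                  'alice:x:1000:1000::/home/alice:/bin/bash' > "$d/passwd"
    printf '%s\n' 'LAST_SYSTEM_UID=999' 'PRESERVE_SYSTEM_ACCOUNTS=yes' > "$d/conf"
    plan_removal "$d/conf" "$d/passwd" svc
    rm -rf "$d"
}
demo
```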

