Your message dated Fri, 07 May 2021 20:31:12 +0000
with message-id <[email protected]>
and subject line unblock lacme
has caused the Debian Bug report #988216,
regarding unblock: lacme/0.8.0-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
988216: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988216
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear Release Team,
Please unblock package lacme/0.8.0-2:
[ Reason ]
As of lacme 0.8.0-1 dedicated system users _lacme-* are created at
install time and removed on purge. The later was done under the
assumption that no file owned by these users is ever created on disk.
While that is true with the default configuration, it's possible to
configure lacme in a way that requires manual creation of a directory
owned by one of these system users. The user in question (_lacme-client)
should therefore *not* be deleted on purge. Cf. #988032.
[ Impact ]
In a non-default configuration, a directory owned by _lacme-client might
be left after package removal. That system user is removed on purge,
which could have security implications should its ID be recycled later.
[ Tests ]
Ensured _lacme-client remained after purging 0.8.0-2.
[ Risks ]
The fix is trivial with modifications in postrm only. Only _lacme-client
needs to remain after package purge, but for symmetry I decided to keep
_lacme-www as well.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock lacme/0.8.0-2
--
Guilhem.
diffstat for lacme-0.8.0 lacme-0.8.0
changelog | 8 ++++++++
lacme.postrm | 15 ---------------
2 files changed, 8 insertions(+), 15 deletions(-)
diff -Nru lacme-0.8.0/debian/changelog lacme-0.8.0/debian/changelog
--- lacme-0.8.0/debian/changelog 2021-02-22 03:31:23.000000000 +0100
+++ lacme-0.8.0/debian/changelog 2021-05-04 01:37:13.000000000 +0200
@@ -1,3 +1,11 @@
+lacme (0.8.0-2) unstable; urgency=medium
+
+ * d/lacme.postrm: Don't delete system users on purge. There might be files
+ on disk owned by _lacme-client when 'challenge-directory' is set in the
+ configuration (closes: #988032).
+
+ -- Guilhem Moulin <[email protected]> Tue, 04 May 2021 01:37:13 +0200
+
lacme (0.8.0-1) unstable; urgency=low
* New upstream release (closes: #970458, #970800, #972456).
diff -Nru lacme-0.8.0/debian/lacme.postrm lacme-0.8.0/debian/lacme.postrm
--- lacme-0.8.0/debian/lacme.postrm 2021-02-22 03:31:23.000000000 +0100
+++ lacme-0.8.0/debian/lacme.postrm 1970-01-01 01:00:00.000000000 +0100
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-set -e
-
-if [ "$1" = "purge" ]; then
- if getent passwd _lacme-www >/dev/null; then
- deluser --quiet --system _lacme-www
- fi
- if getent passwd _lacme-client >/dev/null; then
- deluser --quiet --system _lacme-client
- fi
-fi
-
-#DEBHELPER#
-exit 0
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---
