Bug#808230: deluser --system should lock the account
On Thu, Dec 17, 2015 at 01:56:50PM +0100, Marc Haber wrote: > how to handle an account on package purge is a discussion going on for > more than a decade now. After the umpteenth re-hash of the issue on > #debian-devel, I have gotten the impression that there is rough > consensus for not deleting system accounts on package purge. The most > prominent argument for this situation is that the local admin might > have given file ownership to the account while the package was > installed, and when the account is deleted and its uid re-used later, > those files may become accessible to an unintended entity. I have filed #1006912 against policy to solicit the policy editor's opinion. adduser might probably go ahead prematurely by implementing deluser --lock --system, locking an account if it's a system account. Greetings Marc
Bug#808230: deluser --system should lock the account
Package: adduser
Version: 3.113+nmu3
Severity: wishlist
Hi,
how to handle an account on package purge is a discussion going on for
more than a decade now. After the umpteenth re-hash of the issue on
#debian-devel, I have gotten the impression that there is rough
consensus for not deleting system accounts on package purge. The most
prominent argument for this situation is that the local admin might
have given file ownership to the account while the package was
installed, and when the account is deleted and its uid re-used later,
those files may become accessible to an unintended entity.
Currently, deluser --system will just print a warning if the account
to be deleted is actually a system user by virtue of its UID range and
exit.
Maybe it would be a good idea to change this behavior to locking the
account ("!" in shadow) if deluser is asked to delete a system account?
This doesn't prevent a privileged account to su/sudo/setuid into the
account, but it will prevent logins as this account while keeping the
UID reserved.
Greetings
Marc
