Bug#808230: deluser --system should lock the account
On Thu, Dec 17, 2015 at 01:56:50PM +0100, Marc Haber wrote:
> how to handle an account on package purge is a discussion going on for
> more than a decade now. After the umpteenth re-hash of the issue on
> #debian-devel, I have gotten the impression that there is rough
> consensus for not deleting system accounts on package purge. The most
> prominent argument for this situation is that the local admin might
> have given file ownership to the account while the package was
> installed, and when the account is deleted and its uid re-used later,
> those files may become accessible to an unintended entity.

I have filed #1006912 against policy to solicit the policy editor's
opinion. adduser might probably go ahead prematurely by implementing
deluser --lock --system, locking an account if it's a system account.

Greetings
Marc

Bug#808230: deluser --system should lock the account
Package: adduser
Version: 3.113+nmu3
Severity: wishlist

Hi,

how to handle an account on package purge is a discussion going on for
more than a decade now. After the umpteenth re-hash of the issue on
#debian-devel, I have gotten the impression that there is rough
consensus for not deleting system accounts on package purge. The most
prominent argument for this situation is that the local admin might
have given file ownership to the account while the package was
installed, and when the account is deleted and its uid re-used later,
those files may become accessible to an unintended entity.

Currently, deluser --system will just print a warning if the account to
be deleted is actually a system user by virtue of its UID range and
exit.

Maybe it would be a good idea to change this behavior to locking the
account ("!" in shadow) if deluser is asked to delete a system account?
This doesn't prevent a privileged account to su/sudo/setuid into the
account, but it will prevent logins as this account while keeping the
UID reserved.

Greetings
Marc
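
Added example, not part of the bug report and not adduser code: a shell sketch of the two outcomes the report contrasts, a locked account that keeps its UID reserved versus a deleted account whose files are left owned by a free UID. The account name `pkgd`, the UIDs, the paths and the three helper functions are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data; nothing here reads the real /etc/passwd or /etc/shadow.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT

# passwd(5) format. "pkgd" was locked and kept; the owner of uid 135 was deleted.
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pkgd:x:134:142::/var/lib/pkgd:/usr/sbin/nologin
EOF

# shadow(5) format. A leading "!" in field 2 marks the password as locked.
cat > "$SAMPLE/shadow" <<'EOF'
root:$y$constructed$hash:19000:0:99999:7:::
pkgd:!:19000:0:99999:7:::
EOF

# "uid path" pairs, as GNU `find DIR -printf '%U %p\n'` would list them.
cat > "$SAMPLE/owners" <<'EOF'
134 /srv/data/pkgd-export.db
135 /srv/data/old-daemon.key
EOF

# Print "locked", "not-locked" or "absent" for USER in a shadow-format FILE.
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u { s = (substr($2, 1, 1) == "!") ? "locked" : "not-locked"; print s; found = 1 }
        END { if (!found) print "absent" }' "$1"
}

# Succeed if UID still has an entry in a passwd-format FILE, so it cannot be re-allocated.
uid_reserved() {
    awk -F: -v id="$2" '$3 == id { hit = 1 } END { exit !hit }' "$1"
}

# List paths whose owning uid has no passwd entry; the next account given that
# uid inherits them. On a live system `find / -nouser` reports the same set.
orphaned_paths() {
    awk 'NR == FNR { split($0, f, ":"); known[f[3]] = 1; next }
         !($1 in known) { print $2 }' "$1" "$2"
}

shadow_state "$SAMPLE/shadow" pkgd
orphaned_paths "$SAMPLE/passwd" "$SAMPLE/owners"
```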