From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id C88051396D0 for ; Wed, 30 Aug 2017 13:15:14 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E9F47E0DAC; Wed, 30 Aug 2017 13:15:06 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id A079EE0D49 for ; Wed, 30 Aug 2017 13:15:06 +0000 (UTC) Received: from [192.168.1.100] (c-98-218-46-55.hsd1.md.comcast.net [98.218.46.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mjo) by smtp.gentoo.org (Postfix) with ESMTPSA id 76797340AC7 for ; Wed, 30 Aug 2017 13:15:05 +0000 (UTC) Subject: Re: [gentoo-dev] Of death and prerm To: gentoo-dev@lists.gentoo.org References: <09043e39-bcec-f73b-683e-17de59b8e5d5@gentoo.org> <1504085131.22591.6.camel@gentoo.org> From: Michael Orlitzky Message-ID: Date: Wed, 30 Aug 2017 09:15:02 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 In-Reply-To: <1504085131.22591.6.camel@gentoo.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Archives-Salt: d04353f3-0040-4207-b518-a0bcefe6ea04 X-Archives-Hash: f267563ac8d2f6e060109d2791348e1b On 08/30/2017 05:25 AM, Michał Górny wrote: > > This package does not belong in Gentoo. We do packaging, not some ugly > malware that prevents users from uninstalling itself. Every package must > be uninstallable. Even if it destroys my system, developers have no > right to prevent valid uninstall action from proceeding. > So you're saying I should have it "sleep 2983702947523704" in prerm? =) I've been working on the user packages GLEP that I started and then forgot about sometime at the beginning of the year. I'm trying to finish up the reference implementation. When it comes to removing users, everyone's suggestions were along the same lines: 1a. If you try to uninstall a user package, it should die(), because calling userdel can be a security risk if the user still owns files. 1b. Same as 1a, with an I_KNOW_WHAT_I_AM_DOING override. 2. We can scan the file system to see if the user owns anything, and if he doesn't, call userdel. If he does, warn the user, and die(). 3. During upgrades, the existing user will be left in place. But If a user package tries to switch it's UID in a new version, check to make sure that the old UID doesn't own any files, maybe die(), etc. But all of them involve being able to die() out of a removal action. It's not refusing to uninstall the system user -- that's already the status quo -- it's just refusing to remove the /package/ given that we can't actually remove the system user. Trying to keep the system and the PM in agreement (with an override). Anyway, I was trying to implement (1b), so that's how I found myself asking this question. Since I'm providing an I_KNOW_WHAT_IM_DOING override, you still have the ability to shoot yourself in the foot, but for all of this to work I'd still need a way to stop an uninstallation.