https://bugzilla.altlinux.org/show_bug.cgi?id=17718 suggests that the intended configuration of permissions for klogd be checked in a working system. The "configuration" is the relation between the dedicated user "klogd", his primary group (stored in /etc/passwd), the group named "klogd" (stored in /etc/groups) and the permissions on the working directory (/var/lib/klogd/...).
This inconsistency could have been formally discovered.
This feature request suggests there could be a general mechanism for this in the system (and it could be employed, say, on every startup of a service, or after the administrator edited something).
Now the intended configuration is expressed in an imperative way by the commands in the RPM preinstall script:
but this intention could be installed as a declarative policy ("the primary gid of user klogd is the group with name klogd"). Then this policy could be checked any time.
https:/ /bugzilla. altlinux. org/show_ bug.cgi? id=17718 suggests that the intended configuration of permissions for klogd be checked in a working system. The "configuration" is the relation between the dedicated user "klogd", his primary group (stored in /etc/passwd), the group named "klogd" (stored in /etc/groups) and the permissions on the working directory (/var/lib/ klogd/. ..).
The situation reported in https:/ /bugzilla. altlinux. org/show_ bug.cgi? id=17250 was caused by a typo in /etc/passwd which had lead to an inconsistency between /etc/passwd and /etc/group.
This inconsistency could have been formally discovered.
This feature request suggests there could be a general mechanism for this in the system (and it could be employed, say, on every startup of a service, or after the administrator edited something).
Now the intended configuration is expressed in an imperative way by the commands in the RPM preinstall script:
# rpm -q klogd --scripts
preinstall scriptlet (through /bin/sh):
/usr/sbin/groupadd -r -f klogd
/usr/sbin/useradd -r -g klogd -d /dev/null -s /dev/null -n klogd >/dev/null 2>&1 ||:
but this intention could be installed as a declarative policy ("the primary gid of user klogd is the group with name klogd"). Then this policy could be checked any time.
(And such a check would discover my typo.)