Comment 6 for bug 924224

Robert Ancell (robert-ancell) wrote :

<seb128> how should packages handle deluser calls in postrm/purge that fail because the user is logged in
 like lightdm when users try to remove the package from a system when the login manager is in use?
<pitti> seb128: TBH I think nothing should ever call deluser automatically
 if a postrm is trying to, then at least with || true
<seb128> pitti, so purging lightdm should just leave a lightdm user around?
<pitti> but the possibility of reusing a previously removed uid for a new account is a security issue
 seb128: yeah, I think that's the lesser evil
<seb128> pitti, so you would just drop the deluser call?
 rather than adding || true?
<pitti> lightdm is prone to leaking processes and leftover sessions unfortunately
 seb128: no strong opinion between || true and drop, but I'd prefer dropping it, yes
<seb128> pitti, thanks
<seb128> robert_ancell, ^
<pitti> seb128: so the problem is:
<pitti> 1. you uninstall package foo with sysuser foo, removing the sysuser foo with uid 123
 2. you install a package bar, adding sysuser bar with uid 123 (reusing)
 3. now bar's daemons "take over" any running processes of foo, and can meddle with its leftover files, etc.
<robert_ancell> pitti, fair point
<seb128> right
<pitti> in some cases (when foo doesn't write any files, or makes sure to kill its processes), deluser is a nice cleanup, but this should be ascertained before
 and lightdm in particular writes lots of files and leaks lots of sessions and processes
 at least while it's running I always have a lightdm session around; not sure whether that's still true after stopping lightdm