Adduser devel - Mar 2008 - Bug#472349: adduser: please delay more than 5 seconds during deluser root

Package: adduser
Version: 3.106
Tags: patch
File: /usr/sbin/deluser
See also: #471705

This patch explicit statement that there is a time limit; without
this, users are likely to reread the huge warning rather than quickly
aborting/suspending the process to investigate.

--- /usr/sbin/deluser
+++ /tmp/tmp.FqfaY26055/deluser	2008-03-23 13:50:46.000000000 -0400
@@ -225,11 +225,13 @@
     }
     
     # Warn in any case if you want to remove the root account 
-    if ($uid == 0) {
+    if ($pw_uid == 0) {
+        my $delay=10;
         printf (gtx("WARNING: You are just about to delete the root
account (uid 0)\n"));
+        printf (gtx("This action will proceed in $delay seconds; "));
+        printf (gtx("Press Ctrl+C immediately to abort\n"));
         printf (gtx("Usually this is never required as it may render the
whole system unusable\n"));
-        printf (gtx("Press immediately Ctrl+C if you want to
abort\n"));
-        sleep 5;
+        sleep $delay;
         printf (gtx("Ok, you really want it, I''ll delete that
account\n"));
     }

Pardon the intrusion, I feel I need to speak up on this issue.  I feel that 
waiting on an interval before continuing instead of human confirmation on 
removal of important role accounts is not failsafe behavior.   I also suspect 
this could probably be merged with #470464.

On Sunday 23 March 2008 10:53:15 am Justin Pryzby wrote:
> This patch explicit statement that there is a time limit; without
> this, users are likely to reread the huge warning rather than quickly
> aborting/suspending the process to investigate.
With something as grave as removing the root account, wouldn''t it make
much
more sense to ask for explicit confirmation to be entered and wait 
indefinitely until that happens, similar to what you must do in dpkg or apt 
if you try to remove base required packages?  adduser/deluser sometimes get 
called by apt themselves, possibly while the operator who called it has 
abandoned their console to go get coffee or take care of some other task.  

This has probably come to surprise more than just me thanks to bug #469165.

-- 
Paul Johnson
baloo at ursine.ca
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url :
http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20080323/9a837566/attachment.pgp

This one time, at band camp, Paul Johnson said:
> On Sunday 23 March 2008 10:53:15 am Justin Pryzby wrote:
> 
> > This patch explicit statement that there is a time limit; without
> > this, users are likely to reread the huge warning rather than quickly
> > aborting/suspending the process to investigate.
> 
> With something as grave as removing the root account, wouldn''t it
make much
> more sense to ask for explicit confirmation to be entered and wait 
> indefinitely until that happens, similar to what you must do in dpkg or apt
> if you try to remove base required packages?  adduser/deluser sometimes get
> called by apt themselves, possibly while the operator who called it has 
> abandoned their console to go get coffee or take care of some other task.  
This bug is mostly harmless when deluser is called without a foolish
flag like --remove-home or worse, --remove-all-files.  It is possible,
of course, to say "no, you can''t ever do that", but I do feel
a little
uncomfortable second guessing an admin who wants to do something
drastically stupid - unix doesn''t generally do that.

I agree that the harm caused by allowing people to effectively ask for
removal of the root account and all files that are uid 0 is stupid, so
what I propose is: allow removal of a uid 0 account, provided the
username is not root.  Also, fail before doing anything if either of
--remove-home or --remove-all-files is given.  Seem reasonable?
-- 
 -----------------------------------------------------------------
|   ,''''`.                                            Stephen
Gran |
|  : :'' :                                        sgran at debian.org |
|  `. `''                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20080324/02d25a4c/attachment.pgp

On Mon, Mar 24, 2008 at 12:13:57AM +0000, Stephen Gran
wrote:
> This one time, at band camp, Paul Johnson said:
> > On Sunday 23 March 2008 10:53:15 am Justin Pryzby wrote:
> > 
> > > This patch explicit statement that there is a time limit; without
> > > this, users are likely to reread the huge warning rather than
quickly
> > > aborting/suspending the process to investigate.
> > 
> > With something as grave as removing the root account,
wouldn''t it make much
> > more sense to ask for explicit confirmation to be entered and wait 
> > indefinitely until that happens, similar to what you must do in dpkg
or apt
> > if you try to remove base required packages?
Yes, perhaps unless an environment variable is set (to allow it to
happen in batch, if that''s hypothetically useful).  I don''t
know if
it''d be sufficiently safe to initialize that variable to allow
root''s
removal if the stdio fd''s are /dev/null or such.
> This bug is mostly harmless when deluser is called without a foolish
> flag like --remove-home or worse, --remove-all-files.
Really?  
> It is possible,
> of course, to say "no, you can''t ever do that", but I do
feel a little
> uncomfortable second guessing an admin who wants to do something
> drastically stupid - unix doesn''t generally do that.
OTOH adduser/deluser are considered to be high level tools, so it
perhaps it isn''t entirely unreasonable to reject it at that level?

Justin

On Sun, Mar 23, 2008 at 08:59:57PM -0400, Justin Pryzby
wrote:
> On Mon, Mar 24, 2008 at 12:13:57AM +0000, Stephen Gran wrote:
> > This one time, at band camp, Paul Johnson said:
> > > On Sunday 23 March 2008 10:53:15 am Justin Pryzby wrote:
> > This bug is mostly harmless when deluser is called without a foolish
> > flag like --remove-home or worse, --remove-all-files.
> Really?  
Sorry, I meant to expand on that.  After removing root''s passwd,
shadow and group entries, neither su nor sudo works (although single
user mode might), and I suspect pam prevents things like cron from
running normally.

Justin

On Mon, Mar 24, 2008 at 12:13:57AM +0000, Stephen Gran
wrote:
> 
> This bug is mostly harmless when deluser is called without a foolish
> flag like --remove-home or worse, --remove-all-files.  It is possible,
> of course, to say "no, you can''t ever do that", but I do
feel a little
> uncomfortable second guessing an admin who wants to do something
> drastically stupid - unix doesn''t generally do that.
> 
> I agree that the harm caused by allowing people to effectively ask for
> removal of the root account and all files that are uid 0 is stupid, so
> what I propose is: allow removal of a uid 0 account, provided the
> username is not root.  Also, fail before doing anything if either of
> --remove-home or --remove-all-files is given.  Seem reasonable?
I would suggest to introduce a new parameter "--force"; without this
flag
deluser refuses to remove the "root" account, but with this flag,
deluser
will print a warning and then remove the account. 

Joerg


-- 
What did you do to the cat? It looks half-dead. -Schroedinger''s wife
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20080326/79ae6394/attachment.pgp

This one time, at band camp, Joerg Hoh said:
> On Mon, Mar 24, 2008 at 12:13:57AM +0000, Stephen Gran wrote:
> > 
> > This bug is mostly harmless when deluser is called without a foolish
> > flag like --remove-home or worse, --remove-all-files.  It is possible,
> > of course, to say "no, you can''t ever do that", but
I do feel a little
> > uncomfortable second guessing an admin who wants to do something
> > drastically stupid - unix doesn''t generally do that.
> > 
> > I agree that the harm caused by allowing people to effectively ask for
> > removal of the root account and all files that are uid 0 is stupid, so
> > what I propose is: allow removal of a uid 0 account, provided the
> > username is not root.  Also, fail before doing anything if either of
> > --remove-home or --remove-all-files is given.  Seem reasonable?
> 
> I would suggest to introduce a new parameter "--force"; without
this flag
> deluser refuses to remove the "root" account, but with this flag,
deluser
> will print a warning and then remove the account. 
Seems reasonable as well.
-- 
 -----------------------------------------------------------------
|   ,''''`.                                            Stephen
Gran |
|  : :'' :                                        sgran at debian.org |
|  `. `''                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20080326/0fd40693/attachment.pgp

Hi Stephen

On Wed, Mar 26, 2008 at 07:28:02PM +0000, Stephen Gran
wrote:
> This one time, at band camp, Joerg Hoh said:
> > 
> > I would suggest to introduce a new parameter "--force";
without this flag
> > deluser refuses to remove the "root" account, but with this
flag, deluser
> > will print a warning and then remove the account. 
> 
> Seems reasonable as well.
I just added that feature to SVN (release 781); I tested it on my machine
trying to remove the root account without --force (warning and exit) and
removing a "normal" user (works without warnings). Can you just do a
quick
review and upload it then?

Many thanks.

Joerg

-- 
What did you do to the cat? It looks half-dead. -Schroedinger''s wife
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20080327/373b6e1d/attachment.pgp

This one time, at band camp, Joerg Hoh said:
> Hi Stephen
> 
> On Wed, Mar 26, 2008 at 07:28:02PM +0000, Stephen Gran wrote:
> > This one time, at band camp, Joerg Hoh said:
> > > 
> > > I would suggest to introduce a new parameter "--force";
without this flag
> > > deluser refuses to remove the "root" account, but with
this flag, deluser
> > > will print a warning and then remove the account. 
> > 
> > Seems reasonable as well.
> 
> I just added that feature to SVN (release 781); I tested it on my machine
> trying to remove the root account without --force (warning and exit) and
> removing a "normal" user (works without warnings). Can you just
do a quick
> review and upload it then?
Looks good.  Uploaded.
-- 
 -----------------------------------------------------------------
|   ,''''`.                                            Stephen
Gran |
|  : :'' :                                        sgran at debian.org |
|  `. `''                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20080327/c50d0e0a/attachment.pgp

Your message dated Thu, 27 Mar 2008 21:17:03 +0000
with message-id <E1JezT5-0004qy-Bu at ries.debian.org>
and subject line Bug#472349: fixed in adduser 3.107
has caused the Debian Bug report #472349,
regarding adduser: please delay more than 5 seconds during deluser root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)


-- 
472349: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472349
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Justin Pryzby <justinpryzby at users.sourceforge.net>
Subject: adduser: please delay more than 5 seconds during deluser root
Date: Sun, 23 Mar 2008 13:53:15 -0400
Size: 2547
Url:
http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20080327/5a295f84/attachment-0002.eml
-------------- next part --------------
An embedded message was scrubbed...
From: Stephen Gran <sgran at debian.org>
Subject: Bug#472349: fixed in adduser 3.107
Date: Thu, 27 Mar 2008 21:17:03 +0000
Size: 3471
Url:
http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20080327/5a295f84/attachment-0003.eml