Adduser devel - Sep 2004 - Bug#271829: adduser deleted _all_ files on my disk from a ''dpkg --purge command''

Package: adduser
Version: 3.53
Severity: important

Hello,

recently _all_ files on my disk were deleted by issuing a ''dpkg
--purge command''.

A few days ago I did ''dpkg --purge amavisd-new''. The package
had
already been deinstalled a long time ago (it was the version
20021227p2-5). Now I also wanted to get rid of the remaining config
files.

Instead I ended up with _all_ files on _all_ mounted partitions
deleted, except symlinks.

I now found out the reason: the postrm script calls ''deluser
--remove-home amavis''. And the home directory of the amavis user was
set to
''/'' in /etc/passwd on my system, I do not know why.

My conclusion would be that either 
- deluser should check that ''home'' is reasonable
or
- deluser should always be called with the ''--home'' option in
package
  removal scripts

Therefore this bug maybe does not refer to the package but to policy.


E. Kloppenburg


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, ''unstable''), (500,
''testing'')
Architecture: i386 (i686)
Kernel: Linux 2.6.5-1-k7
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro

Versions of packages adduser depends on:
ii  debconf                     1.4.25       Debian configuration management sy
ii  passwd                      1:4.0.3-28.3 Change and administer password and
ii  perl-base                   5.8.4-2      The Pathologically Eclectic Rubbis

-- debconf information excluded

severity #271829 wishlist
thanks

On Wed, Sep 15, 2004 at 04:38:20PM +0200, Ernst Kloppenburg
wrote:
> recently _all_ files on my disk were deleted by issuing a ''dpkg
> --purge command''.
> 
> A few days ago I did ''dpkg --purge amavisd-new''. The
package had
> already been deinstalled a long time ago (it was the version
> 20021227p2-5). Now I also wanted to get rid of the remaining config
> files.
> 
> Instead I ended up with _all_ files on _all_ mounted partitions
> deleted, except symlinks.
> 
> I now found out the reason: the postrm script calls ''deluser
> --remove-home amavis''. And the home directory of the amavis user
was set to
> ''/'' in /etc/passwd on my system, I do not know why.
This is probably an issue with the amavis-package.
> My conclusion would be that either 
> - deluser should check that ''home'' is reasonable
Define "reasonable".
> or
> - deluser should always be called with the ''--home''
option in package
>   removal scripts
That is an issue with other packages. Or do you suggest that adduser
won''t remove any home dir without --home being explicitly given?

What exactly is the fix you''re suggesting without breaking existing
packages?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Karlsruhe, Germany |  lose things."    Winona Ryder | Fon: *49 721 966 32
15
Nordisch by Nature |  How to make an American Quilt | Fax: *49 721 966 31 29

Processing commands for control@bugs.debian.org:
> severity #271829 wishlist
Bug#271829: adduser deleted _all_ files on my disk from a ''dpkg --purge
command''
Severity set to `wishlist''.
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

On Wed, Sep 15, 2004 at 18:04:40 +0200, Marc Haber
wrote:
> 
> On Wed, Sep 15, 2004 at 04:38:20PM +0200, Ernst Kloppenburg wrote:
> > 
[...]
> > My conclusion would be that either 
> > - deluser should check that ''home'' is reasonable
> 
> Define "reasonable".
> 
I suggest that deluser refuses to ''rm -rf /'' which is
definitely not reasonable. 

If somebody types ''rm -rf /'' himself, he made a decision. But
with
adduser this can happen by accident. This risk is not neglectable and
not limited to my amavis-experience. For example, on my current
sarge/sid system the command ''deluser --remove-home telnetd''
would
again delete everything. And I definitely did not change the telnetd
home in passwd myself.

Therefore I do think something needs to be done about this to take
this risk out of debian. 

And I also think this is more important than ''severity
wishlist''.
> > or
> > - deluser should always be called with the ''--home''
option in package
> >   removal scripts
> 
> That is an issue with other packages. Or do you suggest that adduser
> won''t remove any home dir without --home being explicitly given?
> 
> What exactly is the fix you''re suggesting without breaking
existing
> packages?
I tried to suggest an alternative fix in case changing adduser would
not be considered. 

This fix would be to require package scripts not to use
''deluser'' without
specifying ''--home''. This suggestion of course does not apply
to
adduser, but to the packaging policies.

But making deluser itself refuse to delete ''/'' would of course
be much
easier and more effective.

Ernst

-- 
Ernst Kloppenburg
Stuttgart, Germany

On Wed, Sep 15, 2004 at 04:38:20PM +0200, Ernst Kloppenburg
wrote:
> My conclusion would be that either 
> - deluser should check that ''home'' is reasonable
> or
> - deluser should always be called with the ''--home''
option in package
>   removal scripts
Deluser now has a list of important directories where no deletion
takes place even if --remove-home was set.

The corresponding package will be in experimental after next dinstall
run.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Your message dated Fri, 6 May 2005 14:21:10 +0200
with message-id <20050506122110.GA17295@lefler.int.l21.ma.zugschlus.de>
and subject line Closing bugs
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 15 Sep 2004 14:38:26
+0000
>From ernst.kloppenburg@gmx.de Wed Sep 15 07:38:26 2004
Return-path: <ernst.kloppenburg@gmx.de>
Received: from mail.gmx.de (mail.gmx.net) [213.165.64.20] 
	by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
	id 1C7avR-00083T-00; Wed, 15 Sep 2004 07:38:25 -0700
Received: (qmail 12464 invoked by uid 65534); 15 Sep 2004 14:37:53 -0000
Received: from host-212-9-163-74.dial.netic.de (EHLO rechner4) (212.9.163.74)
  by mail.gmx.net (mp004) with SMTP; 15 Sep 2004 16:37:53 +0200
X-Authenticated: #1154334
Received: from ernst by rechner4 with local (Exim 3.36 #1 (Debian))
	id 1C7avM-0001PZ-00; Wed, 15 Sep 2004 16:38:20 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Ernst Kloppenburg <ernst.kloppenburg@gmx.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: adduser deleted _all_ files on my disk from a ''dpkg --purge
command''
X-Mailer: reportbug 2.60
Date: Wed, 15 Sep 2004 16:38:20 +0200
Message-Id: <E1C7avM-0001PZ-00@rechner4>
Sender: Ernst Kloppenburg <ernst@rechner4.zuhause.de>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: adduser
Version: 3.53
Severity: important

Hello,

recently _all_ files on my disk were deleted by issuing a ''dpkg
--purge command''.

A few days ago I did ''dpkg --purge amavisd-new''. The package
had
already been deinstalled a long time ago (it was the version
20021227p2-5). Now I also wanted to get rid of the remaining config
files.

Instead I ended up with _all_ files on _all_ mounted partitions
deleted, except symlinks.

I now found out the reason: the postrm script calls ''deluser
--remove-home amavis''. And the home directory of the amavis user was
set to
''/'' in /etc/passwd on my system, I do not know why.

My conclusion would be that either 
- deluser should check that ''home'' is reasonable
or
- deluser should always be called with the ''--home'' option in
package
  removal scripts

Therefore this bug maybe does not refer to the package but to policy.


E. Kloppenburg


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, ''unstable''), (500,
''testing'')
Architecture: i386 (i686)
Kernel: Linux 2.6.5-1-k7
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro

Versions of packages adduser depends on:
ii  debconf                     1.4.25       Debian configuration management sy
ii  passwd                      1:4.0.3-28.3 Change and administer password and
ii  perl-base                   5.8.4-2      The Pathologically Eclectic Rubbis

-- debconf information excluded

---------------------------------------
Received: (at 271829-done) by bugs.debian.org; 6 May 2005 12:22:10
+0000
>From mh+debian-packages@zugschlus.de Fri May 06 05:22:10 2005
Return-path: <mh+debian-packages@zugschlus.de>
Received: from 5301d.unt0.torres.l21.ma.zugschlus.de
(torres.int.l21.ma.zugschlus.de) [217.151.83.1] (Debian-exim)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DU1qM-0003FP-00; Fri, 06 May 2005 05:22:10 -0700
Received: from lefler.int.l21.ma.zugschlus.de ([192.168.130.38])
	by torres.int.l21.ma.zugschlus.de with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50)
	id 1DU1pQ-0002Pk-2p; Fri, 06 May 2005 14:21:12 +0200
Received: from mh by lefler.int.l21.ma.zugschlus.de with local (Exim 4.50)
	id 1DU1pP-0004fU-0I; Fri, 06 May 2005 14:21:11 +0200
Date: Fri, 6 May 2005 14:21:10 +0200
From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 293559-done@bugs.debian.org, 283110-done@bugs.debian.org,
	287535-done@bugs.debian.org, 268841-done@bugs.debian.org,
	268837-done@bugs.debian.org, 286227-done@bugs.debian.org,
	268402-done@bugs.debian.org, 278937-done@bugs.debian.org,
	270266-done@bugs.debian.org, 279659-done@bugs.debian.org,
	273010-done@bugs.debian.org, 271142-done@bugs.debian.org,
	271829-done@bugs.debian.org, 231809-done@bugs.debian.org
Cc: Marc Haber <mh+debian-packages@zugschlus.de>
Subject: Closing bugs
Message-ID: <20050506122110.GA17295@lefler.int.l21.ma.zugschlus.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: 271829-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 7

These bugs have been tagged as fixed-in-experimental, and are now
being closed completely. That should have happened long ago.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835