Adduser devel - Oct 2006 - Bug#390457: adduser: deluser --system should be configurable to not delete the account

Package: adduser
Version: 3.97
Severity: wishlist

Hi,

I''d like to see deluser --system having a configuration option which
would prevent an account from actually being deleted. That way, a
local administrator could make sure that UIDs are not being re-used.

If this option is enabled, deluser --system would set the shell to
/bin/false and invalidate the password (I am not sure whether the
password should be destroyed or invalidated in a reversible way).

The default would, of course, be current behavior with actually
deleting the account.

Greetings
Marc

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, ''unstable''), (500,
''stable'')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13-zgsrv
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages adduser depends on:
ii  debconf [debconf-2.0]       1.5.5        Debian configuration management sy
ii  passwd                      1:4.0.18.1-3 change and administer password and
ii  perl-base                   5.8.8-6.1    The Pathologically Eclectic Rubbis

adduser recommends no packages.

-- debconf information excluded

This one time, at band camp, Marc Haber said:
> I''d like to see deluser --system having a configuration option
which
> would prevent an account from actually being deleted. That way, a
> local administrator could make sure that UIDs are not being re-used.
> 
> If this option is enabled, deluser --system would set the shell to
> /bin/false and invalidate the password (I am not sure whether the
> password should be destroyed or invalidated in a reversible way).
> 
> The default would, of course, be current behavior with actually
> deleting the account.
This is repeating logic already available (chsh and passwd -l) that
don''t really buy all that much security.  passwd -l doesn''t
prevent key
based logins, for instance.

I''d rather see the logic work another way:

Add a --permanent flag to adduser, which writes the uid to a state file.
Make deluser exit 0 (or some specific non-zero) if called for a uid in that
file.
Add --force to deluser to override it.

Maintainers could then individually decide if they think the accounts
they set up are sensitive enough to be worth preserving, and call chsh
and passwd -l themselves in postrm, or, maybe better:

if deluser $user; then
  if [ $? = 6 ]; then
    chsh -s /bin/false $user
    passwd -l $user
  else
    ...
  fi
fi

This would mean making deluser return something non-zero, and
documenting how to use it for maintainer scripts.  This would allow the
local admin to easily override maintainer decisions about what uid''s
are
too important to remove.

I''m open to other suggestions, but that''s how I see it.

Take care,
-- 
 -----------------------------------------------------------------
|   ,''''`.                                            Stephen
Gran |
|  : :'' :                                        sgran@debian.org |
|  `. `''                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20061002/71d90f1b/attachment.pgp

On Mon, Oct 02, 2006 at 08:43:26PM +0100, Stephen Gran
wrote:
> This one time, at band camp, Marc Haber said:
> > I''d like to see deluser --system having a configuration
option which
> > would prevent an account from actually being deleted. That way, a
> > local administrator could make sure that UIDs are not being re-used.
> > 
> > If this option is enabled, deluser --system would set the shell to
> > /bin/false and invalidate the password (I am not sure whether the
> > password should be destroyed or invalidated in a reversible way).
> > 
> > The default would, of course, be current behavior with actually
> > deleting the account.
> 
> This is repeating logic already available (chsh and passwd -l) that
> don''t really buy all that much security.
deluser would do its work by invoking chsh and password -l.
> Add a --permanent flag to adduser, which writes the uid to a state file.
> Make deluser exit 0 (or some specific non-zero) if called for a uid in that
file.
> Add --force to deluser to override it.
That would mean touching a lot of packages.
> Maintainers could then individually decide if they think the accounts
> they set up are sensitive enough to be worth preserving, and call chsh
> and passwd -l themselves in postrm, or, maybe better:
> 
> if deluser $user; then
>   if [ $? = 6 ]; then
>     chsh -s /bin/false $user
>     passwd -l $user
>   else
>     ...
>   fi
> fi
The idea of adduser and deluser is to move complexity needed in
maintainer scripts to adduser and deluser. What you are suggesting is
adding eight lines of code to a lot of maintainer scripts. I do not
like that idea as bugs in that code are going to show up and need to
be fixed in a gazillion of packages.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835