<!ENTITY % dynamicdata SYSTEM "dynamic.ent" > %dynamicdata;
<!-- CVS revision of this document -->
- <!ENTITY cvs-rev "$Revision: 1.275 $">
+ <!ENTITY cvs-rev "$Revision: 1.280 $">
<!-- if you are translating this document, please notate the CVS
revision of the original developer's reference in cvs-en-rev -->
<sect2 id="bpp-create-sysuser">
<heading>Creating system users and groups
-<p>If you want to create system groups on package installatino you
+<p>If you want to create system groups on package installation you
need to create it in either the <em>preinst</em> or in the <em>postinst</em>
and have the package depend on <tt>adduser (>= 3.11)</tt>.
# create user to avoid running server as root
# 1. create group if not existing
if ! getent group | grep -q "^$SERVER_GROUP:" ; then
- echo -n "Adding group $SERVER_GROUP.."
- addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true
- echo "..done"
+ echo -n "Adding system group $SERVER_GROUP.."
+ addgroup --quiet --system $SERVER_GROUP
+ if ! getent group | grep -q "^$SERVER_GROUP:"; then
+ echo "..ERROR creating system group. Aborting installation."
+ exit 1
+ fi
+ echo "..done"
fi
# 2. create homedir if it does not exist
test -d $SERVER_HOME || mkdir $SERVER_HOME
--ingroup $SERVER_GROUP \
--no-create-home \
--disabled-password \
- $SERVER_USER 2>/dev/null || true
+ $SERVER_USER
+ if ! getent passwd | grep -q "^$SERVER_USER:"; then
+ echo "..ERROR creating system user. Aborting installation."
+ exit 1
+ fi
echo "..done"
# 4. adjust passwd entry, only do this if the package
- # creates the user
+ # creates the user
usermod -c "$SERVER_NAME" \
-d $SERVER_HOME \
-g $SERVER_GROUP \
$SERVER_USER
else
# The package might want to check if the user already exists
- # and it is *not* a system user, in this case it should abort
- # the installation (like in this example) or ask the administrator
- # since otherwrise it might have unexpected consequences.
- # Some packages try to prevent collision by using a prefix such as 'Debian-'
+ # and it is *not* a system user, in this case it could abort
+ # the installation (like in this example) or ask the administrator.
+ # Using a non-system user as the one in our package could
+ # have unexpected consequences.
+ # Some packages try to prevent this kind of collision by using
+ # a prefix such as 'Debian-'
for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
case $LINE in
FIRST_SYSTEM_UID*)
- FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
+ FIRST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
;;
LAST_SYSTEM_UID*)
LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
esac
done
# Abort package installation if the user has not been created by
- # us.
- if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
+ # us.
+ if [ -n "$FIRST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
if USERID=`getent passwd $SERVER_USER | cut -f 3 -d ':'`; then
if [ -n "$USERID" ]; then
- if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
+ if [ "$FIRST_SYSTEM_UID" -le "$USERID" ] && \
[ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
echo "The user $SERVER_USER already exists as a non system user!" >&2
echo "Aborting package installation" >&2
fi
fi
fi
- fi
+ fi
fi
# 5. adjust file and directory permissions
<item>Configuration files should be readable by the system user, if they
contain sensitive information the system user should not own them unless there
is a need for it to write to its own configuration files. Typically this means
-that the configuration files are owned by group, belong to the group of the
-system user and are mode 0640.
+that the configuration files are owned by root and by the system group created
+by the package and are mode 0640.
-<item>The system user if it generates state files (such as pidfiles) should
-have a directory under <tt>/var/run</tt> owned by it. This directory should be
-recreated by the init.d script since the state directory might be wiped out
-after a system boot.
+<item>If the The system user generates state files (such as pidfiles) it will
+need to have a directory under <tt>/var/run</tt> owned by itself. It can be
+created by the package maintainers script but, since it can be wiped after a
+system reboot, it should be be recreated by the init.d script since the state
+directory.
<item>If the daemon logs directly to <tt>/var/log</tt> logfiles should be
writable by the system user but, once rotated, they should not be either owned
or writable by it to prevent it from overwritting old log entries if a security
vulnerability in the software were to be used. If the daemon logs to a
-directory under <tt>/var/log/</tt> then it should be owned by the system user
-and rotated log files need not be changed ownership.
+directory under <tt>/var/log/</tt> then the directory should be owned by the
+system user and rotated log files need not be changed ownership.
</list>
<p>If the package creates the system user it can remove it when it is
purged in its <em>postrm</em> script. This currently <em>not</em> recommended
-since it has a few known
+for all situations since it has a few known
<footnote>
Some relevant threads discussing these issues include:
<url
for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
case $LINE in
FIRST_SYSTEM_UID*)
- FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
+ FIRST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
;;
LAST_SYSTEM_UID*)
LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
;;
+ FIRST_SYSTEM_GID*)
+ FIRST_SYSTEM_GID=`echo $LINE | cut -f2 -d '='`
+ ;;
+ LAST_SYSTEM_GID*)
+ LAST_SYSTEM_GID=`echo $LINE | cut -f2 -d '='`
+ ;;
*)
;;
esac
done
- else
- # Sane defaults
- FIRST_SYSTEM_UID=100
- LAST_SYSTEM_UID=499
- fi
+ fi
+ # Sane defaults
+ [ -z "$FIRST_SYSTEM_UID" ] && FIRST_SYSTEM_UID=100
+ [ -z "$LAST_SYSTEM_UID" ] && LAST_SYSTEM_UID=999
+ [ -z "$FIRST_SYSTEM_GID" ] && FIRST_SYSTEM_GID=100
+ [ -z "$LAST_SYSTEM_GID" ] && LAST_SYSTEM_GID=999
+
# Remove system account if it is a system user
CREATEDUSER="<var>server_user</var>"
- if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
+ if [ -n "$FIRST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
if USERID=`getent passwd $CREATEDUSER | cut -f 3 -d ':'`; then
if [ -n "$USERID" ]; then
- if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
+ if [ "$FIRST_SYSTEM_UID" -le "$USERID" ] && \
[ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
echo -n "Removing $CREATEDUSER system user.."
deluser --quiet $CREATEDUSER || true
fi
fi
fi
- # Remove system group if is a system group
- CREATEDGROUP=<var>server_group</var>
- if [ -r /etc/adduser.conf ] ; then
- FIRST_USER_GID=`grep ^USERS_GID /etc/adduser.conf | cut -f2 -d '='`
- else
- # Sane defaults
- FIRST_USER_GID=1000
- fi
- if [ -n "$FIST_USER_GID" ] then
+ # Remove system group if it is a system group
+ CREATEDGROUP=<var>server_group</var>
+ if [ -n "$FIRST_SYSTEM_GID" ] && [ -n "$LAST_SYSTEM_GID" ]; then
if GROUPGID=`getent group $CREATEDGROUP | cut -f 3 -d ':'`; then
if [ -n "$GROUPGID" ]; then
- if [ "$FIST_USER_GID" -gt "$GROUPGID" ]; then
+ if [ "$FIRST_SYSTEM_GID" -le "$GROUPID" ] && \
+ [ "$GROUPID" -le "$LAST_SYSTEM_GID" ]; then
echo -n "Removing $CREATEDGROUP group.."
delgroup --only-if-empty $CREATEDGROUP || true
echo "..done"
[...]
</example>
-<p>Other possibilities, are to make sure the account is locked (has an invalid
-password and <em>/bin/false</em> as a shell) and modify the GECOS field
+<p>Other possibilities, are making sure the account is locked (has an invalid
+password and <em>/bin/false</em> as a shell) and/or changing the GECOS field
pointing out that the account is no longer used.
+<!-- There is currently no consensus as to how any of the above should be
+ done in a way that would make it easy for administrators to locate
+ unused (but not removed) accounts -->
+
</sect1>
</sect>