RPM spec: home directory name/location, user/group delete on uninstall
15 views
Skip to first unread message
Eric Smith
Nov 23, 2009, 3:50:53 PM11/23/09
to neatx
I'm just trying out neatx now, and it is nice to see that there's an
RPM spec file for it. The RPM spec mostly looks good, but I think
there are two minor issues with it.
In the RPM, I don't think it's a good idea to have the nx user home
directory hidden (/home/.nx), and I don't think RPMs should create
directories in /home. Most RPM-created users have home directories
in /usr/share or /var, but I don't think /usr/share is appropriate
since the .ssh directory obviously shouldn't be shared, and /var isn't
appropriate since .ssh is effectively part of configuration. I think
it should probably be /usr/lib/neatx.
There should also be a postun script to delete the user and group, and
possibly the home directory.
Best regards,
Eric
RPM spec file for it. The RPM spec mostly looks good, but I think
there are two minor issues with it.
In the RPM, I don't think it's a good idea to have the nx user home
directory hidden (/home/.nx), and I don't think RPMs should create
directories in /home. Most RPM-created users have home directories
in /usr/share or /var, but I don't think /usr/share is appropriate
since the .ssh directory obviously shouldn't be shared, and /var isn't
appropriate since .ssh is effectively part of configuration. I think
it should probably be /usr/lib/neatx.
There should also be a postun script to delete the user and group, and
possibly the home directory.
Best regards,
Eric
Alexander Todorov
Nov 24, 2009, 5:50:03 AM11/24/09
to ne...@googlegroups.com
Eric Smith wrote:
> I'm just trying out neatx now, and it is nice to see that there's an
> RPM spec file for it. The RPM spec mostly looks good, but I think
> there are two minor issues with it.
>
> In the RPM, I don't think it's a good idea to have the nx user home
> directory hidden (/home/.nx), and I don't think RPMs should create
> directories in /home. Most RPM-created users have home directories
> in /usr/share or /var, but I don't think /usr/share is appropriate
> since the .ssh directory obviously shouldn't be shared, and /var isn't
> appropriate since .ssh is effectively part of configuration. I think
> it should probably be /usr/lib/neatx.
>
I agree. I've put the home directory under /home/.nx because otherwise SELinux
> I'm just trying out neatx now, and it is nice to see that there's an
> RPM spec file for it. The RPM spec mostly looks good, but I think
> there are two minor issues with it.
>
> In the RPM, I don't think it's a good idea to have the nx user home
> directory hidden (/home/.nx), and I don't think RPMs should create
> directories in /home. Most RPM-created users have home directories
> in /usr/share or /var, but I don't think /usr/share is appropriate
> since the .ssh directory obviously shouldn't be shared, and /var isn't
> appropriate since .ssh is effectively part of configuration. I think
> it should probably be /usr/lib/neatx.
>
was not creating the proper context for it and the files under it. I didn't find
a way how to fix it. If you do please send a patch.
> There should also be a postun script to delete the user and group, and
> possibly the home directory.
>
that use the same user/group or home directory. There could be some files in the
home directory (probably written there by mistake) which should not be deleted
before examined. There's no perfect solution to this but leaving a dangling user
account (a system account) is better than deleting it without making sure it's
not in use.
--
Alexander.
Eric Smith
Nov 24, 2009, 7:02:45 PM11/24/09
to neatx
> I agree. I've put the home directory under /home/.nx because otherwise SELinux
> was not creating the proper context for it and the files under it. I didn't find
> a way how to fix it. If you do please send a patch.
I have had so many problems with SELinux that I ended up disabling
> was not creating the proper context for it and the files under it. I didn't find
> a way how to fix it. If you do please send a patch.
it. I guess an SELinux expert will have to help with this.
Was it putting it under /home, or naming it with a leading dot, that
made SELinux do the right thing? Or were both required?
> > There should also be a postun script to delete the user and group, and
> > possibly the home directory.
>
> Nope, that's wrong. You can't be certain if there are other files or programs
> that use the same user/group or home directory. There could be some files in the
> home directory (probably written there by mistake) which should not be deleted
> before examined. There's no perfect solution to this but leaving a dangling user
> account (a system account) is better than deleting it without making sure it's
> not in use.
neatx server in the postinstall script, nothing else should be dumping
files in there. If you look at other Fedora and RHEL packages that
create a package-specific user and group, they delete them on
uninstall. I think this may even be part of the Fedora packaging
guidelines, but I haven't checked.
Best regards,
Eric
Alexander Todorov
Nov 25, 2009, 2:23:00 AM11/25/09
to ne...@googlegroups.com
Eric Smith wrote:
>> I agree. I've put the home directory under /home/.nx because otherwise SELinux
>> was not creating the proper context for it and the files under it. I didn't find
>> a way how to fix it. If you do please send a patch.
>
> I have had so many problems with SELinux that I ended up disabling
> it. I guess an SELinux expert will have to help with this.
>
> Was it putting it under /home, or naming it with a leading dot, that
> made SELinux do the right thing? Or were both required?
>
Putting it under /home made it use the proper SELinux context automatically. The
>> I agree. I've put the home directory under /home/.nx because otherwise SELinux
>> was not creating the proper context for it and the files under it. I didn't find
>> a way how to fix it. If you do please send a patch.
>
> I have had so many problems with SELinux that I ended up disabling
> it. I guess an SELinux expert will have to help with this.
>
> Was it putting it under /home, or naming it with a leading dot, that
> made SELinux do the right thing? Or were both required?
>
dot was not required. It's mainly to avoid visual clutter.
>>> There should also be a postun script to delete the user and group, and
>>> possibly the home directory.
>> Nope, that's wrong. You can't be certain if there are other files or programs
>> that use the same user/group or home directory. There could be some files in the
>> home directory (probably written there by mistake) which should not be deleted
>> before examined. There's no perfect solution to this but leaving a dangling user
>> account (a system account) is better than deleting it without making sure it's
>> not in use.
>
> I disagree. If you're dynamically creating the user and group for the
> neatx server in the postinstall script, nothing else should be dumping
> files in there. If you look at other Fedora and RHEL packages that
> create a package-specific user and group, they delete them on
> uninstall.
> I think this may even be part of the Fedora packaging
> guidelines, but I haven't checked.
>
<quote>
We never remove users or groups created by packages. There's no sane way to
check if files owned by those users/groups are left behind (and even if there
would, what would we do to them?), and leaving those behind with ownerships
pointing to now nonexistent users/groups may result in security issues when a
semantically unrelated user/group is created later and reuses the UID/GID. Also,
in some setups deleting the user/group might not be possible or/nor desirable
(eg. when using a shared remote user/group database). Cleanup of unused
users/groups is left to the system administrators to take care of if they so
desire.
</quote>
[1] https://fedoraproject.org/wiki/Packaging:UsersAndGroups
--
Alexander.
Duncan
Dec 9, 2009, 5:44:01 AM12/9/09
to neatx
From my experience (and I'm by no means an expert), SELinux does
indeed create the right context when users are created in /home. A
policy should be created, however, to provide the right contexts etc
to the home directory and have it created elsewhere. This is just
what I see from my experiences with SELinux. I never turn it off -
may leave it in permissive mode. This forces me to fix the issues
that it suggests and to write my software using methods & contexts
that it deems safe.
As for removing users/groups - I'm with the "leave them in there"
camp. Trying to verify all files were OK to remove would be a sure
fire way to lose sanity quickly.
I'd definitely stick the home directory somewhere other than /home
though - I'll poke around with SELinux to see if I can help. As I
said, though, I'm no expert!
Duncan
indeed create the right context when users are created in /home. A
policy should be created, however, to provide the right contexts etc
to the home directory and have it created elsewhere. This is just
what I see from my experiences with SELinux. I never turn it off -
may leave it in permissive mode. This forces me to fix the issues
that it suggests and to write my software using methods & contexts
that it deems safe.
As for removing users/groups - I'm with the "leave them in there"
camp. Trying to verify all files were OK to remove would be a sure
fire way to lose sanity quickly.
I'd definitely stick the home directory somewhere other than /home
though - I'll poke around with SELinux to see if I can help. As I
said, though, I'm no expert!
Duncan
Reply all
Reply to author
Forward
0 new messages