On 10/10/23 23:10, mail.sh@xxxxxxx wrote:
Users and groups created when installing some packages (avahi, usbmuxd) are not deleted along with its removal. Is it related to https://archlinux.org/todo/pacman-hooks-systemd-sysuserstmpfiles/ and requires some changes? Or should I always delete them manually?
There's a security reason for this. If you removed users and groups, but some file was still left (think stuff under /var, for example... or because you didn't pass -n to 'pacman -R'), that file would become "orphaned." An "orphan" file is a file that retains its UID and GID in its metadata, but those UID/GID numbers now don't correlate to any existing user/group. Now imagine a new user/group is created with that exact same UID/GID (e.g., possible to do using 'useradd -uo' and 'groupadd -go', respectively). All those files would fall under the ownership of that new user/group... which could open the way for non-desired access.
OTOH, this also makes reinstalling the software easier if files were left on the system. All previously owned files will be immediately accesible by the reinstalled software.
That's why removal of groups and users is left to the manual intervention of the sysadmins.
-- Ariadna Vigo
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
