[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master] 2 commits: Stop deleting system user on remove/purge
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Thu May 28 14:28:46 BST 2026
Timo Aaltonen pushed to branch master at FreeIPA packaging / 389-ds-base
Commits:
b72f8abd by Luca Boccassi at 2026-05-26T21:29:59+01:00
Stop deleting system user on remove/purge
This is widely considered bad practice, as the kernel recycles
UIDs/GIDs. So any potential leftover file/directory can then become
owned by the next user/group that gets added, with unpredictable
consequences.
- - - - -
09ee1d3c by Luca Boccassi at 2026-05-26T21:33:37+01:00
Install and use sysusers.d/tmpfiles.d config files
sysusers.d/tmpfiles.d config files allow a package to use declarative
configuration instead of manually written maintainer scripts. This also
allows image-based systems to be created with /usr/ only, and also
allows for factory resetting a system and recreating /etc/ on boot.
https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html
https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html
- - - - -
6 changed files:
- − debian/389-ds-base.dirs
- debian/389-ds-base.postinst
- debian/389-ds-base.postrm
- + debian/389-ds-base.sysusers
- + debian/389-ds-base.tmpfiles
- debian/control
Changes:
=====================================
debian/389-ds-base.dirs deleted
=====================================
@@ -1,2 +0,0 @@
-var/log/dirsrv
-var/lib/dirsrv
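Review bot: with both entries dropped from the .dirs file, /var/log/dirsrv and /var/lib/dirsrv are no longer shipped in the package, so dpkg neither creates nor tracks them. They exist only once the tmpfiles.d snippet has been applied, and cleanup falls entirely to postrm. The purge branch visible in this push removes /etc/dirsrv and /var/lib/dirsrv; please confirm /var/log/dirsrv is handled there too.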
=====================================
debian/389-ds-base.postinst
=====================================
@@ -3,24 +3,8 @@ set -e
. /usr/share/debconf/confmodule
-CONFIG_DIR=/etc/dirsrv
-OUT=/dev/null
INSTANCES=`ls -d /etc/dirsrv/slapd-* 2>/dev/null | grep -v removed | sed 's/.*slapd-//'`
-if [ "$1" = configure ]; then
- # lets give them a user/group in all cases.
- if ! getent passwd dirsrv > $OUT; then
- adduser --quiet --system --home /var/lib/dirsrv \
- --disabled-password --group \
- --gecos "389 Directory Server user" \
- --no-create-home \
- dirsrv > $OUT
- fi
-
- chown -R dirsrv:dirsrv /etc/dirsrv/ /var/log/dirsrv/ /var/lib/dirsrv/ > $OUT || true
- chmod 750 /etc/dirsrv/ /var/log/dirsrv/ /var/lib/dirsrv/ > $OUT || true
-fi
-
invoke_failure() {
# invoke-rc.d failed, likely because no instance has been configured yet
# but exit with an error if an instance is configured and the invoke failed
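Review bot: the removed `configure` block ran ahead of everything else in the script, so the dirsrv account and the 0750 directories were guaranteed to be in place before the instance handling that starts at `INSTANCES=`. Nothing in this hunk replaces that guarantee, so it now depends on where the debhelper-generated sysusers and tmpfiles snippets are inserted. Please confirm they land ahead of the `invoke_failure` logic, and add a short comment here saying the user and directories now come from the sysusers.d/tmpfiles.d files.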
=====================================
debian/389-ds-base.postrm
=====================================
@@ -4,9 +4,6 @@ set -e
. /usr/share/debconf/confmodule
if [ "$1" = "purge" ]; then
- if getent group dirsrv > /dev/null; then
- deluser --system dirsrv || true
- fi
rm -f /etc/systemd/system/dirsrv.target.wants/dirsrv@*.service
rm -rf /etc/dirsrv
rm -rf /var/lib/dirsrv
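Review bot: nothing in the purge branch now records that the dirsrv account is left behind on purpose. Add a one-line comment where the `deluser --system dirsrv || true` block was, stating that the account is intentionally retained because UIDs/GIDs get recycled, so a later cleanup does not reintroduce the deletion. The reasoning currently lives only in the commit message.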
=====================================
debian/389-ds-base.sysusers
=====================================
@@ -0,0 +1 @@
+u! dirsrv - "389 Directory Server user" /var/lib/dirsrv
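Review bot: the `u!` modifier on the added line is a recent addition to sysusers.d, and no versioned systemd dependency shows up in the debian/control hunks, so a systemd-sysusers that predates it will reject the line at configure time. It also creates the account fully locked, which is stricter than the `--disabled-password` account the old postinst made. On upgrades, where dirsrv already exists, sysusers leaves the existing entry alone, so only fresh installs get the locked form. Worth stating that in the changelog if the locking is intended as hardening.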
=====================================
debian/389-ds-base.tmpfiles
=====================================
@@ -0,0 +1,3 @@
+Z /etc/dirsrv 0750 dirsrv dirsrv
+d /var/lib/dirsrv 0750 dirsrv dirsrv
+d /var/log/dirsrv 0750 dirsrv dirsrv
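Review bot: `Z /etc/dirsrv 0750 dirsrv dirsrv` is recursive for the mode as well as the ownership, whereas the old postinst ran `chown -R` but a non-recursive `chmod 750` on the top-level directories only. As written, every tmpfiles run resets the mode of everything under /etc/dirsrv, which can loosen files an instance deliberately keeps tighter (key or password files, for example). Consider `Z /etc/dirsrv - dirsrv dirsrv` for ownership plus a separate `d` or `z` line for the 0750 on the directory itself. In the other direction, the two `d` lines adjust only /var/lib/dirsrv and /var/log/dirsrv themselves, so the recursive ownership fix the old `chown -R` applied to their contents is gone; say so if that is intended.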
=====================================
debian/control
=====================================
@@ -10,6 +10,7 @@ Build-Depends:
debhelper-compat (= 13),
dh-cargo,
dh-python,
+ dh-sequence-installsysusers,
doxygen,
libbz2-dev,
libcrack2-dev,
@@ -123,7 +124,6 @@ Architecture: any
Pre-Depends: debconf (>= 0.5) | debconf-2.0
Depends:
389-ds-base-libs (= ${binary:Version}),
- adduser,
acl,
ldap-utils,
libsasl2-modules-gssapi-mit,
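Review bot: dropping `adduser` from Depends matches the removal of the adduser/deluser calls, but the lines shown here do not show what now pulls in a sysusers/tmpfiles implementation at configure time. Please confirm `${misc:Depends}` is present in this stanza so the dependency generated by the debhelper helpers is picked up. Otherwise the package can be configured on a system where the dirsrv user never gets created.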
View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/5f05321422f3abcbdff74e3fdddae1e6a2197751...09ee1d3c079b9f93b2424254d7bc84b3284df8f6