[Pkg-net-snmp-devel] Bug#911132: snmpd: Upgrading the snmpd package removes system user named "snmp"
Salvatore Bonaccorso
carnil at debian.org
Tue Oct 16 09:01:53 BST 2018
Control: found -1 5.7.3+dfsg-1.1
Hi Ramon,
On Tue, Oct 16, 2018 at 09:21:56AM +0200, Ramon Cahenzli wrote:
> Package: snmpd
> Version: 5.7.3+dfsg-1.7+deb9u1
> Severity: normal
>
> Dear Maintainer,
>
> The snmp package appears to remove any system user named "snmp"
> whenever it is upgraded.
>
> How to reproduce:
>
> 1. Downgrade your snmpd package (e.g. by removing the package,
> removing the security repository and installing the package
> again from the main repository)
>
> 2. Create a system user called "snmp"
>
> 3. Add the security repository, apt-get update and apt-get upgrade.
> Observe that the snmpd package will be upgraded.
>
> 4. Observe that the user "snmp" is gone from the system.
>
> The expected outcome would be that the user "snmp" still exists.
>
> Ever since the migration to the user "Debian-snmp", admins may be using
> users called "snmp" for other purposes than what Debian-snmp is
> intended for, so snmpd shouldn't remove these users.
This seems to have been on purpose since the change from snmp to
Debian-snmp https://salsa.debian.org/debian/net-snmp/commit/deed97ccd6178302f2cda6e98dc2db6416fba3c0
The intention seems to have been, that if it is a system user, then it
was created by the package, and can be as well removed.
This though might not be safe in each variant/setup, as your usecase
shows.
Regards,
Salvatore
More information about the Pkg-net-snmp-devel
mailing list