[Pkg-net-snmp-devel] Bug#911132: Bug#911132: snmpd: Upgrading the snmpd package removes system user named "snmp"

Craig Small csmall at debian.org
Thu Oct 18 23:52:22 BST 2018

On Tue, 16 Oct. 2018, 19:03 Salvatore Bonaccorso, <carnil at debian.org> wrote:

> This though might not be safe in each variant/setup, as your usecase
> shows.
I think the assumption that the SNMP system user and group are always
created by an old snmpd package is something we can increasingly say is

There is no hard requirement to remove users and we have the situation
where this user may not even be "owned" by the package.

I see two solutions here:
a) Never remove the SNMP user and group
b) Only remove them if it's an upgrade and the previous snmpd version was
before the username change.

a is real simple but may leave some old config

b doesn't catch everything but means that the user only gets deleted during
the transition. So if the system user is used by snmpd and something
locally it still gets deleted.

I'll look into what versions of snmpd we have. I see the second option only
useful if stable has the old username.

My intention is to release a new SNMP set of packages late this weekend to
fix the security bug, so ideally I'll fix this too.

 - Craig

Craig Small             https://dropbear.xyz/     csmall at : dropbear.xyz
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees at social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-net-snmp-devel/attachments/20181019/80e8b8e2/attachment.html>

More information about the Pkg-net-snmp-devel mailing list