Bug#271829: [Adduser-devel] Bug#271829: adduser deleted _all_ files on my disk from a 'dpkg --purge command'

Wed, 15 Sep 2004 23:12:16 +0200

On Wed, Sep 15, 2004 at 18:04:40 +0200, Marc Haber wrote:
> 
> On Wed, Sep 15, 2004 at 04:38:20PM +0200, Ernst Kloppenburg wrote:
> > 
[...]
> > My conclusion would be that either 
> > - deluser should check that 'home' is reasonable
> 
> Define "reasonable".
> 

I suggest that deluser refuses to 'rm -rf /' which is
definitely not reasonable. 

If somebody types 'rm -rf /' himself, he made a decision. But with
adduser this can happen by accident. This risk is not neglectable and
not limited to my amavis-experience. For example, on my current
sarge/sid system the command 'deluser --remove-home telnetd' would
again delete everything. And I definitely did not change the telnetd
home in passwd myself.

Therefore I do think something needs to be done about this to take
this risk out of debian. 

And I also think this is more important than 'severity wishlist'.

> > or
> > - deluser should always be called with the '--home' option in package
> >   removal scripts
> 
> That is an issue with other packages. Or do you suggest that adduser
> won't remove any home dir without --home being explicitly given?
> 
> What exactly is the fix you're suggesting without breaking existing
> packages?

I tried to suggest an alternative fix in case changing adduser would
not be considered. 

This fix would be to require package scripts not to use 'deluser' without
specifying '--home'. This suggestion of course does not apply to
adduser, but to the packaging policies.

But making deluser itself refuse to delete '/' would of course be much
easier and more effective.

Ernst

-- 
Ernst Kloppenburg
Stuttgart, Germany