Date: Wed, 5 Dec 2001 11:58:46 -0500 (EST)
From: Vivek Khera <khera@kciLink.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/32536: apache13+mod_ssl deletes www user on pkg_delete
Message-ID: <200112051658.fB5GwjW96368@onceler.kciLink.com>

>Number: 32536
>Category: ports
>Synopsis: apache13+mod_ssl deletes www user on pkg_delete
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 05 09:00:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Vivek Khera
>Release: FreeBSD 4.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD onceler.kciLink.com 4.4-STABLE FreeBSD 4.4-STABLE #3: Wed Oct 17 12:01:32 EDT 2001 khera@yertle.kciLink.com:/u/yertle2/usr.obj/amd/onceler/u/onceler1/usr/src/sys/ONCELER i386

>Description:
In a *major* violation of POLA, when I went to upgrade apache + mod_ssl the other day, it removed and then recreated the www user account. However, the UID changed from what it was, the home dir changed, login class changed, and group memberships were lost. Basically, it screwed my environment. Luckily, it was only a development server, and it asked me before deleting the crontab file.

What is the point of unilaterally deleting the existing www user account on deletion of the package? It just seems wrong.

As a reference, the mail/postfix-current port uses a "postfix" user account, yet doesn't delete it when the package is deleted. This makes for easy upgrades. At worst, it should ask if the user should be deleted.

>How-To-Repeat:
pkg_delete the package.

>Fix:
Get rid of the pkg-deinstall script, please!!!

>Release-Note:
>Audit-Trail:
>Unformatted: