Bug 32536

Summary: apache13+mod_ssl deletes www user on pkg_delete
Product: Ports & Packages Reporter: Vivek Khera <khera>
Component: Individual Port(s)Assignee: Andrey A. Chernov <ache>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Vivek Khera 2001-12-05 17:00:01 UTC 
	

In a *major* violation of POLA, when I went to upgrade apache +
mod_ssl the other day, it removed and then recreated the www user
account.  However, the UID changed from what it was, the home dir
changed, login class changed, and group memberships were lost.
Bascially, it screwed my environment.  Luckily, it was only a
development server, and it asked me before deleting the crontab file.

What is the point of unilaterally deleting the existing www user
account on deletion of the package?  It just seems wrong.

As a reference, the mail/postfix-current port uses a "postfix" user
account, yet doesn't delete it when the package is deleted.  This
makes for easy upgrades.  At worst, it should ask if the user should
be deleted.

Fix: 

Get rid of the pkg-deinstall script, please!!!
How-To-Repeat: 	
pkg_delete the package.
Comment 1 Jun Kuriyama 2001-12-07 14:07:11 UTC 
Ache, what do you think about this?

At Wed, 5 Dec 2001 17:00:10 +0000 (UTC),
Vivek Khera wrote:
> In a *major* violation of POLA, when I went to upgrade apache +
> mod_ssl the other day, it removed and then recreated the www user
> account.  However, the UID changed from what it was, the home dir
> changed, login class changed, and group memberships were lost.
> Bascially, it screwed my environment.  Luckily, it was only a
> development server, and it asked me before deleting the crontab file.
> 
> What is the point of unilaterally deleting the existing www user
> account on deletion of the package?  It just seems wrong.
> 
> As a reference, the mail/postfix-current port uses a "postfix" user
> account, yet doesn't delete it when the package is deleted.  This
> makes for easy upgrades.  At worst, it should ask if the user should
> be deleted.


-- 
Jun Kuriyama <kuriyama@imgsrc.co.jp> // IMG SRC, Inc.
             <kuriyama@FreeBSD.org> // FreeBSD Project
Comment 2 Андрей Чернов 2001-12-07 14:08:29 UTC 
On Fri, Dec 07, 2001 at 23:07:11 +0900, Jun Kuriyama wrote:
> 
> Ache, what do you think about this?

I plan to fix it.

> 
> At Wed, 5 Dec 2001 17:00:10 +0000 (UTC),
> Vivek Khera wrote:
> > In a *major* violation of POLA, when I went to upgrade apache +
> > mod_ssl the other day, it removed and then recreated the www user
> > account.  However, the UID changed from what it was, the home dir
> > changed, login class changed, and group memberships were lost.
> > Bascially, it screwed my environment.  Luckily, it was only a
> > development server, and it asked me before deleting the crontab file.
> > 
> > What is the point of unilaterally deleting the existing www user
> > account on deletion of the package?  It just seems wrong.
> > 
> > As a reference, the mail/postfix-current port uses a "postfix" user
> > account, yet doesn't delete it when the package is deleted.  This
> > makes for easy upgrades.  At worst, it should ask if the user should
> > be deleted.
> 
> 
> -- 
> Jun Kuriyama <kuriyama@imgsrc.co.jp> // IMG SRC, Inc.
>              <kuriyama@FreeBSD.org> // FreeBSD Project

-- 
Andrey A. Chernov
http://ache.pp.ru/
Comment 3 Pete Fritchman freebsd_committer freebsd_triage 2001-12-07 22:35:14 UTC 
Responsible Changed
From-To: freebsd-ports->ache

ache said he was going to commit a fix.
Comment 4 Andrey A. Chernov freebsd_committer freebsd_triage 2001-12-07 23:12:58 UTC 
State Changed
From-To: open->closed

Fix committed