On Tue, 16 Oct. 2018, 19:03 Salvatore Bonaccorso, <car...@debian.org> wrote:
> > This though might not be safe in each variant/setup, as your usecase > shows. > I think the assumption that the SNMP system user and group are always created by an old snmpd package is something we can increasingly say is wrong. There is no hard requirement to remove users and we have the situation where this user may not even be "owned" by the package. I see two solutions here: a) Never remove the SNMP user and group b) Only remove them if it's an upgrade and the previous snmpd version was before the username change. a is real simple but may leave some old config b doesn't catch everything but means that the user only gets deleted during the transition. So if the system user is used by snmpd and something locally it still gets deleted. I'll look into what versions of snmpd we have. I see the second option only useful if stable has the old username. My intention is to release a new SNMP set of packages late this weekend to fix the security bug, so ideally I'll fix this too. - Craig -- Craig Small https://dropbear.xyz/ csmall at : dropbear.xyz Debian GNU/Linux https://www.debian.org/ csmall at : debian.org Mastodon: @smalls...@social.dropbear.xyz Twitter: @smallsees GPG fingerprint: 5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5
