[arch-dev-public] [signoff] man-db 2.5.3-1 replacing man
Dan McGee
dpmcgee at gmail.com
Thu Feb 19 08:27:01 EST 2009
On Thu, Feb 19, 2009 at 2:36 AM, Jan de Groot <jan at jgc.homeip.net> wrote:
> On Wed, 2009-02-18 at 23:10 +0100, Andreas Radke wrote:
>> I didn't want to add a new system user "man" as the community package
>> does. It seems to run fine without serious security concerns for me. If
>> you think different feel free to drop a mail here.
> chown -R man.users -> chown -R man:users. The . syntax is not POSIX
> compliant and I still have no idea why linux accepts this bullshit
> post_remove: you remove the man user, which leaves a /var/cache/man
> directory with files owned by an unknown user. This is a security bug,
> as the user is created with a >1000 userid also. When adding a new user
> afterwards, the user owns /var/cache/man. Either don't remove the user
> on post_remove, or delete /var/cache/man with it.
Don't Andy's and Jan's words here contradict with regard to creating a man user?
-Dan
More information about the arch-dev-public
mailing list