Subject: pkg/17049: pkg system modifies password database on its own
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@mines.edu>
List: netbsd-bugs
Date: 05/26/2002 12:02:28 
>Number:         17049
>Category:       pkg
>Synopsis:       pkg system modifies password database on its own
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun May 26 11:03:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Jim Bernard
>Release:        NetBSD-current pkgsrc as of Sun May 26 10:29:53 UTC 2002
>Organization:
>Environment:
System: NetBSD zoo 1.5ZB NetBSD 1.5ZB (ZOO-$Revision: 1.70 $) #0: Sun Mar 10 14:35:50 MST 2002 jim@roc:/wd1/var/tmp/compile/sys/arch/i386/compile/ZOO i386
Architecture: i386
Machine: i386
>Description:
	I just updated qpopper, on account of the notification from
	audit-packages about security holes in an earlier version, and
	I discovered to my great dismay that the installation added
	an entry to my password database.  This is apparently done under
	the control of the mk/bsd.pkg.install.mk file, which has clearly
	been around for a while, but I guess I haven't added any packages
	that made use of it until now.

	I must object most strenuously to this practice.  The installation
	of a package should never alter the operational configuration of
	the system.  That should be left up to the system administrator.
	The installation didn't even notify me that it had made the addition.
	(Examination of the "fine print" in the build log reveals some output
	from useradd, but it's buried amid the forest of other messages.)
	Nor did it give me the opportunity to choose the userid of the user
	it wanted to add.

	I often install packages just to have a look at the functionality
	that they provide, with no decision made at installation time as to
	whether I will ever actually run the software.  I do not want packages
	to set themselves up to run automatically, nor do I want them to
	alter system configuration files, especially the password database.

>How-To-Repeat:
	Install, e.g., mail/qpopper.  Notice the alteration of the
	password database, as well as the addition of apop.auth.db and
	usermgmt.conf to /etc.

>Fix:
	Disable this feature by default.  Perhaps it would be reasonable
	to provide a switch in mk.conf that could turn it on, but it really
	should not be on by default.
>Release-Note:
>Audit-Trail:
>Unformatted: