#629623 'new global config option "don't reuse user IDs that have been used once already"

Package:
gosa
Source:
gosa
Submitter:
Klaus Ade Johnstad
Date:
2026-03-12 16:39:01 UTC
Severity:
important
Tags:
#629623#5
Date:
2011-06-08 08:06:43 UTC
From:
To:
When I delete a user, the next created user gets his uid and guid.
This gives the newly created user access to all the files of the former
deleted user that he has stored in places such as /tmp/ /var/tmp
/var/spool/mail and other places.

This is what it looks like:
I create the user testes:
root@tjener:/skole/tjener/home0# ls -dln testes
drwxr-xr-x 3 1003 1003  4096  8 juni  09:47 testes
Then I delete the user testes and create the user klakla:
root@tjener:/skole/tjener/home0# ls -dln klakla
drwxr-xr-x 3 1003 1003 4096  8 juni  09:52 klakla

Both users get 1003:1003

#629623#12
Date:
2013-07-15 14:52:02 UTC
From:
To:
control: tags -1 + security moreinfo
control: severity -1 important

Hi,

./share/debian-edu-config/tools/gosa-remove (now? but opposed as said in msg=7
of this bug) also moves the home dir away, so the worst impact of this should
be covered by now. Still reusing uids seems like a very bad idea to me.


cheers,
	Holger

#629623#26
Date:
2018-10-01 09:40:55 UTC
From:
To:
control: reassign -1 gosa
control: retitle -1 'new global config option "don't reuse user IDs that have been used once already"
thanks

< sunweaver> about #629623: It is a permission issue in GOsa that debian-edu-config should fix during TJENER bootstrap.
zwiebelbot- | (#debian-edu) Debian#629623: gosa: uid and guid of deleted users are reused. -  https://bugs.debian.org/629623
< sunweaver> GOsa allows user removal, fine for some setups.
< sunweaver> For schools, I agree with Klaus Ade, that we should not remove user accounts.
< sunweaver> but that is also differing between school setups I sense.
< sunweaver> the upcoming schoolmanager plugin (maybe for buster in a very raw, but working version), the non-removal of
             users is part of the concept.
< sunweaver> of course, this could also be addressed in GOsa, but that is an upstream thing.
< sunweaver> global configuration option "really remove users" vs. "archive users when removed".
< sunweaver> or simply... another global config option "don't reuse user IDs that have been used once already"
< sunweaver> the last approach would require reassigning to gosa and I guess the patch could be quite minimal.
< sunweaver> | h01ger: ^
<    h01ger> | sunweaver: can you resend that to the bug please? or should i copynpaste irc?
< sunweaver> pls copy+paste IRC.

I like the last option best (though/and I think it should be the default),
thus reassigning. Thanks!
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
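
The reuse reported at the top of this bug, next to the "don't reuse user IDs that have been used once already" option proposed in the last message, as an added example that is not GOsa or debian-edu-config code. The `Directory` class, the `reuse_ids` switch, the three filler accounts and the leftover file paths are hypothetical or constructed; only the logins `testes` and `klakla` and the uid 1003 come from the report.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Toy account directory; class and option names are hypothetical."""
    reuse_ids: bool = True                       # hypothetical config switch
    min_uid: int = 1000
    active: dict = field(default_factory=dict)   # login -> uid
    retired: set = field(default_factory=set)    # uids of deleted accounts

    def add(self, login: str) -> int:
        taken = set(self.active.values())
        if not self.reuse_ids:
            taken |= self.retired                # used once: reserved for good
        uid = self.min_uid
        while uid in taken:                      # lowest free id wins
            uid += 1
        self.active[login] = uid
        return uid

    def delete(self, login: str) -> None:
        self.retired.add(self.active.pop(login))  # must be persisted in practice


def inherited_files(files: dict, directory: Directory) -> dict:
    """files: path -> (owner uid, creating login); returns login -> inherited paths."""
    by_uid = {uid: login for login, uid in directory.active.items()}
    hits: dict = {}
    for path, (uid, creator) in sorted(files.items()):
        login = by_uid.get(uid)
        if login is not None and login != creator:
            hits.setdefault(login, []).append(path)
    return hits


def scenario(reuse_ids: bool):
    d = Directory(reuse_ids=reuse_ids)
    for login in ("user1", "user2", "user3"):    # constructed filler accounts
        d.add(login)
    old = d.add("testes")
    files = {"/var/spool/mail/testes": (old, "testes"),   # constructed files
             "/tmp/testes.txt": (old, "testes")}
    d.delete("testes")
    new = d.add("klakla")
    return old, new, inherited_files(files, d)


if __name__ == "__main__":
    print(scenario(True), scenario(False))
```

With reuse enabled, `klakla` receives 1003 and owns both leftover files by number alone; with reuse disabled, `klakla` receives 1004 and the files stay orphaned until an administrator deals with them.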