[olug] Is there a rpm command to find the package that created a particular user or particular group?

Kevin sharpestmarble at gmail.com
Thu Jun 27 21:27:28 UTC 2013 

You'd also want to check and see if they modified the /etc/passwd file
directly. A service account shouldn't need the line in /etc/shadow since it
wouldn't log in, but it would also want to modify /etc/groups.


On Thu, Jun 27, 2013 at 4:12 PM, Christopher Cashell <topher-olug at zyp.org>wrote:

> On Thu, Jun 27, 2013 at 1:36 PM, Rob Townley <rob.townley at gmail.com>
> wrote:
>
> > Given a particular user or particular group, is there a rpm command that
> > returns what package created that particular user or particular group?
> >
> > Analogous to `rpm -q --whatprovides /etc/security/limits.conf` returns
> the
> > package "pam".
> > Is there an rpm command that returns what package generated a particular
> > user?
> >
>
> I don't think there is.  From what I remember of building RPMs, I believe
> user and group modifications are scripted free-form, typically in the
> *%pre*section.  They aren't specified in an easily queryiable
>
> As a result, you'd have to search all RPM scripts, and you'd have to catch
> every possible way a script might add/remove/modify users.  I would expect
> most of them use *useradd* and friends, but I wouldn't count on them all to
> be that simple.
>
> Most of us already know that the httpd package is associated with the user
> > apache.  But there are passwd and group entries that i would like to
> verify
> > and want to know exactly how they got on my system.  Further i would like
> > to know which the security implications of adding another group to a user
> > account.
> >
> > Something like the following command:
> > `rpm --query --user apache`              would return "httpd"
> > `rpm --query --group pulse-access`   might return pulseaudio
> >
>
> You can use *rpm -q --scripts <package>* to view the scripts for a single
> package, to see what it is doing.  For example:
>
> cpcashell at meta:~$ rpm -q --scripts httpd
> preinstall scriptlet (using /bin/sh):
> # Add the "apache" user
> getent group apache >/dev/null || groupadd -g 48 -r apache
> getent passwd apache >/dev/null || \
>   useradd -r -u 48 -g apache -s /sbin/nologin \
>     -d /var/www -c "Apache" apache
> exit 0
> postinstall scriptlet (using /bin/sh):
> # Register the httpd service
> /sbin/chkconfig --add httpd
> /sbin/chkconfig --add htcacheclean
> preuninstall scriptlet (using /bin/sh):
> if [ $1 = 0 ]; then
>         /sbin/service httpd stop > /dev/null 2>&1
>         /sbin/chkconfig --del httpd
>         /sbin/service htcacheclean stop > /dev/null 2>&1
>         /sbin/chkconfig --del htcacheclean
> fi
> posttrans scriptlet (using /bin/sh):
> test -f /etc/sysconfig/httpd-disable-posttrans || \
>  /sbin/service httpd condrestart >/dev/null 2>&1 || :
>
>
> However, I don't know of a *good* way to reliably catch all RPM user
> modifications.  I suppose you could just try brute-forcing it with
> something like:
>
> *rpm -q -a | xargs rpm -q --scripts | egrep
> '(user|group)(add|usermod|del)|getent'*
>
>
> But, I think you'd be almost guaranteed to miss something, somewhere.
>
> --
> Christopher
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>

More information about the OLUG mailing list