[olug] Is there a rpm command to find the package that created a particular user or particular group?

[Christopher Cashell]

On Thu, Jun 27, 2013 at 1:36 PM, Rob Townley <rob.townley at gmail.com> wrote:

> Given a particular user or particular group, is there a rpm command that
> returns what package created that particular user or particular group?
>
> Analogous to `rpm -q --whatprovides /etc/security/limits.conf` returns the
> package "pam".
> Is there an rpm command that returns what package generated a particular
> user?
>

I don't think there is.  From what I remember of building RPMs, I believe
user and group modifications are scripted free-form, typically in the
*%pre*section.  They aren't specified in an easily queryiable

As a result, you'd have to search all RPM scripts, and you'd have to catch
every possible way a script might add/remove/modify users.  I would expect
most of them use *useradd* and friends, but I wouldn't count on them all to
be that simple.

Most of us already know that the httpd package is associated with the user
> apache.  But there are passwd and group entries that i would like to verify
> and want to know exactly how they got on my system.  Further i would like
> to know which the security implications of adding another group to a user
> account.
>
> Something like the following command:
> `rpm --query --user apache`              would return "httpd"
> `rpm --query --group pulse-access`   might return pulseaudio
>

You can use *rpm -q --scripts <package>* to view the scripts for a single
package, to see what it is doing.  For example:

cpcashell at meta:~$ rpm -q --scripts httpd
preinstall scriptlet (using /bin/sh):
# Add the "apache" user
getent group apache >/dev/null || groupadd -g 48 -r apache
getent passwd apache >/dev/null || \
  useradd -r -u 48 -g apache -s /sbin/nologin \
    -d /var/www -c "Apache" apache
exit 0
postinstall scriptlet (using /bin/sh):
# Register the httpd service
/sbin/chkconfig --add httpd
/sbin/chkconfig --add htcacheclean
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
        /sbin/service httpd stop > /dev/null 2>&1
        /sbin/chkconfig --del httpd
        /sbin/service htcacheclean stop > /dev/null 2>&1
        /sbin/chkconfig --del htcacheclean
fi
posttrans scriptlet (using /bin/sh):
test -f /etc/sysconfig/httpd-disable-posttrans || \
 /sbin/service httpd condrestart >/dev/null 2>&1 || :


However, I don't know of a *good* way to reliably catch all RPM user
modifications.  I suppose you could just try brute-forcing it with
something like:

*rpm -q -a | xargs rpm -q --scripts | egrep
'(user|group)(add|usermod|del)|getent'*


But, I think you'd be almost guaranteed to miss something, somewhere.

-- 
Christopher