APT Wazuh agent and manager do not remove system users when the package is removed without purge

[rauldpm]

Wazuh version	Install type	Action performed	Platform
4.8.0-alpha2	Manager/Agent	Remove	Debian/CentOS

Source issue: https://github.com/wazuh/wazuh/issues/21394#issuecomment-1892704362

[!NOTE] This is an old bug, but should be addressed as the topic is system users

It has been detected when deleting a Debian agent without purge that the wazuh user and group are maintained on the system. By reviewing the code, it has been found that the user and group will only be deleted when the purge option is used.

It is necessary to review this since uninstalling a package should not maintain a necessary user for the package on the system, furthermore, in CentOS the user and group are deleted

• In Debian (note the group and passwd files)

root@f56fb668a773:~# grep -R wazuh /etc/
/etc/passwd-:wazuh:x:107:108::/var/ossec:/bin/false
/etc/group:wazuh:x:108:
/etc/passwd:wazuh:x:107:108::/var/ossec:/bin/false
/etc/shadow-:wazuh:*:19738:0:99999:7:::
/etc/init.d/wazuh-agent:WAZUH_CONTROL="$WAZUH_HOME/bin/wazuh-control"
/etc/apt/sources.list.d/wazuh.list:deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
/etc/shadow:wazuh:*:19738:0:99999:7:::
/etc/gshadow:wazuh:!::
grep: /etc/modules-load.d/modules.conf: No such file or directory

• In CentOS (note that they are system backup files)

[root@73fa8c7b1b7c ~]# grep -R wazuh /etc/
/etc/passwd-:wazuh:x:999:997::/var/ossec:/sbin/nologin
/etc/gshadow-:wazuh:!::wazuh
/etc/yum.repos.d/wazuh.repo:[wazuh]
/etc/yum.repos.d/wazuh.repo:gpgkey=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
/etc/yum.repos.d/wazuh.repo:baseurl=https://packages-dev.wazuh.com/pre-release/yum/
/etc/group-:wazuh:x:997:wazuh
/etc/shadow-:wazuh:!!:19738::::::

• Deleting users in APT is done at https://github.com/wazuh/wazuh-packages/blob/1c427881420a56d0170006d0f90984e3cfb8146d/debs/SPECS/wazuh-agent/debian/postrm#L41C1-L48C11
• Deleting users in YUM is done at https://github.com/wazuh/wazuh-packages/blob/master/rpms/SPECS/wazuh-agent.spec#L439-L449

[JorgeMarinoDev]

Hello @rauldpm,

After double checking this report I don't know if this is an actual issue or a feature request.

If we consider that system users must be removed by calling remove action, we must create a new feature request in wazuh-packages. In this case we could chain the remove / purge actions together.

Please clarify. @wazuh/qa

[vikman90]

@JorgeMarinoDev Thanks. Indeed, this is not a stopper as this effect appears before 4.8.0.

Here is the package's post-removal logic:

https://github.com/wazuh/wazuh-packages/blob/1c427881420a56d0170006d0f90984e3cfb8146d/debs/SPECS/wazuh-agent/debian/postrm#L11-L51

• The remove command makes a configuration backup and keeps /var/ossec. Thus, there is no point in deleting the user as the folder would be assigned to an unnamed UID/GID.
• The purge command causes /var/ossec to be fully removed, so the package may delete the user and the group.

Conclusion

• This behavior is expected and makes sense, according to the purpose of remove/purge.
• This is not a stopper.
• We just need to discuss with management whether:
  • We want this behavior.
  • We want to implement similar behavior in RPM packages.

Therefore, we should block this issue.

[havidarou]

The behavior described by @vikman90 LGTM.

Closing this issue.