On Mon, Jul 10, 2017 at 4:41 PM, Lennart Poettering
wrote:
> On Mon, 10.07.17 15:58, Lennart Poettering (lenn...@poettering.net) wrote:
>
>> On Mon, 10.07.17 15:16, Jan Synacek (jsyna...@redhat.com) wrote:
>>
>> > On Mon, Jul 10, 2017 at 12:42 PM, Lennart Poettering
>> >
On Mon, 10.07.17 17:45, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> On Mon, Jul 10, 2017 at 06:40:00PM +0200, Lennart Poettering wrote:
> > On Mon, 10.07.17 18:36, Lennart Poettering (lenn...@poettering.net) wrote:
> >
> > > > After all (as other people said) systemd has no such
On Mon, Jul 10, 2017 at 06:40:00PM +0200, Lennart Poettering wrote:
> On Mon, 10.07.17 18:36, Lennart Poettering (lenn...@poettering.net) wrote:
>
> > > After all (as other people said) systemd has no such requirements
> > > itself. It is true that such user names are confusing and
> > >
On Mon, 10.07.17 15:29, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> > On current Fedora, the current regex useradd enforces appears to be
> > this:
> >
> > [a-zA-Z0-9._][a-zA-Z0-9._-]{0,30}[a-zA-Z0-9._-$]?
> >
> > If I read things correctly at least... (the trailing $ appears
On Mon, 10.07.17 18:36, Lennart Poettering (lenn...@poettering.net) wrote:
> > After all (as other people said) systemd has no such requirements
> > itself. It is true that such user names are confusing and
> > non-portable, but if the local admin has or wants to have such an
> > account for
On Mon, Jul 10, 2017 at 4:03 PM, Lennart Poettering
wrote:
> On current Fedora, the current regex useradd enforces appears to be
> this:
>
> [a-zA-Z0-9._][a-zA-Z0-9._-]{0,30}[a-zA-Z0-9._-$]?
So, it *does* allow for usernames starting with numbers...
On Mon, Jul 10, 2017 at 05:03:09PM +0200, Lennart Poettering wrote:
> On Mon, 10.07.17 22:23, Michael Chapman (m...@very.puzzling.org) wrote:
>
> > > Well, it took 3 years or so, until someone noticed the strict rules we
> > > enforce. I seriously doubt that naming system users in such unsafe
> >
On Mon, 10.07.17 22:23, Michael Chapman (m...@very.puzzling.org) wrote:
> > Well, it took 3 years or so, until someone noticed the strict rules we
> > enforce. I seriously doubt that naming system users in such unsafe
> > ways is really that wide-spread usage.
>
> That _could_ be because people
On Mon, 10.07.17 15:58, Lennart Poettering (lenn...@poettering.net) wrote:
> On Mon, 10.07.17 15:16, Jan Synacek (jsyna...@redhat.com) wrote:
>
> > On Mon, Jul 10, 2017 at 12:42 PM, Lennart Poettering
> > wrote:
> > > Now, because this is so weakly defined, we hence do
On Monday, 10.07.2017, 12:57 +0200, Reindl Harald wrote:
>
> On 10.07.2017 at 12:55, Lennart Poettering wrote:
> >
> >
> > The "nobody" user has special semantics on Linux: it's where things
> > are mapped to that can't be mapped otherwise. It's used by user
> > namespacing, by NFS and
On Mon, 10.07.17 15:16, Jan Synacek (jsyna...@redhat.com) wrote:
> On Mon, Jul 10, 2017 at 12:42 PM, Lennart Poettering
> wrote:
> > Now, because this is so weakly defined, we hence do not follow POSIX
> > rules, but filter out more that might be dangerous. Specifically:
On Mon, Jul 10, 2017 at 12:42 PM, Lennart Poettering
wrote:
> Now, because this is so weakly defined, we hence do not follow POSIX
> rules, but filter out more that might be dangerous. Specifically:
>
> 1. We do not permit empty usernames
> 2. We don't permit the first
On Mon, 10 Jul 2017, Lennart Poettering wrote:
On Mon, 10.07.17 21:15, Michael Chapman (m...@very.puzzling.org) wrote:
Now, I do think that systemd has the duty to complain about any system
user names outside of the safe range. Not only for security reasons,
but also for portability and
On Mon, 10.07.17 21:15, Michael Chapman (m...@very.puzzling.org) wrote:
> > Now, I do think that systemd has the duty to complain about any system
> > user names outside of the safe range. Not only for security reasons,
> > but also for portability and compatibility reasons: I think we should
> >
On Mon, 10 Jul 2017, Lennart Poettering wrote:
On Thu, 06.07.17 13:21, Michael Chapman (m...@very.puzzling.org) wrote:
On Thu, 6 Jul 2017, Zbigniew Jędrzejewski-Szmek wrote:
On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
well, it even don't look but pretend it can't while it
On Mon, 10 Jul 2017, Lennart Poettering wrote:
On Thu, 06.07.17 09:36, Michael Chapman (m...@very.puzzling.org) wrote:
User=0day fails a syntactic validation, not a semantic validation. systemd
never even checks to see whether the user exists when the unit is loaded.
And nor should it! The
On 10.07.2017 at 12:42, Lennart Poettering wrote:
(I do accept though that it's a valid discussion whether systemd's
current behaviour of warning and skipping invalid User= rvalues is the
best choice, instead of erroring out completely.)
and *that* is the real point of the whole issue - if
On 10.07.2017 at 12:55, Lennart Poettering wrote:
On Thu, 06.07.17 10:34, Reindl Harald (h.rei...@thelounge.net) wrote:
On 06.07.2017 at 09:59, Jonathan de Boyne Pollard wrote:
Reindl Harald:
> at least fall back to “nobody”
Jonathan de Boyne Pollard:
> That idea is wrong.
>
>
On Thu, 06.07.17 10:34, Reindl Harald (h.rei...@thelounge.net) wrote:
>
>
> On 06.07.2017 at 09:59, Jonathan de Boyne Pollard wrote:
> > Reindl Harald:
> > > at least fall back to “nobody”
> >
> > Jonathan de Boyne Pollard:
> > > That idea is wrong.
> > >
> > >
On Thu, 06.07.17 09:36, Michael Chapman (m...@very.puzzling.org) wrote:
> User=0day fails a syntactic validation, not a semantic validation. systemd
> never even checks to see whether the user exists when the unit is loaded.
> And nor should it! The user must be allowed to not exist at unit-load
On Thu, 06.07.17 13:21, Michael Chapman (m...@very.puzzling.org) wrote:
> On Thu, 6 Jul 2017, Zbigniew Jędrzejewski-Szmek wrote:
> > On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
> > > well, it even don't look but pretend it can't while it does which is
> > > the worst type of
On 08.07.2017 at 08:29, Michael Chapman wrote:
On Sat, 8 Jul 2017, Kai Krakow wrote:
On Sat, 8 Jul 2017 08:05:44 +0200
Kai Krakow wrote:
On Sat, 8 Jul 2017 11:39:02 +1000 (AEST)
Michael Chapman wrote:
On Sat, 8 Jul 2017, Kai Krakow
On Sat, 8 Jul 2017, Kai Krakow wrote:
On Sat, 8 Jul 2017 08:05:44 +0200
Kai Krakow wrote:
On Sat, 8 Jul 2017 11:39:02 +1000 (AEST)
Michael Chapman wrote:
On Sat, 8 Jul 2017, Kai Krakow wrote:
[...]
The bug here is that a leading number
On Sat, 8 Jul 2017 08:05:44 +0200
Kai Krakow wrote:
> On Sat, 8 Jul 2017 11:39:02 +1000 (AEST)
> Michael Chapman wrote:
>
> > On Sat, 8 Jul 2017, Kai Krakow wrote:
> > [...]
> > > The bug here is that a leading number will "convert" to the
On Sat, 8 Jul 2017 11:39:02 +1000 (AEST)
Michael Chapman wrote:
> On Sat, 8 Jul 2017, Kai Krakow wrote:
> [...]
> > The bug here is that a leading number will "convert" to the number
> > and it actually runs with the UID specified that way: 0day = 0,
> > 7days = 7.
>
On 07.07.2017 at 21:55, Kai Krakow wrote:
On Tue, 4 Jul 2017 21:23:01 + (UTC)
Alexander Bisogiannis wrote:
On Tue, 04 Jul 2017 17:21:01 +, Zbigniew Jędrzejewski-Szmek wrote:
If you need root permissions to create a unit, then it's not a
security issue. An
On Sat, 8 Jul 2017, Kai Krakow wrote:
[...]
The bug here is that a leading number will "convert" to the number and
it actually runs with the UID specified that way: 0day = 0, 7days = 7.
No, this is not the case. Only all-digit User= values are treated as UIDs.
On Tue, 4 Jul 2017 21:23:01 + (UTC)
Alexander Bisogiannis wrote:
> On Tue, 04 Jul 2017 17:21:01 +, Zbigniew Jędrzejewski-Szmek wrote:
>
> > If you need root permissions to create a unit, then it's not a
> > security issue. An annoyance at most.
>
> The fact that
On Wed, Jul 05, 2017 at 08:10:15PM +1000, Michael Chapman wrote:
> On Wed, 5 Jul 2017, Colin Guthrie wrote:
> >Reindl Harald wrote on 04/07/17 19:50:
> >>>When new configuration options are added, the same unit file can
> >>>almost always be used with older systemd, and it'll just warn & ignore
>
On 06.07.2017 at 09:59, Jonathan de Boyne Pollard wrote:
Reindl Harald:
> at least fall back to “nobody”
Jonathan de Boyne Pollard:
> That idea is wrong.
>
> https://news.ycombinator.com/item?id=14681377#14682059
Reindl Harald:
> better than a stupid [...]
Not really, no. It's the
Reindl Harald:
> at least fall back to “nobody”
Jonathan de Boyne Pollard:
> That idea is wrong.
>
> https://news.ycombinator.com/item?id=14681377#14682059
Reindl Harald:
> better than a stupid [...]
Not really, no. It's the same category of error, in fact: substituting an
account other than
On Wednesday, 05.07.2017, 20:10 +1000, Michael Chapman wrote:
> I'm pretty sure you'll find that it does. Specifically, it will fail when
> the child process for the command being executed attempts to map the
> username to a UID.
>
> The issue being discussed here is that systemd considers
On Thu, 6 Jul 2017, Zbigniew Jędrzejewski-Szmek wrote:
On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
well, it even don't look but pretend it can't while it does which is
the worst type of operations possible - as long as "adduser" of the
underlying OS accepts and create
On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
>
>
> On 06.07.2017 at 01:36, Michael Chapman wrote:
> >Note that the semantic validations you're talking about here --
> >things like "does the user exist?" -- are _not_ preemptive. They
> >are fatal: the child process will exit
On 06.07.2017 at 01:36, Michael Chapman wrote:
Note that the semantic validations you're talking about here -- things
like "does the user exist?" -- are _not_ preemptive. They are fatal: the
child process will exit unsuccessfully as the command is executed if the
settings will not be able
On Thu, 6 Jul 2017, Felipe Sateler wrote:
On Tue, 04 Jul 2017 18:39:15 +, Zbigniew Jędrzejewski-Szmek wrote:
Essentially, User=0day is the same as Usre=0day and the same as User="my
name is pretty!".
I think this is the root of the disagreement. Systemd tries to allow
units written for
On 05.07.2017 at 20:34, Jonathan de Boyne Pollard wrote:
Reindl Harald:
at least fall back to "nobody"
That idea is wrong.
https://news.ycombinator.com/item?id=14681377#14682059
better than a stupid "i fall back to root because i think i make the
rules and not the underlying operating
Reindl Harald:
>
> at least fall back to "nobody"
>
That idea is wrong.
https://news.ycombinator.com/item?id=14681377#14682059
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
On Tue, 04 Jul 2017 18:39:15 +, Zbigniew Jędrzejewski-Szmek wrote:
> Essentially, User=0day is the same as Usre=0day and the same as User="my
> name is pretty!".
I think this is the root of the disagreement. Systemd tries to allow
units written for version X to run on versions earlier than
On 05.07.2017 at 12:32, Michael Chapman wrote:
On Wed, 5 Jul 2017, Reindl Harald wrote:
The issue being discussed here is that systemd considers "0day" to be
_syntactically_ invalid for a username. See the valid_user_group_name()
function in basic/user-util.c.
yes and hence it should
On Wed, 5 Jul 2017, Reindl Harald wrote:
On 05.07.2017 at 12:10, Michael Chapman wrote:
On Wed, 5 Jul 2017, Colin Guthrie wrote:
> Reindl Harald wrote on 04/07/17 19:50:
> > > When new configuration options are added, the same unit file can
> > > almost always be used with older systemd,
On Wed, 5 Jul 2017, Colin Guthrie wrote:
Reindl Harald wrote on 04/07/17 19:50:
When new configuration options are added, the same unit file can
almost always be used with older systemd, and it'll just warn & ignore
the parts it doesn't understand. Similarly, various configuration
options might
On 05.07.2017 at 12:10, Michael Chapman wrote:
On Wed, 5 Jul 2017, Colin Guthrie wrote:
Reindl Harald wrote on 04/07/17 19:50:
When new configuration options are added, the same unit file can
almost always be used with older systemd, and it'll just warn & ignore
the parts it doesn't
Reindl Harald wrote on 04/07/17 19:50:
>> When new configuration options are added, the same unit file can
>> almost always be used with older systemd, and it'll just warn & ignore
>> the parts it doesn't understand. Similarly, various configuration
>> options might be unavailable on some
On Tue, 04 Jul 2017 17:21:01 +, Zbigniew Jędrzejewski-Szmek wrote:
> If you need root permissions to create a unit, then it's not a security
> issue. An annoyance at most.
The fact that you need to be root to create a unit file is irrelevant.
Systemd is running a service as a different user
On 04.07.2017 at 20:39, Zbigniew Jędrzejewski-Szmek wrote:
On Tue, Jul 04, 2017 at 07:36:02PM +0200, Reindl Harald wrote:
On 04.07.2017 at 19:21, Zbigniew Jędrzejewski-Szmek wrote:
My question is:
Is this a bug with a BZ against rhel/centos7 (as my understanding is that
this affects EL7
On Tue, Jul 04, 2017 at 07:36:02PM +0200, Reindl Harald wrote:
>
>
> On 04.07.2017 at 19:21, Zbigniew Jędrzejewski-Szmek wrote:
> >>My question is:
> >>
> >>Is this a bug with a BZ against rhel/centos7 (as my understanding is that
> >>this affects EL7 too)?
> >>
> >>If there is no BZ and based
On 04.07.2017 at 19:21, Zbigniew Jędrzejewski-Szmek wrote:
My question is:
Is this a bug with a BZ against rhel/centos7 (as my understanding is that
this affects EL7 too)?
If there is no BZ and based on the wording of the second to last comment
by poettering, will this be fixed/changed in a
On Tue, Jul 04, 2017 at 04:59:23PM +, Alexander Bisogiannis wrote:
> Hi all,
>
> https://github.com/systemd/systemd/issues/6237
>
> Apologies for asking here, but since the discussion is locked in Github I
> thought to ask here.
>
> This was marked as "not a bug", but in later comments the
Hi all,
https://github.com/systemd/systemd/issues/6237
Apologies for asking here, but since the discussion is locked in Github I
thought to ask here.
This was marked as "not a bug", but in later comments the wording suggests
that systemd behaviour will change and if the username in a unit