On 2016-12-16 23:08:37, Dmitry Bogatov wrote:
> control: tag -1 +moreinfo
>
> [2016-12-15 09:16] Antoine Beaupré <anar...@debian.org>
>>
>> Package: dh-sysuser
>> Version: 1.3
>> Severity: wishlist
>>
>> It would be great to have more documentation about how this package
>> works. I tried looking at the homepage, which is just the git
>> repository and couldn't find anything.
>>
>> It's only when I installed the package that I noticed the
>> dh_sysuser(1) manpage. But then it seems a bit short and only yields
>> more questions:
>>
>>  1. are users created with adduser? are dependencies injected
>>     properly?
>>  2. how are they created? what is the password? '*'? what about the
>>     shell?
>>  3. is a group created? if not, what group is the user part of?
>>  4. what are the permissions of the home directory? in my use case, it
>>     should be 750 - should i be handling this myself? how do i know
>>     what home directory was used if i don't specify it?
>
> Why is all this significant? The user is created by `adduser' with all
> defaults, except homepage (optional), because it is only needed for
> `su _foo_user /some/scary/program'.

It's significant to me because I want to know the security impact of
creating such a user. You *assume* it's only needed for "su foo -c
daemon" but what if package maintainers want to allow more stuff to
happen with them? Can this be tweaked? Should it?

That's the broad answer to your broad question. The specifics of "why
this matters", point by point are:

1. if the adduser dependency is missing, the package will fail to
   install

2. password and shell settings are critical to proper restriction of the
   account: we do not want remote users to be able to log in with that
   account to leverage privileges. That means having a disabled
   password, but, in the case of SSH, that may not be enough in certain
   configurations: one also needs to have a disabled shell in order to
   disable key-based logins, iirc.

3. it seems to me critical to know what group files will be owned
   with. I would have assumed the group would have been created along
   with the user, but it seems like it's not.

4. permissions on the home directory are, again, critical: we want to
   give the minimum access necessary to other users to reduce the attack
   surface.

Now, maybe you were arguing those policies be moved to the `adduser
--system` command, but at least make that explicit in the
documentation. Furthermore, some policies may vary from one package to
another: some packages may *want* the home directory to be publicly
readable, for example.

>> For example, I would recommend mentioning that most of the work is
>> done by the sysuser-helper binary.
>
> It is implementation detail.

Sure, but it's relevant and would have saved me time when trying to
figure out how this all glued together.

>> I would also mention the special way /nonexistent is handled and add
>> an EXAMPLES section for quick copy-pasting.
>
> Can you provide a snippet? Or, better, a patch?

Well, that's the thing. I'm not sure I can parse the manpage
correctly. I'd be glad to provide a patch if you provide the examples.

As for /nonexistent, I don't clearly recall anymore but it seems that a
home directory is created if and only if the home dir is not set to
/nonexistent. Is that correct?

A.

-- 
If the image gives the illusion of knowing,
It is because the adage claims that, to believe,
All that matters is to see
                        - Lofofora
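One way to check an existing system account against the four points argued above (disabled password, non-login shell, dedicated group, home directory not world-accessible), as an added shell audit that is not part of the bug report or of dh-sysuser. The passwd/shadow entries are constructed sample data, and treating GID 65534 as Debian's shared `nogroup` is an assumption of the example.

```sh
#!/bin/sh
# Added example: audit a system account against the lockdown points raised
# in the thread (disabled password, non-login shell, primary group, home mode).
# Takes one /etc/passwd line, one /etc/shadow line and the home directory
# mode as an octal string, so it runs offline on the constructed data below.
# Prints one finding per line; returns 0 if every check passes, 1 otherwise.
audit_sysuser() {
    passwd_line=$1 shadow_line=$2 home_mode=$3
    rc=0
    user=$(printf '%s\n' "$passwd_line" | cut -d: -f1)
    gid=$(printf '%s\n' "$passwd_line" | cut -d: -f4)
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)
    pwhash=$(printf '%s\n' "$shadow_line" | cut -d: -f2)

    # A disabled password is "*" or a "!"-prefixed (locked) field.
    case $pwhash in
        '*'|'!'*) ;;
        *) echo "$user: password field is not disabled"; rc=1 ;;
    esac

    # A disabled password does not block SSH public-key logins by itself;
    # the shell must refuse interactive sessions too.
    case $shell in
        /usr/sbin/nologin|/sbin/nologin|/bin/false) ;;
        *) echo "$user: login shell $shell is usable"; rc=1 ;;
    esac

    # Assumption: GID 65534 is Debian's shared 'nogroup'; a dedicated group is expected.
    [ "$gid" != 65534 ] || { echo "$user: primary group is shared nogroup"; rc=1; }

    # Home directory: no permissions for 'others' (750 or tighter).
    others=${home_mode#"${home_mode%?}"}
    [ "$others" = 0 ] || { echo "$user: home mode $home_mode is world-accessible"; rc=1; }

    return $rc
}

# Constructed sample entries, not taken from any real system.
GOOD_PASSWD='_foo:x:106:106::/var/lib/foo:/usr/sbin/nologin'
GOOD_SHADOW='_foo:*:17000:0:99999:7:::'
BAD_PASSWD='_bar:x:107:65534::/var/lib/bar:/bin/sh'
BAD_SHADOW='_bar:$6$constructed$notarealhash:17000:0:99999:7:::'

audit_sysuser "$GOOD_PASSWD" "$GOOD_SHADOW" 750 && echo "_foo: locked down"
audit_sysuser "$BAD_PASSWD" "$BAD_SHADOW" 755 || echo "_bar: NOT locked down"
```

On a live Debian system the same function can be fed `getent passwd NAME`, the matching `/etc/shadow` line (as root) and `stat -c %a` of the home directory.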
