[2016-12-17 10:48] Antoine Beaupré <anar...@debian.org>
> > Why all this is significant? User is created by `adduser' with all
> > defaults, except homepage (optional), because it is only needed for
> > `su _foo_user /some/scary/programm'.
>
> It's significant to me because I want to know the security impact of
> creating such a user. You *assume* it's only needed for "su foo -c
> daemon" but what if package maintainers want to allow more stuff to
> happen with them? Can this be tweaked? Should it?
>
> That's the broad answer to your broad question. The specifics of "why
> this matters", point by point are:
>
> 1. if the adduser dependency is missing, the package will fail to
>    install

    dh-sysuser:72 addsubstvar($pkg, 'misc:Depends', 'adduser');

> 2. password and shell settings are critical to proper restriction of the
>    account: we do not want remote users to be able to login with that
>    account to leverage privileges. that means having a disabled
>    password, but, in the case of SSH, that may not be enough in certain
>    configurations: one also needs to have a disabled shell in order to
>    disable key-based logins, iirc.

How would you make remote login, when password is '!' in /etc/shadow?
As for key-based, for it to work ~/.ssh/authorized_keys must exist. Why
would it?

But I agree, that maybe setting shell to /usr/bin/nologin is suitable.
(Must check that nothing will break). BTW,

    sbuild:x:111:116:Debian source builder,,,:/var/lib/sbuild:/bin/bash

> 3. it seems to me critical to know what group files will be owned
>    with. i would have assumed the group would have been created along
>    with the user, but it seems like it's not.

If it is critical to you, I am okay to add `--group' flag to
`adduser --system' invocation.

> 4. permissions on the home directory are, again, critical: we want to
>    give the minimum access necessary to other users to reduce the attack
>    surface.

Whatever adduser creates. I am okay to add this as parameter for
dh-sysuser.

> [...]
> >> I would also mention the special way /nonexistent is handled and add
> >> an EXAMPLES section for quick copy-pasting.
> >
> > Can you provide snippet? Or, better, patch?
>
> Well, that's the thing. I'm not sure I can parse the manpage
> correctly. I'd be glad to provide a patch if you provide the examples.

Do not parse manpage. It is generated from documentation on bottom of
`dh-sysuser' file.

> As for /nonexistent, I don't clearly recall anymore but it seems that a
> home directory is created if and only if the home dir is not set to
> /nonexistent. Is that correct?

It is implementation.

For user (= maintainer of package, that uses dh-sysuser), if he
specifies `home' or `home=.*' parameter, that directory becomes the home
directory and is created. Otherwise home directory becomes /nonexistent
and, obviously, is not created.

PS. Do you read Perl?

--
X-Web-Site: https://sinsekvu.github.io | Note that I process my email in batch,
Accept-Languages: eo,ru,en             | at most once every 24 hours. If matter
Accept: text/plain, text/x-diff        | is urgent, you have my phone number.
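An audit of the account properties argued over in this message (locked password, non-login shell, primary group), as an added example that is not part of the original email or of dh-sysuser. The 100-999 system UID range and GID 65534 for nogroup are assumed Debian defaults, and every sample entry except the sbuild line quoted in the message is constructed.

```shell
#!/bin/sh
# Added example, not dh-sysuser code. Assumptions: Debian defaults of
# system UIDs 100-999 and GID 65534 for nogroup.

audit_system_accounts() {   # $1 = passwd-format file, $2 = shadow-format file
    awk -F: '
        # First file (shadow): remember each password field.
        NR == FNR { pw[$1] = $2; next }
        # Second file (passwd): only the system UID range.
        $3 >= 100 && $3 <= 999 {
            # A field starting with "!" or "*" can never match a password.
            if (!($1 in pw))            print $1 ": no shadow entry"
            else if (pw[$1] !~ /^[!*]/) print $1 ": password not locked"
            # The thread asks for a non-login shell (nologin or false).
            if ($7 !~ /\/(nologin|false)$/) print $1 ": login shell " $7
            # Without --group the account shares nogroup with others.
            if ($4 == 65534)            print $1 ": primary group is nogroup"
        }
    ' "$2" "$1"
}

write_sample() {   # $1 = directory; entries are constructed except sbuild
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sbuild:x:111:116:Debian source builder,,,:/var/lib/sbuild:/bin/bash
_foo:x:120:65534::/nonexistent:/usr/sbin/nologin
_bar:x:121:130::/var/lib/bar:/bin/false
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:*:17000:0:99999:7:::
sbuild:!:17000:0:99999:7:::
_foo:*:17000:0:99999:7:::
_bar:$6$constructed$notarealhash:17000:0:99999:7:::
alice:$6$constructed$notarealhash:17000:0:99999:7:::
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
audit_system_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On a real system the function takes /etc/passwd and /etc/shadow and needs read access to the latter.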