[2016-12-17 10:48] Antoine Beaupré <anar...@debian.org>
> > Why all this is significant? User is created by `adduser' with all
> > defaults, except homepage (optional), because it is only needed for
> > `su _foo_user /some/scary/programm'.
>
> It's significant to me because I want to know the security impact of
> creating such a user. You *assume* it's only needed for "su foo -c
> daemon" but what if package maintainers want to allow more stuff to
> happen with them? Can this be tweaked? Should it?
>
> That's the broad answer to your broad question. The specifics of "why
> this matters", point by point are:
>
> 1. if the adduser dependency is missing, the package will fail to
>    install

dh-sysuser:72

    addsubstvar($pkg, 'misc:Depends', 'adduser');

> 2. password and shell settings are critical to proper restriction of the
>    account: we do not want remote users to be able to login with that
>    account to leverage privileges. that means having a disabled
>    password, but, in the case of SSH, that may not be enough in certain
>    configurations: one also needs to have a disabled shell in order to
>    disable key-based logins, iirc.

How would you make a remote login when the password is '!' in /etc/shadow?
As for key-based, for it to work ~/.ssh/authorized_keys must exist. Why
would it? But I agree that maybe setting the shell to /usr/bin/nologin
is suitable. (Must check that nothing will break.)

BTW, sbuild:x:111:116:Debian source builder,,,:/var/lib/sbuild:/bin/bash

> 3. it seems to me critical to know what group files will be owned
>    with. i would have assumed the group would have been created along
>    with the user, but it seems like it's not.

If it is critical to you, I am okay to add the `--group' flag to the `adduser
--system' invocation.

> 4. permissions on the home directory are, again, critical: we want to
>    give the minimum access necessary to other users to reduce the attack
>    surface.

Whatever adduser creates. I am okay to add this as a parameter for
dh-sysuser.

> [...]

> >> I would also mention the special way /nonexistent is handled and add
> >> an EXAMPLES section for quick copy-pasting.
> >
> > Can you provide snippet? Or, better, patch?
>
> Well, that's the thing. I'm not sure I can parse the manpage
> correctly. I'd be glad to provide a patch if you provide the examples.

Do not parse the manpage. It is generated from the documentation at the
bottom of the `dh-sysuser' file.

> As for /nonexistent, I don't clearly recall anymore but it seems that a
> home directory is created if and only if the home dir is not set to
> /nonexistent. Is that correct?

It is implementation. For the user (= maintainer of a package that uses
dh-sysuser), if he specifies the `home' or `home=.*' parameter, that
directory becomes the home directory and is created. Otherwise the home
directory becomes /nonexistent and, obviously, is not created.

PS. Do you read perl?

-- 
X-Web-Site: https://sinsekvu.github.io | Note that I process my email in batch,
Accept-Languages: eo,ru,en             | at most once every 24 hours. If matter
Accept: text/plain, text/x-diff        | is urgent, you have my phone number.
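
An added example, not part of the original message or of dh-sysuser: a shell audit of the account properties argued over in points 2 to 4 (login shell, locked password, shared group, home permissions, `authorized_keys`). The function names, the UID range 1..999, GID 65534 as the shared `nogroup`, and every sample entry except the quoted sbuild passwd line are assumptions or constructed.

```shell
# Added example: audit passwd/shadow-format files for the properties debated
# in points 2-4. Paths are arguments so it can run on constructed copies.
# Assumptions: system UIDs are 1..999 and GID 65534 is the shared "nogroup".
audit_sysusers() {
    passwd_file=$1 shadow_file=$2 max_uid=${3:-999}
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -gt 0 ] 2>/dev/null && [ "$uid" -le "$max_uid" ] || continue
        case $shell in                      # point 2: no interactive shell
            */nologin|*/false) ;;
            *) echo "$user: login shell $shell" ;;
        esac
        hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
        case $hash in                       # point 2: locked password field
            '!'*|'*'*) ;;
            *) echo "$user: password not locked" ;;
        esac
        if [ "$gid" -eq 65534 ]; then       # point 3: no dedicated group
            echo "$user: primary group is shared gid 65534"
        fi
        [ -d "$home" ] || continue          # /nonexistent and absent homes
        if [ -n "$(find "$home" -prune -perm -0002)" ]; then   # point 4
            echo "$user: home is world-writable"
        fi
        if [ -e "$home/.ssh/authorized_keys" ]; then  # enables key logins
            echo "$user: authorized_keys present"
        fi
    done < "$passwd_file"
    return 0
}

# Constructed sample data; only the sbuild passwd line is quoted from the mail.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/_good" "$tmp/home/_bad/.ssh"
    chmod 0750 "$tmp/home/_good"; chmod 0777 "$tmp/home/_bad"
    : > "$tmp/home/_bad/.ssh/authorized_keys"
    cat > "$tmp/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
sbuild:x:111:116:Debian source builder,,,:/var/lib/sbuild:/bin/bash
_good:x:112:117::$tmp/home/_good:/usr/sbin/nologin
_bad:x:113:65534::$tmp/home/_bad:/bin/sh
EOF
    cat > "$tmp/shadow" <<'EOF'
sbuild:!:17152:0:99999:7:::
_good:*:17152:0:99999:7:::
_bad:$6$constructed$not-a-real-hash:17152:0:99999:7:::
EOF
    audit_sysusers "$tmp/passwd" "$tmp/shadow"; rm -rf "$tmp"
}
```

Call `demo` to see the findings on the constructed data; running `audit_sysusers /etc/passwd /etc/shadow` on a real system needs read access to /etc/shadow, otherwise every account is reported as not locked.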
