> On Mon, 10 Jul 2017, Lennart Poettering wrote:
> > On Thu, 06.07.17 13:21, Michael Chapman (m...@very.puzzling.org) wrote:
> >
> > > On Thu, 6 Jul 2017, Zbigniew Jędrzejewski-Szmek wrote:
> > > > On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
> > > > > well, it even doesn't look but pretends it can't while it does which is
> > > > > the worst type of operations possible - as long as "adduser" of the
> > > > > underlying OS accepts and creates "0pointer" systemd has *no business
> > > > > at all* to pretend it can't
> > > >
> > > > Then it's good that it doesn't ;)
> > > >
> > > > # adduser 0pointer
> > > >
> > > > adduser: Please enter a username matching the regular expression configured
> > > > via the NAME_REGEX configuration variable.  Use the `--force-badname'
> > > > option to relax this check or reconfigure NAME_REGEX.
> > >
> > > I know you really only brought this up to counter Reindl's comment, but I
> > > think it's important to point out that adduser's behaviour here is due to
> > > its default configuration -- not due to any fundamental "problems" with
> > > particular usernames. It's not clear why adduser's developers thought it was
> > > a good default.
> > >
> > > I guess what I'm saying is that saying "systemd should not support usernames
> > > that start with a digit, since adduser doesn't" is problematic for at least
> > > two reasons. First, adduser can be reconfigured by the sysadmin to allow
> > > such usernames; and second, systemd places *fewer* restrictions on usernames
> > > than adduser's default configuration. systemd allows usernames containing
> > > uppercase letters and underscores, for instance.
> >
> > Note one major difference between "adduser" and the unit file setting
> > "Unit=". The former is a tool you can create regular users with, while
> > the latter strictly applies to system users, as that's what system
> > services run as. And yes, different rules apply for system users than
> > for regular users.
> >
> > And "0foobar" remains unportable and a bad idea, even if the user
> > bends his local system in the right way to make it accept it.
> >
> > > To summarize my thoughts on this matter, I think it's fine to restrict
> > > usernames, but only for _very_ good reason. Specifically, we should not
> > > justify such restrictions simply because they exist in one form or another
> > > in other utilities. valid_user_group_name() currently disallows dots, for
> > > instance, and while I recognize that using dots in a username can sometimes
> > > be problematic, it is not in and of itself invalid. If other software can't
> > > handle dots in usernames, that's their problem. libc can, and that's all
> > > that's required to support it in order to use it in User= on most
> > > systems.
> >
> > I am sorry, but you and I have very different understandings of
> > computer security. I do believe it is essential to validate all input,
> > and stick to safe input wherever we can.
>
> That is a misrepresentation of my viewpoint.
>
> I _do_ think systemd should validate all input. I think my other posts in this thread make this clear: I want to see systemd complain noisily when unit validation fails.
>
> However, I do not think systemd should validate input more than it needs to. Just because a particular value may (and _only_ may) cause problems downstream of systemd does not mean that systemd should outright forbid it. If it doesn't cause problems in systemd, it's not our business to prevent its use.

I understand that you'd like to remove input validation from the
systemd codebase, and I welcome you to patch your local systemd
version for it, but please understand that in systemd upstream this is
not how things can work. Sorry.

Lennart
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
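As an added example (not systemd's or adduser's own code), here is a C checker that encodes the User= name rules the thread attributes to valid_user_group_name() (a leading digit is rejected, dots are rejected, uppercase letters and underscores are accepted) beside a check against an adduser-style NAME_REGEX, so the two policies can be compared on the same inputs. The acceptance of '-', the 31-character limit and the regex pattern itself are assumptions, not taken from the thread.

```c
/* Added example, not systemd's or adduser's code.  Two name policies side
 * by side: one following the valid_user_group_name() rules described in the
 * thread, one following an adduser-style NAME_REGEX. */
#include <regex.h>
#include <stdbool.h>
#include <stddef.h>

#define NAME_MAX_LEN 31 /* assumption: typical utmp-style name limit */

/* Rules the thread describes for systemd's User= names: the first character
 * may not be a digit ("0pointer" is refused), dots are refused, uppercase
 * letters and underscores are allowed.  Allowing '-' after the first
 * character is an assumption. */
bool systemd_style_name_ok(const char *u) {
        if (u == NULL || u[0] == '\0')
                return false;
        char c = u[0];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_'))
                return false; /* leading digit or other symbol */
        size_t n = 1;
        for (const char *p = u + 1; *p; p++, n++) {
                c = *p;
                if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9') || c == '_' || c == '-')
                        continue;
                return false; /* '.' and everything else is rejected */
        }
        return n <= NAME_MAX_LEN;
}

/* Assumed adduser-style default NAME_REGEX: lowercase start, then lowercase
 * letters, digits, '-' and '_'.  A sysadmin can reconfigure this, which is
 * the point Michael makes in the thread. */
#define ADDUSER_NAME_REGEX "^[a-z][-a-z0-9_]*$"

bool adduser_default_name_ok(const char *u) {
        regex_t re;
        if (u == NULL)
                return false;
        if (regcomp(&re, ADDUSER_NAME_REGEX, REG_EXTENDED | REG_NOSUB) != 0)
                return false;
        int rc = regexec(&re, u, 0, NULL, 0);
        regfree(&re);
        return rc == 0;
}
```

Running both on the same inputs shows that neither policy is a superset of the other: "0pointer" and "john.doe" fail both, while "Build_Bot" passes only the systemd-style check and "www-data" passes both.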
