On Mon, 10 Jul 2017, Lennart Poettering wrote:
> On Mon, 10.07.17 21:15, Michael Chapman (m...@very.puzzling.org) wrote:
>
> > > Now, I do think that systemd has the duty to complain about any system
> > > user names outside of the safe range. Not only for security reasons,
> > > but also for portability and compatibility reasons: I think we should
> > > ensure that unit files remain portable, and hence we should try to
> > > filter out early stuff that's unlikely going to work outside of the
> > > local scope.
> >
> > I'm curious as to what you consider portability and compatibility
> > here.
>
> I want that units written on a system A are likely to work on a system
> B. And this means that making use of concepts that are valid on A but
> knowingly invalid on B is something we should complain loudly about.
>
> Sure, there are always limitations to make things portable. But this
> specific issue is an easy one, and a widely understood one (again:
> google for it).
>
> > But there are less obviously bad usernames, because -- as you point out --
> > they're _actually in use already_. I myself already have systems with
> > usernames that begin with a digit; I don't want those systems to suddenly
> > break just because I update the Linux release to something that runs
> > systemd. (In practice they probably won't break, since I'm unlikely to write
> > system units for these users. But the principle of the matter
> > stands.)
>
> Well, it took 3 years or so, until someone noticed the strict rules we
> enforce. I seriously doubt that naming system users in such unsafe
> ways is really that widespread usage.

That _could_ be because people that have previously used such a username hadn't looked in their logs and noticed that the User= directive wasn't being applied. :-)

> > Sorry, but I really can't see how forbidding usernames like "joe.hacker" or
> > "0day" improves security. As you said, they're perfectly valid
> > usernames.
>
> Did I say that? I really don't think they are "perfectly valid"! They
> are questionable on all levels. And if people use them for regular
> users that's fine for them, but for system users I think stricter
> requirements need to apply.
>
> But anyway, I doubt we have to continue this here, we have different
> understandings of security. I think validation is a good thing, and
> filtering out dangerous strings early is a good thing.
>
> People can always shoot themselves in the foot, and you have every
> right to, but I really doubt this easy, well understood superficial
> check is the right place to insist that the right to shooting yourself
> in the foot is more important than the intention to secure things
> down.
>
> Lennart

So be it. I'm fine with us remaining in disagreement... I just wish I understood exactly what the security implications are in allowing such usernames. I know my colleagues are going to ask me about this, and being able to point at something and say "oh yeah, it breaks this specifically" would be really handy.
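An added example (not systemd's code and not from anyone in this thread) of the two things the exchange turns on: a conservative system-user-name check of the kind Lennart calls the "safe range", and what a caller should do when that check fails. The exact rule is an assumption chosen for illustration, not systemd's: first character a letter or underscore, remaining characters letters, digits, underscore or hyphen, at most 31 characters; the fail-closed decision is the contrast to a User= directive that is silently not applied.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_NAME_MAX 31  /* assumed bound for the example, not systemd's limit */

/* Conservative check (assumed rule): first char a letter or '_', then
 * letters, digits, '_' or '-'. Rejects "joe.hacker" (dot), "0day"
 * (leading digit), "-x" (leading hyphen), empty and NULL names. */
bool user_name_is_safe(const char *s) {
    if (s == NULL || *s == '\0')
        return false;
    size_t n = strlen(s);
    if (n > USER_NAME_MAX)
        return false;
    unsigned char c = (unsigned char)s[0];
    if (!(isalpha(c) || c == '_'))
        return false;
    for (size_t i = 1; i < n; i++) {
        c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/* What a service manager does with a unit carrying User=<name>. */
enum start_result { START_AS_USER, REFUSE_TO_START };

/* Fail closed: a rejected User= is a hard error for the unit, never a
 * directive that is quietly dropped while the service starts anyway. */
enum start_result decide_start(const char *user) {
    return user_name_is_safe(user) ? START_AS_USER : REFUSE_TO_START;
}

int main(void) {
    /* constructed sample values, including the two names from the thread */
    const char *samples[] = { "joe", "_apt", "joe.hacker", "0day", "-x", "" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("User=%-12s -> %s\n", samples[i],
               decide_start(samples[i]) == START_AS_USER
                   ? "start as that user" : "refuse to start");
    return 0;
}
```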
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
