[systemd-devel] Github systemd issue 6237

Lennart Poettering lennart at poettering.net
Mon Jul 10 10:49:06 UTC 2017


On Thu, 06.07.17 13:21, Michael Chapman (mike at very.puzzling.org) wrote:

> On Thu, 6 Jul 2017, Zbigniew Jędrzejewski-Szmek wrote:
> > On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
> > > well, it doesn't even look but pretends it can't while it does, which is
> > > the worst type of operation possible - as long as "adduser" of the
> > > underlying OS accepts and creates "0pointer" systemd has *no business
> > > at all* to pretend it can't
> > 
> > Then it's good that it doesn't ;)
> > 
> > # adduser 0pointer
> > 
> > adduser: Please enter a username matching the regular expression configured
> > via the NAME_REGEX configuration variable.  Use the `--force-badname'
> > option to relax this check or reconfigure NAME_REGEX.
> 
> I know you really only brought this up to counter Reindl's comment, but I
> think it's important to point out that adduser's behaviour here is due to
> its default configuration -- not due to any fundamental "problems" with
> particular usernames. It's not clear why adduser's developers thought it was
> a good default.
> 
> I guess what I'm saying is that saying "systemd should not support usernames
> that start with a digit, since adduser doesn't" is problematic for at least
> two reasons. First, adduser can be reconfigured by the sysadmin to allow
> such usernames; and second, systemd places *fewer* restrictions on usernames
> than adduser's default configuration. systemd allows usernames containing
> uppercase letters and underscores, for instance.

Note one major difference between "adduser" and the unit file setting
"Unit=". The former is a tool you can create regular users with, while
the latter strictly applies to system users, as that's what system
services run as. And yes, different rules apply for system users than
for regular users.

And "0foobar" remains unportable and a bad idea, even if the user
bends his local system in the right way to make it accept it.

> To summarize my thoughts on this matter, I think it's fine to restrict
> usernames, but only for _very_ good reason. Specifically, we should not
> justify such restrictions simply because they exist in one form or another
> in other utilities. valid_user_group_name() currently disallows dots, for
> instance, and while I recognize that using dots in a username can sometimes
> be problematic, it is not in and of itself invalid. If other software can't
> handle dots in usernames, that's their problem. libc can, and that's all
> that's required to support it in order to use it in User= on most
> systems.

I am sorry, but you and I have a very different understanding of
computer security. I do believe it is essential to validate all input,
and stick to safe input wherever we can.

I understand that you'd like to remove input validation from the
systemd codebase, and I welcome you to patch your local systemd
version for it, but please understand that in systemd upstream this is
not how things can work. Sorry.

Lennart

-- 
Lennart Poettering, Red Hat
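
Added example, not part of the original message and not systemd's own code: an allowlist check that follows the rules this thread attributes to systemd (no leading digit such as "0pointer", no dots, uppercase letters and underscores accepted). The function name, the 31-byte length cap and the acceptance of '-' and of digits after the first character are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed length cap for this example; not a value taken from the thread. */
#define EXAMPLE_NAME_MAX 31

/* Explicit ASCII ranges instead of isalpha(): the result must not
 * depend on the process locale. */
static bool is_ascii_alpha(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

static bool is_ascii_digit(char c) {
    return c >= '0' && c <= '9';
}

/* Allowlist validation: accept a name only if every byte is explicitly
 * permitted; anything not listed is rejected. */
bool example_user_name_is_valid(const char *name) {
    size_t n;

    if (name == NULL)
        return false;

    n = strlen(name);
    if (n == 0 || n > EXAMPLE_NAME_MAX)
        return false;

    /* First character: letter or underscore, never a digit ("0pointer"). */
    if (!is_ascii_alpha(name[0]) && name[0] != '_')
        return false;

    /* Remaining characters: letters, digits, '_' and (assumed) '-'.
     * Dots are not on the list, so "foo.bar" is rejected. */
    for (size_t i = 1; i < n; i++) {
        char c = name[i];
        if (!is_ascii_alpha(c) && !is_ascii_digit(c) && c != '_' && c != '-')
            return false;
    }
    return true;
}
```

A caller should treat a false result as a hard error rather than falling back to some other interpretation of the string.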

