[systemd-devel] Github systemd issue 6237

Michael Chapman mike at very.puzzling.org
Mon Jul 10 11:28:55 UTC 2017


On Mon, 10 Jul 2017, Lennart Poettering wrote:
> On Thu, 06.07.17 13:21, Michael Chapman (mike at very.puzzling.org) wrote:
>
>> On Thu, 6 Jul 2017, Zbigniew Jędrzejewski-Szmek wrote:
>>> On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
>>>> well, it even doesn't look but pretends it can't while it does, which is
>>>> the worst type of operation possible - as long as "adduser" of the
>>>> underlying OS accepts and creates "0pointer", systemd has *no business
>>>> at all* to pretend it can't
>>>
>>> Then it's good that it doesn't ;)
>>>
>>> # adduser 0pointer
>>>
>>> adduser: Please enter a username matching the regular expression configured
>>> via the NAME_REGEX configuration variable.  Use the `--force-badname'
>>> option to relax this check or reconfigure NAME_REGEX.
>>
>> I know you really only brought this up to counter Reindl's comment, but I
>> think it's important to point out that adduser's behaviour here is due to
>> its default configuration -- not due to any fundamental "problems" with
>> particular usernames. It's not clear why adduser's developers thought it was
>> a good default.
>>
>> I guess what I'm saying is that saying "systemd should not support usernames
>> that start with a digit, since adduser doesn't" is problematic for at least
>> two reasons. First, adduser can be reconfigured by the sysadmin to allow
>> such usernames; and second, systemd places *fewer* restrictions on usernames
>> than adduser's default configuration. systemd allows usernames containing
>> uppercase letters and underscores, for instance.
>
> Note one major difference between "adduser" and the unit file setting
> "Unit=". The former is a tool you can create regular users with, while
> the latter strictly applies to system users, as that's what system
> services run as. And yes, different rules apply for system users than
> for regular users.
>
> And "0foobar" remains unportable and a bad idea, even if the user
> bends his local system in the right way to make it accept it.
>
>> To summarize my thoughts on this matter, I think it's fine to restrict
>> usernames, but only for _very_ good reason. Specifically, we should not
>> justify such restrictions simply because they exist in one form or another
>> in other utilities. valid_user_group_name() currently disallows dots, for
>> instance, and while I recognize that using dots in a username can sometimes
>> be problematic, it is not in and of itself invalid. If other software can't
>> handle dots in usernames, that's their problem. libc can, and that's all
>> that's required to support it in order to use it in User= on most
>> systems.
>
> I am sorry, but you and I have very different understanding of
> computer security. I do believe it is essential to validate all input,
> and stick to safe input wherever we can.

That is a misrepresentation of my viewpoint.

I _do_ think systemd should validate all input. I think my other posts in 
this thread make this clear: I want to see systemd complain noisily when 
unit validation fails.

However, I do not think systemd should validate input more than it needs 
to. Just because a particular value may (and _only_ may) cause problems 
downstream of systemd does not mean that systemd should outright forbid 
it. If it doesn't cause problems in systemd, it's not our business to 
prevent its use.

> I understand that you'd like to remove input validation from the
> systemd codebase, and I welcome you to patch your local systemd
> version for it, but please understand that in systemd upstream this is
> not how things can work. Sorry.
>
> Lennart

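The rules argued over above, as an added illustration that is not code from systemd, adduser, or any participant in this thread: a name check that applies the three constraints the thread attributes to systemd's valid_user_group_name() (no leading digit, no dots, uppercase and underscores allowed), a check modelled on adduser's NAME_REGEX with the `--force-badname` escape hatch, and two ways of reading a "name or numeric UID" field, one of which shows concretely why a name such as "0foobar" is the unportable case Lennart objects to. The remaining character set, the length limit, the regex used as adduser's default, and the lenient resolver are all my assumptions.

```python
import re
import string

# Added example. Mirrors the three rules the thread attributes to systemd's
# valid_user_group_name(): no leading digit, no dots, uppercase and underscore
# allowed. The rest of the character set and the 31-byte limit are assumptions
# of this example, not a transcription of systemd's code.
SYSTEMD_FIRST = set(string.ascii_letters + "_")
SYSTEMD_REST = set(string.ascii_letters + string.digits + "_-")
MAX_NAME_LEN = 31  # assumption: traditional passwd-tool limit


def systemd_like_valid_name(name: str) -> bool:
    """True if NAME passes the systemd-style rules described in the thread."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    if name[0] not in SYSTEMD_FIRST:          # rejects "0pointer"
        return False
    return all(c in SYSTEMD_REST for c in name[1:])   # rejects "first.last"


# Assumption: a Debian-style adduser.conf default. The point of the thread is
# that this is configuration, so it is a parameter here, not a constant rule.
ADDUSER_DEFAULT_NAME_REGEX = r"^[a-z][-a-z0-9_]*$"


def adduser_like_valid_name(name: str,
                            name_regex: str = ADDUSER_DEFAULT_NAME_REGEX,
                            force_badname: bool = False) -> bool:
    """NAME_REGEX check with an --force-badname style bypass.

    When the check is bypassed, only the characters that would corrupt a
    colon-delimited passwd entry are still refused (assumption of this example).
    """
    if force_badname:
        return bool(name) and not any(c in name for c in ":\n\0")
    return re.fullmatch(name_regex, name) is not None


def parse_user_spec_strict(spec: str):
    """Treat SPEC as a UID only when the whole string is digits."""
    return ("uid", int(spec)) if spec.isdigit() else ("name", spec)


def parse_user_spec_lenient(spec: str):
    """Hypothetical resolver that stops at the first non-digit.

    This is the strtol-without-endptr-check pattern; it is not claimed of any
    tool named in the thread. It shows why a leading digit is unportable:
    "0foobar" silently becomes UID 0.
    """
    m = re.match(r"\d+", spec)
    return ("uid", int(m.group())) if m else ("name", spec)


def classify(names):
    """Compare how each candidate name fares under the checks above."""
    return {
        n: {
            "systemd_like": systemd_like_valid_name(n),
            "adduser_default": adduser_like_valid_name(n),
            "adduser_forced": adduser_like_valid_name(n, force_badname=True),
            "lenient_uid": parse_user_spec_lenient(n),
        }
        for n in names
    }


if __name__ == "__main__":
    # Constructed sample names covering the cases discussed in the thread.
    for name, verdict in classify(["0pointer", "first.last", "Web_Admin", "www-data"]).items():
        print(f"{name!r}: {verdict}")
```

Relaxing the adduser check is a one-line change (`name_regex=r"^[a-z0-9][-a-z0-9_]*$"` or `force_badname=True`), which is the sense in which adduser's refusal is a default rather than a rule; the lenient resolver is what makes a leading digit risky even on a system that has been reconfigured to accept it.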