[systemd-devel] Github systemd issue 6237
Lennart Poettering
lennart at poettering.net
Mon Jul 10 11:58:50 UTC 2017
On Mon, 10.07.17 21:15, Michael Chapman (mike at very.puzzling.org) wrote:
> > Now, I do think that systemd has the duty to complain about any system
> > user names outside of the safe range. Not only for security reasons,
> > but also for portability and compatibility reasons: I think we should
> > ensure that unit files remain portable, and hence we should try to
> > filter out early stuff that's unlikely to work outside of the
> > local scope.
>
> I'm curious as to what you consider portability and compatibility
> here.
I want units written on a system A to be likely to work on a system
B. And this means that making use of concepts that are valid on A but
knowingly invalid on B is something we should complain loudly about.
Sure, there are always limitations to making things portable. But this
specific issue is an easy one, and a widely understood one (again:
google for it).
> But there are less obviously bad usernames, because -- as you point out --
> they're _actually in use already_. I myself already have systems with
> usernames that begin with a digit; I don't want those systems to suddenly
> break just because I update the Linux release to something that runs
> systemd. (In practice they probably won't break, since I'm unlikely to write
> system units for these users. But the principle of the matter
> stands.)
Well, it took 3 years or so until someone noticed the strict rules we
enforce. I seriously doubt that naming system users in such unsafe
ways is really that widespread a usage.
> Sorry, but I really can't see how forbidding usernames like "joe.hacker" or
> "0day" improves security. As you said, they're perfectly valid
> usernames.
Did I say that? I really don't think they are "perfectly valid"! They
are questionable on all levels. And if people use them for regular
users that's fine for them, but for system users I think stricter
requirements need to apply.
But anyway, I doubt we have to continue this here; we have different
understandings of security. I think validation is a good thing, and
filtering out dangerous strings early is a good thing.
People can always shoot themselves in the foot, and you have every
right to, but I really doubt this easy, well understood, superficial
check is the right place to insist that the right to shoot yourself
in the foot is more important than the intention to secure things
down.
Lennart
--
Lennart Poettering, Red Hat
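The kind of early, "complain loudly" check the message argues for, as an added example that is not systemd's own code: a conservative validator for a User= value that rejects the two names from the thread ("0day", "joe.hacker") and reports why. The rule set (ASCII letter or underscore first, then letters, digits, underscore or hyphen, at most 31 bytes) is an assumption modelled on the discussion, not the project's actual implementation.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed portable limit (31 bytes, commonly enforced by Unix tools); not a figure from the thread. */
#define MAX_USER_NAME_LEN 31

/* Return NULL if NAME is safe to use as a system user name in a unit file,
 * otherwise a static string naming the violated rule, so the caller can
 * complain loudly instead of silently accepting or substituting a default.
 * Rules are an assumption modelled on the discussion: ASCII letter or '_'
 * first (never a digit, so the name cannot be confused with a numeric UID),
 * then letters, digits, '_' or '-'; no '.', ':' or other punctuation. */
const char *unsafe_user_name_reason(const char *name) {
        size_t len, i;

        if (!name || name[0] == '\0')
                return "empty name";
        len = strlen(name);
        if (len > MAX_USER_NAME_LEN)
                return "name longer than portable limit";
        if (isdigit((unsigned char) name[0]))
                return "name starts with a digit (ambiguous with a numeric UID)";
        if (!(isalpha((unsigned char) name[0]) || name[0] == '_'))
                return "name must start with an ASCII letter or '_'";
        for (i = 1; i < len; i++) {
                unsigned char c = (unsigned char) name[i];
                if (c == '.')
                        return "'.' is not portable in user names";
                if (!(isalnum(c) || c == '_' || c == '-'))
                        return "character outside [A-Za-z0-9_-]";
        }
        return NULL;
}

bool safe_system_user_name(const char *name) {
        return unsafe_user_name_reason(name) == NULL;
}

int main(void) {
        /* Constructed sample User= values, including the two names from the thread. */
        const char *samples[] = { "nobody", "_apt", "systemd-network", "0day", "joe.hacker", "root:x" };
        for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
                const char *why = unsafe_user_name_reason(samples[i]);
                printf("%-16s %s\n", samples[i], why ? why : "ok");
        }
        return 0;
}
```

A unit whose User= fails this check should be refused outright; the dangerous outcome is a fallback to some default identity rather than the rejection itself.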