[systemd-devel] Github systemd issue 6237

Michael Chapman mike at very.puzzling.org
Mon Jul 10 12:23:30 UTC 2017


On Mon, 10 Jul 2017, Lennart Poettering wrote:
> On Mon, 10.07.17 21:15, Michael Chapman (mike at very.puzzling.org) wrote:
>
>>> Now, I do think that systemd has the duty to complain about any system
>>> user names outside of the safe range. Not only for security reasons,
>>> but also for portability and compatibility reasons: I think we should
>>> ensure that unit files remain portable, and hence we should try to
>>> filter out early stuff that's unlikely going to work outside of the
>>> local scope.
>>
>> I'm curious as to what you consider portability and compatibility
>> here.
>
> I want that units written on a system A are likely to work on a system
> B. And this means that making use of concepts that are valid on A but
> knowingly invalid on B is something we should complain loudly about.
>
> Sure, there are always limitations to make things portable. But this
> specific issue is an easy one, and a widely understood one (again:
> google for it).
>
>> But there are less obviously bad usernames, because -- as you point out --
>> they're _actually in use already_. I myself already have systems with
>> usernames that begin with a digit; I don't want those systems to suddenly
>> break just because I update the Linux release to something that runs
>> systemd. (In practice they probably won't break, since I'm unlikely to write
>> system units for these users. But the principle of the matter
>> stands.)
>
> Well, it took 3 years or so until someone noticed the strict rules we
> enforce. I seriously doubt that naming system users in such unsafe
> ways is really that widespread usage.

That _could_ be because people that have previously used such a username 
hadn't looked in their logs and noticed that the User= directive wasn't 
being applied. :-)

>> Sorry, but I really can't see how forbidding usernames like "joe.hacker" or
>> "0day" improves security. As you said, they're perfectly valid
>> usernames.
>
> Did I say that? I really don't think they are "perfectly valid"! They
> are questionable on all levels. And if people use them for regular
> users that's fine for them, but for system users I think stricter
> requirements need to apply.
>
> But anyway, I doubt we have to continue this here, we have different
> understandings of security. I think validation is a good thing, and
> filtering out dangerous strings early is a good thing.
>
> People can always shoot themselves in the foot, and you have every
> right to, but I really doubt this easy, well understood superficial
> check is the right place to insist that the right to shooting yourself
> in the foot is more important than the intention to secure things
> down.
>
> Lennart

So be it. I'm fine with us remaining in disagreement... I just wish I 
understood exactly what the security implications are in allowing such 
usernames. I know my colleagues are going to ask me about this, and being 
able to point at something and say "oh yeah, it breaks this specifically" 
would be really handy.
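An added example (not code from the thread or from systemd): a small Python checker that scans a unit file's User= and Group= values against the conventional portable username pattern, so that names like "0day" or "joe.hacker" are flagged up front rather than discovered later in the logs. The pattern is assumed here to be the usual shadow-utils/POSIX convention (lowercase letter or underscore first, then letters, digits, underscore or hyphen, optional trailing "$"); it is not a claim about systemd's exact rule.

```python
import re
import sys
from pathlib import Path

# Assumption: the portable username convention (as in shadow-utils/POSIX),
# not systemd's own validation routine. Length limits are not checked.
PORTABLE_NAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

# Matches "User=foo" / "Group=bar" lines, tolerating surrounding whitespace.
USER_DIRECTIVE = re.compile(r"^\s*(User|Group)\s*=\s*(.*?)\s*$")


def is_portable_name(name: str) -> bool:
    """True if the name follows the portable convention above."""
    return bool(PORTABLE_NAME.match(name))


def scan_unit(text: str):
    """Return (directive, value, line_no) for each non-portable User=/Group=."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USER_DIRECTIVE.match(line)
        if not m:
            continue
        directive, value = m.group(1), m.group(2)
        if value == "":  # an empty assignment resets the directive; nothing to check
            continue
        if not is_portable_name(value):
            findings.append((directive, value, lineno))
    return findings


# Constructed sample unit using the two names discussed in the thread.
SAMPLE_UNIT = """\
[Unit]
Description=constructed example

[Service]
User=0day
Group=joe.hacker
ExecStart=/bin/true
"""

if __name__ == "__main__":
    # With no arguments, check the constructed sample; otherwise check real unit files.
    units = {p: Path(p).read_text() for p in sys.argv[1:]} or {"<sample>": SAMPLE_UNIT}
    for path, text in units.items():
        for directive, value, lineno in scan_unit(text):
            print(f"{path}:{lineno}: {directive}={value!r} is not a portable name")
```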
