[systemd-devel] Github systemd issue 6237

Lennart Poettering lennart at poettering.net
Mon Jul 10 15:03:09 UTC 2017


On Mon, 10.07.17 22:23, Michael Chapman (mike at very.puzzling.org) wrote:

> > Well, it took 3 years or so, until someone noticed the strict rules we
> > enforce. I seriously doubt that naming system users in such unsafe
> > ways is really that wide-spread usage.
> 
> That _could_ be because people that have previously used such a username
> hadn't looked in their logs and noticed that the User= directive wasn't
> being applied. :-)

Well: if you write a unit file, it's probably a good idea to test it
once before deploying it. I mean, it's not that we silently skip stuff
that was OK on sysvinit or so — that's because sysvinit of course never
supported dropping user IDs for you, you always had to do it yourself.

If your service is dropping privs on its own it's of course completely
between you and that service to name the user any way you like. But if
you tell systemd to do this for you and for the service, we do some
basic checking and validation, that's all. Or in other words: if I
write a unit file on my laptop here, and it works, then systemd is
supposed to give you the guarantee that it also works correctly on
my server system I deploy this on, too (to some degree at least), even
if it runs a slightly different Linux distro.

> So be it. I'm fine with us remaining in disagreement... I just wish I
> understood exactly what the security implications are in allowing such
> usernames. I know my colleagues are going to ask me about this, and being
> able to point at something and say "oh yeah, it breaks this specifically"
> would be really handy.

I am pretty sure it would be very welcome if somebody would do a
proper investigation and collect the precise restrictions different
systems in different versions enforce on naming users. And not just
across distro versions and their user name regexes, but also across
application software packages running on top of those distros. I am
not aware of any sufficiently comprehensive list of this.

On current Fedora, the current regex useradd enforces appears to be
this:

    [a-zA-Z0-9._][a-zA-Z0-9._-]{0,30}[a-zA-Z0-9._-$]?

If I read things correctly at least... (the trailing $ appears to be a
special exception they added to be nice to Windows, dunno). And this
regex appears not to be configurable.

Lennart

-- 
Lennart Poettering, Red Hat
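An added example, not code from the post or from systemd or shadow-utils: it encodes the Fedora useradd pattern quoted above and, for comparison, the rule systemd's User= validation enforced around v234 as this editor recalls it (first character a letter or underscore, the rest letters, digits, underscore or hyphen, at most 31 characters), then runs both over a constructed list of candidate names. The systemd rule is the editor's reconstruction and is labelled an assumption; the useradd class is taken from the mail with the hyphen moved to the end of the final bracket so that `_-$` is not parsed as a reversed range. Names that pass useradd but fail systemd are exactly the ones where a unit's User= will be rejected rather than applied.

```python
import re

# Fedora useradd regex as transcribed in the post.  Only the position of the
# hyphen in the last bracket is changed (placed last) so the engine does not
# read "_-$" as an invalid range; the character set itself is unchanged.
USERADD_FEDORA = re.compile(r"[a-zA-Z0-9._][a-zA-Z0-9._-]{0,30}[a-zA-Z0-9._$-]?")

# ASSUMPTION: systemd's valid_user_group_name() rule circa v234, as recalled
# by the editor and not stated in the post: leading letter or underscore,
# then letters/digits/underscore/hyphen, 31 characters at most.
SYSTEMD_USER = re.compile(r"[a-zA-Z_][a-zA-Z0-9_-]{0,30}")


def useradd_accepts(name: str) -> bool:
    """True if Fedora's useradd (per the post) would create this account."""
    return USERADD_FEDORA.fullmatch(name) is not None


def systemd_accepts(name: str) -> bool:
    """True if systemd (assumed rule) would honour User= with this name."""
    return SYSTEMD_USER.fullmatch(name) is not None


def classify(names):
    """Map each name to (useradd_ok, systemd_ok)."""
    return {n: (useradd_accepts(n), systemd_accepts(n)) for n in names}


def useradd_only(names):
    """Names the distro will happily create but systemd will refuse in User=.

    These are the portability trap the thread is about: the account exists,
    yet the unit does not drop privileges to it.
    """
    return [n for n, (u, s) in classify(names).items() if u and not s]


# Constructed sample names covering the edge cases of both rules.
SAMPLE_NAMES = [
    "nginx",          # plain lowercase name
    "www-data",       # hyphen in the middle
    "_rpc",           # leading underscore
    "9lives",         # leading digit: useradd yes, systemd no
    ".hidden",        # leading dot: useradd yes, systemd no
    "svc.account",    # dot inside: useradd yes, systemd no
    "machine$",       # trailing $ (the Samba/Windows exception)
    "a" * 32,         # useradd's maximum length, one over systemd's
    "a" * 33,         # too long for both
    "-lead",          # leading hyphen: rejected by both
    "bad name",       # whitespace: rejected by both
]

if __name__ == "__main__":
    for name, (u, s) in classify(SAMPLE_NAMES).items():
        print(f"{name!r:40} useradd={u!s:5} systemd={s!s:5}")
    print("useradd-only:", useradd_only(SAMPLE_NAMES))
```

Running it prints one line per name; the `useradd-only` list is what you would want to check before relying on User= across distributions.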

