[systemd-devel] Github systemd issue 6237

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Mon Jul 10 15:29:45 UTC 2017


On Mon, Jul 10, 2017 at 05:03:09PM +0200, Lennart Poettering wrote:
> On Mon, 10.07.17 22:23, Michael Chapman (mike at very.puzzling.org) wrote:
> 
> > > Well, it took 3 years or so, until someone noticed the strict rules we
> > > enforce. I seriously doubt that naming system users in such unsafe
> > > ways is really that wide-spread usage.
> > 
> > That _could_ be because people that have previously used such a username
> > hadn't looked in their logs and noticed that the User= directive wasn't
> > being applied. :-)
> 
> Well: if you write a unit file, it's probably a good idea to test it
> once before deploying it. I mean, it's not that we silently skip stuff
> that was OK on sysvinit or so — that's because sysvinit of course never
> supported dropping user IDs for you, you always had to do it yourself.
> 
> If your service is dropping privs on its own it's of course completely
> between you and that service to name the user any way you like. But if
> you tell systemd to do this for you and for the service, we do some
> basic checking and validation, that's all. Or in other words: if I
> write a unit file on my laptop here, and it works, then systemd is
> supposed to give you the guarantee that it also works correctly on
> my server system I deploy this on, too (to some degree at least), even
> if it runs a slightly different Linux distro.
> 
> > So be it. I'm fine with us remaining in disagreement... I just wish I
> > understood exactly what the security implications are in allowing such
> > usernames. I know my colleagues are going to ask me about this, and being
> > able to point at something and say "oh yeah, it breaks this specifically"
> > would be really handy.
> 
> I am pretty sure it would be very welcome if somebody would do a
> proper investigation and collect the precise restrictions different
> systems in different versions enforce on naming users. And not just
> across distro versions and their user name regexes, but also across
> application software packages running on top of those distros. I am
> not aware of any sufficiently comprehensive list of this.
> 
> On current Fedora, the current regex useradd enforces appears to be
> this:
> 
>     [a-zA-Z0-9._][a-zA-Z0-9._-]{0,30}[a-zA-Z0-9._-$]?
> 
> If I read things correctly at least... (the trailing $ appears to be a
> special exception they added to be nice to Windows, dunno). And this
> regex appears not to be configurable.

Maybe the logic should be reversed: instead of trying to *enforce*
the most-strict name that works everywhere, just check that the name
is between 1 and 31 characters in length and not numeric, and relax
the restrictions on the exact characters in the user name, and *warn*
if the user name has "strange" characters:
   Warning: user name "foo.bar" contains a dot which conflicts with chown user.group syntax
   Warning: user name "0day" is not portable
   Warning: user name "-user" looks like an option ;)
etc.

After all (as other people said) systemd has no such requirements
itself. It is true that such user names are confusing and
non-portable, but if the local admin has or wants to have such an
account for whatever reason, we don't really care.

Zbyszek
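As an added illustration of the validate-and-warn approach proposed in the message above (not systemd's own code, and not part of the thread), the checker below hard-fails only on length and purely numeric names and otherwise accepts the name with warnings. It assumes the conservative `[a-z_][a-z0-9_-]*[$]?` pattern recommended in useradd(8) as the "portable" subset, and it re-encodes the Fedora regex quoted earlier with the dash moved to the end of the last character class so that it compiles (the quoted form `[a-zA-Z0-9._-$]` would be parsed as a range). The `split_chown_spec` helper is a simplified model of the old `user.group` syntax, included only to show why a dot in a user name is ambiguous.

```python
import re

# Added example: a validate-and-warn user name checker in the spirit of the
# proposal in this thread. Not systemd's code; messages and thresholds are
# this example's own choices.

# Conservative "portable" pattern recommended in useradd(8): lower-case letter
# or underscore first, then lower-case letters, digits, underscores, dashes,
# optionally a trailing dollar sign (used by Samba machine accounts).
PORTABLE_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

# Fedora useradd pattern as quoted in the thread. The quoted form ends in
# "[a-zA-Z0-9._-$]", which a regex engine reads as the range "_-$"; the dash
# is moved to the end of the class here so the pattern compiles (assumption).
FEDORA_USERADD_RE = re.compile(r"^[a-zA-Z0-9._][a-zA-Z0-9._-]{0,30}[a-zA-Z0-9._$-]?$")


def validate_user_name(name):
    """Return (accepted, messages).

    accepted is False only for names that cannot work as a User= value at all:
    wrong length, or purely numeric (which would be read as a UID).
    Every other name is accepted, possibly with a list of warnings.
    """
    if not 1 <= len(name) <= 31:
        return False, ['user name "%s" must be 1 to 31 characters long' % name]
    if name.isdigit():
        return False, ['user name "%s" is numeric and would be read as a UID' % name]

    warnings = []
    if "." in name:
        warnings.append('user name "%s" contains a dot which conflicts with '
                        'chown user.group syntax' % name)
    if name.startswith("-"):
        warnings.append('user name "%s" looks like an option' % name)
    if ":" in name:
        warnings.append('user name "%s" contains a colon, the /etc/passwd '
                        'field separator' % name)
    if any(c.isspace() for c in name):
        warnings.append('user name "%s" contains whitespace' % name)
    if not PORTABLE_RE.match(name):
        warnings.append('user name "%s" is not portable' % name)
    if not FEDORA_USERADD_RE.match(name):
        warnings.append('user name "%s" would be rejected by useradd on Fedora' % name)
    return True, warnings


def split_chown_spec(spec):
    """Simplified model of how a chown OWNER[:GROUP] argument is split when the
    old OWNER.GROUP form is also honoured: a colon wins, otherwise the first
    dot. This is what makes "foo.bar" ambiguous as a user name."""
    for sep in (":", "."):
        if sep in spec:
            user, group = spec.split(sep, 1)
            return user, group
    return spec, None


if __name__ == "__main__":
    # Constructed sample names, including the three from the proposal.
    for n in ["alice", "foo.bar", "0day", "-user", "12345", "svc_account$", "x" * 32]:
        ok, msgs = validate_user_name(n)
        print("%-14s %s" % (n, "ok" if ok else "REJECTED"))
        for m in msgs:
            print("    %s %s" % ("Warning:" if ok else "Error:", m))
    print(split_chown_spec("foo.bar"))   # ('foo', 'bar')
```

Running the block prints one line per sample name followed by its warnings; "alice" and "svc_account$" pass cleanly, "foo.bar", "0day" and "-user" are accepted with warnings, and "12345" and the 32-character name are rejected outright.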

