[systemd-devel] Github systemd issue 6237

Lennart Poettering lennart at poettering.net
Mon Jul 10 16:36:47 UTC 2017


On Mon, 10.07.17 15:29, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:

> > On current Fedora, the current regex useradd enforces appears to be
> > this:
> > 
> >     [a-zA-Z0-9._][a-zA-Z0-9._-]{0,30}[a-zA-Z0-9._-$]?
> > 
> > If I read things correctly at least... (the trailing $ appears to be a
> > special exception they added to be nice to Windows, dunno). And this
> > regex appears not to be configurable.
> 
> Maybe the logic should be reversed: instead of trying to *enforce*
> the most-strict name that works everywhere, just check that the name
> is between 1 and 31 characters in length and not numeric, and relax
> the restrictions on the exact characters in the user name, and *warn*
> if the user name has "strange" characters:
>    Warning: user name "foo.bar" contains a dot which conflicts with chown user.group syntax
>    Warning: user name "0day" is not portable
>    Warning: user name "-user" looks like an option ;)
> etc.
> 
> After all (as other people said) systemd has no such requirements
> itself. It is true that such user names are confusing and
> non-portable, but if the local admin has or wants to have such an
> account for whatever reason, we don't really care.

I don't think things are that simple. We do our user name validation
in two places: for User=/Group= and for sysusers.d drop-ins. In both
cases the setting may have the effect of registering users in the
system user database (in the first case if DynamicUser= is used, in
the latter case if the user doesn't exist yet), and I am pretty sure
we shouldn't register users in the system user databases that aren't
portable.

I mean, again, systemd is the one defining both interfaces:
User=/Group= as well as sysusers.d, and I am pretty sure we should
make sure when they are used they are used in a reasonably safe and
sound and portable way. We want that people can write unit files and
run them everywhere and they work reasonably well. I think it's not
too much to ask from people to follow some simple basic rules when
making use of User=/Group=. We aren't really taking away anything
there, we aren't really strict on something that was previously less
strict, simply because User=/Group= isn't a sysvinit concept, it's
genuinely a systemd concept.

Hence, it's not really a matter of consuming weird stuff local admins
created. It's a lot more than that: we *create* that stuff, possibly
leaving it around for good, and unit files are supposed to be
portable between systems.

Compare this with logind: we do not validate the user name passed to
us from PAM for new login sessions the same way as we do for
User=/Group=/sysusers.d. In the logind/PAM case the interface isn't
designed by us, PAM doesn't validate its input particularly carefully,
and we should probably just accept what PAM accepts as we don't create
anything here: we just consume what's listed in the user database.

Logging more verbosely about this is good, and maybe making this fatal
instead of just a warning might be good too, but just permitting it
sounds wrong to me.

Lennart

-- 
Lennart Poettering, Red Hat
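
The two policies discussed in this message, side by side, as an added example that is not part of the original thread and is not systemd or useradd code: `strict_ok` enforces the pattern quoted above, and `relaxed_check` applies the warn-only proposal from the quoted reply. The function names are hypothetical, the trailing class is written `[a-zA-Z0-9._$-]` so the hyphen is a literal, and the leading-digit trigger for the "not portable" warning is an assumption based on the "0day" example.

```python
import re

# Pattern quoted in the thread for Fedora's useradd. The '-' is moved to the
# end of the last class so it is a literal and not a range bound ("_-$").
USERADD_RE = re.compile(r"[a-zA-Z0-9._][a-zA-Z0-9._-]{0,30}[a-zA-Z0-9._$-]?")

DOT_WARNING = "contains a dot which conflicts with chown user.group syntax"


def strict_ok(name):
    """Enforcing policy: accept only names the quoted pattern matches in full."""
    return USERADD_RE.fullmatch(name) is not None


def relaxed_check(name):
    """Warn-only policy from the quoted reply. Returns (accepted, messages).

    Hard failures are limited to length outside 1..31 and all-numeric names;
    anything else is accepted, with a warning per "strange" property.
    """
    if not 1 <= len(name) <= 31:
        return False, ["length must be between 1 and 31 characters"]
    if re.fullmatch(r"[0-9]+", name):
        return False, ["name is numeric"]
    warnings = []
    if "." in name:
        warnings.append(DOT_WARNING)
    if name[0] in "0123456789":  # assumption: what makes "0day" non-portable
        warnings.append("is not portable")
    if name.startswith("-"):
        warnings.append("looks like an option")
    return True, warnings


if __name__ == "__main__":
    # Constructed sample names, including the three from the quoted reply.
    for sample in ["foo.bar", "0day", "-user", "machine$", "123", "httpd"]:
        accepted, notes = relaxed_check(sample)
        print(f"{sample!r}: strict={strict_ok(sample)} "
              f"relaxed={accepted} notes={notes}")
```

The quoted pattern accepts "123", which the relaxed policy rejects as numeric, and rejects "-user", which the relaxed policy would register with only a warning.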

