[systemd-devel] Github systemd issue 6237

Lennart Poettering lennart at poettering.net
Mon Jul 10 18:24:06 UTC 2017


On Mon, 10.07.17 17:45, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:

> On Mon, Jul 10, 2017 at 06:40:00PM +0200, Lennart Poettering wrote:
> > On Mon, 10.07.17 18:36, Lennart Poettering (lennart at poettering.net) wrote:
> > 
> > > > After all (as other people said) systemd has no such requirements
> > > > itself. It is true that such user names are confusing and
> > > > non-portable, but if the local admin has or wants to have such an
> > > > account for whatever reason, we don't really care.
> > > 
> > > I don't think things are that simple. We do our user name validation
> > > in two places: for User=/Group= and for sysusers.d drop-ins. In both
> > > cases the setting may have the effect of registering users in the
> > > system user database (in the first case if DynamicUser= is used, in
> > > the latter case if the user doesn't exist yet), and I am pretty sure
> > > we shouldn't register users in the system user databases that aren't
> > > portable.
> > 
> > Or to say this differently: User=/Group=/sysusers.d shouldn't be
> > something you can create users with that for example ArchLinux'
> > useradd command wouldn't allow you to create.
> 
> I can see it both ways, but yeah, it never came up before and
> personally I never had the need (or even whim) to create a user that
> systemd would reject. So I'd like #6300 to go in, and apart
> from that I'm happy with the status quo, and I merged #6321 now.

BTW, one more reference point to the discussion: shadow-utils upstream
enforces this regex apparently:

    [a-z_][a-z0-9_-]*$?

The trailing $ thing appears to be a more recent addition, some
Windows thing. A minimum length of 1 is enforced, but apparently no
max length limit (neither _SC_LOGIN_NAME_MAX nor UT_NAMESIZE-1).

Fedora/RH deviate from that though and explicitly patch this out, replacing this
with the more relaxed regex mentioned earlier:

https://src.fedoraproject.org/cgit/rpms/shadow-utils.git/tree/shadow-4.1.5.1-goodname.patch

It appears our rules are hence pretty close to shadow-utils' original
ones with the exception of the max size limit and the Windows $ thing,
which really shouldn't apply to our system service users I figure.

Lennart

-- 
Lennart Poettering, Red Hat
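
The shadow-utils rule quoted in the mail above, written out as a standalone checker. This is an added example, not code from this mail, shadow-utils or systemd; the function names `shadow_name_ok` and `strict_name_ok` are hypothetical, and the stricter variant (no `$` suffix, caller-supplied length cap) is an assumption that illustrates the two differences the mail mentions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Character classes from the regex quoted in the mail: [a-z_][a-z0-9_-]*$? */
static bool is_first(char c) { return (c >= 'a' && c <= 'z') || c == '_'; }
static bool is_rest(char c)  { return is_first(c) || (c >= '0' && c <= '9') || c == '-'; }

/* Rule as described in the mail: optional single trailing '$',
 * minimum length 1, no maximum length. */
bool shadow_name_ok(const char *s) {
    size_t n;
    if (!s || !is_first(s[0]))
        return false;
    n = strlen(s);
    if (n > 1 && s[n - 1] == '$')
        n--;                          /* the optional literal '$' suffix */
    for (size_t i = 1; i < n; i++)
        if (!is_rest(s[i]))
            return false;
    return true;
}

/* Assumed stricter variant: same character rules, but no '$' suffix and a
 * length cap chosen by the caller (e.g. derived from _SC_LOGIN_NAME_MAX). */
bool strict_name_ok(const char *s, size_t max_len) {
    size_t n;
    if (!shadow_name_ok(s))
        return false;
    n = strlen(s);                    /* n >= 1 here */
    return s[n - 1] != '$' && n <= max_len;
}

int main(void) {
    /* Constructed sample names, not taken from the thread. */
    const char *names[] = { "_svc", "web-01", "host$", "0day", "Admin", "a.b", "" };
    long lim = sysconf(_SC_LOGIN_NAME_MAX);       /* counts the trailing NUL */
    size_t cap = lim > 1 ? (size_t)lim - 1 : 31;  /* 31 is an assumed fallback */
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        printf("%-8s shadow=%d strict=%d\n", names[i],
               shadow_name_ok(names[i]), strict_name_ok(names[i], cap));
    return 0;
}
```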

