[opensuse-packaging] no more nobody user on OBS?
Hi,
seems that Tumbleweed and Factory has no more user "nobody" defined in /etc/passwd. Is this wanted?
cu, Rudi
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
On Tuesday, 23 May 2017 16:47:17 CEST Ruediger Meier wrote:
Hi,
seems that Tumbleweed and Factory has no more user "nobody" defined in /etc/passwd. Is this wanted?
If I got it right there was a change to not create a bunch of unused user accounts but make sure that packages that need specific users specify that as a dependency which will create the user and group accounts accordingly.
On Tuesday 23 May 2017, Oliver Kurz wrote:
On Tuesday, 23 May 2017 16:47:17 CEST Ruediger Meier wrote:
Hi,
seems that Tumbleweed and Factory has no more user "nobody" defined in /etc/passwd. Is this wanted?
If I got it right there was a change to not create a bunch of unused user accounts but make sure that packages that need specific users specify that as a dependency which will create the user and group accounts accordingly.
Hm, I think we should always add nobody. I haven't met any Linux system yet without such a user.
cu, Rudi
On 05/23/2017 04:47 PM, Ruediger Meier wrote:
seems that Tumbleweed and Factory has no more user "nobody" defined in /etc/passwd. Is this wanted?
Cannot reproduce here:
$ grep nobody /etc/passwd
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
$ head -n2 /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20170521"
Do you mean a fresh install?
Have a nice day, Berny
On Tuesday 23 May 2017, Bernhard Voelker wrote:
On 05/23/2017 04:47 PM, Ruediger Meier wrote:
seems that Tumbleweed and Factory has no more user "nobody" defined in /etc/passwd. Is this wanted?
Cannot reproduce here:
$ grep nobody /etc/passwd
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
$ head -n2 /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20170521"
Do you mean a fresh install?
I mean on OBS build host, or local osc build chroot.
$ cat /var/tmp/osc/build/openSUSE_Tumbleweed-x86_64/etc/passwd
root:x:0:0:root:/root:/bin/bash
systemd-coredump:x:497:497:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:498:498:systemd Time Synchronization:/:/sbin/nologin
ntp:x:74:494:NTP daemon:/var/lib/ntp:/bin/false
abuild:x:399:399:Autobuild:/home/abuild:/bin/bash
cu, Rudi
On Tue, 2017-05-23 at 16:47 +0200, Ruediger Meier wrote:
Hi,
seems that Tumbleweed and Factory has no more user "nobody" defined in /etc/passwd. Is this wanted?
cu, Rudi
That is indeed wanted - the list of users has constantly been growing and for many users/groups, it is/was not clear what requires them. So Thorsten worked on a way to change this - and packages nowadays have to specify if their content wants a specific user/group to be present. See also the packaging guidelines at https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups Cheers, Dominique
On 23.05.2017 at 17:35, Dominique Leuenberger / DimStar wrote:
On Tue, 2017-05-23 at 16:47 +0200, Ruediger Meier wrote:
Hi,
seems that Tumbleweed and Factory has no more user "nobody" defined in /etc/passwd. Is this wanted?
cu, Rudi
That is indeed wanted - the list of users has constantly been growing and for many users/groups, it is/was not clear what requires them.
So Thorsten worked on a way to change this - and packages nowadays have to specify if their content wants a specific user/group to be present.
See also the packaging guidelines at https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups
But 'nobody'? I don't see it as a system user - merely the lack of a user.
Greetings, Stephan
--
You have to keep fighting, fight until you drop, even if the whole world has gone mad, or precisely because of that.
On Tue, 2017-05-23 at 17:46 +0200, Stephan Kulow wrote:
On 23.05.2017 at 17:35, Dominique Leuenberger / DimStar wrote:
On Tue, 2017-05-23 at 16:47 +0200, Ruediger Meier wrote:
Hi,
seems that Tumbleweed and Factory has no more user "nobody" defined in /etc/passwd. Is this wanted?
cu, Rudi
That is indeed wanted - the list of users has constantly been growing and for many users/groups, it is/was not clear what requires them.
So Thorsten worked on a way to change this - and packages nowadays have to specify if their content wants a specific user/group to be present.
See also the packaging guidelines at https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups
But 'nobody'? I don't see it as a system user - merely the lack of a user.
Greetings, Stephan
historically, everything was thrown at 'nobody' for security reasons - until somebody realized that entire systems running as nobody is not actually secure, as services could start interacting. 'nobody' has no special meaning in any way. I don't see why it should be treated specially (unlike root/uid=0). It's still right at your disposal if you have a package relying on it (e.g. NFS using it as fallback for 'anonymous/unknown') - you just need to specify it.
Cheers
Dominique
On Tuesday 23 May 2017, Dominique Leuenberger / DimStar wrote:
On Tue, 2017-05-23 at 17:46 +0200, Stephan Kulow wrote:
On 23.05.2017 at 17:35, Dominique Leuenberger / DimStar wrote:
On Tue, 2017-05-23 at 16:47 +0200, Ruediger Meier wrote:
Hi,
seems that Tumbleweed and Factory has no more user "nobody" defined in /etc/passwd. Is this wanted?
cu, Rudi
That is indeed wanted - the list of users has constantly been growing and for many users/groups, it is/was not clear what requires them.
So Thorsten worked on a way to change this - and packages nowadays have to specify if their content wants a specific user/group to be present.
See also the packaging guidelines at https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups
But 'nobody'? I don't see it as a system user - merely the lack of a user.
Greetings, Stephan
historically, everything was thrown at 'nobody' for security reasons - until somebody realized that entire systems running as nobody is not actually secure, as services could start interacting.
'nobody' has no special meaning in any way.
There are programs which treat nobody as the only user which is neither a system nor user account.
I don't see why it should be treated specially (unlike root/uid=0). It's still right at your disposal if you have a package relying on it (e.g. NFS using it as fallback for 'anonymous/unknown') - you just need to specify it.
You forget about users or third-party software which is still using nobody for whatever reason. IMO it makes no sense that openSUSE is the only existing Linux distro which does not provide "nobody/nogroup". We will get bug reports for sure if we remove nobody. It doesn't hurt to keep it as it is. BTW "bin" and "daemon" are also missing. They are even *required* by LSB, while "nobody" is optional. http://refspecs.linuxbase.org/LSB_3.0.0/LSB-PDA/LSB-PDA/usernames.html
cu, Rudi
On Tue, 2017-05-23 at 18:18 +0200, Ruediger Meier wrote:
I don't see why it should be treated specially (unlike root/uid=0). It's still right at your disposal if you have a package relying on it (e.g. NFS using it as fallback for 'anonymous/unknown') - you just need to specify it.
You forget about users or third-party software which is still using nobody for whatever reason. IMO it makes no sense that openSUSE is the only existing Linux distro which does not provide "nobody/nogroup".
We will get bug reports for sure if we remove nobody. It doesn't hurt to keep it as it is.
BTW "bin" and "daemon" are also missing. They are even *required* by LSB, while "nobody" is optional. http://refspecs.linuxbase.org/LSB_3.0.0/LSB-PDA/LSB-PDA/usernames.html
right - lsb also requires Qt4; so it is definitively an up-to-date reference. But I see no problem of adding
Requires: user(bin) user(daemon)
Recommends: user(nobody)
to the lsb package to satisfy the lsb needs - so any third-party relying on lsb just has to require lsb (as chrome for example already does).
Cheers, Dominique
On Tue, May 23, Ruediger Meier wrote:
You forget about users or third-party software which is still using nobody for whatever reason. IMO it makes no sense that openSUSE is the only existing Linux distro which does not provide "nobody/nogroup".
"nogroup" is a special SUSE hack not existing on most other Linux distributions. It was an ugly workaround over 18 years ago for a typo in /etc/group. Else: why do you think that we do not provide "nobody"? It's still there and installed by default, at least if you use patterns and don't create your own, minimal system somehow else.
We will get bug reports for sure if we remove nobody. It doesn't hurt to keep it as it is.
Nobody ever spoke about removing nobody.
BTW "bin" and "daemon" are also missing.
No, they are there, too:
Requires: system-group-hardware
Recommends: system-group-trusted
Recommends: system-group-wheel
Recommends: system-user-bin
Recommends: system-user-daemon
Requires: system-user-nobody
Please, first check the code and complain only afterwards.
They are even *required* by LSB, while "nobody" is optional. http://refspecs.linuxbase.org/LSB_3.0.0/LSB-PDA/LSB-PDA/usernames.html
LSB 3.0 is from 2005 and outdated since 9 years. LSB itself is dead. You are not even able to download the code anymore and meanwhile even the certificates did expire.
Thorsten
--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
On Wednesday, 24 May 2017, 10:26:09 CEST Thorsten Kukuk wrote:
On Tue, May 23, Ruediger Meier wrote:
You forget about users or third-party software which is still using nobody for whatever reason. IMO it makes no sense that openSUSE is the only existing Linux distro which does not provide "nobody/nogroup".
"nogroup" is a special SUSE hack not existing on most other Linux distributions. It was an ugly workaround over 18 years ago for a typo in /etc/group.
Else: why do you think that we do not provide "nobody"? It's still there and installed by default, at least if you use patterns and don't create your own, minimal system somehow else.
We will get bug reports for sure if we remove nobody. It doesn't hurt to keep it as it is.
Nobody ever spoke about removing nobody.
BTW "bin" and "daemon" are also missing.
No, they are there, too:
Requires: system-group-hardware
Recommends: system-group-trusted
Recommends: system-group-wheel
Recommends: system-user-bin
Recommends: system-user-daemon
Requires: system-user-nobody
Please, first check the code and complain only afterwards.
Recommends are not installed by default in build environment. So they miss there by default
--
Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany
On Wednesday, 24 May 2017 10.42:45 h CEST Adrian Schröter wrote:
On Wednesday, 24 May 2017, 10:26:09 CEST Thorsten Kukuk wrote:
On Tue, May 23, Ruediger Meier wrote:
You forget about users or third-party software which is still using nobody for whatever reason. IMO it makes no sense that openSUSE is the only existing Linux distro which does not provide "nobody/nogroup".
"nogroup" is a special SUSE hack not existing on most other Linux distributions. It was an ugly workaround over 18 years ago for a typo in /etc/group.
Else: why do you think that we do not provide "nobody"? It's still there and installed by default, at least if you use patterns and don't create your own, minimal system somehow else.
We will get bug reports for sure if we remove nobody. It doesn't hurt to keep it as it is.
Nobody ever spoke about removing nobody.
BTW "bin" and "daemon" are also missing.
No, they are there, too:
Requires: system-group-hardware
Recommends: system-group-trusted
Recommends: system-group-wheel
Recommends: system-user-bin
Recommends: system-user-daemon
Requires: system-user-nobody
Please, first check the code and complain only afterwards.
Recommends are not installed by default in build environment. So they miss there by default
I also think to mitigate the changes having requires here in place of recommends would help (in sense doesn't break too much).
--
Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch Bareos Partner, openSUSE Member, fsfe fellowship GPG KEY : D5C9B751C4653227 irc: tigerfoot
On Tue, May 23, Stephan Kulow wrote:
On 23.05.2017 at 17:35, Dominique Leuenberger / DimStar wrote:
On Tue, 2017-05-23 at 16:47 +0200, Ruediger Meier wrote:
Hi,
seems that Tumbleweed and Factory has no more user "nobody" defined in /etc/passwd. Is this wanted?
cu, Rudi
That is indeed wanted - the list of users has constantly been growing and for many users/groups, it is/was not clear what requires them.
So Thorsten worked on a way to change this - and packages nowadays have to specify if their content wants a specific user/group to be present.
See also the packaging guidelines at https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups
But 'nobody'? I don't see it as a system user - merely the lack of a user.
The patterns install the user nobody. Applications, which require the user nobody, have require. At least as far as I could identify them. Some have the fact, that they need the user nobody, very well hidden.
So after installation, there should always be a user nobody. If not, that's a bug we need to analyze and fix.
Packages requiring the user nobody should always have a "Requires: user(nobody)" in the spec file. If you need it for building packages, but not runtime, you should add "BuildRequires: user(nobody)".
And we will remove the user "root" from aaa_base as next, too. But the handling will be different, we can clearly not use systemd-sysusers for that. I have some ideas, but no real code yet.
Thorsten
--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
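[Added example, not part of the original thread and not openSUSE tooling: a small spec-file check for the rule described in the message above. It compares the owners named in %attr/%defattr with the user()/group() capabilities the spec declares, and treats a Recommends or BuildRequires as not guaranteeing the account on an installed system. The sample spec and the status names are constructed for illustration.]

```python
import re

DEP_RE = re.compile(r"^(BuildRequires|Requires|Recommends)(?:\([^)]*\))?:\s*(.+)$")
CAP_RE = re.compile(r"\b(user|group)\(([^)\s]+)\)")
ATTR_RE = re.compile(r"%(?:def)?attr\(([^)]*)\)")

# Constructed sample spec fragment (not a real package).
SAMPLE_SPEC = """\
Name:           demo
BuildRequires:  user(bin) group(bin)
Requires:       user(nobody)
Recommends:     user(daemon)
%files
%defattr(-,root,root)
%attr(0750,nobody,root) /var/lib/demo
%attr(0644,daemon,daemon) /var/log/demo.log
%attr(0755,bin,bin) /usr/lib/demo/helper
"""

def declared(spec_text):
    """Map each dependency tag to the (kind, name) capabilities it lists."""
    found = {"Requires": set(), "BuildRequires": set(), "Recommends": set()}
    for line in spec_text.splitlines():
        m = DEP_RE.match(line.strip())
        if m:
            found[m.group(1)].update(CAP_RE.findall(m.group(2)))
    return found

def owners(spec_text):
    """Non-root owners named in %attr/%defattr(mode, user, group, ...)."""
    used = set()
    for fields in ATTR_RE.findall(spec_text):
        parts = [p.strip() for p in fields.split(",")]
        for kind, idx in (("user", 1), ("group", 2)):
            if len(parts) > idx and parts[idx] not in ("", "-", "root"):
                used.add((kind, parts[idx]))
    return used

def audit(spec_text):
    """Return (capability, status) for every owner lacking a hard Requires."""
    deps = declared(spec_text)
    findings = []
    for kind, name in sorted(owners(spec_text)):
        if (kind, name) in deps["Requires"]:
            continue                      # guaranteed on the installed system
        if (kind, name) in deps["Recommends"]:
            status = "recommends-only"    # soft dependency, may be skipped
        elif (kind, name) in deps["BuildRequires"]:
            status = "build-only"         # exists in the build chroot only
        else:
            status = "undeclared"
        findings.append((f"{kind}({name})", status))
    return findings

if __name__ == "__main__":
    for cap, status in audit(SAMPLE_SPEC):
        print(f"{cap}: {status}")
```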
On 05/23/2017 05:35 PM, Dominique Leuenberger / DimStar wrote:
That is indeed wanted - the list of users has constantly been growing and for many users/groups, it is/was not clear what requires them.
While reducing (or better saying: letting the packages choose) is good for the final product, how could we get some of them back on OBS? Some tests rely on having a 2nd user - e.g. the coreutils-testsuite would not have to SKIP a couple of tests. (BTW: it'd be great if abuild could be member of a second group for some of these tests).
...
[ 102s] basic.sh: skipped test: requires membership in two groups
[ 102s] SKIP: tests/chgrp/basic.sh
...
[ 119s] default-no-deref.sh: skipped test: requires membership in two groups
[ 119s] SKIP: tests/chgrp/default-no-deref.sh
[ 119s] deref.sh: skipped test: requires membership in two groups
[ 119s] SKIP: tests/chgrp/deref.sh
[ 119s] no-x.sh: skipped test: requires membership in two groups
[ 119s] SKIP: tests/chgrp/no-x.sh
[ 119s] posix-H.sh: skipped test: requires membership in two groups
[ 119s] SKIP: tests/chgrp/posix-H.sh
[ 119s] recurse.sh: skipped test: requires membership in two groups
[ 119s] SKIP: tests/chgrp/recurse.sh
...
[ 286s] acl.sh: skipped test: This test requires a local user named bin.
[ 286s] SKIP: tests/cp/acl.sh
...
[ 286s] existing-perm-race.sh: skipped test: requires membership in two groups
[ 286s] SKIP: tests/cp/existing-perm-race.sh
...
[ 304s] acl.sh: skipped test: This test requires a local user named bin.
[ 304s] SKIP: tests/mv/acl.sh
...
[ 332s] # TOTAL: 563
[ 332s] # PASS: 496
[ 332s] # SKIP: 67
Idea: could we create/have some packages doing such modifications in the build environment via BuildRequires, but which are never shipped to regular systems? ... actually like the abuild user?
Thanks & have a nice day, Berny
On Wed, 2017-05-24 at 08:46 +0200, Bernhard Voelker wrote:
Idea: could we create/have some packages doing such modifications in the build environment via BuildRequires, but which are never shipped to regular systems? ... actually like the abuild user?
BuildRequires: user(FOO) / group(BAR) ?
If only used by the test suite, that's ok.. if the app/package needs it on the system, then additionally a
Requires: user(FOO) / group(BAR)
Cheers, Dominique
On 05/24/2017 08:53 AM, Dominique Leuenberger / DimStar wrote:
BuildRequires: user(FOO) / group(BAR) ?
thanks, I'll add that during the next update.
Have a nice day, Berny
participants (8)
- Adrian Schröter
- Bernhard Voelker
- Bruno Friedmann
- Dominique Leuenberger / DimStar
- Oliver Kurz
- Ruediger Meier
- Stephan Kulow
- Thorsten Kukuk