[opensuse-packaging] RFC: Namespacing group and usernames
I'd like to propose the following addition to the packaging policy regarding users and groups (https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups):

The names of users and groups which are created by a package should be prefixed with an underscore "_". This creates a safe namespace for the distribution and avoids collisions between system group and usernames which are created by packages and regular group and usernames.

Existing users and groups can be renamed with the following scriptlet:

    %pre
    getent group GROUP >/dev/null && groupmod -n _GROUP GROUP
    getent group _GROUP >/dev/null || groupadd -r _GROUP
    getent passwd USER >/dev/null && usermod -l _USER USER
    getent passwd _USER >/dev/null || useradd -r -g _GROUP -d HOMEDIR -s /sbin/nologin -c "user for PACKAGENAME" _USER

Group or username collisions can be problematic: if a username required for a package already exists, the pre-scriptlet will silently re-use the user/group for the package. While YaST apparently contains a blacklist preventing the creation of known system users/groups, this is tedious to maintain manually and doesn't cover the case where an administrator creates accounts via useradd/groupadd or maintains users/groups in LDAP. The lack of a separate namespace also prevents the use of certain group or usernames which might be desired.

There is precedent for the above policy, it has been implemented in OpenBSD since 2002/2003 where it requires changes to about half of the packages that provide users and/or groups. However, the overwhelming majority are simple configuration file changes and one-line patches to change hard-coded names (see also http://lists.opensuse.org/opensuse-packaging/2014-02/msg00103.html for the numbers and https://build.opensuse.org/package/view_file/openSUSE:Factory/rpmlint/config... for the group and usernames currently in use).

This policy should only be enforced for new packages while existing packages can be gradually converted, I'd be willing to help with that.
--
Guido Berhoerster
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
On 02/28/2014 10:53 AM, Guido Berhoerster wrote:
I'd like to propose the following addition to the packaging policy regarding users and groups (https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups):
The names of users and groups which are created by a package should be prefixed with an underscore "_". This creates a safe namespace for the distribution and avoids collisions between system group and usernames which are created by packages and regular group and usernames.
I'm afraid I don't get the point.

What are examples of possible collisions? I mean which of the following are subject to collisions on a typical system?

    $ cut -d: -f1 /etc/passwd | head -n -2 | paste -s -d ' '
    at avahi bin colord daemon dnsmasq ftp games gdm lp mail man messagebus news nobody nscd ntop ntp obsrun polkitd postfix pulse root rtkit sshd statd svn tftp usbmux uucp vboxadd wwwrun

Second, this will be inconsistent anyway because I don't think that anyone will want to rename e.g. 'root' to '_root' (for which someone already proposed an exemption list).

Third, some daemon user names today are already too long (>8) for tools like ps(1) ...

    $ ps -fu messagebus | cut -c 1-30
    UID        PID  PPID  C STIME
    message+   413     1  0 Feb27

... and therefore an additional "_" makes things worse.

With the above in mind, I'd tend to -1.

Have a nice day,
Berny
On Fri, Feb 28, 2014 at 5:32 AM, Bernhard Voelker <mail@bernhard-voelker.de> wrote:
On 02/28/2014 10:53 AM, Guido Berhoerster wrote:
I'd like to propose the following addition to the packaging policy regarding users and groups (https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups):
The names of users and groups which are created by a package should be prefixed with an underscore "_". This creates a safe namespace for the distribution and avoids collisions between system group and usernames which are created by packages and regular group and usernames.
I'm afraid I don't get the point.
What are examples of possible collisions? I mean which of the following are subject to collisions on a typical system?
    $ cut -d: -f1 /etc/passwd | head -n -2 | paste -s -d ' '
    at avahi bin colord daemon dnsmasq ftp games gdm lp mail man messagebus news nobody nscd ntop ntp obsrun polkitd postfix pulse root rtkit sshd statd svn tftp usbmux uucp vboxadd wwwrun

The "problem" with this example is you're only looking at local accounts and not including environments which use external naming services such as NIS/NIS+, LDAP, AD, etc, which may have hundreds or thousands of accounts and groups. In these environments collisions happen regardless of how much you try to limit the scope of user/group lookups.
Second, this will be inconsistent anyway because I don't think that anyone will want to rename e.g. 'root' to '_root' (for which someone already proposed an exemption list).
Third, some daemon user names today are already too long (>8) for tools like ps(1) ...
useradd(8) limits user names to 32 chars, see the CAVEATS section, however that is a local limit and if you're using an external name service longer user names are valid. I just created an LDAP user w/a username of 72 chars which was completely valid, not that I'm saying you'd want to do that. The LOGIN_NAME_MAX, getconf LOGIN_NAME_MAX, on my SLES/openSUSE systems is 256, and POSIX 2.9.2, _POSIX_LOGIN_NAME_MAX, sets that value to 9 chars.

    $ ps -fu messagebus | cut -c 1-30
    UID        PID  PPID  C STIME
    message+   413     1  0 Feb27
... and therefore an additional "_" makes things worse.
With the above in mind, I'd tend to -1.
Have a nice day, Berny
On 02/28/2014 03:12 PM, Darin Perusich wrote:
On Fri, Feb 28, 2014 at 5:32 AM, Bernhard Voelker <mail@bernhard-voelker.de> wrote:
What are examples of possible collisions? I mean which of the following are subject to collisions on a typical system?
    $ cut -d: -f1 /etc/passwd | head -n -2 | paste -s -d ' '
    at avahi bin colord daemon dnsmasq ftp games gdm lp mail man messagebus news nobody nscd ntop ntp obsrun polkitd postfix pulse root rtkit sshd statd svn tftp usbmux uucp vboxadd wwwrun

The "problem" with this example is you're only looking at local accounts and not including environments which use external naming services such as NIS/NIS+, LDAP, AD, etc, which may have hundreds or thousands of accounts and groups. In these environments collisions happen regardless of how much you try to limit the scope of user/group lookups.

I *do* live in such a heterogeneous environment, including e.g. Solaris. I wouldn't expect any other OSes to follow such a convention, and therefore there is not much gain for a user who wants to have an account like 'lp'. Even worse - while today a user 'wwwrun' may exist on other UNIXoide OSs and everybody is familiar with it, "_wwwrun" won't.
Second, this will be inconsistent anyway because I don't think that anyone will want to rename e.g. 'root' to '_root' (for which someone already proposed an exemption list).
Third, some daemon user names today are already too long (>8) for tools like ps(1) ...
useradd(8) limits user names to 32 chars, see the CAVEATS section, however that is a local limit and if you're using an external name service longer user names are valid. I just created an LDAP user w/a username of 72 chars which was completely valid, not that I'm saying you'd want to do that. The LOGIN_NAME_MAX, getconf LOGIN_NAME_MAX, on my SLES/openSUSE systems is 256, and POSIX 2.9.2, _POSIX_LOGIN_NAME_MAX, sets that value to 9 chars.

That's right, yet IMO that's not an argument for artificially enlarging user names.

Again: what was the starting point of the discussion, i.e. the problem? User "wwwrun" vs. "apache" as mentioned in the other thread? Well, that doesn't have much to do with collisions with normal user names, does it?

Have a nice day,
Berny
On Fri, 28 Feb 2014 16:01, Bernhard Voelker <mail@...> wrote: <snip>
Again: what was the starting point of the discussion, i.e. the problem? User "wwwrun" vs. "apache" as mentioned in the other thread? Well, that doesn't have much to do with collisions with normal user names, does it?
IMHO user apache is only valid to be used by a program named apache(|2), see other 'bound' names e.g. dnsmasq, vsftp, squid, avahi, lightdm, polkitd, postfix, rtkit, or similar.

wwwrun on the other hand, implies all http-daemons, including php-instances, or other programs (e.g. loadbalancer, reverse proxies) dedicated to running a web-presence.

"messagebus" is a afford, it should not have passed any simple sanity-check. Either it should be named dbus or _dbus or severely shortened to msgbus or even mbus (my fav is _dbus).

No local service account should need more than 6 letters/digits, solely from lowercase [a-z0-9] anything else gives us as admins or users hell, more likely sooner than later (hello, Murphy!), also, that would allow to start all local service accounts with an underscore (brings it up to 7 digits).

See the mess around charsets, encodings, fonts and other 'oh so nice to have' 'features/bugs'.

(Sorry, I'm jaded, mixed environment, multi unixes + M$, since 1996)

- Yamaban.
Bernhard Voelker wrote:
On 02/28/2014 10:53 AM, Guido Berhoerster wrote:
I'd like to propose the following addition to the packaging policy regarding users and groups (https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups):
The names of users and groups which are created by a package should be prefixed with an underscore "_". This creates a safe namespace for the distribution and avoids collisions between system group and usernames which are created by packages and regular group and usernames.
I'm afraid I don't get the point.
What are examples of possible collisions? I mean which of the following are subject to collisions on a typical system?
    $ cut -d: -f1 /etc/passwd | head -n -2 | paste -s -d ' '
    at avahi bin colord daemon dnsmasq ftp games gdm lp mail man messagebus news nobody nscd ntop ntp obsrun polkitd postfix pulse root rtkit sshd statd svn tftp usbmux uucp vboxadd wwwrun
Check this list: https://build.opensuse.org/package/view_file/openSUSE:Factory/rpmlint/config...
Second, this will be inconsistent anyway because I don't think that anyone will want to rename e.g. 'root' to '_root' (for which someone already proposed an exemption list).
As always root is special. Guido's proposal targets unprivileged daemon users.
Third, some daemon user names today are already too long (>8) for tools like ps(1) ...
Yes, that's why the proposal is a prefix that consists of only one single character.

cu
Ludwig
--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
* Bernhard Voelker <mail@bernhard-voelker.de> [2014-02-28 11:32]:
On 02/28/2014 10:53 AM, Guido Berhoerster wrote:
I'd like to propose the following addition to the packaging policy regarding users and groups (https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups):
The names of users and groups which are created by a package should be prefixed with an underscore "_". This creates a safe namespace for the distribution and avoids collisions between system group and usernames which are created by packages and regular group and usernames.
I'm afraid I don't get the point.
What are examples of possible collisions? I mean which of the following are subject to collisions on a typical system?
    $ cut -d: -f1 /etc/passwd | head -n -2 | paste -s -d ' '
    at avahi bin colord daemon dnsmasq ftp games gdm lp mail man messagebus news nobody nscd ntop ntp obsrun polkitd postfix pulse root rtkit sshd statd svn tftp usbmux uucp vboxadd wwwrun
Have a look at the link I provided, there are 134 usernames and 139 group names. The point is to have a clean separation between the distribution and admin-controlled group and usernames, i.e. an admin should be able to rely on packages not creating non-prefixed usernames (outside aaa_base).
Second, this will be inconsistent anyway because I don't think that anyone will want to rename e.g. 'root' to '_root' (for which someone already proposed an exemption list).
Yes, in the other thread I already said aaa_base should be exempt so that root, nobody, nogroup and a few others are preserved. aaa_base is installed on every system and only provides a few users/groups.
Third, some daemon user names today are already too long (>8) for tools like ps(1) ...
    $ ps -fu messagebus | cut -c 1-30
    UID        PID  PPID  C STIME
    message+   413     1  0 Feb27
... and therefore an additional "_" makes things worse.
If you look at the above list you'll find quite a few that are already longer than 8 characters, I think there has been support for 32 character names at least since glibc 2.0 which would be 1997. ps can display the username without truncation, it just doesn't do so by default for historical reasons, see http://procps.sourceforge.net/faq.html. It also truncates other columns like the command.
--
Guido Berhoerster
On 02/28/2014 04:09 PM, Guido Berhoerster wrote:
It also truncates other columns like the command.
Hmm, as other tools may also cut long user names at the end, what about *suffixing* daemon user names, e.g. "tfp$" (which useradd(8) permits) ... okay, this one looks MS'ish. ;-/

However, I think SUSE will live isolated with any such convention. How do other *IXes do this?

Have a nice day,
Berny
* Bernhard Voelker <mail@bernhard-voelker.de> [2014-02-28 17:11]:
On 02/28/2014 04:09 PM, Guido Berhoerster wrote:
It also truncates other columns like the command.
Hmm, as other tools may also cut long user names at the end, what about *suffixing* daemon user names, e.g. "tfp$" (which useradd(8) permits) ... okay, this one looks MS'ish. ;-/
However, I think SUSE will live isolated with any such convention. How do other *IXes do this?
OpenBSD has been using this scheme since about 2002/2003, see my initial mail which links to a post that analyzes the required modifications in their ports tree.
--
Guido Berhoerster
On Friday 28 February 2014 10.53:56 Guido Berhoerster wrote:
I'd like to propose the following addition to the packaging policy regarding users and groups (https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups):
The names of users and groups which are created by a package should be prefixed with an underscore "_". This creates a safe namespace for the distribution and avoids collisions between system group and usernames which are created by packages and regular group and usernames.
Existing users and groups can be renamed with the following scriptlet:
    %pre
    getent group GROUP >/dev/null && groupmod -n _GROUP GROUP
    getent group _GROUP >/dev/null || groupadd -r _GROUP
    getent passwd USER >/dev/null && usermod -l _USER USER
    getent passwd _USER >/dev/null || useradd -r -g _GROUP -d HOMEDIR -s /sbin/nologin -c "user for PACKAGENAME" _USER

I'm not in favor of this kind of solution. Simply due to the fact that I already use _ as an identifier for customers groups used samba & nfs servers. It clearly separates my groups from anything coming from packages.

If you run your script there's a risk to have collision with my already setup group like a _www like inserting package user in a personal group

What about using % ? :-)

-1
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
openSUSE Member
GPG KEY : D5C9B751C4653227
irc: tigerfoot
* Bruno Friedmann <bruno@ioda-net.ch> [2014-02-28 18:39]:
On Friday 28 February 2014 10.53:56 Guido Berhoerster wrote:
I'd like to propose the following addition to the packaging policy regarding users and groups (https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups):
The names of users and groups which are created by a package should be prefixed with an underscore "_". This creates a safe namespace for the distribution and avoids collisions between system group and usernames which are created by packages and regular group and usernames.
Existing users and groups can be renamed with the following scriptlet:
    %pre
    getent group GROUP >/dev/null && groupmod -n _GROUP GROUP
    getent group _GROUP >/dev/null || groupadd -r _GROUP
    getent passwd USER >/dev/null && usermod -l _USER USER
    getent passwd _USER >/dev/null || useradd -r -g _GROUP -d HOMEDIR -s /sbin/nologin -c "user for PACKAGENAME" _USER

I'm not in favor of this kind of solution. Simply due to the fact that I already use _ as an identifier for customers groups used samba & nfs servers. It clearly separates my groups from anything coming from packages.
If you run your script there's a risk to have collision with my already setup group like a _www like inserting package user in a personal group
Well, we are actually trying to address exactly this problem, only the other way around. And after the transition you'll have the guarantee that there will never be a collision with package groups/user, something that you don't have right now. There is a list of all groups and users created by packages in Factory, so you can easily write a small script that checks for potential collisions and preemptively rename affected users/groups, e.g. _www to __www.
What about using % ? :-)
Not as a prefix, from useradd(8):

Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes. They can end with a dollar sign. In regular expression terms: [a-z_][a-z0-9_-]*[$]?
--
Guido Berhoerster
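Added example (not part of the thread and not code from any openSUSE package): a shell version of the "small script that checks for potential collisions" mentioned in the message above, combined with the useradd(8) naming rule and 32-character limit quoted in the thread. The function names and the sample group file are constructed for illustration; the script reads a passwd/group-format file such as saved getent output.

```shell
#!/bin/sh
# Added example: pre-flight check for the "_" prefix rename scriptlet.
# Function names and sample data are illustrative, not from any openSUSE package.

# Naming rule quoted from useradd(8) in the thread, anchored for a full match.
NAME_RE='^[a-z_][a-z0-9_-]*[$]?$'

# name_exists DBFILE NAME: succeeds if NAME is field 1 of a passwd/group-format file.
name_exists() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# classify DBFILE NAME: print what the scriptlet would meet for package name NAME.
#   invalid    _NAME breaks the useradd(8) rule or its 32-character limit
#   collision  NAME and _NAME both exist, so groupmod -n / usermod -l would fail
#   reuse      only _NAME exists: already migrated, or an admin-created entry
#              that the scriptlet would silently adopt
#   rename     only NAME exists and will become _NAME
#   create     neither exists, _NAME is created fresh
classify() {
    db=$1 name=$2 new="_$2"
    if ! printf '%s\n' "$new" | LC_ALL=C grep -Eq "$NAME_RE" || [ "${#new}" -gt 32 ]; then
        echo invalid
    elif name_exists "$db" "$new"; then
        if name_exists "$db" "$name"; then echo collision; else echo reuse; fi
    elif name_exists "$db" "$name"; then
        echo rename
    else
        echo create
    fi
}

# report DBFILE NAME...: one "name: verdict" line per package-provided name.
report() {
    dbfile=$1; shift
    for n in "$@"; do
        printf '%s: %s\n' "$n" "$(classify "$dbfile" "$n")"
    done
}

# Constructed sample in group(5) format. On a real host, save the merged NSS view
# with: getent group > "$file" (remote sources appear only if enumeration is enabled).
make_sample_db() {
    cat > "$1" <<'EOF'
root:x:0:
www:x:480:
_www:x:1001:alice
ntp:x:481:
_dbus:x:482:
EOF
}

sample=$(mktemp) && make_sample_db "$sample"
report "$sample" www ntp dbus tftp 'bad name'
rm -f "$sample"
```

The "collision" and "reuse" verdicts are the two cases raised in the thread: an admin-owned _www next to a package-owned www, and a prefixed name that the scriptlet would adopt without creating it.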
On Friday 2014-02-28 18:59, Guido Berhoerster wrote:
Not as a prefix, from useradd(8):
Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes. They can end with a dollar sign. In regular expression terms: [a-z_][a-z0-9_-]*[$]?
But that's an arbitrary useradd limitation then. Through AD bindings, I am already a member of a group with spaces in it. Heck, I can even use an AD identity with backslash to authenticate to remote print servers.

    lpr -P bmlp4d -H print.gwdg.de -U 'GWDG\jengelh2' sparkles.pdf

And because we can, Unicode:

    19:57 nakamura:/home/jengelh # passwd 中村
    New Password:
    Bad password: too short
    Reenter New Password:
    passwd: password updated successfully
    19:58 nakamura:/home/jengelh # ssh 中村@localhost
    Password:
    Have a lot of fun...
    19:58 nakamura:~ > id
    uid=25126(中村) gid=100(users) groups=100(users)

What I concur on is that names matching /^\d+$/ are "prone" to be interpreted as numeric UIDs rather than textual IDs, and therefore should not be relied upon to describe a user by that the _name_ of "12345".

The other thing is that usernames should not contain '/' because that would make programs susceptible to ".." attacks. As Windows has '\\' as directory separator, I figure applications there just always use the SAM GUID instead of the username when they have to store something and decide to do so in the plain filesystem rather than registry - also because the GUID goes better with user renames.
On Fri, 28 Feb 2014 18:39 +0100 Bruno Friedmann <bruno@ioda-net.ch> wrote:
What about using % ? :-)
It will likely be confusing to use in sudoers.
Guido Berhoerster wrote:
I'd like to propose the following addition to the packaging policy regarding users and groups
Thanks Guido for bringing up this topic again. I've tried to condense the discussion here into a more formal document that follows the proposed OSEP structure[1], just for the fun of trying it :-)

The proposal should be taken to the Factory list to reach a wider audience after some feedback round here I think. It would be nice to present this to other distros as well, maybe we can have a common agreement. That shouldn't be precondition to implement it though. Someone has to start and try whether some things are useful in practice after all :-)

cu
Ludwig

[1] https://en.opensuse.org/openSUSE:OSEP_0001
--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
participants (8)
- Andrey Borzenkov
- Bernhard Voelker
- Bruno Friedmann
- Darin Perusich
- Guido Berhoerster
- Jan Engelhardt
- Ludwig Nussel
- Yamaban