Hello,
after initial discussion on the -packaging list (see
http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html)
and incorporating some of the feedback we would like to introduce
the attached openSUSE Enhancement Proposal about creating a safe
namspace of system user and group names. Further comments and
reviews would be appreciated.
Full text of the OSEP (currently maintained at
https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...):
_____________________________________________________________________
OSEP: XXXX
Title: Informational proposal: openSUSE Distribution Daemon User and Group Names
Version: 0.1
Last-Modified: 03 Mar 2014
Author: Guido Berhoerster , Ludwig Nussel
Status: Draft
Type: Informational
Created: 28 Feb 2014
Post-History:
_____________________________________________________________________
Abstract
--------
This OSEP proposes a defined pattern for unprivileged system user
and group names.
Specification
-------------
Packages that add unprivileged users to e.g. run daemons as need to
use names that follow the following regular expression:
^_[0-9a-z][0-9a-z_]*$
This policy is meant to be applied to all packages that are new to
openSUSE Factory. Existing packages are encouraged to switch to the
new policy.
An exception are legacy users with a static uid as created on
first installation by aaa_base, like e.g. 'root' or 'nobody'.
Motivation
----------
Many packages need to add user and group names for their
unprivileged daemons.
Currently openSUSE Factory has a known lists of more than 130<<A>> such
daemon user names. Many names are short for convenience, e.g. 'pop',
'vdr', 'tor' or 'znc'. Since there is no separate name space for
system users those names may collide with names of real persons. A
common pattern for user names on unix systems also is to combine
letters of the given names and the surname which may lead to
combinations that may also collide with system user names. Sharing a
user name between a system user and a normal user leads to
surprising or even security relevant misbehavior as the daemon user
may write to files in the real user's home or vice versa.
Since introducing a separate namespace is not possible in the
current name service model, separating system users and real users
must be done by naming them differently.
Rationale
---------
A special prefix or suffix to user names is a straight forward
solution to the same namespace problem. Since long user names may
not fully be displayed by e.g. the ps tool the chosen method needs
to be short. Therefore using a single letter character may be used.
According to the recommended regular expression for usernames in the
useradd manpage<<D>> of the shadow package, dollar could be used as
suffix or underscore as prefix or suffix.
OpenBSD already implemented a policy to use underscore (ASCII
character 95) as prefix in 2003<<C>>. This method is therefore
considered proven in practice.
For symmetry reasons and because many packages also create groups
with the same name as the user the same solution should be applied
to groups as well.
License
-------
This document has been placed in the public domain.
References
----------
[bibliography]
- [[[A]]] current list of known user names in opensuse is maintained in link:https://build.opensuse.org/package/view_file/openSUSE:Factory/rpmlint/config?expand=1[rpmlint]
- [[[B]]] link:http://anonscm.debian.org/viewvc/pkg-shadow/upstream/trunk/man/useradd.8.xml?view=markup[useradd manpage]
- [[[C]]] List of sytem users in link:http://www.openbsd.org/cgi-bin/cvsweb/\~checkout~/ports/infrastructure/db/user.list?rev=HEAD;content-type=text%2Fplain[OpenBSD] with short sentence expressing the "policy"
- [[[D]]] some link:http://lists.opensuse.org/opensuse-packaging/2014-02/msg00103.html[numbers] collected by Guido
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org