[opensuse-factory] OSEP: openSUSE Distribution Daemon User and Group Names

Hello, after initial discussion on the -packaging list (see http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html) and incorporating some of the feedback we would like to introduce the attached openSUSE Enhancement Proposal about creating a safe namspace of system user and group names. Further comments and reviews would be appreciated. Full text of the OSEP (currently maintained at https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_user...): _____________________________________________________________________ OSEP: XXXX Title: Informational proposal: openSUSE Distribution Daemon User and Group Names Version: 0.1 Last-Modified: 03 Mar 2014 Author: Guido Berhoerster , Ludwig Nussel Status: Draft Type: Informational Created: 28 Feb 2014 Post-History: _____________________________________________________________________ Abstract -------- This OSEP proposes a defined pattern for unprivileged system user and group names. Specification ------------- Packages that add unprivileged users to e.g. run daemons as need to use names that follow the following regular expression: ^_[0-9a-z][0-9a-z_]*$ This policy is meant to be applied to all packages that are new to openSUSE Factory. Existing packages are encouraged to switch to the new policy. An exception are legacy users with a static uid as created on first installation by aaa_base, like e.g. 'root' or 'nobody'. Motivation ---------- Many packages need to add user and group names for their unprivileged daemons. Currently openSUSE Factory has a known lists of more than 130<<A>> such daemon user names. Many names are short for convenience, e.g. 'pop', 'vdr', 'tor' or 'znc'. Since there is no separate name space for system users those names may collide with names of real persons. A common pattern for user names on unix systems also is to combine letters of the given names and the surname which may lead to combinations that may also collide with system user names. Sharing a user name between a system user and a normal user leads to surprising or even security relevant misbehavior as the daemon user may write to files in the real user's home or vice versa. Since introducing a separate namespace is not possible in the current name service model, separating system users and real users must be done by naming them differently. Rationale --------- A special prefix or suffix to user names is a straight forward solution to the same namespace problem. Since long user names may not fully be displayed by e.g. the ps tool the chosen method needs to be short. Therefore using a single letter character may be used. According to the recommended regular expression for usernames in the useradd manpage<<D>> of the shadow package, dollar could be used as suffix or underscore as prefix or suffix. OpenBSD already implemented a policy to use underscore (ASCII character 95) as prefix in 2003<<C>>. This method is therefore considered proven in practice. For symmetry reasons and because many packages also create groups with the same name as the user the same solution should be applied to groups as well. License ------- This document has been placed in the public domain. References ---------- [bibliography] - [[[A]]] current list of known user names in opensuse is maintained in link:https://build.opensuse.org/package/view_file/openSUSE:Factory/rpmlint/config?expand=1[rpmlint] - [[[B]]] link:http://anonscm.debian.org/viewvc/pkg-shadow/upstream/trunk/man/useradd.8.xml?view=markup[useradd manpage] - [[[C]]] List of sytem users in link:http://www.openbsd.org/cgi-bin/cvsweb/\~checkout~/ports/infrastructure/db/user.list?rev=HEAD;content-type=text%2Fplain[OpenBSD] with short sentence expressing the "policy" - [[[D]]] some link:http://lists.opensuse.org/opensuse-packaging/2014-02/msg00103.html[numbers] collected by Guido -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org