From: Michal Hrusecky
Date: Wed, 26 Mar 2014 14:32:58 +0100
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] RFC: Namespace for users created for packages
Message-ID: <20140326133258.GB18451@susebook.ipv6.hrusecky.net>

Hi all,

an interesting discussion started on the openSUSE mailing list[1][2] and I would like to open up the same question on this mailing list. Basically it is about the following problem. Citing parts of the proposal:

Many packages need to add user and group names for their unprivileged daemons. Many names are short for convenience, e.g. 'pop', 'vdr', 'tor' or 'znc'. Since there is no separate name space for system users those names may collide with names of real persons. Sharing a user name between a system user and a normal user leads to surprising or even security relevant misbehavior as the daemon user may write to files in the real user's home or vice versa.

The conclusion, in short, is to prefix system users (with some exceptions like root or nobody) with an underscore '_'. So you would get users like '_pop', '_vdr', '_tor' or '_znc'. OpenBSD already does that[3]. The openSUSE proposal with more details can be seen on GitHub[4].

So the question is, what would you think about such a policy in Gentoo?

[1] http://lists.opensuse.org/opensuse-factory/2014-03/msg00333.html
[2] http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html
[3] http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/infrastructure/db/user.list?rev=HEAD;content-type=text%2Fplain
[4] https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_usernames.txt

-- 
Michal Hrusecky
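
The name collision and the underscore rule described in the message above, as an added example that is not part of the original mail or of the openSUSE proposal: a small audit over passwd(5)-format data. The UID cutoff of 999 for system accounts, the function names and the sample entries are assumptions made for this illustration; the exemption list holds only the two names the mail mentions.

```python
# Added example: audit passwd(5)-format data against the underscore rule.
# Assumptions, not from the mail: system accounts have UID <= 999, and the
# exemption list holds only the two names the mail gives as exceptions.
SYSTEM_UID_MAX = 999
EXEMPT = {"root", "nobody"}

# Constructed sample data (name:passwd:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/var/empty:/bin/false
tor:x:110:110:tor daemon:/var/lib/tor:/sbin/nologin
_znc:x:111:111:znc daemon:/var/lib/znc:/sbin/nologin
pop:x:1001:1001:Pop Smith:/home/pop:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
"""

def parse_passwd(text):
    """Return {name: uid}; blank, comment and malformed lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[0] and fields[2].isdecimal():
            accounts[fields[0]] = int(fields[2])
    return accounts

def unprefixed_system_accounts(accounts):
    """Existing system accounts that the proposal would rename."""
    return sorted(name for name, uid in accounts.items()
                  if uid <= SYSTEM_UID_MAX
                  and name not in EXEMPT and not name.startswith("_"))

def check_daemon_name(accounts, wanted):
    """Classify a user name that a package wants to create for its daemon."""
    if wanted in accounts:
        if accounts[wanted] > SYSTEM_UID_MAX and wanted not in EXEMPT:
            return "collides-with-regular-user"  # the case the mail warns about
        return "already-exists"
    if wanted in EXEMPT or wanted.startswith("_"):
        return "ok"
    return "free-but-unprefixed"  # no clash today, but a person may take it later

if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("to rename:", unprefixed_system_accounts(accounts))
    for name in ("pop", "_pop", "vdr", "tor"):
        print(name, "->", check_daemon_name(accounts, name))
```

On a real system the cutoff should follow the local UID_MIN setting rather than the constant assumed here.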