public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] RFC: Namespace for users created for packages
@ 2014-03-26 13:32 Michal Hrusecky
  2014-03-26 13:51 ` Alexander Berntsen
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Michal Hrusecky @ 2014-03-26 13:32 UTC
  To: gentoo-dev

Hi all,

An interesting discussion started on the openSUSE mailing list[1][2] and I would
like to open up the same question on this mailing list.

Basically it is about the following problem. Citing parts of the proposal:

Many packages need to add user and group names for their unprivileged daemons.
Many names are short for convenience, e.g. 'pop', 'vdr', 'tor' or 'znc'. Since
there is no separate name space for system users those names may collide with
names of real persons. Sharing a user name between a system user and a normal
user leads to surprising or even security-relevant misbehavior as the daemon
user may write to files in the real user's home or vice versa.

The conclusion, in short, is to prefix system users (with some exceptions like
root or nobody) with an underscore '_'. So you would get users like '_pop', '_vdr',
'_tor' or '_znc'. OpenBSD already does that[3]. The openSUSE proposal with more
details can be seen on GitHub[4].

So the question is, what would you think about such a policy in Gentoo?

[1] http://lists.opensuse.org/opensuse-factory/2014-03/msg00333.html
[2] http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html
[3] http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/infrastructure/db/user.list?rev=HEAD;content-type=text%2Fplain
[4] https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_usernames.txt

-- 
	Michal Hrusecky <Michal@Hrusecky.net>



* Re: [gentoo-dev] RFC: Namespace for users created for packages
  2014-03-26 13:32 [gentoo-dev] RFC: Namespace for users created for packages Michal Hrusecky
@ 2014-03-26 13:51 ` Alexander Berntsen
  2014-03-26 14:10 ` Tom Wijsman
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Alexander Berntsen @ 2014-03-26 13:51 UTC
  To: gentoo-dev

On 26/03/14 14:32, Michal Hrusecky wrote:
> So the question is, what would you think about such a policy in 
> Gentoo?
It would be useful.

Scandinavians named Tor would likely be grateful. ;-)
-- 
Alexander
bernalex@gentoo.org
https://secure.plaimi.net/~alexander



* Re: [gentoo-dev] RFC: Namespace for users created for packages
  2014-03-26 13:32 [gentoo-dev] RFC: Namespace for users created for packages Michal Hrusecky
  2014-03-26 13:51 ` Alexander Berntsen
@ 2014-03-26 14:10 ` Tom Wijsman
  2014-03-26 14:49 ` Sven Vermeulen
  2014-03-30  8:28 ` "Paweł Hajdan, Jr."
  3 siblings, 0 replies; 5+ messages in thread
From: Tom Wijsman @ 2014-03-26 14:10 UTC
  To: gentoo-dev

On Wed, 26 Mar 2014 14:32:58 +0100
Michal Hrusecky <miska@gentoo.org> wrote:

> Many packages need to add user and group names for their unprivileged
> daemons. Many names are short for convenience, e.g. 'pop', 'vdr',
> 'tor' or 'znc'. Since there is no separate name space for system
> users those names may collide with names of real persons. Sharing a
> user name between a system user and a normal user leads to surprising
> or even security relevant misbehavior as the daemon user may write to
> files in the real user's home or vice versa.
> 
> Conclusion, in short, is to prefix system users (with some exceptions
> like root or nobody) with underscore '_'. So you would get users like
> '_pop', '_vdr', '_tor' or '_znc'. OpenBSD already does that[3].
> openSUSE proposal with more details can be seen on GitHub[4].
> 
> So the question is, what would you think about such a policy in
> Gentoo?
> 
> [1] http://lists.opensuse.org/opensuse-factory/2014-03/msg00333.html
> [2] http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html
> [3]
> http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/infrastructure/db/user.list?rev=HEAD;content-type=text%2Fplain
> [4]
> https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_usernames.txt

+1, it also helps spot the difference between normal users and those
that were made by the system; e.g. `grep -v ^_ /etc/passwd` to quickly
list only normal users there (while you have 'added by portage' in this
case, you might not have that available in other cases).

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D



* Re: [gentoo-dev] RFC: Namespace for users created for packages
  2014-03-26 13:32 [gentoo-dev] RFC: Namespace for users created for packages Michal Hrusecky
  2014-03-26 13:51 ` Alexander Berntsen
  2014-03-26 14:10 ` Tom Wijsman
@ 2014-03-26 14:49 ` Sven Vermeulen
  2014-03-30  8:28 ` "Paweł Hajdan, Jr."
  3 siblings, 0 replies; 5+ messages in thread
From: Sven Vermeulen @ 2014-03-26 14:49 UTC
  To: gentoo-dev

On Wed, Mar 26, 2014 at 02:32:58PM +0100, Michal Hrusecky wrote:
> Hi all,
> 
> interesting discussion started in openSUSE mailing list[1][2] and I would like
> to open up the same question on this mailing list.
> 
> Basically it is about the following problem. Citing parts of proposal:
> 
> Many packages need to add user and group names for their unprivileged daemons.
> Many names are short for convenience, e.g. 'pop', 'vdr', 'tor' or 'znc'. Since
> there is no separate name space for system users those names may collide with
> names of real persons. Sharing a user name between a system user and a normal
> user leads to surprising or even security relevant misbehavior as the daemon
> user may write to files in the real user's home or vice versa.
> 
> Conclusion, in short, is to prefix system users (with some exceptions like root
> or nobody) with underscore '_'. So you would get users like '_pop', '_vdr',
> '_tor' or '_znc'. OpenBSD already does that[3]. openSUSE proposal with more
> details can be seen on GitHub[4].
> 
> So the question is, what would you think about such a policy in Gentoo?

I'm in favor. It shouldn't be used as *the* check to make sure that an
account is a functional (non-interactive/daemon) account (for that there is
also the user id range and so on) but for visibility it's definitely worth
pursuing.

Wkr,
	Sven Vermeulen
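
Added example, not part of Sven Vermeulen's message or of any post in this thread: a shell/awk audit that cross-checks the proposed '_' prefix against the user id range, so that neither signal is trusted on its own. The function names, the UID_MIN default of 1000, the exemption list and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample passwd entries (not taken from a real system).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/var/empty:/bin/false
_tor:x:105:105:added by portage for tor:/var/lib/tor:/sbin/nologin
znc:x:106:106:added by portage for znc:/var/lib/znc:/sbin/nologin
tor:x:1001:1001:Tor Hansen:/home/tor:/bin/bash
_backup:x:1002:1002:misnamed login:/home/_backup:/bin/bash
EOF
}

# audit_passwd FILE [UID_MIN] [EXEMPT_NAMES]
# Prints one line per account whose name and UID range disagree:
#   UNPREFIXED_SYSTEM name uid  - UID below UID_MIN but no '_' prefix
#   PREFIXED_REGULAR  name uid  - UID at or above UID_MIN but '_' prefix
# UID_MIN defaults to 1000 (assumed; check UID_MIN in /etc/login.defs).
# EXEMPT_NAMES defaults to the exceptions named in the proposal.
audit_passwd() {
    awk -F: -v uid_min="${2:-1000}" -v exempt="${3:-root nobody}" '
    BEGIN {
        n = split(exempt, e, " ")
        for (i = 1; i <= n; i++) skip[e[i]] = 1
    }
    /^#/ || NF < 7 { next }        # ignore comments and malformed lines
    ($1 in skip)   { next }        # policy exceptions keep their names
    {
        prefixed = ($1 ~ /^_/)
        is_sys   = ($3 + 0 < uid_min + 0)
        if (is_sys && !prefixed)
            print "UNPREFIXED_SYSTEM " $1 " " $3
        else if (!is_sys && prefixed)
            print "PREFIXED_REGULAR " $1 " " $3
    }' "$1"
}
```

Run it as `audit_passwd /etc/passwd`; on the constructed sample it reports `znc` (system UID, no prefix) and `_backup` (regular UID, prefixed), while `_tor` and the person named `tor` coexist without a finding.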



* Re: [gentoo-dev] RFC: Namespace for users created for packages
  2014-03-26 13:32 [gentoo-dev] RFC: Namespace for users created for packages Michal Hrusecky
                   ` (2 preceding siblings ...)
  2014-03-26 14:49 ` Sven Vermeulen
@ 2014-03-30  8:28 ` "Paweł Hajdan, Jr."
  3 siblings, 0 replies; 5+ messages in thread
From: "Paweł Hajdan, Jr." @ 2014-03-30  8:28 UTC
  To: gentoo-dev

On 3/26/14, 2:32 PM, Michal Hrusecky wrote:
> Conclusion, in short, is to prefix system users (with some exceptions like root
> or nobody) with underscore '_'. So you would get users like '_pop', '_vdr',
> '_tor' or '_znc'. OpenBSD already does that[3]. openSUSE proposal with more
> details can be seen on GitHub[4].
> 
> So the question is, what would you think about such a policy in Gentoo?

+1

Also the consistency of UIDs between installations seems to be a good thing.

Maybe we don't necessarily need that in Gentoo from the start, and just
using the underscore prefix would have nice benefits, but since we're
changing things I'd say let's consider that, and consistency with
openSUSE would also be a plus IMHO.

Paweł

