From Fedora Project Wiki
No edit summary
No edit summary
 
Line 30: Line 30:
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
* Email: zbyszek@in.waw.pl
* Email: zbyszek@in.waw.pl
* Name: [[User:Lennart|Lennart Poettering]]
* Name: [[User:Lennart|Lennart Poettering]]
 
* Release notes ticket: [https://pagure.io/fedora-docs/release-notes/issue/104 #104]
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>

Latest revision as of 15:02, 2 March 2018


Rename "nobody" user

Summary

Use "nobody:nobody" as the names for the kernel overflow UID:GID pair, and retire the old "nfsnobody" name and the old "nobody:nobody" pair with 99:99 numbers.

Owner

Current status

Detailed Description

Status quo: Fedora statically defines "nobody:nobody" pair with uid:gid of 99:99 in setup.rpm, and "nfsnobody:nfsnobody" pair with uid:gid of 65534:65534 in nfs-utils.rpm.

This is problematic in a few different ways:

  • 65534:65534 is used by the kernel as the overflow identifier, when some UID cannot be represented in the current namespace. This applies to both NFS, but probably more commonly nowadays to UIDs outside of the current user namespace (e.g. when a file or process owned by a user from outside of a container). Calling this "nfsnobody" is misleading.
  • the name for the overflow user is only defined when nfs-utils.rpm is installed. In particular in containers people want to minimize the number of packages installed, so nfs-utils is likely not to be installed.
  • the static nobody:nobody user/group pair was used for various services for which weren't "worthy" of creating a dedicated user. This is a severely misguided concept, because all processes of the nobody user can ptrace and otherwise interact with each other. Separate users for each service should be used instead, either normal allocated users or systemd's DynamicUser's.
  • other distributions use either nobody:nobody or nobody:nogroup for the overflow uid:gid pair, and the different naming in Fedora is confusing and can lead to incorrect use.

We propose to:

  • stop using nfsnobody for the overflow uid/gid names
  • stop using nobody for the static user 99 and group 99
  • use the nobody:nobody pair of names for 65534:65534

Changing existing systems is hard, so this change would apply only to new systems. "New" means systems which have neither the old "nobody" user with uid 99 nor the nfsnobody user defined. During package installation/upgrade a scriptlet would check if either of those two conditions is encountered, and if it is, keep current behaviour (nobody=99, nfsnobody=65534), and otherwise, define nobody=65534.

On "new" systems, the mapping for nobody:nobody would be implemented in two redundant ways:

  • as a static allocation in /etc/passwd and /etc/group managed by setup.rpm
  • dynamically provided by the nss-systemd module (by compiling systemd with -Dnobody-user=nobody -Dnobody-group=nobody).

On "old" systems a flag would be set from an scriptlet to tell systemd to _not_ provide the "nobody" mapping, so that the existing mapping is used.

Benefit to Fedora

The name for the kernel overflow uid and gid will be always provided, and the name will not be misleading. Unsecure use of the nobody user will be eliminated.

Scope

  • Proposal owners:
  • recompile systemd with -Dnobody-user=nobody -Dnobody-group=nobody
  • patch systemd to support disabling the mapping for nobody in nss-systemd and implement this check in upgrade scriptlets
  • propose patches for setup.rpm to add the checks and new mapping listed in Detailed Description on update

(nfs-utils doesn't need to be changed, it's scriptlet will simply fail if a user with uid 65534 already exists.)

  • Other developers: watch for regressions
  • Policies and guidelines: nothing

(https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups already says "Note that system services packaged for Fedora MUST NOT run as the nobody user" so no changes are required there.)

  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Things should mostly work OK. The change only applies to "new" systems, which didn't have the old definitions. If something expects either "nfsnobody" to be defined, or hardcodes nobody to uid 99, it will be broken. But such things were already broken, so let's hope they are rare.

How To Test

Check if "getent passwd nobody" or "getent passwd 65534" return something like

 nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin

on "new" systems, and the old values on "old" systems.

User Experience

Should not be noticeable by users, except that in some circumstances in containers files which were shown with numeric uid and gid will be shown as owned by nobody:nobody. Files which were shown as owned by "nfsnobody" would now we owned by "nobody".

Dependencies

Contingency Plan

  • Contingency mechanism: undo all changes and keep using nfsnobody:nfsnobody as the overflow user/group names
  • Contingency deadline: beta freeze
  • Blocks release? Yes
  • Blocks product? all products

Documentation

https://github.com/systemd/systemd/blob/master/UIDS-GIDS.md

https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups

Previous discussions: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Q5GCKZ7Q7PAUQW66EV7IBJGSRJWYXBBH/?sort=date

https://bugzilla.redhat.com/show_bug.cgi?id=1350526

Release Notes

TBD