Bug#905817: UID range of DynamicUser overlaps with existing definitions in debian-policy
Michael Biebl
biebl at debian.org
Fri Aug 10 07:23:38 BST 2018
Package: systemd
Version: 239-7
Severity: important
Currently, DynamicUser gets a uid from within the following range:
61184 - 65519. Those values can be configured during build time via
-Ddynamic-uid-min= and -Ddynamic-uid-max=.
The debian policy has a section about uids and gids:
https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
The overlapping ranges are:
60000-64999:
Globally allocated by the Debian project, but only created on demand.
The ids are allocated centrally and statically, but the actual accounts
are only created on users’ systems on demand.
These ids are for packages which are obscure or which require many
statically-allocated ids. These packages should check for and create the
accounts in /etc/passwd or /etc/group (using adduser if it has this
facility) if necessary. Packages which are likely to require further
allocations should have a “hole” left after them in the allocation, to
give them room to grow.
65000-65533:
Reserved.
We don't meet the requirement of the 60000-64999 range, which says that
the ids need to be allocated statically (DynamicUser generated ids are
ephemeral).
The 65000-65533 range doesn't go into more detail about what purpose it is
reserved for.
There is also:
65536-4294967293:
Dynamically allocated user accounts. By default adduser will not
allocate UIDs and GIDs in this range, to ease compatibility with legacy
systems where uid_t is still 16 bits.
I'm not sure if it would be more suitable to pick the DynamicUser ids
from this range.
Filing this bug report so we don't forget about this.
CCing Sean to get his input as debian-policy maintainer.
Sean, you can get more in-detail documentation about DynamicUser at
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#DynamicUser=
Regards,
Michael
-- Package-specific info:
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.17.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd depends on:
ii adduser 3.117
ii libacl1 2.2.52-3+b1
ii libapparmor1 2.13-8
ii libaudit1 1:2.8.3-1+b1
ii libblkid1 2.32-0.4
ii libc6 2.27-5
ii libcap2 1:2.25-1.2
ii libcryptsetup12 2:2.0.4-2
ii libgcrypt20 1.8.3-1
ii libgnutls30 3.5.19-1
ii libgpg-error0 1.32-1
ii libidn11 1.33-2.2
ii libip4tc0 1.6.2-1.1
ii libkmod2 25-1
ii liblz4-1 1.8.2-1
ii liblzma5 5.2.2-1.3
ii libmount1 2.32-0.4
ii libpam0g 1.1.8-3.7
ii libseccomp2 2.3.3-3
ii libselinux1 2.8-1+b1
ii libsystemd0 239-7
ii mount 2.32-0.4
ii procps 2:3.3.15-2
ii util-linux 2.32-0.4
Versions of packages systemd recommends:
ii dbus 1.12.10-1
ii libpam-systemd 239-7
Versions of packages systemd suggests:
ii policykit-1 0.105-21
ii systemd-container 239-7
Versions of packages systemd is related to:
pn dracut <none>
ii initramfs-tools 0.132
ii udev 239-7
-- no debconf information
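To make the overlap described in the report concrete, here is an added example (not part of the bug report or of systemd) that checks the default DynamicUser UID range against the Debian policy classes quoted above and scans a constructed /etc/passwd for static accounts that already sit inside the dynamic range; the policy class labels and the sample passwd content are assumptions for illustration.

```python
# Added example: compare the systemd DynamicUser UID range with the Debian
# policy UID classes quoted in the report, and find static accounts that
# already occupy UIDs inside the dynamic range (a collision risk).
from typing import Dict, List, Optional, Tuple

# Default build-time range from the report (-Ddynamic-uid-min=/-Ddynamic-uid-max=).
DYNAMIC_UID_RANGE = (61184, 65519)

# Debian policy UID classes quoted in the report (labels are assumed shorthand).
POLICY_RANGES: Dict[str, Tuple[int, int]] = {
    "globally allocated, created on demand": (60000, 64999),
    "reserved": (65000, 65533),
    "dynamically allocated user accounts": (65536, 4294967293),
}


def overlap(a: Tuple[int, int], b: Tuple[int, int]) -> Optional[Tuple[int, int]]:
    """Return the inclusive intersection of two UID ranges, or None."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def policy_overlaps(dyn=DYNAMIC_UID_RANGE) -> Dict[str, Tuple[int, int]]:
    """Map each policy class to the sub-range the dynamic range covers."""
    return {name: o for name, rng in POLICY_RANGES.items()
            if (o := overlap(dyn, rng)) is not None}


def static_uids_in_range(passwd_text: str, dyn=DYNAMIC_UID_RANGE) -> List[Tuple[str, int]]:
    """Return (user, uid) for passwd entries whose UID lies inside the dynamic range."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip comments, blank lines and malformed entries
        uid = int(fields[2])
        if dyn[0] <= uid <= dyn[1]:
            hits.append((fields[0], uid))
    return hits


# Constructed sample /etc/passwd content, not taken from any real system.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
obscure-svc:x:61200:61200::/var/lib/obscure-svc:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for name, (lo, hi) in policy_overlaps().items():
        print(f"DynamicUser range overlaps '{name}': {lo}-{hi}")
    for user, uid in static_uids_in_range(SAMPLE_PASSWD):
        print(f"static account {user} (uid {uid}) lies inside the DynamicUser range")
```

Passing the 65536+ range as `dyn` shows the alternative the report raises: it overlaps none of the lower policy classes.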