Guidance on solving the username namespacing problem

Michael Biebl biebl at debian.org
Tue Jan 14 14:55:34 GMT 2020


Lennart, Zbyszek,

what's your take on this?

For some more background, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905817
and the recent discussion at
https://lists.debian.org/debian-policy/2020/01/msg00013.html


Thanks,
Michael

On 14.01.20 at 11:13, Philipp Kern wrote:
> On 2020-01-05 23:33, Philipp Kern wrote:
>> And then the following (in spirit) to base-passwd to make the systemd
>> allocation explicit:
>>
>>> --- a/README
>>> +++ b/README
>>> @@ -32,6 +32,9 @@ registry of allocations.
>>>  Reserved uids:
>>>      uid   | name              | description
>>>      ------+-------------------+---------------
>>> +    61184 |                   | reserved for systemd dynamic users
>>> +      -   |                   |
>>> +    63433 |                   |
>>>      63434 | netplan           | netplan
>>>      64000 | ftn               | fidogate
>>>      64001 | mysql             | mysql-server
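Review bot: the three new rows describe 61184 through 63433 only as "reserved for systemd dynamic users", but nothing in the entry records that the upper bound is a build-time choice that ends the range short of what systemd itself uses (the mail below calls it a "UID space shift and slight reduction" that "cannot be changed at runtime"); a reader of this registry therefore cannot tell from the table alone whether a systemd built with its own defaults would also hand out UIDs above 63433, right up against the netplan entry at 63434. Suggest stating in the description column, or in a note under the table, that Debian's systemd is built with this narrowed range and that anything above it is not dynamic. If the README ever quotes a size for the block, note that 61184 through 63433 inclusive is 2250 UIDs.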
>>
>> I'd still like to hear from the systemd maintainers about their opinion
>> about the UID space shift and slight reduction, of course.
> 
> So it looks like this is effectively groundhog day for them as Michael
> pointed me to [1] where the same thing was discussed before.
> 
> Given the DynamicUser design[2] I'd still assume that where it is in the
> UID space effectively does not matter much, it's fungible. There will be
> effectively no files permanently owned by those UIDs because the
> filesystem locations where the services can write are restricted and
> tightly managed.
> 
> So dear systemd maintainers, how would you think about changing the UID
> space to the above? 2249 UIDs vs. 4335 UIDs means that the space is
> effectively halved, which might be concerning. It is unfortunate that
> this cannot be changed at runtime, but if we get bug reports about this
> I feel like it should be possible to make it take multiple ranges
> instead. Apart from where the space needs to be located it does not seem
> like there are strong reasons to prefer systemd's current range over any
> other. I don't know what happens if that range is changed across a
> package upgrade, though. Presumably the hashes would be different so
> actually making the change might be tricky.
> 
> Kind regards and thanks
> Philipp Kern
> 
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905817
> [2] http://0pointer.net/blog/dynamic-users-with-systemd.html
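The two concerns in the quoted mail, that a static allocation like netplan or mysql must not sit inside the dynamic range, and that a DynamicUser= service should leave no files behind that a reused UID could later inherit, can be checked mechanically. The following is an added example, not code from this thread or from systemd: it models a per-service UID being derived from a reserved range and runs both checks over a constructed passwd snapshot and file listing. The keyed BLAKE2b hash and the counter-based fallback probing are stand-ins for whatever systemd actually does to choose a UID, the upstream range is assumed for contrast, and the function names are this example's own.

```python
"""Added example, not code from this thread or from systemd: a small model of
a per-service dynamic UID being derived from a reserved UID range, plus two
checks a maintainer would want before moving that range.

Assumptions (not taken from systemd's sources): the keyed BLAKE2b hash and the
counter-based fallback probing are stand-ins for the real selection logic;
UPSTREAM_RANGE is assumed for contrast; the passwd snapshot and file listing
are constructed."""
import hashlib

# Ranges are inclusive (lo, hi). PROPOSED_RANGE is the one in the README hunk
# quoted in the thread; UPSTREAM_RANGE is assumed here for contrast.
PROPOSED_RANGE = (61184, 63433)
UPSTREAM_RANGE = (61184, 65519)


def range_size(rng):
    lo, hi = rng
    return hi - lo + 1


def candidate_uid(unit_name, rng, probe=0, key=b"example-hash-key"):
    """Deterministically map a unit name into rng.

    probe > 0 yields the fallback candidates tried when an earlier one is
    already taken (assumption: a counter, so results are reproducible)."""
    lo, _ = rng
    digest = hashlib.blake2b(f"{unit_name}#{probe}".encode(),
                             key=key, digest_size=8).digest()
    return lo + int.from_bytes(digest, "big") % range_size(rng)


def allocate(unit_name, rng, in_use, max_probes=64):
    """Return a UID in rng for unit_name that is not in in_use, or None."""
    for probe in range(max_probes):
        uid = candidate_uid(unit_name, rng, probe)
        if uid not in in_use:
            return uid
    return None


def static_uids_inside(rng, passwd_uids):
    """Static /etc/passwd allocations that fall inside the dynamic range:
    these are the collisions a narrower range is meant to avoid."""
    lo, hi = rng
    return {u for u in passwd_uids if lo <= u <= hi}


def orphaned_in_range(listing, passwd_uids, rng):
    """Entries of a (path, uid) listing whose owner lies inside rng but has
    no passwd entry: state left behind by a dynamic user, which a different
    service could be handed once that UID is picked again."""
    lo, hi = rng
    return [(p, u) for p, u in listing if lo <= u <= hi and u not in passwd_uids]


# Constructed passwd snapshot: root, www-data, plus netplan and mysql from the
# README table quoted in the thread.
PASSWD_UIDS = {0, 33, 63434, 64001}

# Constructed listing, in the shape of: find / -xdev -printf '%p %U\n'
LISTING = [
    ("/var/lib/private/foo/state.db", 62001),
    ("/var/lib/mysql/ibdata1", 64001),
    ("/tmp/leftover", 61999),
    ("/etc/hostname", 0),
]


if __name__ == "__main__":
    for rng in (UPSTREAM_RANGE, PROPOSED_RANGE):
        print(rng, "size", range_size(rng),
              "static allocations inside:", sorted(static_uids_inside(rng, PASSWD_UIDS)))
    first = candidate_uid("foo.service", PROPOSED_RANGE)
    print("foo.service ->", first,
          "fallback if taken ->", allocate("foo.service", PROPOSED_RANGE, {first}))
    print("orphans:", orphaned_in_range(LISTING, PASSWD_UIDS, PROPOSED_RANGE))
```

Run against the constructed data, the wider range reports netplan (63434) and mysql (64001) as static allocations inside it, the proposed range reports none, and the orphan check flags the two files owned by unnamed UIDs inside the range. On a real host the listing would come from `find` with `-nouser` restricted to the range, and the passwd set from `/etc/passwd`; the hash-based mapping is only there to show that a given unit name lands on a different UID once the range changes, which is the upgrade concern raised at the end of the mail.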
