Bug#1029785: systemd-sysusers doesn't respect SYS_UID_RANGE in /etc/login.defs
Mike Gulick
mgulick at mathworks.com
Fri Jan 27 17:07:32 GMT 2023
Package: systemd
Version: 247.3-7+deb11u1
Severity: normal
X-Debbugs-Cc: mgulick at mathworks.com
Dear Maintainer,

Systemd creates a few users and groups on first boot via systemd-sysusers
(e.g. systemd-timesync, systemd-coredump). These users are created with UIDs
and GIDs starting from 999, working downwards. However, systemd still creates
users in this range even when SYS_UID_{MIN,MAX} and SYS_GID_{MIN,MAX} are set in
/etc/login.defs (as well as the relevant settings in /etc/adduser.conf).

Starting with systemd 247, systemd does provide an option to respect
/etc/login.defs for auto-generated UIDs; however, that feature must be enabled
via the compile-time option '-Dcompat-mutable-uid-boundaries=true', which Debian
does not currently do. This feature was added to systemd via this pull request:
https://github.com/systemd/systemd/pull/17172.

At my organization, we have some unix accounts that are > 20 years old, and some
of the old UIDs and GIDs are in the 100-999 range. These can't be easily
renumbered as this would cause NFS permission issues (there are *many* file
servers). To work around this, we configure our systems to use a higher ID
range (30000) for system UIDs and GIDs; however, systemd on Debian does not
currently respect this configuration. It's easy enough to renumber these
auto-created accounts since there aren't many and they don't own any files in
the filesystem, but it would be nice if systemd created them with the right
UID/GID in the first place.

FYI I looked at the rpm SPEC for RHEL9 and it looks like it has this feature
enabled, so that gives some confidence that it is stable.

Thanks,
Mike
-- Package-specific info:
-- System Information:
Debian Release: 11.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-20-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd depends on:
ii adduser 3.118
ii libacl1 2.2.53-10
ii libapparmor1 2.13.6-10
ii libaudit1 1:3.0-2
ii libblkid1 2.36.1-8+deb11u1
ii libc6 2.31-13+deb11u5.tmw1
ii libcap2 1:2.44-1
ii libcrypt1 1:4.4.18-4
ii libcryptsetup12 2:2.3.7-1+deb11u1
ii libgcrypt20 1.8.7-6
ii libgnutls30 3.7.1-5+deb11u2
ii libgpg-error0 1.38-2
ii libip4tc2 1.8.7-1
ii libkmod2 28-1
ii liblz4-1 1.9.3-2
ii liblzma5 5.2.5-2.1~deb11u1
ii libmount1 2.36.1-8+deb11u1
ii libpam0g 1.4.0-9+deb11u1
ii libseccomp2 2.5.1-1+deb11u1
ii libselinux1 3.1-3
ii libsystemd0 247.3-7+deb11u1
ii libzstd1 1.4.8+dfsg-2.1
ii mount 2.36.1-8+deb11u1
ii util-linux 2.36.1-8+deb11u1
Versions of packages systemd recommends:
ii dbus 1.12.24-0+deb11u1
ii ntp [time-daemon] 1:4.2.8p15+dfsg-1
Versions of packages systemd suggests:
ii policykit-1 0.105-31+deb11u1
ii systemd-container 247.3-7+deb11u1
Versions of packages systemd is related to:
pn dracut <none>
ii initramfs-tools 0.140
pn libnss-systemd <none>
ii libpam-systemd 247.3-7+deb11u1
ii udev 247.3-7+deb11u1
-- no debconf information
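
An added example (not part of the original report, and not systemd or Debian code) of a check for the mismatch described above: it reads SYS_UID_MIN/MAX and SYS_GID_MIN/MAX from a login.defs file and lists systemd-* accounts whose IDs fall outside that range. The function names, the 100/999 fallbacks for unset keys and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag systemd-* accounts whose
# IDs fall outside the SYS_UID/SYS_GID range configured in login.defs.

# login_defs_value FILE KEY FALLBACK: last uncommented value of KEY.
login_defs_value() {
    awk -v key="$2" -v fb="$3" '
        $1 == key && NF >= 2 { val = $2 }
        END { print (val == "" ? fb : val) }' "$1"
}

# out_of_range DB MIN MAX [REGEX]: "name:id" for entries outside [MIN, MAX].
# Works for passwd and group files, which both keep the ID in field 3.
out_of_range() {
    awk -F: -v min="$2" -v max="$3" -v pat="${4:-^systemd-}" '
        $1 ~ pat && ($3 + 0 < min + 0 || $3 + 0 > max + 0) { print $1 ":" $3 }' "$1"
}

# audit_sys_ids LOGIN_DEFS PASSWD GROUP: one "uid|gid name:id" line per mismatch.
# Fallbacks 100 and 999 are this example's assumption for unset keys.
audit_sys_ids() {
    umin=$(login_defs_value "$1" SYS_UID_MIN 100)
    umax=$(login_defs_value "$1" SYS_UID_MAX 999)
    gmin=$(login_defs_value "$1" SYS_GID_MIN 100)
    gmax=$(login_defs_value "$1" SYS_GID_MAX 999)
    out_of_range "$2" "$umin" "$umax" | sed 's/^/uid /'
    out_of_range "$3" "$gmin" "$gmax" | sed 's/^/gid /'
}

# demo: run the audit over constructed sample files (not real system data).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#SYS_UID_MIN 100' 'SYS_UID_MIN 30000' 'SYS_UID_MAX 30999' \
        'SYS_GID_MIN 30000' 'SYS_GID_MAX 30999' > "$d/login.defs"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'systemd-timesync:x:999:999::/:/usr/sbin/nologin' \
        'systemd-coredump:x:30001:30001::/:/usr/sbin/nologin' > "$d/passwd"
    printf '%s\n' 'root:x:0:' 'systemd-timesync:x:999:' \
        'systemd-coredump:x:30001:' > "$d/group"
    audit_sys_ids "$d/login.defs" "$d/passwd" "$d/group"
    rm -rf "$d"
}

# With three file arguments audit those files, otherwise run the demo.
if [ "$#" -eq 3 ]; then audit_sys_ids "$@"; else demo; fi
```

On a real host the three arguments would be /etc/login.defs, /etc/passwd and /etc/group; any line printed is an account to renumber before its ID collides with a legacy UID or GID on shared NFS storage.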