- Tracker bug: #1537262 (https://bugzilla.redhat.com/show_bug.cgi?id=1537262)
Latest revision as of 15:02, 2 March 2018
Rename "nobody" user
Summary
Use "nobody:nobody" as the names for the kernel overflow UID:GID pair, and retire the old "nfsnobody" name and the old "nobody:nobody" pair with 99:99 numbers.
Owner
- Name: Zbigniew Jędrzejewski-Szmek
- Email: zbyszek@in.waw.pl
- Name: Lennart Poettering
- Release notes ticket: #104
Current status
Detailed Description
Status quo: Fedora statically defines the "nobody:nobody" pair with uid:gid of 99:99 in setup.rpm, and the "nfsnobody:nfsnobody" pair with uid:gid of 65534:65534 in nfs-utils.rpm.
This is problematic in a few different ways:
- 65534:65534 is used by the kernel as the overflow identifier, when some UID cannot be represented in the current namespace. This applies to NFS, but probably more commonly nowadays to UIDs outside of the current user namespace (e.g. a file or process owned by a user from outside of a container). Calling this "nfsnobody" is misleading.
- the name for the overflow user is only defined when nfs-utils.rpm is installed. In containers in particular, people want to minimize the number of packages installed, so nfs-utils is likely not to be installed.
- the static nobody:nobody user/group pair was used for various services which weren't considered "worthy" of a dedicated user. This is a severely misguided concept, because all processes of the nobody user can ptrace and otherwise interact with each other. Separate users for each service should be used instead, either normally allocated users or systemd's DynamicUser= users.
- other distributions use either nobody:nobody or nobody:nogroup for the overflow uid:gid pair, and the different naming in Fedora is confusing and can lead to incorrect use.
We propose to:
- stop using nfsnobody for the overflow uid/gid names
- stop using nobody for the static user 99 and group 99
- use the nobody:nobody pair of names for 65534:65534
Changing existing systems is hard, so this change would apply only to new systems. "New" means systems which have neither the old "nobody" user with uid 99 nor the nfsnobody user defined. During package installation/upgrade a scriptlet would check if either of those two conditions is encountered, and if it is, keep current behaviour (nobody=99, nfsnobody=65534), and otherwise, define nobody=65534.
On "new" systems, the mapping for nobody:nobody would be implemented in two redundant ways:
- as a static allocation in /etc/passwd and /etc/group managed by setup.rpm
- dynamically provided by the nss-systemd module (by compiling systemd with -Dnobody-user=nobody -Dnobody-group=nobody).
On "old" systems a flag would be set from a scriptlet to tell systemd to _not_ provide the "nobody" mapping, so that the existing mapping is used.
Benefit to Fedora
The name for the kernel overflow uid and gid will always be provided, and the name will not be misleading. Insecure use of the nobody user will be eliminated.
Scope
- Proposal owners:
  - recompile systemd with -Dnobody-user=nobody -Dnobody-group=nobody
  - patch systemd to support disabling the mapping for nobody in nss-systemd and implement this check in upgrade scriptlets
  - propose patches for setup.rpm to add the checks and new mapping listed in Detailed Description on update
  (nfs-utils doesn't need to be changed; its scriptlet will simply fail if a user with uid 65534 already exists.)
- Other developers: watch for regressions
- Release engineering: #7258
- List of deliverables: N/A
- Policies and guidelines: nothing
(https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups already says "Note that system services packaged for Fedora MUST NOT run as the nobody user" so no changes are required there.)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
Things should mostly work OK. The change only applies to "new" systems, which didn't have the old definitions. If something expects either "nfsnobody" to be defined, or hardcodes nobody to uid 99, it will be broken. But such things were already broken, so let's hope they are rare.
How To Test
Check if "getent passwd nobody" or "getent passwd 65534" returns something like
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
on "new" systems, and the old values on "old" systems.
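The new/old decision from the Detailed Description and the check above, as an added shell example that is not the setup.rpm or systemd scriptlet. It works on passwd-format files (the three samples are constructed), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; not the setup.rpm or systemd scriptlet. Function names are hypothetical.

# "old" if the legacy definitions exist (nobody with uid 99, or any nfsnobody), else "new".
classify_passwd() {
    awk -F: '($1 == "nobody" && $3 == 99) || $1 == "nfsnobody" { legacy = 1 }
             END { print (legacy ? "old" : "new") }' "$1"
}

# "name:gid" of the first entry that owns uid 65534, empty if there is none.
overflow_entry() {
    awk -F: '$3 == 65534 { print $1 ":" $4; exit }' "$1"
}

# Compare the uid 65534 entry with what the proposal expects for this kind of system.
verify_mapping() {
    kind=$(classify_passwd "$1")
    entry=$(overflow_entry "$1")
    case "$kind/$entry" in
        new/nobody:65534) echo "new: ok" ;;
        old/nobody:*)     echo "old: mismatch (uid 65534 resolves to nobody)"; return 1 ;;
        old/*)            echo "old: ok" ;;
        *)                echo "new: mismatch (uid 65534 is '${entry:-unnamed}')"; return 1 ;;
    esac
}

# Constructed samples in passwd(5) format.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/new" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
EOF
cat > "$SAMPLES/old" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF
# Assumed failure case: an old system where the "do not provide nobody" flag
# was not set, so both the name and the uid lookup answer "nobody".
cat > "$SAMPLES/conflict" <<'EOF'
nobody:x:99:99:Nobody:/:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
EOF

for s in new old conflict; do
    printf '%-9s' "$s"; verify_mapping "$SAMPLES/$s" || true
done
```

On a live system, save the output of `getent passwd nobody nfsnobody 65534` to a file and pass that to `verify_mapping`, so that entries supplied through NSS are included.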
User Experience
Should not be noticeable by users, except that in some circumstances in containers, files which were shown with numeric uid and gid will be shown as owned by nobody:nobody. Files which were shown as owned by "nfsnobody" would now be owned by "nobody".
Dependencies
Contingency Plan
- Contingency mechanism: undo all changes and keep using nfsnobody:nfsnobody as the overflow user/group names
- Contingency deadline: beta freeze
- Blocks release? Yes
- Blocks product? all products
Documentation
https://github.com/systemd/systemd/blob/master/UIDS-GIDS.md
https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups
Previous discussions: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Q5GCKZ7Q7PAUQW66EV7IBJGSRJWYXBBH/?sort=date
https://bugzilla.redhat.com/show_bug.cgi?id=1350526
Release Notes
TBD