From Fedora Project Wiki
(Rescheduling for a later Fedora release as the deadline for system Wide Changes has already passed)
(Announcing, as the Change proposal was sent just before midnight, which I (the Change wrangler) did not catch.)
Line 146: Line 146:
TBD
TBD


[[Category:ChangePageIncomplete]]
[[Category:ChangeAnnounced]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->

Revision as of 10:46, 10 January 2018


Rename "nobody" user

Summary

Use "nobody:nobody" as the names for the kernel overflow UID:GID pair, and retire the old "nfsnobody" name and the old "nobody:nogroup" pair with 99:99 numbers.

Owner

  • Release notes owner:

Current status

  • Targeted release: Fedora 28
  • Last updated: 2018-01-10
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Status quo: Fedora statically defines "nobody:nobody" pair with uid:gid of 99:99 in setup.rpm, and "nfsnobody:nfsnobody" pair with uid:gid of 65534:65534 in nfs-utils.rpm.

This is problematic in a few different ways:

  • 65534:65534 is used by the kernel as the overflow identifier, when some UID cannot be represented in the current namespace. This applies to both NFS, but probably more commonly nowadays to UIDs outside of the current user namespace (e.g. when a file or process owned by a user from outside of a container). Calling this "nfsnobody" is misleading.
  • the name for the overflow user is only defined when nfs-utils.rpm is installed. In particular in containers people want to minimize the number of packages installed, so nfs-utils is likely not to be installed.
  • the static nobody:nobody user/group pair was used for various services for which weren't "worthy" of creating a dedicated user. This is a severely misguided concept, because all processes of the nobody user can ptrace and otherwise interact with each other. Separate users for each service should be used instead, either normal allocated users or systemd's DynamicUser's.
  • other distributions use either nobody:nobody or nobody:nogroup for the overflow uid:gid pair, and the different naming in Fedora is confusing and can lead to incorrect use.

We propose to:

  • stop using nfsnobody for the overflow uid/gid names
  • stop using nobody for the static user 99 and group 99
  • use the nobody:nobody pair of names for 65534:65534

On existing systems, to make upgrades easier:

  • if nfsnobody was defined, keep it in /etc/passwd *after* the new line for nobody:nobody, so that both the old name and the new name map to the same numbers
  • if nobody user or group with number 99 was defined, keep it in /etc/passwd and /etc/group, but rename to _nobody

The new mapping for nobody:nobody would be implemented in two redundant ways:

  • as a static allocation in /etc/passwd and /etc/group managed by setup.rpm
  • dynamically provided by the nss-systemd module (by compiling systemd with -Dnobody-user=nobody -Dnobody-group=nobody).

Benefit to Fedora

The name for the kernel overflow uid and gid will be always provided, and the name will not be misleading. Unsecure use of the nobody user will be eliminated.

Scope

  • Proposal owners:
  • recompile systemd with the right options to get expected answer from nss-systemd
  • propose patches for setup.rpm to add the new mapping and do the steps listed in Detailed Description on update
  • propose patches for nfs-utils to remove the nfsnobody mapping and do the steps listed in Detailed Description on update
  • Other developers: watch for regressions
  • Policies and guidelines: nothing

(https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups already says "Note that system services packaged for Fedora MUST NOT run as the nobody user" so no changes are required there.)

  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Things should mostly work OK. If somebody installed a service running as "nobody", it might start suddenly running with a different numerical uid. This could be problematic, but such use was already broken and is hopefully very rare.

How To Test

Check if "getent passwd nobody" or "getent passwd 65534" return something like

 nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin

User Experience

Should not be noticeable by users, except that in some circumstances in containers files which were shown with numeric uid and gid will be shown as owned by nobody:nobody.

Dependencies

Contingency Plan

  • Contingency mechanism: undo all changes and keep using nfsnobody:nfsnobody as the overflow user/group names
  • Contingency deadline: beta freeze
  • Blocks release? Yes
  • Blocks product? all products

Documentation

https://github.com/systemd/systemd/blob/master/UIDS-GIDS.md

Release Notes

TBD