DevHeads.net

F28 System Wide Change: Rename "nobody" user

= System Wide Change: Rename "nobody" user =
https://fedoraproject.org/wiki/Changes/RenameNobodyUser

Change owner(s):
* Zbigniew Jędrzejewski-Szmek <zbyszek AT in DOT waw DOT pl>
* Lennart Poettering <lpoetter AT redhat DOT com>

Use "nobody:nobody" as the names for the kernel overflow UID:GID pair,
and retire the old "nfsnobody" name and the old "nobody:nogroup" pair
with 99:99 numbers

== Detailed Description ==
Status quo: Fedora statically defines "nobody:nobody" pair with
uid:gid of 99:99 in setup.rpm, and "nfsnobody:nfsnobody" pair with
uid:gid of 65534:65534 in nfs-utils.rpm.

This is problematic in a few different ways:
* 65534:65534 is used by the kernel as the overflow identifier, when
some UID cannot be represented in the current namespace. This applies
to NFS, but probably more commonly nowadays to UIDs outside of
the current user namespace (e.g. when a file or process is owned by a
user from outside of a container). Calling this "nfsnobody" is
misleading.
* the name for the overflow user is only defined when nfs-utils.rpm is
installed. In particular in containers people want to minimize the
number of packages installed, so nfs-utils is likely not to be
installed.
* the static nobody:nobody user/group pair was used for various
services that weren't deemed "worthy" of a dedicated user. This
is a severely misguided concept, because all processes of the nobody
user can ptrace and otherwise interact with each other. Separate users
for each service should be used instead, either normally allocated users
or systemd's dynamic users (DynamicUser=).
* other distributions use either nobody:nobody or nobody:nogroup for
the overflow uid:gid pair, and the different naming in Fedora is
confusing and can lead to incorrect use.

We propose to:
* stop using nfsnobody for the overflow uid/gid names
* stop using nobody for the static user 99 and group 99
* use the nobody:nobody pair of names for 65534:65534

On existing systems, to make upgrades easier:
* if nfsnobody was defined, keep it in /etc/passwd *after* the new
line for nobody:nobody, so that both the old name and the new name map
to the same numbers
* if nobody user or group with number 99 was defined, keep it in
/etc/passwd and /etc/group, but rename to _nobody

The new mapping for nobody:nobody would be implemented in two redundant ways:
* as a static allocation in /etc/passwd and /etc/group managed by setup.rpm
* dynamically provided by the nss-systemd module (by compiling systemd
with -Dnobody-user=nobody -Dnobody-group=nobody).

== Scope ==
* Proposal owners:
- recompile systemd with the right options to get expected answer from
nss-systemd
- propose patches for setup.rpm to add the new mapping and do the
steps listed in Detailed Description on update
- propose patches for nfs-utils to remove the nfsnobody mapping and do
the steps listed in Detailed Description on update

* Other developers:
watch for regressions

* Release engineering:
#7258: https://pagure.io/releng/issue/7258

* List of deliverables:
N/A

* Policies and guidelines:
nothing
(https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups
already says "Note that system services packaged for Fedora MUST NOT
run as the nobody user" so no changes are required there.)

* Trademark approval:
N/A (not needed for this Change)
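
The upgrade steps from "Detailed Description" (rename the 99 entry to _nobody, add nobody for 65534, keep nfsnobody *after* it), sketched as an added example; this is not the setup.rpm or nfs-utils scriptlet. The function names, the sample entries and the GECOS, home and shell fields are assumptions made for illustration.

```python
OVERFLOW_ID = "65534"  # kernel overflow UID/GID named in the proposal
OLD_STATIC_ID = "99"   # old static allocation for "nobody"
# New entries; the GECOS, home and shell fields are assumptions.
NEW_PASSWD = "nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin"
NEW_GROUP = "nobody:x:65534:"
# Constructed sample of a pre-change /etc/passwd.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "nobody:x:99:99:Nobody:/:/sbin/nologin",
    "nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin",
]


def migrate(lines, new_entry):
    """Apply the upgrade steps to passwd- or group-format lines (ID is field 2)."""
    kept, legacy = [], []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 3:  # blank or malformed line: pass through untouched
            kept.append(line)
            continue
        name, num = fields[0], fields[2]
        if name == "nobody" and num == OLD_STATIC_ID:
            # Keep the 99 entry, but under the name _nobody.
            kept.append(":".join(["_nobody"] + fields[1:]))
        elif name == "nfsnobody" and num == OVERFLOW_ID:
            legacy.append(line)  # re-added after the new nobody line
        elif not (name == "nobody" and num == OVERFLOW_ID):
            kept.append(line)    # an existing nobody/65534 line is re-added below
    return kept + [new_entry] + legacy


def name_for_id(lines, num):
    """ID-to-name lookup by linear scan: the first matching line wins."""
    for line in lines:
        fields = line.split(":")
        if len(fields) > 2 and fields[2] == str(num):
            return fields[0]
    return None


def id_for_name(lines, name):
    """Name-to-ID lookup; any line carrying the name resolves."""
    for line in lines:
        fields = line.split(":")
        if len(fields) > 2 and fields[0] == name:
            return int(fields[2])
    return None
```

Because a linear scan of the file returns the first match, placing nfsnobody after the new line means 65534 is displayed as "nobody" while the old name still resolves to the same number.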

Comments

Re: F28 System Wide Change: Rename "nobody" user

By Steve Dickson at 01/11/2018 - 16:13

WOW... Why do you guys keep picking on NFS?? :-)

On 01/10/2018 05:46 AM, Jan Kurik wrote:
This is a very bad idea... IMHO...

steved.

Re: F28 System Wide Change: Rename "nobody" user

By Lennart Poettering at 01/11/2018 - 17:24

I hope you are aware that user id 65534 is used by user namespacing
(i.e. CLONE_NEWUSER) too, and in that context is probably much more
prominently visible to users than in the NFS context. The fact that
the user/group is called "nfsnobody" is quite misleading if most users
see it only in the user namespacing context which has zero
relationship to NFS.

(Also, "-2" is not 65534. Since kernel 2.4 uid_t is 32bit on
Linux. That means "-2" translates to 4294967294, and not 65534. And
given that uid_t is defined as unsigned type on Linux it's kind of
strange to even bother with negative values for this, that just
confuses everybody, including apparently yourself...)

Yes, and that's one of the issues we are trying to fix: the UID/GID is
used prominently, in the context of userns, but it either shows up as
not registered at all currently, or is assigned to NFS which is really
misleading.

We are not taking the concept of this user/group away. We are also not
taking the UID/GID assignment 65534 away, either. All we are doing is
assigning it a better name and doing so unconditionally, independently of
whether nfsutils is installed or not, as the UID/GID 65534 has plenty
of uses outside of NFS.

Lennart

Re: F28 System Wide Change: Rename "nobody" user

By Chuck Anderson at 01/11/2018 - 17:44

On Thu, Jan 11, 2018 at 11:24:56PM +0100, Lennart Poettering wrote:
Is there any security implication of re-using 65534 for user
namespacing, since NFS was using it before? Why not assign a new uid
for user namespacing?

Re: F28 System Wide Change: Rename "nobody" user

By R P Herrold at 01/11/2018 - 17:36

fixing something well and extensively documented, to something
'new and improved' in the face of a huge and unchangeable set
of implementations (and third-party webbish documentation)
that cannot be changed:

RO media

off-line images

backups

iscsi targets

NFS exports from third-party appliances

interop in heterogeneous environments

SMB

... is this really worth the effort? All it does, like the
XKCD 'N+1 standards' cartoon, is add one more 'standard' that
cannot displace the incumbents and diverges from 'Unix' for
an, at best, cosmetic reason, as you state:

All we are doing is assigning it a better name ...

-- Russ herrold

Re: F28 System Wide Change: Rename "nobody" user

By Matthew Miller at 01/10/2018 - 10:21

On Wed, Jan 10, 2018 at 11:46:13AM +0100, Jan Kurik wrote:
See previous thread on this proposal from two years ago:

https://lists.fedoraproject.org/archives/list/ ... at lists dot fedoraproject.org/thread/Q5GCKZ7Q7PAUQW66EV7IBJGSRJWYXBBH/?sort=date

There's some good discussion there. I'm still in favor.

Re: F28 System Wide Change: Rename "nobody" user

By Zbigniew =?utf-... at 01/10/2018 - 20:34

On Wed, Jan 10, 2018 at 10:21:32AM -0500, Matthew Miller wrote:
Right. The same people participate in the discussion and the same
things are said. The funny thing is that not the same people are
always saying the same thing.

The situation got both more complicated (because of nss-systemd)
and simpler (because of the one concrete effect of that discussion,
i.e. FPC forbidding the use of "nobody").

I added this link to the Change page.

Zbyszek

Re: F28 System Wide Change: Rename "nobody" user

By King InuYasha at 01/10/2018 - 08:50

On Wed, Jan 10, 2018 at 5:46 AM, Jan Kurik < ... at redhat dot com> wrote:
Two questions:

1. Why nobody:nobody instead of nobody:nogroup? I've seen the latter
in use in several distributions.
* For note, we use this in Mageia:
http://gitweb.mageia.org/software/setup/tree/group
* Debian and Ubuntu also define it this way.

2. For existing systems, would renaming the nobody:nobody user to
oldnobody:oldnobody work instead? The uid would be preserved, which
should keep the mapping sane, and it would make it more obvious that
it's old, rather than using weird underscores.

In general, I support this change because the two nobody users made
things confusing for me and many other people. Simplifying this would
also harmonize things with everyone else, which helps for portability
of things. :)

Re: F28 System Wide Change: Rename "nobody" user

By Stephen John Smoogen at 01/10/2018 - 11:14

On 10 January 2018 at 08:50, Neal Gompa < ... at gmail dot com> wrote:
I think all of the above would be good additions to this. Having dealt
with multiple large deployments where 99:99 caused different problems
but then were hard-coded into being fixed if something is Fedora/RHEL
based... a lot of people updating to F28+ would have problems... and a
lot of people update vs fresh install.

Re: F28 System Wide Change: Rename "nobody" user

By Steve Dickson at 01/11/2018 - 16:19

On 01/10/2018 11:14 AM, Stephen John Smoogen wrote:
steved.